GitHub Actions
Basic Workflow

Add this workflow to .github/workflows/redactyl.yml:

```yaml
name: Secret Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for git scanning

      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Install Redactyl
        run: go install github.com/varalys/redactyl@latest

      - name: Run Redactyl scan
        run: redactyl scan --sarif > redactyl.sarif.json

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: redactyl.sarif.json
```

SARIF Integration

SARIF output integrates with GitHub Code Scanning. Findings appear:
- In the Security tab
- As annotations on PRs
- In the code view
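The SARIF file that Code Scanning ingests is plain JSON, so a job can also inspect it itself before or alongside the upload. The following Python script is an added example, not part of Redactyl or of this page: it flattens a constructed SARIF 2.1.0 document into (rule, level, file, line) tuples, renders a Markdown summary that lists locations but never the matched value, and applies a severity gate. The sample rule ids, file paths and the pass/fail policy are this example's own assumptions, not Redactyl's behaviour.

```python
"""Summarise a SARIF 2.1.0 file and decide whether a CI gate should fail.

Added example, not part of the Redactyl project. It relies only on the
SARIF 2.1.0 structure that GitHub Code Scanning ingests; the sample document
below is constructed here, and mapping 'error'/'warning' levels to a
pass/fail decision is this script's own policy, not Redactyl's.
"""
import json
from collections import Counter

# Constructed sample SARIF document, shaped like a scanner's --sarif output.
# Rule ids and paths are made up for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "aws-access-key", "shortDescription": {"text": "AWS access key"}},
            {"id": "generic-api-key", "shortDescription": {"text": "Generic API key"}},
        ]}},
        "results": [
            {"ruleId": "aws-access-key", "level": "error",
             "message": {"text": "AWS access key detected"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/prod.env"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "generic-api-key", "level": "warning",
             "message": {"text": "Possible API key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/client.py"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})

# SARIF severity ladder, lowest to highest.
LEVELS = ["none", "note", "warning", "error"]


def load_results(sarif_text):
    """Flatten every run's results into (ruleId, level, uri, startLine) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # A result may carry several locations; report each one.
            # SARIF's default level when none is given is "warning".
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append((result.get("ruleId", "<no-rule>"),
                                 result.get("level", "warning"),
                                 uri, line))
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level."""
    return Counter(level for _, level, _, _ in findings)


def should_fail(findings, threshold="error"):
    """True if any finding is at or above the threshold level."""
    floor = LEVELS.index(threshold)
    return any(LEVELS.index(level) >= floor
               for _, level, _, _ in findings if level in LEVELS)


def to_markdown(findings):
    """Render findings as a Markdown list for a PR comment or job summary.

    Only rule id, level and location are included, never the matched text,
    so the summary does not re-leak the secret it reports.
    """
    if not findings:
        return "No findings."
    lines = [f"{len(findings)} finding(s):", ""]
    for rule, level, uri, line in findings:
        lines.append(f"- `{rule}` ({level}) in {uri}:{line}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = load_results(SAMPLE_SARIF)
    print(to_markdown(found))
    print("gate:", "FAIL" if should_fail(found) else "PASS")
```

In a workflow step the Markdown string can be appended to the file named by `$GITHUB_STEP_SUMMARY` so it appears on the run page, and the gate result turned into a non-zero exit code; the upload step should then carry `if: always()` so the SARIF still reaches Code Scanning when the gate fails.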
Container Image Scanning
Scan images before pushing to a registry:

```yaml
jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Install Redactyl
        run: go install github.com/varalys/redactyl@latest

      - name: Scan image
        run: |
          docker save myapp:${{ github.sha }} > image.tar
          redactyl scan image.tar --sarif > redactyl.sarif.json

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: redactyl.sarif.json
```

PR Comments

Add findings as PR comments. The comment lists only the detector, file and line of each finding, not the matched value:
```yaml
- name: Run Redactyl scan
  id: scan
  run: |
    redactyl scan --json > findings.json
    echo "count=$(jq length findings.json)" >> "$GITHUB_OUTPUT"

- name: Comment on PR
  if: steps.scan.outputs.count > 0
  uses: actions/github-script@v7
  with:
    script: |
      const findings = require('./findings.json');
      const body = `## Redactyl found ${findings.length} secrets\n\n` +
        findings.map(f => `- \`${f.detector}\` in ${f.file}:${f.line}`).join('\n');
      // Await the API call so a failed request fails the step instead of
      // surfacing as an unhandled rejection.
      await github.rest.issues.createComment({
        owner: context.repo.owner,
        repo: context.repo.repo,
        issue_number: context.issue.number,
        body
      });
```

Scheduled Scans

Scan the main branch on a schedule:
```yaml
on:
  schedule:
    - cron: '0 0 * * *' # Daily at midnight

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go install github.com/varalys/redactyl@latest
      - run: redactyl scan --no-tui
```

Helm Chart Scanning

```yaml
- name: Scan Helm charts
  run: redactyl scan --helm ./charts --sarif > redactyl.sarif.json
```

Using Baseline

Exclude known secrets:
```yaml
- name: Run Redactyl with baseline
  run: redactyl scan --baseline .redactyl-baseline.json --sarif > redactyl.sarif.json
```

Fail on Severity

Only fail on high severity findings:

```yaml
- name: Run Redactyl scan
  run: redactyl scan --severity high --no-tui
```

Matrix Strategy

Scan multiple images:

```yaml
jobs:
  scan:
    runs-on: ubuntu-latest # required for every job
    strategy:
      matrix:
        image: [api, web, worker]
    steps:
      - run: go install github.com/varalys/redactyl@latest
      - run: redactyl scan --image myorg/${{ matrix.image }}:latest
```