A GitHub Action that automatically scans pull requests for sensitive content, including secrets, credentials, and potentially harmful code patterns. It helps prevent accidental exposure of sensitive information in your codebase.
- 🔍 Comprehensive Scanning: Detects API keys, passwords, tokens, and other secrets
- 🎯 Smart Pattern Recognition: Identifies suspicious code patterns and potential security issues
- 📝 Detailed Reporting: Posts informative comments on PRs with context and suggestions
- ⚙️ Highly Configurable: Customize patterns, severity levels, and exclusions
- 🚀 Fast & Efficient: Only scans changed files and lines in PRs
- 📊 Severity Levels: Categorizes findings by importance (low, medium, high)
Create a workflow file (e.g., `.github/workflows/sensitive-scan.yml`):

```yaml
name: Sensitive Content Scanner

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: windyinwind/sensitive-scanner-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

The action accepts the following inputs:

| Input | Description | Required | Default |
|---|---|---|---|
| `github-token` | GitHub token for API access | Yes | `${{ github.token }}` |
| `sensitive-words-file` | Path to custom sensitive words file | No | `.github/sensitive-words.txt` |
| `custom-patterns` | Additional regex patterns (JSON array) | No | `[]` |
| `exclude-files` | File patterns to exclude (comma-separated) | No | `*.min.js,*.lock,package-lock.json,yarn.lock,*.map` |
| `severity-level` | Minimum severity to report | No | `medium` |
| `fail-on-detection` | Fail workflow when issues found | No | `true` |
| `comment-mode` | Comment handling mode | No | `create` |
The action sets the following outputs:

| Output | Description |
|---|---|
| `findings-count` | Number of findings detected |
| `has-high-severity` | Whether high severity issues were found |
| `scan-status` | Overall scan status |
Basic usage (the step alone, inside a job like the one above):

```yaml
- uses: windyinwind/sensitive-scanner-action@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
```

Advanced configuration, with a custom words file, extra regex patterns, wider exclusions, the lowest severity threshold, and no workflow failure on detection:

```yaml
- uses: windyinwind/sensitive-scanner-action@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    sensitive-words-file: '.github/custom-words.txt'
    custom-patterns: '["(?i)todo.*hack", "(?i)fixme.*security"]'
    exclude-files: '*.min.js,*.bundle.js,dist/**,build/**'
    severity-level: 'low'
    fail-on-detection: 'false'
```

Using the outputs in a later step (the scan step needs an `id`; note that with the default `fail-on-detection: 'true'` a detection fails the scan step, so a follow-up step only runs if the scan step has `continue-on-error: true` or the follow-up is guarded with `if: always() && ...`):

```yaml
- name: Scan for sensitive content
  id: scan
  uses: windyinwind/sensitive-scanner-action@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Handle scan results
  if: steps.scan.outputs.has-high-severity == 'true'
  run: |
    echo "High severity issues found!"
    echo "Total findings: ${{ steps.scan.outputs.findings-count }}"
```

Create a `.github/sensitive-words.txt` file in your repository:

```text
# Sensitive words (one per line)
# Lines starting with # are comments
password
secret
apikey
token
confidential
internal_only
# Add your organization-specific terms
```
The action detects, among other things:

- API keys and tokens (OpenAI, GitHub, Slack, etc.)
- Database connection strings
- Private keys and certificates
- Hardcoded passwords
- Suspicious code patterns (`eval`, `innerHTML`, etc.)
- Template injection patterns
- Custom sensitive words
- Debug statements in production code
- Development URLs (localhost, `.local` domains)
- TODO/FIXME comments with security implications
- Hardcoded development credentials
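To make the inputs concrete, here is an offline dry run of how the documented inputs combine: the words file format, the `custom-patterns` JSON array (Python-style `(?i)` inline flags, as in the example above), `exclude-files` globs, the `severity-level` threshold, and the three outputs, applied to the added lines of a constructed diff. This is an added example, not the action's own code: the built-in rules (a small subset of the categories listed above), the severities assigned to them, the `scan-status` values, the sample diff, and the words file are all assumptions made here for illustration.

```python
"""Offline dry run of the scanner configuration this README describes.
Added example, not the action's own code. It assumes the documented inputs and
outputs behave as the tables above say; the rules, their severities, the
scan-status values, the sample diff and the words file are constructed here."""
import fnmatch
import json
import re

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Representative subset of the README's categories; illustrative assumptions only.
BUILTIN_RULES = [
    ("db-connection-string",
     r"\b(?:postgres|mysql|mongodb)(?:\+srv)?://[^\s'\"]+:[^\s'\"]+@", "high"),
    ("hardcoded-password", r"(?i)\bpassword\s*[:=]\s*['\"][^'\"]{4,}['\"]", "high"),
    ("suspicious-eval", r"\beval\s*\(", "medium"),
    ("dev-url", r"\bhttps?://(?:localhost|[\w.-]+\.local)\b", "low"),
]

def load_sensitive_words(text):
    """Parse a sensitive-words file: one term per line, '#' lines are comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def compile_rules(custom_patterns_json, sensitive_words):
    """(name, regex, severity) rules: built-ins, then the custom-patterns JSON
    array (rated medium here, an assumption), then whole-word matches for the
    words file (rated low here, also an assumption)."""
    rules = [(n, re.compile(p), s) for n, p, s in BUILTIN_RULES]
    rules += [("custom:" + p, re.compile(p), "medium") for p in json.loads(custom_patterns_json)]
    rules += [("word:" + w, re.compile(r"(?i)\b" + re.escape(w) + r"\b"), "low")
              for w in sensitive_words]
    return rules

def is_excluded(path, exclude_files):
    """Comma-separated exclude-files: 'dir/**' excludes a tree, anything else is a path glob."""
    for pat in (p.strip() for p in exclude_files.split(",") if p.strip()):
        if (pat.endswith("/**") and path.startswith(pat[:-2])) or fnmatch.fnmatchcase(path, pat):
            return True
    return False

def added_lines(unified_diff):
    """Yield (path, new_line_no, text) for each '+' line of a unified diff: the
    'only changed lines in pull requests' scope the README describes."""
    path, new_no = None, 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip().removeprefix("b/")
        elif raw.startswith("@@"):
            new_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path is not None:
            yield path, new_no, raw[1:]
            new_no += 1
        elif path is not None and not raw.startswith(("-", "\\")):
            new_no += 1  # unchanged context line; removed lines do not advance

def scan(unified_diff, *, sensitive_words_text="", custom_patterns="[]",
         exclude_files="*.min.js,*.lock,package-lock.json,yarn.lock,*.map",
         severity_level="medium", fail_on_detection=True):
    """Scan added lines; return the README's three outputs plus the findings."""
    rules = compile_rules(custom_patterns, load_sensitive_words(sensitive_words_text))
    threshold = SEVERITY_RANK[severity_level]
    findings = []
    for path, line_no, text in added_lines(unified_diff):
        if is_excluded(path, exclude_files):
            continue
        for name, rx, sev in rules:
            if SEVERITY_RANK[sev] >= threshold and rx.search(text):
                findings.append({"file": path, "line": line_no, "rule": name, "severity": sev})
    status = "passed" if not findings else ("failed" if fail_on_detection else "warning")
    return {"findings": findings, "findings-count": len(findings),
            "has-high-severity": any(f["severity"] == "high" for f in findings),
            "scan-status": status}

# Constructed diff: a leaked connection string, a dev URL, a TODO/hack comment, and a minified bundle.
SAMPLE_DIFF = """\
--- a/src/config.py
+++ b/src/config.py
@@ -1,2 +1,4 @@
 import os
-DB_URL = os.environ["DB_URL"]
+DB_URL = "postgres://app:s3cretpass@db.internal:5432/app"
+API_BASE = "http://localhost:8080"
+# TODO: hack around the auth check until the security review
--- a/dist/app.min.js
+++ b/dist/app.min.js
@@ -1 +1 @@
-var x=1;
+var p="password = 'hunter2'";eval(src);
"""
SAMPLE_WORDS = "# org terms\npassword\nsecret\napikey\ntoken\nconfidential\ninternal_only\n"  # constructed

if __name__ == "__main__":
    report = scan(SAMPLE_DIFF, sensitive_words_text=SAMPLE_WORDS,
                  custom_patterns='["(?i)todo.*hack", "(?i)fixme.*security"]',
                  exclude_files="*.min.js,*.bundle.js,dist/**,build/**",
                  severity_level="low", fail_on_detection=False)
    for f in report["findings"]:
        print(f"{f['severity']:6} {f['file']}:{f['line']}  {f['rule']}")
```

Run with the advanced configuration from the examples above, the script reports the connection string (high), the localhost URL (low) and the TODO/hack comment (medium) in `src/config.py`, while `dist/app.min.js` is skipped by `dist/**` (and by the default `*.min.js`). With the default inputs only the high-severity connection string clears the `medium` threshold and the status is `failed`; lowering `severity-level` to `low` and clearing `exclude-files` is what surfaces the hardcoded password and `eval` call in the bundle.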
Security notes:

- The action only scans changed lines in pull requests
- No sensitive data is stored or transmitted outside GitHub
- All processing happens within your GitHub Actions environment
- Comments are posted using the provided GitHub token's permissions
We welcome contributions!
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
Related projects:

- GitLeaks Action - Another secret scanning tool
- TruffleHog - Secrets scanner
- Semgrep - Static analysis tool
⭐ If this action helps you, please consider giving it a star!