action-detect-secrets
GitHub Action: Run detect-secrets with reviewdog
This action runs detect-secrets with reviewdog on pull requests to improve code review experience.

Inputs
github_token
Required. Must be in the form github_token: ${{ secrets.github_token }}.
workdir
Optional. The directory from which to look for and run detect-secrets. Default '.'
filter_mode
Optional. Reviewdog filter mode [added, diff_context, file, nofilter].
It's the same as the -filter-mode flag of reviewdog.
fail_on_error
Whether reviewdog should fail when errors are found. [true,false]
This is useful for failing CI builds in addition to adding comments when errors are found.
It's the same as the -fail-on-error flag of reviewdog.
level
Optional. Report level for reviewdog [info,warning,error].
It's the same as the -level flag of reviewdog.
reporter
Reporter of the reviewdog command [github-pr-check,github-pr-review,github-check]. Default is github-pr-check. github-pr-review can use Markdown and add a link to the rule page in reviewdog reports.
reviewdog_flags
Optional. Additional reviewdog flags.
detect_secrets_flags
Optional. Flags and args of detect-secrets command.
The default is --all-files --force-use-all-plugins.
baseline_path
Optional. The path to pass to the --baseline argument of the detect-secrets command.
If provided, the baseline file is updated with newly discovered secrets; otherwise it is created.
The default is empty, so the baseline is created or overwritten.
Example usage
.github/workflows/reviewdog.yml
name: reviewdog
on: [pull_request]
jobs:
  detect-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: detect-secrets
        uses: reviewdog/action-detect-secrets@master
        with:
          reporter: github-pr-review # Change reporter.
Troubleshooting
False positives
It is possible to disable detection for individual lines of code in case of false positives.
To do this, add a comment at the end of the line with the text pragma: allowlist secret.
public_key: | # pragma: allowlist secret
  gX69YO4CvBsVjzAwYxdG
  yDd30t5+9ez31gKATtj4
Or add a comment with the text pragma: allowlist nextline secret before the line.
# pragma: allowlist nextline secret
public_key = gX69YO4CvBsVjzAwYxdG
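As an added illustration (not part of this README or of detect-secrets itself), the Python sketch below reimplements the two pragma rules above around a simplified Shannon-entropy token check, so a reviewer can see exactly which lines each suppression comment covers. The token pattern and the entropy threshold are assumptions standing in for detect-secrets' real plugins, and the sample input is constructed from the README's placeholder strings.

```python
import math
import re

# Hypothetical stand-in for a detect-secrets high-entropy plugin: any run of 20+
# base64-style characters with high Shannon entropy is a hit. Both the pattern
# and the threshold are assumptions for this illustration, not detect-secrets' own.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
ENTROPY_THRESHOLD = 3.0

# The two suppression comments documented above.
ALLOW_LINE = "pragma: allowlist secret"
ALLOW_NEXT = "pragma: allowlist nextline secret"


def shannon_entropy(token: str) -> float:
    """Bits per character of the token's character distribution."""
    n = len(token)
    return -sum(token.count(c) / n * math.log2(token.count(c) / n) for c in set(token))


def scan(source: str) -> list[tuple[int, str]]:
    """Return (line_number, token) findings, honouring both pragmas."""
    findings = []
    skip_next = False
    for lineno, line in enumerate(source.splitlines(), start=1):
        if ALLOW_NEXT in line:      # comment line: suppress only the line after it
            skip_next = True
            continue
        if skip_next:               # covered by the preceding nextline pragma
            skip_next = False
            continue
        if ALLOW_LINE in line:      # trailing pragma: suppress this line only
            continue
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, tok))
    return findings


# Constructed sample input reusing the README's placeholder strings.
SAMPLE = """\
password = "gX69YO4CvBsVjzAwYxdG"
public_key = "gX69YO4CvBsVjzAwYxdG"  # pragma: allowlist secret
# pragma: allowlist nextline secret
public_key = "gX69YO4CvBsVjzAwYxdG"
padding = "aaaaaaaaaaaaaaaaaaaa"
token = "yDd30t5+9ez31gKATtj4"
"""

if __name__ == "__main__":
    for lineno, tok in scan(SAMPLE):
        print(f"line {lineno}: possible secret {tok!r}")
```

Lines 2 and 4 of the sample are suppressed by the two pragmas, line 5 is dropped by the entropy filter, and lines 1 and 6 are reported.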