6/13/2022
On June 2, 2022, we released Gitleaks Action v2. There are a boatload of improvements in v2, but it also represents a breaking change from the prior version (v1.6.0). We haven't merged v2 to the master branch yet because we noticed that many users of Gitleaks Action don't pin their version. If you are using zricethezav/gitleaks-action@master (or now gitleaks/gitleaks-action@master), then as soon as we merge v2 to master, your jobs will start failing.
For full details, see the rest of the v2 README. Here is the quick list of changes to your .yml.

To upgrade to v2:

- Change the "uses" line to `uses: gitleaks/gitleaks-action@v2`
- Add an `env:` section with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`
- If you are scanning repos that belong to an organization, you'll also have to acquire a GITLEAKS_LICENSE, add the license to your GitHub Secrets, and add this line to the `env:` section: `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}`

To stay on the old version for now instead:

- Change your "uses" line to `uses: gitleaks/gitleaks-action@v1.6.0`
- Set a reminder to upgrade to v2 later.
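A complete workflow file that puts those v2 changes together, as an added example rather than a snippet from the project's README; the push/pull_request triggers and the checkout step with `fetch-depth: 0` are assumptions beyond what this post states:

```yaml
name: gitleaks

# push and pull_request catch leaks as they land (v2 comments on PRs);
# workflow_dispatch allows on-demand scans from the Actions tab.
on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Assumption (not stated in this post): check out full history so
      # gitleaks can scan every commit rather than only the tip.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # Pin to the v2 major version instead of @master so a future
      # breaking release does not silently fail your jobs.
      - uses: gitleaks/gitleaks-action@v2
        env:
          # Required in v2; lets the action read the repo and comment on PRs.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only required when scanning repos owned by an organization.
          # Store the license as a GitHub Secret, never in the workflow file.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

For a personal repo you can drop the `GITLEAKS_LICENSE` line entirely; the `GITHUB_TOKEN` line is needed in both cases.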
If you are using Gitleaks-Action v2 to scan repos owned by an Organization, you will find that you need to acquire a GITLEAKS_LICENSE in order for the action to run. A "Starter" license to scan 1 repo is free, but scanning more than 1 repo belonging to the same organization requires a paid license. This raises the obvious question:
Is v2 really worth paying for?
It's a fair question. We think that the new features and improvements in v2 deliver exceptional value for the price. We put together a list of some of the top reasons we think v2 is worth paying for.
You can now use workflow_dispatch events to trigger on-demand gitleaks scans.
Not much more to say here. Download reports when leaks are present. Pretty useful feature.
The latest version of gitleaks (v8.8.6 at the time of writing) has better performance, more configuration options, and is more accurate than the previous major version.
Easy to understand report of a Gitleaks job. If no leaks are detected you'll see:
If leaks are detected you'll see something like:
Gitleaks-Action Version 2 does not rely on Docker build anymore.
If a leak is encountered during a pull request, gitleaks-action will comment on the line number and commit containing the secret.
Gitleaks is used by thousands (millions?) of developers around the world. It is used by individuals, governments, and corporations to prevent and detect leaked secrets. Until now, everything associated with gitleaks has been Free and Open Source under the MIT License, maintained primarily as a side project by 1 person. Let's be honest, that wasn't a sustainable model (and it was starting to feel like an xkcd comic).
By buying a GITLEAKS_LICENSE to use v2, you are supporting the gitleaks project as a whole and helping to ensure the longevity of the project.