Skip to content
shield

GitHub Action

Run detect-secrets with reviewdog

v0.28.1 Latest version

Run detect-secrets with reviewdog

shield

Run detect-secrets with reviewdog

🐶 Run detect-secrets with reviewdog on pull requests to improve code review experience

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Run detect-secrets with reviewdog

uses: reviewdog/[email protected]

Learn more about this action in reviewdog/action-detect-secrets

Choose a version

GitHub Action: Run detect-secrets with reviewdog

This action runs detect-secrets with reviewdog on pull requests to improve code review experience.

detect-secrets-1

Inputs

github_token

Required. Must be in form of github_token: ${{ secrets.github_token }}'.

workdir

Optional. The directory from which to look for and run detect-secrets. Default '.'

filter_mode

Optional. Reviewdog filter mode [added, diff_context, file, nofilter] It's the same as the -filter-mode flag of reviewdog.

fail_level

Optional. If set to none, always use exit code 0 for reviewdog. Otherwise, exit code 1 for reviewdog if it finds at least 1 issue with severity greater than or equal to the given level. Possible values: [none, any, info, warning, error] Default is none.

fail_on_error

Deprecated, use fail_level instead. Whether reviewdog should fail when errors are found. [true,false] This is useful for failing CI builds in addition to adding comments when errors are found. It's the same as the -fail-on-error flag of reviewdog.

level

Optional. Report level for reviewdog [info,warning,error]. It's same as -level flag of reviewdog.

reporter

Reporter of reviewdog command [github-pr-check,github-pr-review,github-check]. Default is github-pr-check. github-pr-review can use Markdown and add a link to rule page in reviewdog reports.

reviewdog_flags

Optional. Additional reviewdog flags.

detect_secrets_flags

Optional. Flags and args of detect-secrets command. The default is --all-files --force-use-all-plugins. This can be used to exclude paths, secrets or lines to ignore false positives.

baseline_path

Optional. The path to provide to --baseline argument of detect-secrets command. If provided, the baseline file will be updated with newly discovered secrets, otherwise it will be created. The default is empty, so baseline created or overwritten.

Example usage

name: reviewdog
on: [pull_request]
jobs:
  detect-secrets:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: detect-secrets
      uses: reviewdog/action-detect-secrets@master
      with:
        reporter: github-pr-review # Change reporter.

Configuration

Preventing false positives

Since the detect-secrets CLI can report false positives, it is likely you will have to configure it by using the detect_secrets_flags input to ignore any or use inline comments. There are 4 filtering options to ignore false positives: