This reusable workflow runs Gitleaks to detect hardcoded secrets in pull requests. It is designed to be called from organization/module repositories via `workflow_call`.

Use this workflow when you want a centralized and consistent secret-scanning gate managed from `clouddrove/github-shared-workflows`.

- ✅ Reusable `workflow_call` implementation
- 🔐 Detects leaked credentials/secrets in PR code changes
- 🧩 Can be consumed by `.github` policy repos and module repos
- 🛡️ Uses `GITHUB_TOKEN` from caller context (`secrets: inherit`)
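
```yaml
name: Gitleaks PR Secret Scan

# Scan on every pull request; workflow_dispatch allows a manual run.
on:
  pull_request:
  workflow_dispatch:

# Read-only repository access for the GITHUB_TOKEN; the called workflow
# cannot be granted more than the caller allows here.
permissions:
  contents: read

jobs:
  gitleaks:
    # @master tracks the branch head of the shared-workflows repo;
    # a commit SHA in its place gives an immutable reference.
    uses: clouddrove/github-shared-workflows/.github/workflows/gitleaks-pr-scan.yml@master
    # Passes the caller's secrets through to the reusable workflow.
    secrets: inherit
```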