The official GitHub Action for SecretsBuster. Automatically scan your deployed websites for leaked secrets on every push and pull request. Block risky deployments before attackers find your exposed credentials.
Add secret scanning to your GitHub workflow in minutes
Visit the subscription page to create an account and get your API key. You can also manage your existing account.
Go to your repository's Settings → Secrets and variables → Actions and add your API key as SB_API_KEY.
Add the workflow file below to .github/workflows/ and start scanning on every push.
Simple YAML configuration for automated secret scanning
```yaml
name: SecretsBuster Scan
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run SecretsBuster scanner
        uses: rank0-dev/secretsbuster-scan-action@v1
        with:
          sb-api-key: ${{ secrets.SB_API_KEY }}
          targets: |
            https://example.com
            https://staging.example.com
```
Inputs and outputs for the SecretsBuster Scan Action
| Input | Description | Required |
|---|---|---|
| sb-api-key | Your SecretsBuster API key | Yes |
| targets | URLs to scan (one per line) | Yes |
Use the pipe syntax (|) to specify multiple target URLs, one per line. Invalid URLs are logged as warnings and recorded as ERROR.
| Output | Description |
|---|---|
| scan-results | JSON array of scan results for each target |
Use ${{ steps.<step-id>.outputs.scan-results }} to access results in subsequent steps.
The action outputs detailed results for each scanned URL
```json
[
  {
    "url": "https://example.com",
    "scanResult": "SAFE",
    "reportPublicId": "432fa629-899a-42ed-9714-cb9878ec2ae7"
  },
  {
    "url": "https://leaky-example.com",
    "scanResult": "LEAKY",
    "reportPublicId": "b130c67f-8c2b-4c66-97a6-78e5d20b5a3b"
  }
]
```
| Result | Meaning |
|---|---|
| SAFE | No secrets detected. Your site is clean. |
| LEAKY | Secrets were found. The action will fail the workflow. |
| ERROR | Scan failed or the target was invalid. The action will fail. |
Use the reportPublicId with our REST API to retrieve full details about detected secrets.
The action handles the complete scan lifecycle automatically
The action submits scan requests and polls every 15 seconds until scans reach CRAWLED or ERROR state.
The action fails if any target returns LEAKY or ERROR. This blocks deployments with exposed credentials.
Full scan progress is logged to the workflow console. Invalid targets are logged as warnings.
Simplify your workflow compared to raw API calls
| Feature | SecretsBuster Action | Manual curl Commands |
|---|---|---|
| Setup Complexity | 3 lines of YAML | 30+ lines of shell script |
| Multiple Targets | Built-in support | Manual looping required |
| Polling Logic | Automatic | Write your own |
| Error Handling | Built-in | Manual implementation |
| Structured Output | Native GitHub output | Parse JSON manually |
Use scan results in downstream workflow steps
```yaml
name: SecretsBuster with Notifications
on:
  schedule:
    - cron: '0 6 * * *' # Daily at 6 AM
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Scan production sites
        id: secretsbuster
        uses: rank0-dev/secretsbuster-scan-action@v1
        with:
          sb-api-key: ${{ secrets.SB_API_KEY }}
          targets: |
            https://www.mysite.com
            https://api.mysite.com
            https://app.mysite.com
      - name: Process results
        if: always()
        run: |
          echo "Scan results:"
          echo '${{ steps.secretsbuster.outputs.scan-results }}' | jq .
      - name: Notify on failure
        if: failure()
        run: |
          # Send alert to Slack, PagerDuty, etc.
          echo "Secrets detected! Check the scan results."
```
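As an added example (not part of the SecretsBuster action or this page), the script below shows what a "Process results" step can do with the scan-results output beyond printing it: it parses the JSON array in the format documented above, counts targets per result, lists the targets that fail the action's documented policy (LEAKY or ERROR) together with their reportPublicId for the REST API follow-up, and exits non-zero in that case. It goes slightly beyond the page in one respect: any value other than SAFE is treated as failing, so an unexpected result never passes silently. The SCAN_RESULTS environment variable, the sample JSON and its report ids are assumptions of this example, not values from the action.

```python
"""Post-process SecretsBuster scan-results JSON in a downstream workflow step.

Added example, not part of the SecretsBuster action. It assumes the JSON array
format shown on this page ("url", "scanResult", "reportPublicId") and the
documented policy that LEAKY or ERROR targets fail the run; anything other
than SAFE is treated as failing (fail closed).
"""
import json
import os
import sys

# Constructed sample in the documented output format; the report ids are
# placeholders, not real SecretsBuster report identifiers.
SAMPLE_RESULTS = json.dumps([
    {"url": "https://example.com", "scanResult": "SAFE",
     "reportPublicId": "00000000-0000-0000-0000-000000000001"},
    {"url": "https://leaky-example.com", "scanResult": "LEAKY",
     "reportPublicId": "00000000-0000-0000-0000-000000000002"},
    {"url": "not a url", "scanResult": "ERROR",
     "reportPublicId": ""},
])


def parse_results(raw):
    """Parse the scan-results JSON and normalise each entry to the documented keys."""
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("scan-results must be a JSON array")
    results = []
    for entry in data:
        if not isinstance(entry, dict):
            raise ValueError("each scan result must be a JSON object")
        results.append({
            "url": str(entry.get("url", "")),
            # A missing scanResult is treated as ERROR so it cannot pass silently.
            "scanResult": str(entry.get("scanResult", "ERROR")),
            "reportPublicId": str(entry.get("reportPublicId", "")),
        })
    return results


def summarize(results):
    """Count targets per scanResult value, e.g. {"SAFE": 1, "LEAKY": 1}."""
    counts = {}
    for r in results:
        counts[r["scanResult"]] = counts.get(r["scanResult"], 0) + 1
    return counts


def failing_targets(results):
    """Targets that should fail the workflow: everything that is not SAFE."""
    return [r for r in results if r["scanResult"] != "SAFE"]


def should_fail(results):
    """True when at least one target is LEAKY, ERROR or otherwise not SAFE."""
    return bool(failing_targets(results))


def build_alert(results):
    """One line per failing target, with the report id to look up via the REST API."""
    lines = []
    for r in failing_targets(results):
        report = r["reportPublicId"] or "<no report id>"
        lines.append(f"{r['scanResult']}: {r['url']} (report {report})")
    return "\n".join(lines)


def main():
    # SCAN_RESULTS is assumed to be set by the workflow from the action output;
    # the constructed sample is used so the script also runs stand-alone.
    raw = os.environ.get("SCAN_RESULTS") or SAMPLE_RESULTS
    results = parse_results(raw)
    print("Summary:", summarize(results))
    if should_fail(results):
        print(build_alert(results))
        return 1
    print("All targets SAFE")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In a workflow, pass the output to the script through the step's env block (for example SCAN_RESULTS set to the scan-results expression) rather than interpolating the expression into the run command line; the script then reads it from the environment, which keeps the JSON out of the shell's parsing entirely.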
Get your API key and start scanning for leaked secrets on every deployment.