Merged
114 changes: 81 additions & 33 deletions README.md
Expand Up @@ -19,24 +19,24 @@ The following workflow step will scan for secret leaks in your repository.
```yml
- name: Infisical Secrets Check
id: secrets-scan
uses: guibranco/github-infisical-secrets-check-action@v4.1.0
```
uses: guibranco/github-infisical-secrets-check-action@v5.0.1
````

---

## Inputs

| Input | Description | Required | Default |
|-------|-------------|----------|---------|
| `GH_TOKEN` | GitHub token to add comments in pull requests | No | `${{ github.TOKEN }}` |
| `ADD_COMMENT` | Whether to comment results in the pull request | No | `true` |
| Input | Description | Required | Default |
| ------------- | ---------------------------------------------- | -------- | --------------------- |
| `GH_TOKEN` | GitHub token to add comments in pull requests | No | `${{ github.TOKEN }}` |
| `ADD_COMMENT` | Whether to comment results in the pull request | No | `true` |

---

## Outputs

| Output | Description |
|--------|-------------|
| Output | Description |
| ---------------- | ------------------------------------------------------------ |
| `secrets-leaked` | The number of secrets leaked found by the Infisical CLI tool |

---
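Review bot: the closing fence at the end of the first workflow snippet was changed from ``` to ```` (four backticks) while the opening fence is still ```yml; CommonMark tolerates a longer closing fence, but it is inconsistent with every other block in this README and easy to trip over when copying, so restore the three-backtick close. While every `uses: guibranco/github-infisical-secrets-check-action@v5.0.1` line is being touched in this PR, consider also showing the action pinned to a full commit SHA with the tag in a trailing comment, since a tag is mutable and the README's examples are what downstream workflows copy.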
Expand All @@ -60,9 +60,11 @@ jobs:
pull-requests: write
steps:
- name: Infisical Secrets Check
uses: guibranco/github-infisical-secrets-check-action@v4.1.0
uses: guibranco/github-infisical-secrets-check-action@v5.0.1
```

---

### With a custom GitHub token

```yml
Expand All @@ -80,13 +82,15 @@ jobs:
pull-requests: write
steps:
- name: Infisical Secrets Check
uses: guibranco/github-infisical-secrets-check-action@v4.1.0
uses: guibranco/github-infisical-secrets-check-action@v5.0.1
with:
GH_TOKEN: ${{ secrets.CUSTOM_GH_TOKEN }}
```

Remember to add the repository secret `CUSTOM_GH_TOKEN`.

---

### Disable PR comments

```yml
Expand All @@ -104,11 +108,13 @@ jobs:
pull-requests: write
steps:
- name: Infisical Secrets Check
uses: guibranco/github-infisical-secrets-check-action@v4.1.0
uses: guibranco/github-infisical-secrets-check-action@v5.0.1
with:
ADD_COMMENT: false
```

---

### Using outputs in subsequent steps

```yml
Expand All @@ -127,7 +133,7 @@ jobs:
steps:
- name: Infisical Secrets Check
id: secrets-scan
uses: guibranco/github-infisical-secrets-check-action@v4.1.0
uses: guibranco/github-infisical-secrets-check-action@v5.0.1

- name: Handle secrets found
if: steps.secrets-scan.outputs.secrets-leaked > 0
Expand All @@ -144,44 +150,65 @@ jobs:

![success](success.png)

---

### Failure - 🚨 Secrets leaked!

Version 5 introduces an improved remediation workflow:

When secrets are detected, the action now:

* Shows detected fingerprints
* Generates `.infisicalignore` update suggestions
* Provides a **Commit suggestion button directly inside the PR comment**
* Automatically creates or updates `.infisicalignore`
* Prevents duplicate fingerprints

This allows contributors to fix false positives **without leaving the pull request UI**.

![failure](failure.png)

---

### Tool Failure - ⚠️ Unable to complete scan

When the Infisical CLI fails to run (due to network issues, API rate limiting, etc.), the action will post a clear error message:

- Explains that this is a tool failure, not a security issue
- Provides suggestions for resolution (re-run workflow, check logs)
- Includes a link to workflow logs for debugging
- Clarifies that the failure doesn't mean secrets were found
* Explains that this is a tool failure, not a security issue
* Provides suggestions for resolution (re-run workflow, check logs)
* Includes a link to workflow logs for debugging
* Clarifies that the failure doesn't mean secrets were found

---

## Features

- πŸ” **Comprehensive Scanning**: Uses the latest Infisical CLI to scan for secrets in your repository
- πŸ’¬ **Smart PR Comments**: Automatically adds detailed comments to pull requests with scan results
- πŸ“Š **Detailed Reports**: Provides CSV and Markdown reports of found secrets
- πŸ”’ **Fork-Safe**: Safely handles pull requests from forks by disabling comments
- ⚑ **Efficient Caching**: Caches CLI downloads and dependencies for faster runs
- πŸ›‘οΈ **Robust Error Handling**: Distinguishes between tool failures and actual security issues
- πŸ“ **Actionable Guidance**: Provides clear next steps for different scenarios
- πŸ”§ **Configurable**: Customize token usage and comment behavior
* πŸ” **Comprehensive scanning** using the latest Infisical CLI
* πŸ’¬ **Smart PR comments** with structured scan results
* 🧠 **Interactive remediation workflow (new in v5)** with commit suggestion support
* πŸ“ **Automatic `.infisicalignore` generation/update suggestions**
* 🧹 **Duplicate fingerprint prevention**
* πŸ“Š **Detailed CSV and Markdown reports**
* πŸ”’ **Fork-safe execution**
* ⚑ **Efficient dependency caching**
* πŸ›‘οΈ **Robust failure detection and reporting**
* πŸ“Ž **Workflow-friendly outputs**
* πŸ”§ **Configurable comment behavior**

---

## Error Handling

Version 4 introduces improved error handling that prevents confusing empty comments:
Version 4 introduced improved error handling that prevents confusing empty comments.

Version 5 builds on this by improving remediation guidance:

- **Tool Installation Failures**: Clear messages when CLI download or installation fails
- **API Rate Limiting**: Graceful handling of GitHub API limits
- **Network Issues**: Proper detection and reporting of connectivity problems
- **Scan Execution Errors**: Distinguishes between tool failures and secrets detection
* Generates commit suggestions for ignore rules
* Prevents duplicate ignore entries
* Improces PR workflow ergonomics
* Keeps scan failures clearly separated from security failures

The action will fail the workflow appropriately, providing users with meaningful feedback on what went wrong and how to resolve it.
The action will fail the workflow appropriately, providing meaningful feedback on what went wrong and how to resolve it.

---

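Review bot: the new "Failure" and "Error Handling" text presents the commit suggestion as a fix for false positives, but the steps listed (shows detected fingerprints, generates `.infisicalignore` update suggestions, prevents duplicate fingerprints) read as if every detected fingerprint is added to the suggestion; the README should state explicitly whether the suggestion covers all findings or only those the reviewer selects, because an ignore entry silences that finding on every future run. Two smaller points: `Improces PR workflow ergonomics` should read `Improves PR workflow ergonomics`, and the four v4 bullets (tool installation failures, API rate limiting, network issues, scan execution errors) were removed rather than kept alongside the v5 list, so the "Error Handling" section no longer says which failure classes are detected even though the "Tool Failure" section above still cites network issues and API rate limiting.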
Expand All @@ -191,12 +218,33 @@ The action requires the following permissions:

```yml
permissions:
contents: read # Required to checkout and scan the repository
pull-requests: write # Required to add comments to PRs
contents: read
pull-requests: write
```

---

## Ignoring False Positives

If the scan detects false positives, you can ignore them by creating a `.infisicalignore` file in your repository root with the secret fingerprints provided in the scan results.
If the scan detects false positives:

Version 5 allows you to fix them directly from the PR comment.

The action now automatically:

1. Detects whether `.infisicalignore` exists
2. Creates the file if missing
3. Appends fingerprints if present
4. Removes duplicates automatically
5. Generates a **Commit suggestion button**

Simply click the suggestion button inside the PR comment to apply the ignore list instantly.

Manual fallback (still supported):

Create a `.infisicalignore` file at repository root:

```
fingerprint_value_here
another_fingerprint_here
```
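Review bot: the `permissions` block lost its two inline comments (`# Required to checkout and scan the repository`, `# Required to add comments to PRs`) with no replacement; please keep them, since they tell users why each scope is needed. Related: the new "Ignoring False Positives" steps say the action "Creates the file if missing" and "Appends fingerprints", yet `contents` stays `read`; clarify that the action only proposes the change through the commit suggestion button and the user's click is what writes the file, otherwise readers will expect `contents: write` to be required. Minor: `If the scan detects false positives:` is left dangling as its own paragraph before `Version 5 allows you to fix them directly from the PR comment.` (merge them into one sentence), and the final fence carries no language tag where every other block uses ```yml; `text` would fit.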