CI/CD Integration

GitHub Actions

Add Redactyl to your GitHub Actions workflows with SARIF integration

Basic Workflow

Add this workflow to .github/workflows/redactyl.yml:

name: Secret Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for git scanning

      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Install Redactyl
        run: go install github.com/redactyl/redactyl@latest

      - name: Run Redactyl scan
        run: redactyl scan --sarif > redactyl.sarif.json

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: redactyl.sarif.json

SARIF Integration

SARIF output integrates with GitHub Code Scanning. Findings appear:

  • In the Security tab
  • As annotations on PRs
  • In the code view

Container Image Scanning

Scan images before pushing them to a registry:

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Install Redactyl
        run: go install github.com/redactyl/redactyl@latest

      - name: Scan image
        run: |
          docker save myapp:${{ github.sha }} > image.tar
          redactyl scan image.tar --sarif > redactyl.sarif.json

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: redactyl.sarif.json

PR Comments

Add findings as PR comments. The comment step needs the `pull-requests: write` permission on the job, and if the scan step exits non-zero when it finds secrets, give it `continue-on-error: true` so the comment step still runs:

- name: Run Redactyl scan
  id: scan
  run: |
    redactyl scan --json > findings.json
    echo "count=$(jq length findings.json)" >> "$GITHUB_OUTPUT"

- name: Comment on PR
  # context.issue.number is only set for pull_request events
  if: github.event_name == 'pull_request' && steps.scan.outputs.count > 0
  uses: actions/github-script@v7
  with:
    script: |
      const findings = require('./findings.json');
      const body = `## Redactyl found ${findings.length} secrets\n\n` +
        findings.map(f => `- \`${f.detector}\` in ${f.file}:${f.line}`).join('\n');
      // Await the API call so a failure fails the step instead of being silently dropped
      await github.rest.issues.createComment({
        owner: context.repo.owner,
        repo: context.repo.repo,
        issue_number: context.issue.number,
        body
      });
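As an added example (not Redactyl's own code), the Python below builds a minimal SARIF 2.1.0 log of the shape upload-sarif accepts from the same JSON findings the PR-comment step reads, and reproduces the comment markdown as a plain function. It assumes each finding carries the detector, file and line fields shown above; the sample findings are constructed.

```python
import json

# Constructed sample shaped like findings.json; two findings share a detector.
SAMPLE_FINDINGS = [
    {"detector": "aws-access-key", "file": "config/prod.env", "line": 12},
    {"detector": "github-token", "file": ".github/workflows/deploy.yml", "line": 41},
    {"detector": "aws-access-key", "file": "scripts/deploy.sh", "line": 7},
]

def findings_to_sarif(findings, tool_name="redactyl"):
    """One SARIF rule per distinct detector, one result per finding."""
    rules = {}
    results = []
    for f in findings:
        rule_id = f["detector"]
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f"{rule_id} secret detected"},
        })
        results.append({
            "ruleId": rule_id,
            "level": "error",
            # Report the location only; never copy the matched secret into the message.
            "message": {"text": f"Possible {rule_id} secret"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},  # repo-relative path
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }

def pr_comment_body(findings):
    """Same markdown the github-script step builds, as a testable function."""
    lines = [f"- `{f['detector']}` in {f['file']}:{f['line']}" for f in findings]
    return f"## Redactyl found {len(findings)} secrets\n\n" + "\n".join(lines)

if __name__ == "__main__":
    print(json.dumps(findings_to_sarif(SAMPLE_FINDINGS), indent=2))
    print(pr_comment_body(SAMPLE_FINDINGS))
```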

Scheduled Scans

Scan main branch on a schedule:

on:
  schedule:
    - cron: '0 0 * * *'  # Daily at midnight UTC

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go install github.com/redactyl/redactyl@latest
      - run: redactyl scan --no-tui

Helm Chart Scanning

- name: Scan Helm charts
  run: redactyl scan --helm ./charts --sarif > redactyl.sarif.json

Using Baseline

Suppress findings already recorded in a baseline file:

- name: Run Redactyl with baseline
  run: redactyl scan --baseline .redactyl-baseline.json --sarif > redactyl.sarif.json

Fail on Severity

Fail only on high-severity findings:

- name: Run Redactyl scan
  run: redactyl scan --severity high --no-tui

Matrix Strategy

Scan several images in parallel with a matrix job:

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image: [api, web, worker]
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - run: go install github.com/redactyl/redactyl@latest
      - run: redactyl scan --image myorg/${{ matrix.image }}:latest