Scan GitHub Actions logs for secrets accidentally echoed to stdout and quote each occurrence with a masking suggestion for the workflow.
Scans GitHub Actions run logs for evidence that a secret was echoed to stdout (or stderr) without masking. For each suspect line, suggests a workflow change (add-mask directive or env-var indirection) to prevent recurrence.
Inputs:
- repo: <owner>/<name> for the GitHub repo.
- run_ids: comma-separated run IDs to scan, or latest:N for the last N runs.
- GITHUB_TOKEN env var with actions:read scope.
- secret_names: explicit list of secret names registered in the org/repo (so the scan can also look for the names in the logs).

Steps:
1. List runs with gh run list --repo <repo> --limit <N> if run_ids=latest:N, else use the explicit list.
2. Download each run's log with gh run view <run_id> --log to a file per run.
3. Search each log for known secret formats: AWS access key IDs \bAKIA[0-9A-Z]{16}\b, GitHub tokens \bgh[pousr]_[A-Za-z0-9]{36,255}\b, Slack tokens \bxox[bpoars]-[A-Za-z0-9-]{10,72}\b, plus lines with echo or = markers.
4. Look for "Setting up MASK for value" lines; if a mask was set, the leak is a double-redaction failure (rare) or a substring leak.
5. If secret_names is provided, search the logs for those names appearing alongside = to detect leaks via debug print.
6. Redact every matched value ([REDACTED] for the report).
7. Suggest a fix per finding: echo "::add-mask::${{ secrets.X }}"; or rewrite run: echo $X to never echo at all; or use core.setSecret(value) from @actions/core in JS actions.

Output: secret-leak-report.md with a per-finding section: run link, step name, redacted excerpt, suggested workflow patch. Plus a CSV secret-leaks.csv for tracking. Exit 1 if any finding is found.
For each finding, rerun the workflow with the proposed fix on a feature branch and re-scan the new run's logs; the regex match must drop to zero. Confirm secret-leaks.csv has one row per occurrence (avoid double-counting the same line). Cross-check by triggering the GitHub secret-scanning push protection — if it would have caught the leak, the report should note severity as critical.
Edge cases:
- Values already masked (***): the regex won't match the secret value, but the mask itself signals near-misses; surface as info.
- gh run view --log may be incomplete; warn and recommend mirroring logs centrally.
- Support a .secret-scan-allowlist file with regex exceptions.
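As an added example, not the skill's own code: a self-contained Python scanner that applies the three value patterns from the steps above, the secret_names check, the masked-value near-miss rule and the allowlist, and emits one CSV row per matching line with the value redacted. The tab-separated job/step/message line shape of gh run view --log, the *** mask marker, and every sample log value are assumptions or constructed for the demo; the Markdown report is left out.

```python
import csv
import io
import re
from dataclasses import dataclass

# Secret-value formats from the skill description (AWS access key ID, GitHub token, Slack token).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,255}\b"),
    "slack_token": re.compile(r"\bxox[bpoars]-[A-Za-z0-9-]{10,72}\b"),
}
ECHO_MARKER = re.compile(r"\becho\b|=")   # a value was printed or assigned on this line
MASKED_VALUE = re.compile(r"\*\*\*")       # assumed: what the runner prints for a masked secret


@dataclass
class Finding:
    run_id: str
    line_no: int
    step: str
    kind: str
    severity: str
    excerpt: str        # already redacted, safe to paste into the report
    suggestion: str


def load_allowlist(text):
    """Parse a .secret-scan-allowlist: one regex per line, '#' starts a comment."""
    return [re.compile(p.strip()) for p in text.splitlines()
            if p.strip() and not p.lstrip().startswith("#")]


def suggestion_for(kind, secret_name="X"):
    if kind == "masked":
        return "Value was masked; confirm the step never prints a substring or derived value."
    return (f'Run echo "::add-mask::${{{{ secrets.{secret_name} }}}}" before the value can be '
            "printed, or rewrite the step so it never echoes it (core.setSecret(value) in JS actions).")


def scan_log(run_id, log_text, secret_names=(), allowlist=()):
    """Return at most one Finding per log line, so the CSV has one row per occurrence."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        # Assumed `gh run view --log` line shape: job<TAB>step<TAB>timestamp message.
        parts = raw.split("\t", 2)
        step, message = (parts[1], parts[2]) if len(parts) == 3 else ("unknown", raw)
        if any(a.search(message) for a in allowlist):
            continue
        kinds = [k for k, pat in PATTERNS.items() if pat.search(message)]
        if kinds:                                   # a secret value is in the log: high
            excerpt = message
            for k in kinds:                         # redact every hit, even several per line
                excerpt = PATTERNS[k].sub("[REDACTED]", excerpt)
            findings.append(Finding(run_id, line_no, step, "+".join(kinds), "high",
                                    excerpt, suggestion_for("value")))
            continue
        name = next((n for n in secret_names
                     if re.search(rf"\b{re.escape(n)}\s*=", message)), None)
        if name:                                    # NAME=value from a debug print: medium
            excerpt = re.sub(rf"(\b{re.escape(name)}\s*=)\S+", r"\1[REDACTED]", message)
            findings.append(Finding(run_id, line_no, step, f"secret_name:{name}", "medium",
                                    excerpt, suggestion_for("value", name)))
            continue
        if MASKED_VALUE.search(message) and ECHO_MARKER.search(message):   # near-miss: info
            findings.append(Finding(run_id, line_no, step, "masked", "info",
                                    message, suggestion_for("masked")))
    return findings


def to_csv(findings):
    """secret-leaks.csv content: header plus one row per finding, excerpts already redacted."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["run_id", "line", "step", "kind", "severity", "excerpt"])
    for f in findings:
        w.writerow([f.run_id, f.line_no, f.step, f.kind, f.severity, f.excerpt])
    return buf.getvalue()


# Constructed sample log; every value is synthetic, none is a real credential.
FAKE_GHP = "ghp_" + "0" * 36
SAMPLE_LOG = "\n".join([
    "build\tCheckout\t2024-01-01T00:00:00Z Run actions/checkout@v4",
    "build\tConfigure AWS\t2024-01-01T00:00:01Z AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001",
    f"build\tAuth\t2024-01-01T00:00:02Z token: {FAKE_GHP}",
    "notify\tSlack\t2024-01-01T00:00:03Z curl -H 'Authorization: Bearer xoxb-0000000000-constructed'",
    "deploy\tPrint token\t2024-01-01T00:00:04Z echo ***",
    "deploy\tDebug env\t2024-01-01T00:00:05Z DEPLOY_KEY=constructed-secret-value",
    "test\tFixtures\t2024-01-01T00:00:06Z using doc example AKIAIOSFODNN7EXAMPLE",
])
ALLOWLIST = load_allowlist("# AWS documentation example key, never a real credential\nAKIAIOSFODNN7EXAMPLE\n")


def run_demo():
    return scan_log("123456", SAMPLE_LOG, secret_names=["DEPLOY_KEY"], allowlist=ALLOWLIST)


if __name__ == "__main__":
    found = run_demo()
    print(to_csv(found))
    raise SystemExit(1 if any(f.severity != "info" for f in found) else 0)   # info alone passes
```

Running the demo yields five findings (three high-severity value leaks, one masked near-miss at info, one NAME=value debug print at medium); the allowlisted AWS documentation key on the last line is skipped, and the redacted excerpts never carry the matched values into the CSV.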
Same domains or capabilities as amitte/gha-secret-leakage-checker.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.
Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.
Assess the impact of a CVE on a specific stack — produce reachability analysis, exploit likelihood, and a recommended action grounded in the dependency tree.