Push Sentinel — Credential Leak Detector

Scans git diffs for exposed API keys and credentials on every push and pull request.

Detected patterns

  • OpenAI API keys
  • GitHub personal access tokens
  • AWS access keys
  • Stripe secret keys
  • Slack tokens
  • Generic high-entropy secrets
  • JWT tokens
  • Private keys (RSA / EC)

Usage

name: Credential Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: Pmaind/push-sentinel-saas/apps/action@main
        with:
          tenant_slug: my-org
          pepper: ${{ secrets.PUSH_SENTINEL_PEPPER }}

Add PUSH_SENTINEL_PEPPER as a repository secret (any random string, e.g. openssl rand -hex 32).

Inputs

Input           Required   Description
tenant_slug                Identifier for your organization
pepper                     Secret used to derive credential fingerprints
block_on_high              Set true to fail the job on high severity findings
block_on_any               Set true to fail the job on any finding
ignore_json                Inline JSON ignore rules: {"lines":[],"patterns":[]}

Outputs

Output          Description
finding_count   Total findings detected
high_count      High severity findings
scan_id         Unique scan identifier
blocked         Whether the job was failed due to block rules

Block on high severity findings

- uses: Pmaind/push-sentinel-saas/apps/action@main
  with:
    tenant_slug: my-org
    pepper: ${{ secrets.PUSH_SENTINEL_PEPPER }}
    block_on_high: true

Ignore known false positives

- uses: Pmaind/push-sentinel-saas/apps/action@main
  with:
    tenant_slug: my-org
    pepper: ${{ secrets.PUSH_SENTINEL_PEPPER }}
    ignore_json: '{"patterns":["test/fixtures"]}'
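As an added worked example (this is not Push Sentinel's own code), the following Python sketch ties together what the sections above describe: detecting the listed credential families in the added lines of a unified diff, deriving a peppered HMAC fingerprint for each finding so it can be tracked and de-duplicated without storing the secret, applying ignore_json rules, and computing the finding_count / high_count / blocked outputs under block_on_high and block_on_any. The regexes, the entropy cutoff for the generic detector, and the meaning assumed for the "lines" and "patterns" ignore rules (substrings of the flagged line and of the file path, respectively) are this example's assumptions; the README only shows the shape of the rules. The sample diff is constructed, and the AWS value in it is AWS's documented example key, not a live credential.

```python
"""Toy credential scanner over a unified diff (constructed example, not Push Sentinel's code)."""
import hashlib
import hmac
import json
import math
import re

# Assumed regexes for the credential families the README lists. They follow the
# publicly documented prefixes of each provider but are this example's own.
PATTERNS = [
    ("github_token", re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"), "high"),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"), "high"),
    ("openai_api_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"), "high"),
    ("slack_token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"), "high"),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "high"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"), "medium"),
]
# Generic detector: long opaque tokens whose Shannon entropy exceeds an assumed cutoff.
GENERIC = re.compile(r"\b[A-Za-z0-9+/=_-]{32,}\b")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed; hex strings top out at 4.0)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def fingerprint(secret: str, pepper: str) -> str:
    """HMAC-SHA256 of the secret keyed by the pepper: a stable id for de-duplication
    and allow-listing that can be stored without storing the secret itself."""
    return hmac.new(pepper.encode(), secret.encode(), hashlib.sha256).hexdigest()[:16]


def added_lines(diff_text: str):
    """Yield (path, new_line_no, text) for every added line in a unified diff."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif not raw.startswith("-"):
            lineno += 1  # context line; removed lines do not advance the new-file counter


def scan_diff(diff_text, pepper, ignore_json="{}", block_on_high=False, block_on_any=False):
    """Scan added lines, apply ignore rules, and return action-style outputs."""
    rules = json.loads(ignore_json)
    findings = []
    for path, lineno, text in added_lines(diff_text):
        # Ignore rules as assumed here: "patterns" are substrings of the file path,
        # "lines" are substrings of the flagged line.
        if any(p in (path or "") for p in rules.get("patterns", [])):
            continue
        if any(s in text for s in rules.get("lines", [])):
            continue
        spans = []
        for name, rx, severity in PATTERNS:
            for m in rx.finditer(text):
                spans.append(m.span())
                findings.append({"type": name, "severity": severity, "path": path,
                                 "line": lineno, "fingerprint": fingerprint(m.group(0), pepper)})
        for m in GENERIC.finditer(text):
            # Skip tokens already attributed to a specific pattern, then apply the entropy test.
            if any(s <= m.start() < e for s, e in spans):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append({"type": "high_entropy", "severity": "medium", "path": path,
                                 "line": lineno, "fingerprint": fingerprint(m.group(0), pepper)})
    high = sum(1 for f in findings if f["severity"] == "high")
    blocked = (block_on_any and bool(findings)) or (block_on_high and high > 0)
    return {"findings": findings, "finding_count": len(findings), "high_count": high, "blocked": blocked}


# Constructed sample diff: AWS's documented example key in application code, a hex salt
# caught by the entropy detector, and a token in a test fixture that an ignore rule suppresses.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,4 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SESSION_SALT = "c3f1e9a7b2d4f6081a2b3c4d5e6f7a8b9c0d1e2f"
 DEBUG = False
diff --git a/test/fixtures/tokens.txt b/test/fixtures/tokens.txt
--- /dev/null
+++ b/test/fixtures/tokens.txt
@@ -0,0 +1 @@
+ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""

if __name__ == "__main__":
    report = scan_diff(SAMPLE_DIFF, "example-pepper", block_on_high=True)
    print(json.dumps(report, indent=2))
    report = scan_diff(SAMPLE_DIFF, "example-pepper", ignore_json='{"patterns":["test/fixtures"]}')
    print("after ignore rule:", report["finding_count"], "finding(s)")
```

The report never contains the matched secret, only its fingerprint; keying the hash with a per-tenant pepper is what stops someone who obtains a list of fingerprints from confirming candidate secrets offline, which an unkeyed hash of a short or low-entropy secret would allow. The generic detector is deliberately ranked medium: entropy alone produces false positives (hashes, salts, minified identifiers), which is exactly what the ignore rules exist to tune out.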

License

MIT
