Scan Pull Requests for Credentials & Secrets with the Nightfall DLP GitHub Action

Michael Osakwe
August 26, 2020
Nightfall’s DLP platform is now available in the form of an open-source GitHub Action to protect your secrets and sensitive data as an integrated part of your code review workflow.

What are GitHub Actions?

GitHub Actions is a powerful feature that allows users to automate custom elements of their software development workflows.

What is the Nightfall DLP GitHub Action?

The Nightfall DLP GitHub Action scans pull requests for sensitive data like credentials & secrets and gives developers inline feedback so that sensitive data is not merged into their repositories. Nightfall DLP now combines the power of GitHub Actions with Nightfall’s own DLP API to keep your secrets and customer data safe. With the addition of a simple configuration file and a few environment variables, you’ll be able to rest assured that your pull requests are free of leaked credentials.

What problem does the Nightfall DLP GitHub Action solve?

Credentials, secrets, and PII committed to code repos can lead to data exfiltration and breaches. Research into this issue has suggested that thousands of credentials could be leaking daily. This isn’t surprising, as cleaning up credentials & secrets once they’re merged into a repository is challenging, if not impossible depending on the circumstances. The Nightfall DLP GitHub Action addresses this problem by detecting credentials & secrets at the point at which new code is being merged into a repository via a pull request. This means developers get feedback in real time during the code review process, fitting naturally into their workflow.

How does the Nightfall DLP GitHub Action work?

Nightfall DLP can be configured to trigger automatically on Push events or Pull Request events to any GitHub repository and can detect 200+ types of credentials & secrets out of the box, like API keys and certificates, as well as many forms of PII like credit card numbers and US Social Security Numbers. Once triggered, Nightfall DLP will scan your code with the configured detectors and post review comments automatically.
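To make that mechanism concrete, here is an added example (not Nightfall's code; the regex detectors and the sample diff are constructed stand-ins for Nightfall's API-backed detectors) that walks a pull request's unified diff, runs detectors on added lines only, tracks the new-file line number of each hit, and shapes it as an inline review comment without echoing the secret back into the comment:

```python
import re
from dataclasses import dataclass

# Regex stand-ins for detectors (assumption: the real action calls Nightfall's API).
DETECTORS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

@dataclass
class Finding:
    path: str
    line: int        # line number on the new (right-hand) side of the file
    detector: str
    redacted: str    # prefix only; the full value never goes into a comment

def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only '+' lines of each hunk, keeping the right-side line counter in step."""
    findings, path, new_line, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
            continue
        if (m := HUNK_HEADER.match(raw)):
            new_line, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk:                      # file headers live between hunks
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                         # removed line / "no newline" marker: no right-side number
        if raw.startswith("+"):
            for name, rx in DETECTORS.items():
                for hit in rx.finditer(raw[1:]):
                    s = hit.group(0)
                    findings.append(Finding(path, new_line, name, s[:4] + "*" * (len(s) - 4)))
        new_line += 1                        # context and added lines both advance the counter
    return findings

def to_review_comments(findings: list[Finding]) -> list[dict]:
    """Shape hits as path/line/side/body dicts, the fields a PR review comment needs."""
    return [{"path": f.path, "line": f.line, "side": "RIGHT",
             "body": f"Possible {f.detector} ({f.redacted}): remove it and rotate the credential before merging."}
            for f in findings]

# Constructed sample diff: one removed secret (ignored) and one newly added AWS-style key.
SAMPLE_DIFF = """diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
-OLD_TOKEN = "AKIAZZZZZZZZZZZZZZZZ"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 DEBUG = False
"""
```

Running `to_review_comments(scan_diff(SAMPLE_DIFF))` yields a single comment anchored at `app/config.py` line 2 on the right side; the removed token on the left side is not reported because it is leaving the repository, not entering it.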

How is this different from Nightfall Radar for GitHub?

Nightfall Radar scans your repositories historically on already merged code, whereas the Nightfall DLP GitHub Action acts in real time to provide DLP security before pull requests are merged into the repository. For full code base security, you can use both products in tandem.

What is the Nightfall DLP API?

Nightfall’s DLP API powers the Nightfall DLP GitHub Action. It’s the engine under the hood. The API can ingest any text and scan it for sensitive data like PII, as well as for secrets such as API keys or client secrets. Nightfall then provides you with full visibility into what data was detected and precisely where it lies. Scanning your files, communications, and data stores of sensitive information has never been easier. Nightfall’s DLP platform is used by customers across a number of different use cases including code security, internal communications, customer support tickets, and databases, as well as broad-ranging industries like financial services, healthcare, retail, media, e-commerce, and more.

How do I get started?

A Nightfall API account and key are required to get started. You can request a free API key here. You’ll find the Nightfall DLP GitHub Action tool and its documentation in the GitHub marketplace here. For help, contact us at

