require-secret-scan-fetch-depth-zero
Rule catalog ID: R105
Targeted pattern scope
Jobs that use secret-scanning actions such as Gitleaks or TruffleHog.
What this rule reports
This rule reports secret-scanning jobs that do not check out the full repository history with fetch-depth: 0.
Why this rule exists
Secret scanners are most effective when they can inspect full repository history rather than only the latest commit range.
❌ Incorrect

```yaml
- uses: actions/checkout@v6
```

✅ Correct

```yaml
- uses: actions/checkout@v6
  with:
    fetch-depth: 0
```

Additional examples
This rule is job-scoped, so it only checks jobs that actually run the supported secret scanners.
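The following is an added illustration, not the plugin's own implementation: a simplified version of the check described above, run over an already-parsed workflow object (the shape a YAML parser would produce). The scanner name patterns, the sample workflow and the action references in it are assumptions constructed for the example.

```javascript
// Added example (not the plugin's own code): a simplified version of
// require-secret-scan-fetch-depth-zero operating on a parsed workflow object.
// Assumption: a step is a secret scanner when its `uses` mentions gitleaks or trufflehog.
const SECRET_SCANNER_PATTERNS = [/gitleaks/i, /trufflehog/i];

function usesSecretScanner(step) {
  return typeof step.uses === "string" && SECRET_SCANNER_PATTERNS.some((re) => re.test(step.uses));
}

function isCheckout(step) {
  return typeof step.uses === "string" && step.uses.startsWith("actions/checkout@");
}

// True when a checkout step requests full history. YAML parsers may yield
// the value as a number or a string, so both forms are accepted.
function isFullHistoryCheckout(step) {
  const depth = step.with && step.with["fetch-depth"];
  return depth === 0 || depth === "0";
}

// One finding per secret-scanning job that lacks a fetch-depth: 0 checkout.
// Jobs that run no secret scanner are skipped, mirroring the job-scoped rule.
function checkSecretScanFetchDepth(workflow) {
  const findings = [];
  for (const [jobId, job] of Object.entries(workflow.jobs || {})) {
    const steps = Array.isArray(job.steps) ? job.steps : [];
    if (!steps.some(usesSecretScanner)) continue;
    if (!steps.some((s) => isCheckout(s) && isFullHistoryCheckout(s))) {
      findings.push({ job: jobId, message: "secret-scanning job must check out with fetch-depth: 0" });
    }
  }
  return findings;
}

// Constructed sample workflow (already parsed); not taken from the original page.
const sampleWorkflow = {
  jobs: {
    "secret-scan": { steps: [{ uses: "actions/checkout@v6" }, { uses: "gitleaks/gitleaks-action@v2" }] },
    lint: { steps: [{ uses: "actions/checkout@v6" }, { run: "npm run lint" }] },
    "trufflehog-full": {
      steps: [
        { uses: "actions/checkout@v6", with: { "fetch-depth": 0 } },
        { uses: "trufflesecurity/trufflehog@main" },
      ],
    },
  },
};

// Returns the ids of the jobs flagged in the sample: only "secret-scan".
function flaggedJobs() {
  return checkSecretScanFetchDepth(sampleWorkflow).map((f) => f.job);
}
```

The shallow `lint` job is not reported because it runs no scanner, and `trufflehog-full` passes because its checkout requests full history.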
ESLint flat config example

```js
import githubActions from "eslint-plugin-github-actions-2";
export default [githubActions.configs.security];
```
When not to use it
Disable this rule if your secret scanning workflow is intentionally limited to shallow history or event-specific diffs.