Secret Scanning in CI: What Pre-Commit, Pull Request, and Main Branch Each Actually Catch

A teammate pastes an AWS access key into a PR comment to "debug quickly." Another commits .env.production because .gitignore was wrong on a new microservice. A third rotates nothing after a contractor laptop compromise because "we never committed secrets, probably fine."

Secret scanners are not interchangeable at every stage of the software development lifecycle (SDLC). Running only on main means the secret already lived in git history. Running only locally means it never ran on the machine that mattered. Layers matter, and each layer should have a different job.

In this article, you will implement a practical three-layer secret-scanning model with Gitleaks and GitHub Actions, then verify each layer and handle real incidents without creating scanner fatigue.

Who this is for: Engineers owning GitHub Actions security checks for application repos.

What you'll build: Pre-commit hook, PR scan, and post-merge history scan with shared allowlist discipline.