GitHub Action

An official GitHub Action runs Trestle on every push and pull request. The action downloads the Community binary for the runner's operating system and architecture, verifies the download against the sha256 checksum published with the release, and runs trestle scan on the checked-out repository.
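The shell function below illustrates the kind of fail-closed sha256 check described above. It is an added example, not the action's own code. The file names tool-linux-amd64 and checksums.txt are hypothetical placeholders, and the checksum file is assumed to use the sha256sum line format.

```shell
#!/bin/sh
# Added example: fail-closed sha256 check of a downloaded file.
# File names are hypothetical placeholders, not Trestle's release asset names.

# Print the lowercase hex sha256 digest of FILE (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE CHECKSUMS
# CHECKSUMS is in sha256sum format: "<64 hex digits>  <file name>" per line.
# Returns 0 on match, 1 on mismatch, 2 if a file is missing,
# 3 if CHECKSUMS has no well-formed entry for FILE.
verify_sha256() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2

    # Match the name field exactly; a missing entry is a failure, never a skip.
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")
    case $expected in
        "" | *[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3

    [ "$(sha256_of "$file")" = "$expected" ] || return 1
}

# Constructed demo: a stand-in "download" and a checksum file generated for it.
demo() {
    dir=$(mktemp -d)
    printf 'stand-in binary contents\n' > "$dir/tool-linux-amd64"
    printf '%s  %s\n' "$(sha256_of "$dir/tool-linux-amd64")" tool-linux-amd64 > "$dir/checksums.txt"

    verify_sha256 "$dir/tool-linux-amd64" "$dir/checksums.txt" && echo "intact: verified"
    printf 'tampered\n' >> "$dir/tool-linux-amd64"
    verify_sha256 "$dir/tool-linux-amd64" "$dir/checksums.txt" || echo "modified: rejected ($?)"
    rm -rf "$dir"
}
demo
```

A checksum fetched from the same location as the binary detects corruption and mismatched assets; it does not by itself prove who published the release.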

Quick start

Add the following workflow to .github/workflows/secret-scan.yml:

name: Secret scan

on:
  push:
  pull_request:

jobs:
  trestle:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: toro-guapo/trestle-action@v1

By default, the job fails if Trestle finds secrets, so the push or pull request is blocked until the finding is addressed.

For a full reference, including inputs, outputs, supported runners, and an example that uploads SARIF findings to the GitHub Security tab, see toro-guapo/trestle-action.