GitHub Actions Merge Prevention
SailPoint Entro provides a GitHub Action you can incorporate into your GitHub Actions workflows.
The GitHub Action is available in GitHub's marketplace here - Scan PR using SailPoint Entro
Step 1 : Configure credentials
-
Go to your GitHub Organization.
-
In the Settings tab, navigate to Security → Secrets and variables → Actions.
-
Switch to Organization secrets: - Create a secret named ENTRO_API_KEY and a secret named ENTRO_API_ENDPOINT
Step 2 : Create a Central .github Repository
Note
The .github folder is used as your organizational's workflow templates repository. For more information, refer to the GitHub documentation.
-
Create (or open) the
.githubrepository in your organization. -
Inside it, create a folder named workflow-templates (if it does not already exist).
-
Create a file named entro-secret-scan.yml under workflow-templates/.
name: Entro Scanner on: pull_request: branches: [ "main" ] jobs: secrets-scan: runs-on: ubuntu-latest steps: - name: 'Get PR commits' run: echo "PR_FETCH_DEPTH=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> "${GITHUB_ENV}" - name: 'Checkout PR branch and all PR commits' uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref }} fetch-depth: ${{ env.PR_FETCH_DEPTH }} - name: 'Scan for secrets' uses: liminal-security/scan-action@v1.0.0 with: api-endpoint: ${{ secrets.ENTRO_API_ENDPOINT }} api-token: ${{ secrets.ENTRO_API_KEY }}
Step 3 : Adopt the Workflow in Each Repository
-
Use “Actions → New workflow” from Template
-
In each target repository, go to the Actions tab.
-
look for the Entro Scanner template in the list of organization workflow templates.
-
Select it and follow the prompts to commit the workflow file to the repository’s
.github/workflowsdirectory.
Step 4 : Enforce Global Merge Prevention with Branch Protection
Organization-Level Settings for Branch Protection
-
Manually Configure Each Repo
-
Under Branch protection rules, choose your main branch (e.g. main or master).
-
Check Require status checks to pass before merging.
-
Under Status checks that are required, select Entro Secret Scanner.
-
Save the rule
Note
Organization and repository admins can forcefully merge a block PR request. More about Organizational roles and Repository roles
Use GitHub Organization or Enterprise Policies
-
Navigate to Organization Settings or Enterprise Account Settings if you’re managing multiple orgs.
-
Locate “Policies” or “Security” / “Compliance” Options
-
Define the Default Branch Protection Rule - Specify the branch name patterns (e.g., main, master, or * for all branches). - Check Require status checks to pass before merging. -Under “Status checks that are required,” specify the checks your organization mandates (“Entro Secret Scanner”).
-
Enforce / Apply to All Repositories
-
Enable the policy so that it applies not only to existing repositories but also to newly created ones.
If you’re on GitHub Enterprise Cloud, you can set organization-level or enterprise-level rules that automatically apply standard branch protection to all repositories in the org.