Skip to content

GitHub Actions Merge Prevention

SailPoint Entro provides a GitHub Action you can incorporate into your GitHub Actions workflows.

The GitHub Action is available in GitHub's marketplace here - Scan PR using SailPoint Entro

Step 1 : Configure credentials

  • Go to your GitHub Organization.

  • In the Settings tab, navigate to SecuritySecrets and variablesActions.

  • Switch to Organization secrets: - Create a secret named ENTRO_API_KEY and a secret named ENTRO_API_ENDPOINT

Step 2 : Create a Central .github Repository

Note

The .github folder is used as your organizational's workflow templates repository. For more information, refer to the GitHub documentation.

  • Create (or open) the .github repository in your organization.

  • Inside it, create a folder named workflow-templates (if it does not already exist).

  • Create a file named entro-secret-scan.yml under workflow-templates/.

    name: Entro Scanner
    on:
      pull_request:
        branches: [ "main" ]
    
    jobs:
      secrets-scan:
        runs-on: ubuntu-latest
        steps:
          - name: 'Get PR commits'
            run: echo "PR_FETCH_DEPTH=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> "${GITHUB_ENV}"
    
          - name: 'Checkout PR branch and all PR commits'
            uses: actions/checkout@v4
            with:
              ref: ${{ github.event.pull_request.head.ref }}
              fetch-depth: ${{ env.PR_FETCH_DEPTH }}
    
          - name: 'Scan for secrets'
            uses: liminal-security/scan-action@v1.0.0
            with:
              api-endpoint: ${{ secrets.ENTRO_API_ENDPOINT }}
              api-token: ${{ secrets.ENTRO_API_KEY }}
    

Step 3 : Adopt the Workflow in Each Repository

  • Use “Actions → New workflow” from Template

  • In each target repository, go to the Actions tab.

  • look for the Entro Scanner template in the list of organization workflow templates.

  • Select it and follow the prompts to commit the workflow file to the repository’s .github/workflows directory.

Step 4 : Enforce Global Merge Prevention with Branch Protection

Organization-Level Settings for Branch Protection

  • Manually Configure Each Repo

  • Under Branch protection rules, choose your main branch (e.g. main or master).

  • Check Require status checks to pass before merging.

  • Under Status checks that are required, select Entro Secret Scanner.

  • Save the rule

Note

Organization and repository admins can forcefully merge a block PR request. More about Organizational roles and Repository roles

Use GitHub Organization or Enterprise Policies

  • Navigate to Organization Settings or Enterprise Account Settings if you’re managing multiple orgs.

  • Locate “Policies” or “Security” / “Compliance” Options

  • Define the Default Branch Protection Rule - Specify the branch name patterns (e.g., main, master, or * for all branches). - Check Require status checks to pass before merging. -Under “Status checks that are required,” specify the checks your organization mandates (“Entro Secret Scanner”).

  • Enforce / Apply to All Repositories

  • Enable the policy so that it applies not only to existing repositories but also to newly created ones.

If you’re on GitHub Enterprise Cloud, you can set organization-level or enterprise-level rules that automatically apply standard branch protection to all repositories in the org.