Getting Started: Integrate Git Secret Scanning with Astra's OrbitX

Last updated: June 1, 2026

Introduction

Integrating Git secret scanning with Astra ensures that sensitive information, such as API keys, tokens, and credentials, is automatically detected during your development pipeline. By embedding this into your CI/CD workflow, you can prevent accidental leaks from reaching your production environment with minimal manual effort.

Prerequisites

  • Active access to the Astra Dashboard.

  • Administrative or Write permissions for your repository to configure secrets and YAML files.

  • An existing Astra Project ID and Access Token, which can be copied from the Integrations page in your dashboard.

Initial Setup Steps

  1. Log in to your Astra Dashboard and navigate to the Integrations menu.

  2. Select your CI/CD tool and click Activate. Follow the on-screen steps — Astra will generate the pipeline snippet for your tool automatically during this process.

  3. When prompted, select Automated as the scan trigger and Secret Scanning as the scan type.

  4. Copy the generated snippet and add it as a new step or stage in your pipeline configuration file, strictly after the deploy step.

First Actions: Adding the Scan to Your Pipeline

The pipeline snippet is auto-generated on the Astra Dashboard during integration setup, with your ASTRA_ACCESS_TOKEN and ASTRA_PROJECT_ID pre-filled. You do not need to manually construct the YAML. The core execution command used across all tools is:

wget -O - https://git.io/JSHtC | bash || true

Note that the trailing || true means a scanner failure will not fail the pipeline, so check the job log to confirm the scan actually ran. Below are the supported CI/CD tools with brief setup pointers. For tool-specific details on setting variables, refer to the official documentation linked for each tool.

GitHub

  • Add ASTRA_ACCESS_TOKEN as a repository secret under Settings → Secrets and Variables → Actions. (GitHub Docs: Using secrets)

  • Select Automated mode and Secret Scanning type on the Astra Dashboard during setup.

  • Paste the generated snippet as a new step in your .github/workflows YAML file, after the deploy step.

GitLab

  • Add ASTRA_ACCESS_TOKEN and ASTRA_PROJECT_ID as CI/CD variables under Settings → CI/CD → Variables. (GitLab Docs: CI/CD Variables)

  • Select Automated mode and Secret Scanning type on the Astra Dashboard during setup.

  • Paste the generated snippet as a new stage in your .gitlab-ci.yml file, after the deploy step.

Jenkins

  • Add ASTRA_ACCESS_TOKEN and ASTRA_PROJECT_ID in the environment block of your Jenkinsfile, using values from the Astra Dashboard. (Jenkins Docs: Using credentials)

  • Select Automated mode and Secret Scanning type on the Astra Dashboard during setup.

  • Paste the generated snippet as a new stage in your Jenkinsfile, after the deploy step.

Bitbucket

  • Add ASTRA_ACCESS_TOKEN and ASTRA_PROJECT_ID under Repository Settings → Pipelines → Repository Variables. (Bitbucket Docs: Variables)

  • Select Automated mode and Secret Scanning type on the Astra Dashboard during setup.

  • Paste the generated snippet as a new step in your bitbucket-pipelines.yml file, after the deploy step.

Azure

  • Add ASTRA_ACCESS_TOKEN and ASTRA_PROJECT_ID as pipeline variables under Pipelines → Edit → Variables. (Azure Docs: Define variables)

  • Select Automated mode and Secret Scanning type on the Astra Dashboard during setup.

  • Paste the generated snippet as a new stage in your Azure pipeline YAML file, after the deploy step.

CircleCI

  • Add ASTRA_ACCESS_TOKEN and ASTRA_PROJECT_ID under Project Settings → Environment Variables. (CircleCI Docs: Environment Variables)

  • Select Automated mode and Secret Scanning type on the Astra Dashboard during setup.

  • Paste the generated job snippet into the jobs section and reference it in the workflows section of your .circleci/config.yml, after the deploy step.

Expected Outcome

Once the pipeline runs, the Astra secret scanner will parse your repository for exposed secrets. Any detected secrets will be reported directly to your Astra Dashboard, where they can be viewed and managed alongside other security findings.

Next Steps & Customization

  • Custom Rules: Create a .astra-secret-rules.toml file in your repository root to add organization-specific regex rules or whitelist certain files. Refer to Customizing Astra Secret Detection for a detailed guide.

Common Issues and Troubleshooting

  • Authentication Errors: If the scan fails with rpc error: code = Unauthenticated, double-check that your ASTRA_ACCESS_TOKEN is correct and that it is not being masked incorrectly by your CI settings.

  • Scanner Not Triggering: Ensure ASTRA_SCAN_TYPE is explicitly set to secret_scanning; otherwise, the system may default to a standard vulnerability scan.
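A preflight wrapper like the following (an added example, not Astra's generated snippet) checks the three variables named above before the core command runs, so a missing token or a wrong ASTRA_SCAN_TYPE fails loudly instead of silently falling back to a vulnerability scan; astra_preflight, astra_scan_step and the ASTRA_SCAN_URL override are assumed names.

```shell
# Hypothetical preflight wrapper for the Astra secret-scan step (added example,
# not Astra's generated snippet). Variable names follow the page; ASTRA_SCAN_URL
# is an assumed override so the wrapper can be exercised without network access.

# Return 0 when the environment is complete, 1 otherwise; one stderr line per problem.
astra_preflight() {
  rc=0
  if [ -z "${ASTRA_ACCESS_TOKEN:-}" ]; then
    echo "astra: ASTRA_ACCESS_TOKEN is not set (expect 'rpc error: code = Unauthenticated')" >&2
    rc=1
  fi
  if [ -z "${ASTRA_PROJECT_ID:-}" ]; then
    echo "astra: ASTRA_PROJECT_ID is not set" >&2
    rc=1
  fi
  if [ "${ASTRA_SCAN_TYPE:-}" != "secret_scanning" ]; then
    echo "astra: ASTRA_SCAN_TYPE is '${ASTRA_SCAN_TYPE:-}', expected 'secret_scanning'" >&2
    rc=1
  fi
  return "$rc"
}

# Run the page's core command only after preflight passes. The page's '|| true'
# keeps the pipeline green even if the scanner fails, so the scanner's real exit
# status is written to the job log instead of being discarded.
astra_scan_step() {
  astra_preflight || return 1          # misconfiguration blocks the step
  url="${ASTRA_SCAN_URL:-https://git.io/JSHtC}"
  wget -O - "$url" | bash
  ASTRA_SCAN_RC=$?
  echo "astra: scanner exit status $ASTRA_SCAN_RC" >&2
  return 0                             # mirrors '|| true' once configured
}
```

Call astra_scan_step in place of the bare one-liner; it only changes behaviour when the variables are wrong.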