From 6b8f7a4a552123ef48274768a3ad1ffe2627b2b9 Mon Sep 17 00:00:00 2001 From: Samia Wear Date: Tue, 28 Apr 2026 10:11:38 +0100 Subject: [PATCH 1/2] update the guidance to use docker --- tools/gitleaks.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/gitleaks.md b/tools/gitleaks.md index 92a86082..d61488f8 100644 --- a/tools/gitleaks.md +++ b/tools/gitleaks.md @@ -58,7 +58,11 @@ Example GitHub Actions step: ```yaml - name: Run GitLeaks - run: gitleaks git --redact --verbose --log-opts="--all" + run: docker run --rm --platform linux/amd64 \ + -v "$(pwd):/repo" \ + -w /repo \ + ghcr.io/gitleaks/gitleaks:v8.30.1 \ + git --source /repo --redact --verbose --log-opts="--all" ``` If you maintain a custom configuration, store it in the repository and reference it explicitly in local and CI commands so the same rules apply everywhere. From 5cec54652079b9f490a36426ee16fe6d02cd99ef Mon Sep 17 00:00:00 2001 From: Samia Wear Date: Thu, 7 May 2026 11:43:00 +0100 Subject: [PATCH 2/2] pin the version using SHA Signed-off-by: Samia Wear --- tools/gitleaks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/gitleaks.md b/tools/gitleaks.md index d61488f8..2b8d4ef2 100644 --- a/tools/gitleaks.md +++ b/tools/gitleaks.md @@ -61,7 +61,7 @@ Example GitHub Actions step: run: docker run --rm --platform linux/amd64 \ -v "$(pwd):/repo" \ -w /repo \ - ghcr.io/gitleaks/gitleaks:v8.30.1 \ + ghcr.io/gitleaks/gitleaks@sha256:c00b6bd0aeb3071cbcb79009cb16a60dd9e0a7c60e2be9ab65d25e6bc8abbb7f \ git --source /repo --redact --verbose --log-opts="--all" ```
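Review bot: In PATCH 1/2 (hunk `@@ -58,7 +58,11 @@` of tools/gitleaks.md), the added `run:` value is a plain YAML scalar continued over five lines with trailing backslashes, and that will not reach the shell as written. YAML folds the line breaks of a plain scalar into single spaces and keeps the backslashes literally, so the shell receives `linux/amd64 \ -v "$(pwd):/repo" \ -w /repo ...`, where each `\ ` is an escaped space glued to the next argument rather than a line continuation. Use a literal block scalar instead, that is `run: |` with the `docker run ... \` lines indented beneath it, so the newlines survive and the backslashes act as continuations. A smaller point in the same hunk: `-w /repo` and `--source /repo` both point the scan at the mounted directory, so one of them can probably be dropped to keep the documented command short.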
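Review bot: In PATCH 2/2 (hunk `@@ -61,7 +61,7 @@` of tools/gitleaks.md), replacing `ghcr.io/gitleaks/gitleaks:v8.30.1` with a bare `@sha256:c00b6bd0...` reference removes the only visible record of which release the guidance pins. The digest is the right thing to pull by, but a reader copying the example cannot tell what version it is or when it has gone stale. Keep the tag next to the digest, for example `ghcr.io/gitleaks/gitleaks:v8.30.1@sha256:c00b6bd0...` (Docker resolves by the digest and the tag stays as documentation), or add a YAML comment above the step naming the version. It would also help to add a sentence to the surrounding text saying how the digest was obtained and how to refresh it, and to state whether it is the multi-platform index digest or the linux/amd64 image digest, since the command still passes `--platform linux/amd64`.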