gitleaks
gitleaks documentation
- Version in MegaLinter: 8.8.7
- Visit Official Web Site
- See How to configure gitleaks rules
Configuration in MegaLinter
- Enable gitleaks by adding
REPOSITORY_GITLEAKS
in ENABLE_LINTERS variable - Disable gitleaks by adding
REPOSITORY_GITLEAKS
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_GITLEAKS_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
Exclude every file |
REPOSITORY_GITLEAKS_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file nameUse LINTER_DEFAULT to let the linter find it |
.gitleaks.toml |
REPOSITORY_GITLEAKS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 101 | ||
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 18 | ||
documentation | MegaLinter for documentation projects | 42 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 50 | ||
go | Optimized for GO based projects | 44 | ||
java | Optimized for JAVA based projects | 44 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 51 | ||
php | Optimized for PHP based projects | 46 | ||
python | Optimized for PYTHON based projects | 50 | ||
ruby | Optimized for RUBY based projects | 43 | ||
rust | Optimized for RUST based projects | 43 | ||
salesforce | Optimized for Salesforce based projects | 45 | ||
security | Optimized for security | 20 | ||
swift | Optimized for SWIFT based projects | 43 | ||
terraform | Optimized for TERRAFORM based projects | 48 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
gitleaks is called once on the whole project directory
- filtering can not be done using MegaLinter configuration variables,it must be done using gitleaks configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
does not make gitleaks analyze only updated files
Example calls
gitleaks detect --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --no-git --verbose --source .
Help content
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion generate the autocompletion script for the specified shell
detect detect secrets in code
help Help about any command
protect protect secrets in code
version display gitleaks version
Flags:
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (--source/-s)/.gitleaks.toml
If none of the three options are used, then gitleaks will use the default config
--exit-code int exit code when leaks have been encountered (default 1)
-h, --help help for gitleaks
-l, --log-level string log level (debug, info, warn, error, fatal) (default "info")
--redact redact secrets from logs and stdout
-f, --report-format string output format (json, csv, sarif) (default "json")
-r, --report-path string report file
-s, --source string path to source (default: $PWD) (default ".")
-v, --verbose show verbose output from scan
Use "gitleaks [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
FROM zricethezav/gitleaks:v8.8.7 as gitleaks
COPY --from=gitleaks /usr/bin/gitleaks /usr/bin/