Skip to content

gitleaks

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

gitleaks documentation

gitleaks - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_GITLEAKS_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_GITLEAKS_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_GITLEAKS_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_GITLEAKS_CONFIG_FILE gitleaks configuration file nameUse LINTER_DEFAULT to let the linter find it .gitleaks.toml
REPOSITORY_GITLEAKS_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_GITLEAKS_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 114 Docker Image Size (tag) Docker Pulls
ci_light Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML 20 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 82 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 48 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 60 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 50 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 51 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 57 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 51 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 59 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 48 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 48 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 51 Docker Image Size (tag) Docker Pulls
security Optimized for security 22 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 48 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 53 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

gitleaks is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using gitleaks configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false does not make gitleaks analyze only updated files

Example calls

gitleaks detect --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --no-git --verbose --source .

Help content

Gitleaks scans code, past or present, for secrets

Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  detect      detect secrets in code
  help        Help about any command
  protect     protect secrets in code
  version     display gitleaks version

Flags:
  -b, --baseline-path string       path to baseline with issues that can be ignored
  -c, --config string              config file path
                                   order of precedence:
                                   1. --config/-c
                                   2. env var GITLEAKS_CONFIG
                                   3. (--source/-s)/.gitleaks.toml
                                   If none of the three options are used, then gitleaks will use the default config
      --exit-code int              exit code when leaks have been encountered (default 1)
  -h, --help                       help for gitleaks
  -l, --log-level string           log level (trace, debug, info, warn, error, fatal) (default "info")
      --max-target-megabytes int   files larger than this will be skipped
      --no-banner                  suppress banner
      --redact                     redact secrets from logs and stdout
  -f, --report-format string       output format (json, csv, sarif) (default "json")
  -r, --report-path string         report file
  -s, --source string              path to source (default: $PWD) (default ".")
  -v, --verbose                    show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
FROM zricethezav/gitleaks:v8.16.1 as gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/