gitleaks
gitleaks documentation
- Version in MegaLinter: 8.16.1
- Visit Official Web Site
- See How to configure gitleaks rules
- If custom
.gitleaks.tomlconfig file is not found, .gitleaks.toml will be used
- If custom
- See How to ignore files and directories with gitleaks
Configuration in MegaLinter
- Enable gitleaks by adding
REPOSITORY_GITLEAKSin ENABLE_LINTERS variable - Disable gitleaks by adding
REPOSITORY_GITLEAKSin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file nameUse LINTER_DEFAULT to let the linter find it |
.gitleaks.toml |
| REPOSITORY_GITLEAKS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
MegaLinter Flavours
This linter is available in the following flavours
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
 |
all | Default MegaLinter Flavor | 114 |   |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 20 |   |
|
| cupcake | MegaLinter for the most commonly used languages | 82 |   |
|
| documentation | MegaLinter for documentation projects | 48 |   |
|
| dotnet | Optimized for C, C++, C# or VB based projects | 60 |   |
|
| go | Optimized for GO based projects | 50 |   |
|
| java | Optimized for JAVA based projects | 51 |   |
|
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 57 |   |
|
| php | Optimized for PHP based projects | 51 |   |
|
| python | Optimized for PYTHON based projects | 59 |   |
|
| ruby | Optimized for RUBY based projects | 48 |   |
|
| rust | Optimized for RUST based projects | 48 |   |
|
| salesforce | Optimized for Salesforce based projects | 51 |   |
|
| security | Optimized for security | 22 |   |
|
| swift | Optimized for SWIFT based projects | 48 |   |
|
| terraform | Optimized for TERRAFORM based projects | 53 |   |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
gitleaks is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using gitleaks configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: falsedoes not make gitleaks analyze only updated files
Example calls
gitleaks detect --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --no-git --verbose --source .
Help content
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion generate the autocompletion script for the specified shell
detect detect secrets in code
help Help about any command
protect protect secrets in code
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (--source/-s)/.gitleaks.toml
If none of the three options are used, then gitleaks will use the default config
--exit-code int exit code when leaks have been encountered (default 1)
-h, --help help for gitleaks
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--redact redact secrets from logs and stdout
-f, --report-format string output format (json, csv, sarif) (default "json")
-r, --report-path string report file
-s, --source string path to source (default: $PWD) (default ".")
-v, --verbose show verbose output from scan
Use "gitleaks [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
FROM zricethezav/gitleaks:v8.16.1 as gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/