gitleaks
Scan only Pull Request commits
VALIDATE_ALL_CODEBASE: false doesn't make gitleaks analyze only updated files. To analyze only commits on Pull Request, set VALIDATE_ALL_CODEBASE: false together with REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true (you have to specify it explicitly), but only works for selected platforms: GitHub Actions, Azure Pipelines, GitLab Pipelines* (Merge Requests and External Pull Requests)
- * Only GitLab self-managed and GitLab SaaS (Premium and Ultimate) are supported (limitation due to GitLab itself) and Merge result pipelines feature has to be enabled.
- If MegaLinter with the gitleaks runs on PR on the not listed platform above, then the analysis is performed on the whole repository - default gitleaks behavior (checked-out commits, depends on fetch-depth configuration).
- You can still scan only PR commits in your CI/CD platform by setting MegaLinter envs:
PULL_REQUEST=true*,REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true,REPOSITORY_GITLEAKS_PR_SOURCE_SHAwith last commit sha from your PR andREPOSITORY_GITLEAKS_PR_TARGET_SHAcommit sha from your target branch (for example,mainif you do PR to main branch). Example on how to get source commit shagit rev-list -n 1 refs/remotes/origin/<source_branch>and target commit shagit rev-parse refs/remotes/origin/<target_branch>- *
PULL_REQUESTenvironment variable must be set totrueonly on Pull Requests, so you must calculate the value in your pipeline and pass the outcome.
- *
- You can still scan only PR commits in your CI/CD platform by setting MegaLinter envs:
- PR commits scan feature, if applicable, will override your
--log-optsargument if you used it in theREPOSITORY_GITLEAKS_ARGUMENTS.
Repository checkout on Pull Requests
To scan only PR commits, the shallow fetch for a repository checkout has to be 0. Below is an example configuration for supported platforms:
GitHub Actions
- uses: actions/checkout@v3
with:
fetch-depth: 0
Azure Pipelines
- checkout: self
fetchDepth: 0
GitLab Pipelines
variables:
GIT_DEPTH: 0
Git
git fetch --depth=0
gitleaks documentation
- Version in MegaLinter: 8.16.4
- Visit Official Web Site
- See How to configure gitleaks rules
- If custom
.gitleaks.tomlconfig file isn't found, .gitleaks.toml will be used
- If custom
- See How to disable gitleaks rules in files
- See How to ignore files and directories with gitleaks
Configuration in MegaLinter
- Enable gitleaks by adding
REPOSITORY_GITLEAKSin ENABLE_LINTERS variable - Disable gitleaks by adding
REPOSITORY_GITLEAKSin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_GITLEAKS_PR_COMMITS_SCAN | Scan only PR commits on Pull Request | false |
| REPOSITORY_GITLEAKS_PR_SOURCE_SHA | Pull Request source commit sha (N/A to supported scenarios) | `` |
| REPOSITORY_GITLEAKS_PR_TARGET_SHA | Pull Request target commit sha (N/A to supported scenarios) | `` |
| REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_GITLEAKS_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_GITLEAKS and its pre/post commands | None |
| REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file nameUse LINTER_DEFAULT to let the linter find it |
.gitleaks.toml |
| REPOSITORY_GITLEAKS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_GITLEAKS_CLI_EXECUTABLE | Override CLI executable | ['gitleaks'] |
MegaLinter Flavours
This linter is available in the following flavours
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
 |
all | Default MegaLinter Flavor | 113 |   |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 19 |   |
|
| cupcake | MegaLinter for the most commonly used languages | 81 |   |
|
| documentation | MegaLinter for documentation projects | 47 |   |
|
| dotnet | Optimized for C, C++, C# or VB based projects | 59 |   |
|
| go | Optimized for GO based projects | 49 |   |
|
| java | Optimized for JAVA based projects | 51 |   |
|
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 56 |   |
|
| php | Optimized for PHP based projects | 50 |   |
|
| python | Optimized for PYTHON based projects | 58 |   |
|
| ruby | Optimized for RUBY based projects | 47 |   |
|
| rust | Optimized for RUST based projects | 47 |   |
|
| salesforce | Optimized for Salesforce based projects | 50 |   |
|
| security | Optimized for security | 21 |   |
|
| swift | Optimized for SWIFT based projects | 47 |   |
|
| terraform | Optimized for TERRAFORM based projects | 51 |   |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
gitleaks is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using gitleaks configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: falsedoesn't make gitleaks analyze only updated files
Example calls
gitleaks detect --redact --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --redact --no-git --verbose --source .
Help content
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion generate the autocompletion script for the specified shell
detect detect secrets in code
help Help about any command
protect protect secrets in code
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (--source/-s)/.gitleaks.toml
If none of the three options are used, then gitleaks will use the default config
--exit-code int exit code when leaks have been encountered (default 1)
-h, --help help for gitleaks
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--no-color turn off color for verbose output
--redact redact secrets from logs and stdout
-f, --report-format string output format (json, csv, sarif) (default "json")
-r, --report-path string report file
-s, --source string path to source (default ".")
-v, --verbose show verbose output from scan
Use "gitleaks [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
FROM zricethezav/gitleaks:v8.16.4 as gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/