secretlint

secretlint documentation

secretlint - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_SECRETLINT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| REPOSITORY_SECRETLINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
| REPOSITORY_SECRETLINT_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_SECRETLINT_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_SECRETLINT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_SECRETLINT and its pre/post commands | None |
| REPOSITORY_SECRETLINT_CONFIG_FILE | secretlint configuration file name. Use LINTER_DEFAULT to let the linter find it | .secretlintrc.json |
| REPOSITORY_SECRETLINT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_SECRETLINT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_SECRETLINT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_SECRETLINT_CLI_EXECUTABLE | Override CLI executable | ['secretlint'] |

MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 121 |
| c_cpp | Optimized for pure C/C++ projects | 55 |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML | 22 |
| cupcake | MegaLinter for the most commonly used languages | 84 |
| documentation | MegaLinter for documentation projects | 51 |
| dotnet | Optimized for C, C++, C# or VB based projects | 64 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 |
| go | Optimized for GO based projects | 53 |
| java | Optimized for JAVA based projects | 54 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 60 |
| php | Optimized for PHP based projects | 54 |
| python | Optimized for PYTHON based projects | 62 |
| ruby | Optimized for RUBY based projects | 51 |
| rust | Optimized for RUST based projects | 51 |
| salesforce | Optimized for Salesforce based projects | 55 |
| security | Optimized for security | 24 |
| swift | Optimized for SWIFT based projects | 51 |
| terraform | Optimized for TERRAFORM based projects | 55 |

Behind the scenes

How applicable files are identified

  • If this linter is active, all files will always be linted

How the linting is performed

secretlint is called once on the whole project directory (project CLI lint mode)

  • Filtering cannot be done using MegaLinter configuration variables; it must be done using the secretlint configuration or ignore file (if one exists)
  • VALIDATE_ALL_CODEBASE: false doesn't make secretlint analyze only updated files

Example calls

secretlint "**/*"
secretlint --secretlintrc .secretlintrc.json "**/*"

Help content


  Secretlint CLI that scan secret/credential data.

  Usage
    $ secretlint [file|glob*]

  Note
    supported glob syntax is based on microglob
    https://github.com/micromatch/micromatch#matching-features

  Options
    --init             setup config file. Create .secretlintrc.json file from your package.json
    --format           [String] formatter name. Default: "stylish". Available Formatter: checkstyle, compact, jslint-xml, junit, pretty-error, stylish, tap, unix, json, mask-result, table
    --output           [path:String] output file path that is written of reported result.
    --no-color         disable ANSI-color of output.
    --no-terminalLink  disable terminalLink of output.
    --maskSecrets      enable masking of secret values. replace actual secrets with "***".
    --secretlintrc     [path:String] path to .secretlintrc config file. Default: .secretlintrc.*
    --secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore

  Options for Developer
    --profile          Enable performance profile.
    --secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.

  Experimental Options
    --locale            [String] locale tag for translating message. Default: en

  Examples
    $ secretlint ./README.md
    # glob pattern should be wrapped with double quote
    $ secretlint "**/*"
    $ secretlint "source/**/*.ini"
    # found secrets and mask the secrets
    $ secretlint .zsh_history --format=mask-result --output=.zsh_history

  Exit Status
    Secretlint exits with the following values:

    - 0:
      - Linting succeeded, no errors found.
      - Found lint error but --output is specified.
    - 1:
      - Linting failed, errors found.
    - 2:
      - Unexpected error occurred, fatal error.
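
The Exit Status section above has a consequence for CI gating: with --output, secretlint exits 0 even when lint errors were found, so a gate that trusts the exit code alone would treat findings as clean. The wrapper below is an added example, not part of MegaLinter or secretlint; the function name secretlint_gate and the report path are assumptions. It writes the report by shell redirection instead of --output, so the status still reflects findings, and it passes --maskSecrets so the saved report does not contain the secret values.

```sh
#!/bin/sh
# secretlint_gate REPORT_FILE [secretlint args and globs...]
# Prints one of: clean | secrets-found | fatal
# Returns secretlint's own exit status (0, 1 or 2 per its help text).
secretlint_gate() {
  _sl_report=$1
  shift

  # Refuse --output: per the help text it turns "errors found" into exit 0,
  # which would make the gate pass while secrets are present.
  for _sl_arg in "$@"; do
    case $_sl_arg in
      --output|--output=*)
        echo "secretlint_gate: do not pass --output, the report is written by redirection" >&2
        return 2
        ;;
    esac
  done

  # --maskSecrets: replace secret values with "***" in the report.
  # --no-color:    keep ANSI escape sequences out of the saved file.
  # "|| _sl_status=$?" keeps the function safe under "set -e".
  _sl_status=0
  secretlint --maskSecrets --no-color "$@" > "$_sl_report" || _sl_status=$?

  case $_sl_status in
    0) echo "clean" ;;
    1) echo "secrets-found" ;;
    *) echo "fatal" ;;   # 2 = unexpected error; anything else, e.g. 127, means the CLI did not run
  esac
  return "$_sl_status"
}

# Usage (glob wrapped in double quotes, as the help text requires):
#   secretlint_gate secretlint-report.txt --secretlintrc .secretlintrc.json "**/*"
```
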

Installation on mega-linter Docker image