# gitleaks

## Scan only Pull Request commits

`VALIDATE_ALL_CODEBASE: false` doesn't make gitleaks analyze only updated files. To analyze only the commits of a Pull Request, set `VALIDATE_ALL_CODEBASE: false` together with `REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true` (you have to specify it explicitly). This only works on selected platforms: GitHub Actions, Azure Pipelines and GitLab Pipelines\* (Merge Requests and External Pull Requests).

- \* Only GitLab self-managed and GitLab SaaS (Premium and Ultimate) are supported (a limitation of GitLab itself), and the Merge result pipelines feature has to be enabled.
- If MegaLinter runs gitleaks on a PR on a platform not listed above, the analysis is performed on the whole repository, which is the default gitleaks behavior (the checked-out commits, depending on the fetch-depth configuration).
- You can still scan only PR commits on your CI/CD platform by setting the MegaLinter env variables `PULL_REQUEST=true`\*, `REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true`, `REPOSITORY_GITLEAKS_PR_SOURCE_SHA` (the last commit sha of your PR) and `REPOSITORY_GITLEAKS_PR_TARGET_SHA` (the commit sha of your target branch, for example `main` if you open the PR against the main branch). Example of how to get the source commit sha: `git rev-list -n 1 refs/remotes/origin/<source_branch>`, and the target commit sha: `git rev-parse refs/remotes/origin/<target_branch>`.
  - \* The `PULL_REQUEST` environment variable must be set to `true` only on Pull Requests, so you must calculate the value in your pipeline and pass the outcome.
- The PR commits scan feature, if applicable, will override your `--log-opts` argument if you used it in `REPOSITORY_GITLEAKS_ARGUMENTS`.
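As an added example (not MegaLinter's or gitleaks' own code), the following POSIX shell snippet computes the four variables described above on a CI platform without native support. It assumes a checkout with fetch depth 0 so the remote refs exist, and two hypothetical CI-provided variables, `SOURCE_BRANCH` and `TARGET_BRANCH`, that are only set on pull request builds; the shas in the final call are constructed sample values, not real commits. Validating the shas before emitting them means a misconfigured pipeline fails instead of silently scanning the wrong commit range.

```shell
#!/usr/bin/env sh
# Added example, not part of MegaLinter or gitleaks. Assumes fetch-depth 0
# and the hypothetical CI variables SOURCE_BRANCH / TARGET_BRANCH.

# Return 0 if $1 looks like a full 40-character lowercase hex git sha.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Print the KEY=VALUE lines MegaLinter expects for a PR-only gitleaks scan.
# Returns 1 (fail closed) if either sha is malformed, so a broken pipeline
# never hands gitleaks a bogus commit range.
megalinter_pr_env() {
  src="$1"
  tgt="$2"
  is_full_sha "$src" || { echo "bad source sha: $src" >&2; return 1; }
  is_full_sha "$tgt" || { echo "bad target sha: $tgt" >&2; return 1; }
  printf 'PULL_REQUEST=true\n'
  printf 'REPOSITORY_GITLEAKS_PR_COMMITS_SCAN=true\n'
  printf 'REPOSITORY_GITLEAKS_PR_SOURCE_SHA=%s\n' "$src"
  printf 'REPOSITORY_GITLEAKS_PR_TARGET_SHA=%s\n' "$tgt"
}

# Resolve the shas from the remote refs exactly as the docs describe, then
# emit the env. When the branch variables are absent (not a PR build) only
# PULL_REQUEST=false is printed, so PULL_REQUEST is true only on PRs.
resolve_and_emit() {
  if [ -z "${SOURCE_BRANCH:-}" ] || [ -z "${TARGET_BRANCH:-}" ]; then
    printf 'PULL_REQUEST=false\n'
    return 0
  fi
  src=$(git rev-list -n 1 "refs/remotes/origin/${SOURCE_BRANCH}")
  tgt=$(git rev-parse "refs/remotes/origin/${TARGET_BRANCH}")
  megalinter_pr_env "$src" "$tgt"
}

# Constructed sample shas (not real commits) to show the output format.
megalinter_pr_env \
  a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 \
  b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
```

In a pipeline you would call `resolve_and_emit` after the checkout step and feed its output into the job environment (for example `resolve_and_emit > megalinter.env; set -a; . ./megalinter.env; set +a`) before running MegaLinter.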
## Repository checkout on Pull Requests

To scan only PR commits, the shallow fetch for a repository checkout has to be 0. Below is an example configuration for supported platforms:

### GitHub Actions

```yaml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
```

### Azure Pipelines

```yaml
- checkout: self
  fetchDepth: 0
```

### GitLab Pipelines

```yaml
variables:
  GIT_DEPTH: 0
```

### Git

```shell
git fetch --depth=0
```
## gitleaks documentation

- Version in MegaLinter: 8.18.4
- Visit Official Web Site
- See How to configure gitleaks rules
  - If custom `.gitleaks.toml` config file isn't found, .gitleaks.toml will be used
- See How to disable gitleaks rules in files
- See How to ignore files and directories with gitleaks
## Configuration in MegaLinter

- Enable gitleaks by adding `REPOSITORY_GITLEAKS` in ENABLE_LINTERS variable
- Disable gitleaks by adding `REPOSITORY_GITLEAKS` in DISABLE_LINTERS variable

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_GITLEAKS_PR_COMMITS_SCAN | Scan only commits in the current Pull Request/Merge Request | false |
| REPOSITORY_GITLEAKS_PR_SOURCE_SHA | Source commit SHA of the Pull Request/Merge Request | `` |
| REPOSITORY_GITLEAKS_PR_TARGET_SHA | Target commit SHA of the Pull Request/Merge Request | `` |
| REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_GITLEAKS_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_GITLEAKS_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_GITLEAKS and its pre/post commands | None |
| REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file name. Use LINTER_DEFAULT to let the linter find it | .gitleaks.toml |
| REPOSITORY_GITLEAKS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_GITLEAKS_CLI_EXECUTABLE | Override CLI executable | ['gitleaks'] |
## MegaLinter Flavours

This linter is available in the following flavours:

| Flavor | Description | Embedded linters | Info |
|---|---|---|---|
| all | Default MegaLinter Flavor | 125 | |
| c_cpp | Optimized for pure C/C++ projects | 56 | |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 21 | |
| cupcake | MegaLinter for the most commonly used languages | 84 | |
| documentation | MegaLinter for documentation projects | 51 | |
| dotnet | Optimized for C, C++, C# or VB based projects | 63 | |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 72 | |
| go | Optimized for GO based projects | 53 | |
| java | Optimized for JAVA based projects | 54 | |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 61 | |
| php | Optimized for PHP based projects | 56 | |
| python | Optimized for PYTHON based projects | 64 | |
| ruby | Optimized for RUBY based projects | 52 | |
| rust | Optimized for RUST based projects | 52 | |
| salesforce | Optimized for Salesforce based projects | 56 | |
| security | Optimized for security | 24 | |
| swift | Optimized for SWIFT based projects | 52 | |
| terraform | Optimized for TERRAFORM based projects | 56 | |
## Behind the scenes

### How applicable files are identified

- If this linter is active, all files will always be linted

### How the linting is performed

- gitleaks is called once on the whole project directory (`project` CLI lint mode)
- Filtering can not be done using MegaLinter configuration variables; it must be done using the gitleaks configuration or ignore file (if existing)
- `VALIDATE_ALL_CODEBASE: false` doesn't make gitleaks analyze only updated files
### Example calls

```shell
gitleaks detect --redact --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --redact --no-git --verbose --source .
```
### Help content

```text
Gitleaks scans code, past or present, for secrets

Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  detect      detect secrets in code
  help        Help about any command
  protect     protect secrets in code
  version     display gitleaks version

Flags:
  -b, --baseline-path string       path to baseline with issues that can be ignored
  -c, --config string              config file path
                                   order of precedence:
                                   1. --config/-c
                                   2. env var GITLEAKS_CONFIG
                                   3. (--source/-s)/.gitleaks.toml
                                   If none of the three options are used, then gitleaks will use the default config
      --enable-rule strings        only enable specific rules by id, ex: gitleaks detect --enable-rule=atlassian-api-token --enable-rule=slack-access-token
      --exit-code int              exit code when leaks have been encountered (default 1)
      --follow-symlinks            scan files that are symlinks to other files
  -i, --gitleaks-ignore-path string   path to .gitleaksignore file or folder containing one (default ".")
  -h, --help                       help for gitleaks
      --ignore-gitleaks-allow      ignore gitleaks:allow comments
  -l, --log-level string           log level (trace, debug, info, warn, error, fatal) (default "info")
      --log-opts string            git log options
      --max-target-megabytes int   files larger than this will be skipped
      --no-banner                  suppress banner
      --no-color                   turn off color for verbose output
      --redact uint[=100]          redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
  -f, --report-format string       output format (json, csv, junit, sarif) (default "json")
  -r, --report-path string         report file
  -s, --source string              path to source (default ".")
  -v, --verbose                    show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.
```
### Installation on mega-linter Docker image

- Dockerfile commands:

```dockerfile
# renovate: datasource=docker depName=zricethezav/gitleaks
ARG REPOSITORY_GITLEAKS_VERSION=v8.18.4
FROM zricethezav/gitleaks:${REPOSITORY_GITLEAKS_VERSION} as gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
```