Skip to content

gitleaks

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

Scan only Pull Request commits

VALIDATE_ALL_CODEBASE: false doesn't make gitleaks analyze only updated files. To analyze only commits on Pull Request, set VALIDATE_ALL_CODEBASE: false together with REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true (you have to specify it explicitly), but only works for selected platforms: GitHub Actions, Azure Pipelines, GitLab Pipelines* (Merge Requests and External Pull Requests)

  • * Only GitLab self-managed and GitLab SaaS (Premium and Ultimate) are supported (limitation due to GitLab itself) and Merge result pipelines feature has to be enabled.
  • If MegaLinter with the gitleaks runs on PR on the not listed platform above, then the analysis is performed on the whole repository - default gitleaks behavior (checked-out commits, depends on fetch-depth configuration).
    • You can still scan only PR commits in your CI/CD platform by setting MegaLinter envs: PULL_REQUEST=true*, REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true, REPOSITORY_GITLEAKS_PR_SOURCE_SHA with last commit sha from your PR and REPOSITORY_GITLEAKS_PR_TARGET_SHA commit sha from your target branch (for example, main if you do PR to main branch). Example on how to get source commit sha git rev-list -n 1 refs/remotes/origin/<source_branch> and target commit sha git rev-parse refs/remotes/origin/<target_branch>
      • * PULL_REQUEST environment variable must be set to true only on Pull Requests, so you must calculate the value in your pipeline and pass the outcome.
  • PR commits scan feature, if applicable, will override your --log-opts argument if you used it in the REPOSITORY_GITLEAKS_ARGUMENTS.

Repository checkout on Pull Requests

To scan only PR commits, the shallow fetch for a repository checkout has to be 0. Below is an example configuration for supported platforms:

GitHub Actions

- uses: actions/checkout@v4
  with:
    fetch-depth: 0

Azure Pipelines

- checkout: self
  fetchDepth: 0

GitLab Pipelines

variables:
  GIT_DEPTH: 0

Git

git fetch --depth=0

gitleaks documentation

gitleaks - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_GITLEAKS_PR_COMMITS_SCAN Scan only commits in the current Pull Request/Merge Request false
REPOSITORY_GITLEAKS_PR_SOURCE_SHA Source commit SHA of the Pull Request/Merge Request ``
REPOSITORY_GITLEAKS_PR_TARGET_SHA Target commit SHA of the Pull Request/Merge Request ``
REPOSITORY_GITLEAKS_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_GITLEAKS_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
REPOSITORY_GITLEAKS_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_GITLEAKS_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_GITLEAKS_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling REPOSITORY_GITLEAKS and its pre/post commands None
REPOSITORY_GITLEAKS_CONFIG_FILE gitleaks configuration file nameUse LINTER_DEFAULT to let the linter find it .gitleaks.toml
REPOSITORY_GITLEAKS_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_GITLEAKS_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
REPOSITORY_GITLEAKS_CLI_EXECUTABLE Override CLI executable ['gitleaks']

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 125 Docker Image Size (tag) Docker Pulls
c_cpp Optimized for pure C/C++ projects 56 Docker Image Size (tag) Docker Pulls
ci_light Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML 21 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 84 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 51 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 63 Docker Image Size (tag) Docker Pulls
dotnetweb Optimized for C, C++, C# or VB based projects with JS/TS 72 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 53 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 54 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 61 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 56 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 64 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 52 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 52 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 56 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 52 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 56 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

gitleaks is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using gitleaks configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make gitleaks analyze only updated files

Example calls

gitleaks detect --redact --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --redact --no-git --verbose --source .

Help content

Gitleaks scans code, past or present, for secrets

Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  detect      detect secrets in code
  help        Help about any command
  protect     protect secrets in code
  version     display gitleaks version

Flags:
  -b, --baseline-path string                                                                             path to baseline with issues that can be ignored
  -c, --config string                                                                                    config file path
                                                                                                         order of precedence:
                                                                                                         1. --config/-c
                                                                                                         2. env var GITLEAKS_CONFIG
                                                                                                         3. (--source/-s)/.gitleaks.toml
                                                                                                         If none of the three options are used, then gitleaks will use the default config
      --enable-rule gitleaks detect --enable-rule=atlassian-api-token --enable-rule=slack-access-token   only enable specific rules by id, ex: gitleaks detect --enable-rule=atlassian-api-token --enable-rule=slack-access-token
      --exit-code int                                                                                    exit code when leaks have been encountered (default 1)
      --follow-symlinks                                                                                  scan files that are symlinks to other files
  -i, --gitleaks-ignore-path string                                                                      path to .gitleaksignore file or folder containing one (default ".")
  -h, --help                                                                                             help for gitleaks
      --ignore-gitleaks-allow                                                                            ignore gitleaks:allow comments
  -l, --log-level string                                                                                 log level (trace, debug, info, warn, error, fatal) (default "info")
      --log-opts string                                                                                  git log options
      --max-target-megabytes int                                                                         files larger than this will be skipped
      --no-banner                                                                                        suppress banner
      --no-color                                                                                         turn off color for verbose output
      --redact uint[=100]                                                                                redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
  -f, --report-format string                                                                             output format (json, csv, junit, sarif) (default "json")
  -r, --report-path string                                                                               report file
  -s, --source string                                                                                    path to source (default ".")
  -v, --verbose                                                                                          show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
# renovate: datasource=docker depName=zricethezav/gitleaks
ARG REPOSITORY_GITLEAKS_VERSION=v8.18.4
FROM zricethezav/gitleaks:${REPOSITORY_GITLEAKS_VERSION} as gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/