secretlint
secretlint documentation
- Version in MegaLinter: 8.2.4
- Visit Official Web Site
- See How to configure secretlint rules
  - If no custom .secretlintrc.json config file is found, the default .secretlintrc.json will be used
- See How to ignore files and directories with secretlint
  - You can define a .secretlintignore file to ignore files and folders
- See Index of problems detected by secretlint
Configuration in MegaLinter
- Enable secretlint by adding REPOSITORY_SECRETLINT in ENABLE_LINTERS variable
- Disable secretlint by adding REPOSITORY_SECRETLINT in DISABLE_LINTERS variable
| Variable | Description | Default value | 
|---|---|---|
| REPOSITORY_SECRETLINT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| REPOSITORY_SECRETLINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
| REPOSITORY_SECRETLINT_PRE_COMMANDS | List of bash commands to run before the linter | None | 
| REPOSITORY_SECRETLINT_POST_COMMANDS | List of bash commands to run after the linter | None | 
| REPOSITORY_SECRETLINT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_SECRETLINT and its pre/post commands | None | 
| REPOSITORY_SECRETLINT_CONFIG_FILE | secretlint configuration file name. Use LINTER_DEFAULT to let the linter find it | .secretlintrc.json |
| REPOSITORY_SECRETLINT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules | 
| REPOSITORY_SECRETLINT_DISABLE_ERRORS | Run linter but consider errors as warnings | false | 
| REPOSITORY_SECRETLINT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 | 
| REPOSITORY_SECRETLINT_CLI_EXECUTABLE | Override CLI executable | ['secretlint'] | 
MegaLinter Flavours
This linter is available in the following flavours
| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 125 |
| c_cpp | Optimized for pure C/C++ projects | 56 |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 21 |
| cupcake | MegaLinter for the most commonly used languages | 84 |
| documentation | MegaLinter for documentation projects | 51 |
| dotnet | Optimized for C, C++, C# or VB based projects | 63 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 72 |
| go | Optimized for GO based projects | 53 |
| java | Optimized for JAVA based projects | 54 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 61 |
| php | Optimized for PHP based projects | 56 |
| python | Optimized for PYTHON based projects | 64 |
| ruby | Optimized for RUBY based projects | 52 |
| rust | Optimized for RUST based projects | 52 |
| salesforce | Optimized for Salesforce based projects | 56 |
| security | Optimized for security | 24 |
| swift | Optimized for SWIFT based projects | 52 |
| terraform | Optimized for TERRAFORM based projects | 56 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
secretlint is called once on the whole project directory (project CLI lint mode)
- Filtering cannot be done using MegaLinter configuration variables; it must be done using secretlint configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make secretlint analyze only updated files
Example calls
secretlint "*/**"
secretlint --secretlintrc .secretlintrc.json "**/*"
Help content
  Secretlint CLI that scan secret/credential data.
  Usage
    $ secretlint [file|glob*]
  Note
    supported glob syntax is based on microglob
    https://github.com/micromatch/micromatch#matching-features
  Options
    --init             setup config file. Create .secretlintrc.json file from your package.json
    --format           [String] formatter name. Default: "stylish". Available Formatter: checkstyle, compact, jslint-xml, junit, pretty-error, stylish, tap, unix, json, mask-result, table
    --output           [path:String] output file path that is written of reported result.
    --no-color         disable ANSI-color of output.
    --no-terminalLink  disable terminalLink of output.
    --maskSecrets      enable masking of secret values. replace actual secrets with "***".
    --secretlintrc     [path:String] path to .secretlintrc config file. Default: .secretlintrc.*
    --secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore
  Options for Developer
    --profile          Enable performance profile.
    --secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.
  Experimental Options
    --locale            [String] locale tag for translating message. Default: en
  Examples
    $ secretlint ./README.md
    # glob pattern should be wrapped with double quote
    $ secretlint "**/*"
    $ secretlint "source/**/*.ini"
    # found secrets and mask the secrets
    $ secretlint .zsh_history --format=mask-result --output=.zsh_history
  Exit Status
    Secretlint exits with the following values:
    - 0:
      - Linting succeeded, no errors found.
      - Found lint error but --output is specified.
    - 1:
      - Linting failed, errors found.
    - 2:
      - Unexpected error occurred, fatal error.
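A local or pre-commit gate built on the exit statuses listed above, as an added example (not MegaLinter or secretlint project code). `secret_gate` and the `SECRETLINT_BIN` override are hypothetical names; only options shown in the help text are used.

```shell
#!/bin/sh
# Added example: a gate around the secretlint CLI.
# SECRETLINT_BIN is a hypothetical override so the function can be exercised
# with a stub; by default the real `secretlint` executable is called.

# secret_gate REPORT [GLOB...]
# Returns 0 when clean, 1 when secrets were reported, 2 when the scan failed.
secret_gate() {
    report=$1
    shift
    # Default to the whole tree; the glob stays quoted so secretlint, not the
    # shell, expands it (as the help text recommends).
    [ "$#" -gt 0 ] || set -- "**/*"

    # stdout is redirected instead of passing --output: per the help text,
    # secretlint exits 0 on lint errors when --output is specified, which
    # would make a failing scan look clean to the caller.
    # --maskSecrets keeps the matched values out of the stored report.
    status=0
    "${SECRETLINT_BIN:-secretlint}" --maskSecrets --format json "$@" \
        >"$report" || status=$?

    case "$status" in
        0)  echo "secretlint: no findings" >&2
            return 0 ;;
        1)  echo "secretlint: findings written to $report" >&2
            return 1 ;;
        *)  # 2 is the documented fatal error; any other value is unexpected.
            # Fail closed: a scan that did not complete is not a clean scan.
            echo "secretlint: scan did not complete (exit $status)" >&2
            return 2 ;;
    esac
}
```

Call it as `secret_gate secretlint-report.json` and block the commit or job on any non-zero return.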
Installation on mega-linter Docker image
- NPM packages (node.js):
