gitleaks
Scan only Pull Request commits
`VALIDATE_ALL_CODEBASE: false` doesn't make gitleaks analyze only updated files. To analyze only the commits of a Pull Request, set `VALIDATE_ALL_CODEBASE: false` together with `REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true` (you have to specify it explicitly). This only works on the supported platforms: GitHub Actions, Azure Pipelines and GitLab Pipelines* (Merge Requests and External Pull Requests).
- * Only GitLab self-managed and GitLab SaaS (Premium and Ultimate) are supported (a limitation of GitLab itself), and the Merge result pipelines feature has to be enabled.
- If MegaLinter with gitleaks runs on a PR on a platform not listed above, the analysis is performed on the whole repository, which is the default gitleaks behavior (the checked-out commits, which depend on the fetch-depth configuration).
- You can still scan only PR commits on your CI/CD platform by setting the MegaLinter envs `PULL_REQUEST=true`*, `REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true`, `REPOSITORY_GITLEAKS_PR_SOURCE_SHA` with the last commit sha of your PR and `REPOSITORY_GITLEAKS_PR_TARGET_SHA` with the commit sha of your target branch (for example, `main` if you open the PR against the main branch). Example of how to get the source commit sha: `git rev-list -n 1 refs/remotes/origin/<source_branch>`; and the target commit sha: `git rev-parse refs/remotes/origin/<target_branch>`.
  - * The `PULL_REQUEST` environment variable must be set to `true` only on Pull Requests, so you must calculate the value in your pipeline and pass the outcome.
- The PR commits scan feature, if applicable, will override your `--log-opts` argument if you used it in `REPOSITORY_GITLEAKS_ARGUMENTS`.
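The following is an added example (not part of the MegaLinter docs or project) that derives these four variables in a pipeline step with the two git commands quoted above; it assumes a full checkout (fetch-depth 0) so that the `refs/remotes/origin/*` refs exist, and that the pipeline passes the repository directory, source branch and target branch as arguments.

```shell
#!/bin/sh
# Added example, not part of the MegaLinter docs: derive the environment that
# restricts gitleaks to the PR commits, using the git commands the page quotes.
# Assumed: the checkout was made with fetch-depth 0 so refs/remotes/origin/*
# exist; repo dir, source and target branch are passed in by the pipeline.
set -eu

# Source sha = last commit of the PR branch, target sha = tip of the target
# branch, both read from the remote-tracking refs (as in the docs above).
pr_commit_range() {
  repo="$1"; src_branch="$2"; tgt_branch="$3"
  src_sha=$(git -C "$repo" rev-list -n 1 "refs/remotes/origin/$src_branch")
  tgt_sha=$(git -C "$repo" rev-parse "refs/remotes/origin/$tgt_branch")
  printf '%s %s\n' "$src_sha" "$tgt_sha"
}

# Print KEY=VALUE lines for MegaLinter. PULL_REQUEST must be true only on
# PR builds, so an empty source branch (a plain branch build) yields
# PULL_REQUEST=false and no SHAs: gitleaks then scans the whole checkout.
megalinter_gitleaks_env() {
  repo="$1"; src_branch="${2:-}"; tgt_branch="${3:-main}"
  if [ -z "$src_branch" ]; then
    printf 'PULL_REQUEST=false\n'
    return 0
  fi
  set -- $(pr_commit_range "$repo" "$src_branch" "$tgt_branch")
  printf 'PULL_REQUEST=true\n'
  printf 'REPOSITORY_GITLEAKS_PR_COMMITS_SCAN=true\n'
  printf 'REPOSITORY_GITLEAKS_PR_SOURCE_SHA=%s\n' "$1"
  printf 'REPOSITORY_GITLEAKS_PR_TARGET_SHA=%s\n' "$2"
}

# Constructed fixture: a throwaway origin with main and a feature branch,
# cloned so that refs/remotes/origin/* look like a CI checkout.
make_fixture_repo() {
  export GIT_AUTHOR_NAME=ci GIT_AUTHOR_EMAIL=ci@example.invalid
  export GIT_COMMITTER_NAME=ci GIT_COMMITTER_EMAIL=ci@example.invalid
  tmp=$(mktemp -d); origin="$tmp/origin_repo"
  git init -q "$origin"
  git -C "$origin" symbolic-ref HEAD refs/heads/main
  echo base > "$origin/README"; git -C "$origin" add README; git -C "$origin" commit -q -m base
  git -C "$origin" checkout -q -b feature
  echo cfg > "$origin/app.cfg"; git -C "$origin" add app.cfg; git -C "$origin" commit -q -m feature
  git clone -q "$origin" "$tmp/ci_checkout"
  printf '%s\n' "$tmp/ci_checkout"
}

# Usage in a pipeline step (assumed variable names), e.g. on GitHub Actions:
#   megalinter_gitleaks_env . "$SOURCE_BRANCH" "$TARGET_BRANCH" >> "$GITHUB_ENV"
```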
Repository checkout on Pull Requests
To scan only PR commits, the shallow fetch for the repository checkout has to be 0 (a full history). Below is an example configuration for the supported platforms:
GitHub Actions
```yaml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
```
Azure Pipelines
```yaml
- checkout: self
  fetchDepth: 0
```
GitLab Pipelines
```yaml
variables:
  GIT_DEPTH: 0
```
Git
```shell
git fetch --depth=0
```
gitleaks documentation
- Version in MegaLinter: 8.22.0
- Visit Official Web Site
- See How to configure gitleaks rules
- If a custom `.gitleaks.toml` config file isn't found, the default `.gitleaks.toml` will be used
- See How to disable gitleaks rules in files
- See How to ignore files and directories with gitleaks
Configuration in MegaLinter
- Enable gitleaks by adding `REPOSITORY_GITLEAKS` in the `ENABLE_LINTERS` variable
- Disable gitleaks by adding `REPOSITORY_GITLEAKS` in the `DISABLE_LINTERS` variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_GITLEAKS_PR_COMMITS_SCAN | Scan only commits in the current Pull Request/Merge Request | false |
REPOSITORY_GITLEAKS_PR_SOURCE_SHA | Source commit SHA of the Pull Request/Merge Request | `` |
REPOSITORY_GITLEAKS_PR_TARGET_SHA | Target commit SHA of the Pull Request/Merge Request | `` |
REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in the linter CLI call. Ex: `-s --foo "bar"` | |
REPOSITORY_GITLEAKS_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from the command line before calling the linter. Ex: `-s --foo "bar"` | |
REPOSITORY_GITLEAKS_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As the default value is `project`, overriding might not work. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | project |
REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_GITLEAKS_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_GITLEAKS and its pre/post commands | None |
REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file name. Use `LINTER_DEFAULT` to let the linter find it | .gitleaks.toml |
REPOSITORY_GITLEAKS_RULES_PATH | Path where to find the linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run the linter but consider errors as warnings | false |
REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_GITLEAKS_CLI_EXECUTABLE | Override CLI executable | ['gitleaks'] |
MegaLinter Flavors
This linter is available in the following flavors:
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 124 |
c_cpp | Optimized for pure C/C++ projects | 54 |
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 21 |
cupcake | MegaLinter for the most commonly used languages | 84 |
documentation | MegaLinter for documentation projects | 49 |
dotnet | Optimized for C, C++, C# or VB based projects | 62 |
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 71 |
go | Optimized for GO based projects | 51 |
java | Optimized for JAVA based projects | 53 |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 |
php | Optimized for PHP based projects | 54 |
python | Optimized for PYTHON based projects | 62 |
ruby | Optimized for RUBY based projects | 50 |
rust | Optimized for RUST based projects | 50 |
salesforce | Optimized for Salesforce based projects | 54 |
security | Optimized for security | 24 |
swift | Optimized for SWIFT based projects | 50 |
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
- gitleaks is called once on the whole project directory (`project` CLI lint mode)
- filtering cannot be done using MegaLinter configuration variables; it must be done using the gitleaks configuration or ignore file (if it exists)
- `VALIDATE_ALL_CODEBASE: false` doesn't make gitleaks analyze only updated files
Example calls
```shell
gitleaks detect --redact --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --redact --no-git --verbose --source .
```
Help content
```text
Gitleaks scans code, past or present, for secrets

Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  dir         scan directories or files for secrets
  git         scan git repositories for secrets
  help        Help about any command
  stdin       detect secrets from stdin
  version     display gitleaks version

Flags:
  -b, --baseline-path string          path to baseline with issues that can be ignored
  -c, --config string                 config file path
                                      order of precedence:
                                        1. --config/-c
                                        2. env var GITLEAKS_CONFIG
                                        3. (target path)/.gitleaks.toml
                                      If none of the three options are used, then gitleaks will use the default config
      --enable-rule strings           only enable specific rules by id
      --exit-code int                 exit code when leaks have been encountered (default 1)
  -i, --gitleaks-ignore-path string   path to .gitleaksignore file or folder containing one (default ".")
  -h, --help                          help for gitleaks
      --ignore-gitleaks-allow         ignore gitleaks:allow comments
  -l, --log-level string              log level (trace, debug, info, warn, error, fatal) (default "info")
      --max-decode-depth int          allow recursive decoding up to this depth (default "0", no decoding is done)
      --max-target-megabytes int      files larger than this will be skipped
      --no-banner                     suppress banner
      --no-color                      turn off color for verbose output
      --redact uint[=100]             redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
  -f, --report-format string          output format (json, jsonextra, csv, junit, sarif, template) (default "json")
  -r, --report-path string            report file
      --report-template string        template file used to generate the report (implies --report-format=template)
  -v, --verbose                       show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.
```
Installation on mega-linter Docker image
- Dockerfile commands:
```dockerfile
# renovate: datasource=docker depName=zricethezav/gitleaks
ARG REPOSITORY_GITLEAKS_VERSION=v8.22.0
FROM zricethezav/gitleaks:${REPOSITORY_GITLEAKS_VERSION} AS gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
```