Skip to content

gitleaks

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

Scan only Pull Request commits

VALIDATE_ALL_CODEBASE: false doesn't make gitleaks analyze only updated files. To analyze only commits on Pull Request, set VALIDATE_ALL_CODEBASE: false together with REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true (you have to specify it explicitly), but only works for selected platforms: GitHub Actions, Azure Pipelines, GitLab Pipelines* (Merge Requests and External Pull Requests)

  • * Only GitLab self-managed and GitLab SaaS (Premium and Ultimate) are supported (limitation due to GitLab itself) and Merge result pipelines feature has to be enabled.
  • If MegaLinter with the gitleaks runs on PR on the not listed platform above, then the analysis is performed on the whole repository - default gitleaks behavior (checked-out commits, depends on fetch-depth configuration).
    • You can still scan only PR commits in your CI/CD platform by setting MegaLinter envs: PULL_REQUEST=true*, REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: true, REPOSITORY_GITLEAKS_PR_SOURCE_SHA with last commit sha from your PR and REPOSITORY_GITLEAKS_PR_TARGET_SHA commit sha from your target branch (for example, main if you do PR to main branch). Example on how to get source commit sha git rev-list -n 1 refs/remotes/origin/<source_branch> and target commit sha git rev-parse refs/remotes/origin/<target_branch>
      • * PULL_REQUEST environment variable must be set to true only on Pull Requests, so you must calculate the value in your pipeline and pass the outcome.
  • PR commits scan feature, if applicable, will override your --log-opts argument if you used it in the REPOSITORY_GITLEAKS_ARGUMENTS.

Repository checkout on Pull Requests

To scan only PR commits, the shallow fetch for a repository checkout has to be 0. Below is an example configuration for supported platforms:

GitHub Actions

- uses: actions/checkout@v4
  with:
    fetch-depth: 0

Azure Pipelines

- checkout: self
  fetchDepth: 0

GitLab Pipelines

variables:
  GIT_DEPTH: 0

Git

git fetch --depth=0

gitleaks documentation

gitleaks - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_GITLEAKS_PR_COMMITS_SCAN Scan only commits in the current Pull Request/Merge Request false
REPOSITORY_GITLEAKS_PR_SOURCE_SHA Source commit SHA of the Pull Request/Merge Request ``
REPOSITORY_GITLEAKS_PR_TARGET_SHA Target commit SHA of the Pull Request/Merge Request ``
REPOSITORY_GITLEAKS_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_GITLEAKS_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
REPOSITORY_GITLEAKS_CLI_LINT_MODE Override default CLI lint mode
⚠️ As default value is project, overriding might not work
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
project
REPOSITORY_GITLEAKS_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_GITLEAKS_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_GITLEAKS_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling REPOSITORY_GITLEAKS and its pre/post commands None
REPOSITORY_GITLEAKS_CONFIG_FILE gitleaks configuration file nameUse LINTER_DEFAULT to let the linter find it .gitleaks.toml
REPOSITORY_GITLEAKS_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_GITLEAKS_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
REPOSITORY_GITLEAKS_CLI_EXECUTABLE Override CLI executable ['gitleaks']

MegaLinter Flavors

This linter is available in the following flavors

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 124 Docker Image Size (tag) Docker Pulls
c_cpp Optimized for pure C/C++ projects 54 Docker Image Size (tag) Docker Pulls
ci_light Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas,XML 21 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 84 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 49 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 62 Docker Image Size (tag) Docker Pulls
dotnetweb Optimized for C, C++, C# or VB based projects with JS/TS 71 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 51 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 53 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 59 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 54 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 62 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 50 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 50 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 54 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 50 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 54 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

gitleaks is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using gitleaks configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make gitleaks analyze only updated files

Example calls

gitleaks detect --redact --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --redact --no-git --verbose --source .

Help content

Gitleaks scans code, past or present, for secrets

Usage:
  gitleaks [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  dir         scan directories or files for secrets
  git         scan git repositories for secrets
  help        Help about any command
  stdin       detect secrets from stdin
  version     display gitleaks version

Flags:
  -b, --baseline-path string          path to baseline with issues that can be ignored
  -c, --config string                 config file path
                                      order of precedence:
                                      1. --config/-c
                                      2. env var GITLEAKS_CONFIG
                                      3. (target path)/.gitleaks.toml
                                      If none of the three options are used, then gitleaks will use the default config
      --enable-rule strings           only enable specific rules by id
      --exit-code int                 exit code when leaks have been encountered (default 1)
  -i, --gitleaks-ignore-path string   path to .gitleaksignore file or folder containing one (default ".")
  -h, --help                          help for gitleaks
      --ignore-gitleaks-allow         ignore gitleaks:allow comments
  -l, --log-level string              log level (trace, debug, info, warn, error, fatal) (default "info")
      --max-decode-depth int          allow recursive decoding up to this depth (default "0", no decoding is done)
      --max-target-megabytes int      files larger than this will be skipped
      --no-banner                     suppress banner
      --no-color                      turn off color for verbose output
      --redact uint[=100]             redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
  -f, --report-format string          output format (json, jsonextra, csv, junit, sarif, template) (default "json")
  -r, --report-path string            report file
      --report-template string        template file used to generate the report (implies --report-format=template)
  -v, --verbose                       show verbose output from scan

Use "gitleaks [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
# renovate: datasource=docker depName=zricethezav/gitleaks
ARG REPOSITORY_GITLEAKS_VERSION=v8.22.0
FROM zricethezav/gitleaks:${REPOSITORY_GITLEAKS_VERSION} AS gitleaks
COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/