secretlint
secretlint documentation
- Version in MegaLinter: 9.0.0
- Visit Official Web Site
- See How to configure secretlint rules
  - If a custom `.secretlintrc.json` config file isn't found, MegaLinter's default `.secretlintrc.json` will be used
- See How to ignore files and directories with secretlint
  - You can define a `.secretlintignore` file to ignore files and folders
- See Index of problems detected by secretlint
Configuration in MegaLinter
- Enable secretlint by adding `REPOSITORY_SECRETLINT` in ENABLE_LINTERS variable
- Disable secretlint by adding `REPOSITORY_SECRETLINT` in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_SECRETLINT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
REPOSITORY_SECRETLINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
REPOSITORY_SECRETLINT_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As default value is project, overriding might not work. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | project |
REPOSITORY_SECRETLINT_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_SECRETLINT_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_SECRETLINT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_SECRETLINT and its pre/post commands | None |
REPOSITORY_SECRETLINT_CONFIG_FILE | secretlint configuration file name. Use LINTER_DEFAULT to let the linter find it | .secretlintrc.json |
REPOSITORY_SECRETLINT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_SECRETLINT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_SECRETLINT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_SECRETLINT_CLI_EXECUTABLE | Override CLI executable | ['secretlint'] |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 125 |
c_cpp | Optimized for pure C/C++ projects | 53 |
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 21 |
cupcake | MegaLinter for the most commonly used languages | 85 |
documentation | MegaLinter for documentation projects | 48 |
dotnet | Optimized for C, C++, C# or VB based projects | 61 |
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 70 |
go | Optimized for GO based projects | 50 |
java | Optimized for JAVA based projects | 52 |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 58 |
php | Optimized for PHP based projects | 53 |
python | Optimized for PYTHON based projects | 62 |
ruby | Optimized for RUBY based projects | 49 |
rust | Optimized for RUST based projects | 49 |
salesforce | Optimized for Salesforce based projects | 53 |
security | Optimized for security | 24 |
swift | Optimized for SWIFT based projects | 49 |
terraform | Optimized for TERRAFORM based projects | 53 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
secretlint is called once on the whole project directory (`project` CLI lint mode)
- Filtering cannot be done using MegaLinter configuration variables; it must be done using the secretlint configuration or ignore file (if existing)
- `VALIDATE_ALL_CODEBASE: false` doesn't make secretlint analyze only updated files
Example calls
```shell
secretlint "*/**"
secretlint --secretlintrc .secretlintrc.json "**/*"
```
Help content
```text
Secretlint CLI that scan secret/credential data.

Usage
  $ secretlint [file|glob*]

Note
  supported glob syntax is based on microglob
  https://github.com/micromatch/micromatch#matching-features

Options
  --init             setup config file. Create .secretlintrc.json file from your package.json
  --format           [String] formatter name. Default: "stylish". Available Formatter: checkstyle, compact, jslint-xml, junit, pretty-error, stylish, tap, unix, json, mask-result, table
  --output           [path:String] output file path that is written of reported result.
  --no-color         disable ANSI-color of output.
  --no-terminalLink  disable terminalLink of output.
  --maskSecrets      enable masking of secret values. replace actual secrets with "***".
  --secretlintrc     [path:String] path to .secretlintrc config file. Default: .secretlintrc.*
  --secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore

Options for Developer
  --profile          Enable performance profile.
  --secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.

Experimental Options
  --locale           [String] locale tag for translating message. Default: en

Examples
  $ secretlint ./README.md
  # glob pattern should be wrapped with double quote
  $ secretlint "**/*"
  $ secretlint "source/**/*.ini"
  # found secrets and mask the secrets
  $ secretlint .zsh_history --format=mask-result --output=.zsh_history

Exit Status
  Secretlint exits with the following values:
  - 0:
    - Linting succeeded, no errors found.
    - Found lint error but --output is specified.
  - 1:
    - Linting failed, errors found.
  - 2:
    - Unexpected error occurred, fatal error.
```
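The exit statuses above matter when secretlint is used as a pipeline gate: with `--output`, the CLI exits 0 even when secrets are found, and exit 2 means the scan did not complete. The wrapper below is an added example, not part of secretlint or MegaLinter; the names `secretlint_gate` and `SECRETLINT_BIN` and the wrapper's own return codes are assumptions chosen here.

```shell
#!/bin/sh
# Added example: a CI gate around the secretlint CLI, built only on the
# exit statuses and options listed in the help text above.
# SECRETLINT_BIN (hypothetical) lets the executable be overridden.
SECRETLINT_BIN="${SECRETLINT_BIN:-secretlint}"

# Wrapper return codes (chosen for this example):
#   0 = clean, 1 = secrets found, 2 = scan did not complete,
#   3 = refused, because the arguments make the exit status meaningless.
secretlint_gate() {
    for arg in "$@"; do
        case "$arg" in
            --output|--output=*)
                # With --output, secretlint exits 0 even when it finds secrets,
                # so a gate that trusts the exit status would pass silently.
                echo "secretlint_gate: refusing --output in a gating run" >&2
                return 3
                ;;
        esac
    done

    # --maskSecrets replaces matched values with "***" so that the
    # findings do not copy the secret itself into CI logs.
    status=0
    "$SECRETLINT_BIN" --maskSecrets "$@" || status=$?

    case "$status" in
        0) return 0 ;;
        1) echo "secretlint_gate: secrets detected" >&2
           return 1 ;;
        *) # Exit 2 (or anything unexpected) is a failed scan, not a clean one.
           echo "secretlint_gate: scan failed (exit $status)" >&2
           return 2 ;;
    esac
}

# Typical use from the repository root, with the glob quoted as the help requires:
#   secretlint_gate --secretlintrc .secretlintrc.json "**/*"
```

The same caveat applies to `REPOSITORY_SECRETLINT_ARGUMENTS`: adding `--output` there changes what exit status MegaLinter receives from the linter.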
Installation on mega-linter Docker image
- NPM packages (node.js):