secretlint
SecretLint is a comprehensive secrets detection tool that prevents sensitive information such as API keys, passwords, and tokens from being committed to version control. It provides a pluggable architecture with extensive rule sets for detecting many types of secrets across different platforms and services.
Key Features:
- Extensive Rule Library: Built-in detection for AWS, GitHub, Slack, Google, and dozens of other service credentials
- Pluggable Architecture: Modular rule system allowing custom secret patterns and organization-specific detection
- Multiple Output Formats: Supports JSON, SARIF, and other formats for integration with security tools and platforms
- Configuration Flexibility: Highly configurable with support for custom rules, ignore patterns, and severity levels
- Ignore System: Sophisticated ignore patterns for managing false positives and legacy secrets
- Team Collaboration: Shared configuration files ensure consistent secret detection across development teams
- Performance Optimized: Fast scanning suitable for large repositories and automated workflows
- Open Source: Community-driven with transparent detection rules and continuous updates
secretlint documentation
- Version in MegaLinter: 10.2.0
- Visit Official Web Site
- See How to configure secretlint rules
  - If no custom .secretlintrc.json config file is found in the workspace, MegaLinter's default .secretlintrc.json will be used
- See How to ignore files and directories with secretlint
  - You can define a .secretlintignore file to ignore files and folders
- See Index of problems detected by secretlint
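Worked example, added here and not taken from the secretlint or MegaLinter documentation: a .secretlintrc.json that enables @secretlint/secretlint-rule-preset-recommend (the preset installed in the MegaLinter image, see the Dockerfile arguments at the end of this page) and tunes two rules inside it. The nested rules list, the allows option and the per-rule severity key are secretlint's configuration keys; @secretlint/secretlint-rule-aws and @secretlint/secretlint-rule-npm are rules from that preset, and the allow-listed value is the placeholder access key ID used throughout AWS documentation, chosen here as a constructed example of a known non-secret. JSON carries no comments, so the intent of each entry is explained here rather than inline.

```json
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend",
      "rules": [
        {
          "id": "@secretlint/secretlint-rule-aws",
          "options": {
            "allows": ["AKIAIOSFODNN7EXAMPLE"]
          }
        },
        {
          "id": "@secretlint/secretlint-rule-npm",
          "severity": "warning"
        }
      ]
    }
  ]
}
```

The first override stops the AWS rule from flagging the documentation placeholder wherever it appears; the second downgrades npm-token findings to warnings without disabling the rule. Prefer narrow allows entries for known placeholder values over adding whole files to .secretlintignore: an ignored file is never scanned again, so a real credential added to it later goes unnoticed. Because MegaLinter runs secretlint once over the entire project (see Behind the scenes), .secretlintignore, one path pattern per line, is the only place path exclusions take effect.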
Configuration in MegaLinter
- Enable secretlint by adding REPOSITORY_SECRETLINT in ENABLE_LINTERS variable
- Disable secretlint by adding REPOSITORY_SECRETLINT in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_SECRETLINT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
REPOSITORY_SECRETLINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: -s --foo "bar" | |
REPOSITORY_SECRETLINT_CLI_LINT_MODE | Override default CLI lint mode ⚠️ As default value is project, overriding might not work. file: calls the linter for each file; list_of_files: calls the linter with the list of files as argument; project: calls the linter from the root of the project | project |
REPOSITORY_SECRETLINT_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_SECRETLINT_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_SECRETLINT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_SECRETLINT and its pre/post commands | None |
REPOSITORY_SECRETLINT_CONFIG_FILE | secretlint configuration file name. Use LINTER_DEFAULT to let the linter find it | .secretlintrc.json |
REPOSITORY_SECRETLINT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_SECRETLINT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_SECRETLINT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_SECRETLINT_CLI_EXECUTABLE | Override CLI executable | ['secretlint'] |
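Worked example, added here rather than taken from the MegaLinter docs: a .mega-linter.yml that turns the variables from the table above into a working configuration. Only the variable names come from the table; the chosen flag (--no-terminalLink, from the secretlint help further down this page) and the comments are this example's own.

```yaml
# .mega-linter.yml (added example; variable names are from the table above)
ENABLE_LINTERS:
  - REPOSITORY_SECRETLINT

# Keep secretlint findings as hard errors: a leaked credential must fail the run.
# false and 0 are already the defaults; they are spelled out so nobody relaxes
# them "temporarily" without it showing up in review.
REPOSITORY_SECRETLINT_DISABLE_ERRORS: false
REPOSITORY_SECRETLINT_DISABLE_ERRORS_IF_LESS_THAN: 0

# Use the repository's own rule set. MegaLinter only falls back to its bundled
# .secretlintrc.json when this file is missing from the workspace.
REPOSITORY_SECRETLINT_CONFIG_FILE: .secretlintrc.json

# Extra CLI flags. --no-terminalLink strips hyperlink escape codes from CI logs.
# Never add --output here: per the Exit Status section below, secretlint exits 0
# when --output is given even if it found secrets, so the exit status would no
# longer report the findings.
REPOSITORY_SECRETLINT_ARGUMENTS: "--no-terminalLink"

# Deliberately left unset: anything listed here reaches secretlint and its
# pre/post commands unfiltered, which is exactly the exposure this scanner
# exists to catch.
# REPOSITORY_SECRETLINT_UNSECURED_ENV_VARIABLES: []
```

Because secretlint runs in project CLI lint mode, VALIDATE_ALL_CODEBASE: false does not narrow it to changed files and MegaLinter's file filtering variables do not apply (see Behind the scenes); path exclusions belong in .secretlintignore, and value exclusions in the allows option of the relevant rule in .secretlintrc.json.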
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 126 |
c_cpp | Optimized for pure C/C++ projects | 56 |
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 22 |
cupcake | MegaLinter for the most commonly used languages | 87 |
documentation | MegaLinter for documentation projects | 49 |
dotnet | Optimized for C, C++, C# or VB based projects | 64 |
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 |
go | Optimized for GO based projects | 51 |
java | Optimized for JAVA based projects | 54 |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 |
php | Optimized for PHP based projects | 54 |
python | Optimized for PYTHON based projects | 65 |
ruby | Optimized for RUBY based projects | 50 |
rust | Optimized for RUST based projects | 50 |
salesforce | Optimized for Salesforce based projects | 54 |
security | Optimized for security | 24 |
swift | Optimized for SWIFT based projects | 50 |
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
- secretlint is called once on the whole project directory (project CLI lint mode)
- filtering cannot be done using MegaLinter configuration variables; it must be done using the secretlint configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make secretlint analyze only updated files
Example calls
secretlint "*/**"
secretlint --secretlintrc .secretlintrc.json "**/*"
Help content
Usage
$ secretlint [file|glob*]
Note
supported glob syntax is based on microglob
https://github.com/micromatch/micromatch#matching-features
Options
--init setup config file. Create .secretlintrc.json file from your package.json
--format [String] formatter name. Default: "stylish". Available Formatter: checkstyle, compact, jslint-xml, junit, pretty-error, stylish, tap, unix, json, mask-result, table
--output [path:String] output file path that is written of reported result.
--no-color disable ANSI-color of output.
--no-terminalLink disable terminalLink of output.
--no-maskSecrets disable masking of secret values; secrets are masked by default.
--secretlintrc [path:String] path to .secretlintrc config file. Default: .secretlintrc.*
--secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore
--stdinFileName [String] filename to process STDIN content. Some rules depend on filename to check content.
Options for Developer
--profile Enable performance profile.
--secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.
Experimental Options
--locale [String] locale tag for translating message. Default: en
Examples
$ secretlint ./README.md
# glob pattern should be wrapped with double quote
$ secretlint "**/*"
$ secretlint "source/**/*.ini"
# output masked result to file
$ secretlint .zsh_history --format=mask-result --output=.zsh_history
# lint STDIN content instead of file
$ echo "SECRET CONTENT" | secretlint --stdinFileName=secret.txt
Exit Status
Secretlint exits with the following values:
- 0:
- Linting succeeded, no errors found.
- Found lint error but --output is specified.
- 1:
- Linting failed, errors found.
- 2:
- Unexpected error occurred, fatal error.
Installation on mega-linter Docker image
- Dockerfile commands:
# renovate: datasource=npm depName=secretlint
ARG NPM_SECRETLINT_VERSION=10.2.0
# renovate: datasource=npm depName=@secretlint/secretlint-rule-preset-recommend
ARG NPM_SECRETLINT_SECRETLINT_RULE_PRESET_RECOMMEND_VERSION=10.2.0
# renovate: datasource=npm depName=@secretlint/secretlint-formatter-sarif
ARG NPM_SECRETLINT_SECRETLINT_FORMATTER_SARIF_VERSION=10.2.0