gitleaks
gitleaks documentation
Configuration in MegaLinter
- Enable gitleaks by adding REPOSITORY_GITLEAKS in ENABLE_LINTERS variable
- Disable gitleaks by adding REPOSITORY_GITLEAKS in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
REPOSITORY_GITLEAKS_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | Exclude every file |
REPOSITORY_GITLEAKS_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file name. Use LINTER_DEFAULT to let the linter find it | .gitleaks.toml |
REPOSITORY_GITLEAKS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 101 |
ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 18 |
documentation | MegaLinter for documentation projects | 42 |
dotnet | Optimized for C, C++, C# or VB based projects | 50 |
go | Optimized for GO based projects | 44 |
java | Optimized for JAVA based projects | 44 |
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 51 |
php | Optimized for PHP based projects | 46 |
python | Optimized for PYTHON based projects | 50 |
ruby | Optimized for RUBY based projects | 43 |
rust | Optimized for RUST based projects | 43 |
salesforce | Optimized for Salesforce based projects | 45 |
security | Optimized for security | 20 |
swift | Optimized for SWIFT based projects | 43 |
terraform | Optimized for TERRAFORM based projects | 48 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
gitleaks is called once on the whole project directory
- Filtering cannot be done using MegaLinter configuration variables; it must be done using the gitleaks configuration or ignore file (if one exists)
- VALIDATE_ALL_CODEBASE: false does not make gitleaks analyze only updated files
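An added example (not from the MegaLinter or gitleaks documentation) of the filtering described above, done in a `.gitleaks.toml` placed in the workspace folder, which is the default REPOSITORY_GITLEAKS_CONFIG_FILE. The rule id, token format, allowlisted paths and placeholder value are constructed for illustration.

```toml
# .gitleaks.toml (added example; every name and pattern below is constructed)
title = "Project gitleaks configuration"

# This file is the configuration gitleaks loads, so it carries the rules to apply.
# One illustrative rule for a hypothetical internal token format:
[[rules]]
id = "example-internal-token"
description = "Example internal service token"
regex = '''exmpl_[0-9a-f]{32}'''
keywords = ["exmpl_"]

# Global allowlist: this is where file filtering happens, because the
# REPOSITORY_GITLEAKS_FILE_* variables do not narrow what gitleaks scans.
[allowlist]
description = "Vendored code, test fixtures and documented placeholder values"
# Regular expressions matched against file paths.
paths = [
  '''(^|/)node_modules/''',
  '''(^|/)tests/fixtures/''',
]
# Regular expressions matched against the detected value; keep these as
# narrow as possible so a real secret cannot slip through.
regexes = [
  '''exmpl_0{32}''',
]
```

Prefer anchored, specific path patterns over broad ones such as a bare directory name, since anything the allowlist matches is silently skipped in every scan.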
Example calls
gitleaks detect --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --no-git --verbose --source .
Help content
Usage:
C:\Users\33614\go\bin\gitleaks.EXE [OPTIONS]
Application Options:
/v, /verbose Show verbose output from scan
/q, /quiet Sets log level to error and only output leaks, one
json object per line
/r, /repo-url: Repository URL
/p, /path: Path to directory (repo if contains .git) or file
/c, /config-path: Path to config
/repo-config-path: Path to gitleaks config relative to repo root
/clone-path: Path to clone repo to disk
/version Version number
/username: Username for git repo
/password: Password for git repo
/access-token: Access token for git repo
/threads: Maximum number of threads gitleaks spawns
/ssh-key: Path to ssh key used for auth
/unstaged Run gitleaks on unstaged code
/branch: Branch to scan
/redact Redact secrets from log messages and leaks
/debug Log debug messages
/no-git Treat git repos as plain directories and scan those
files
/leaks-exit-code: Exit code when leaks have been encountered
(default: 1)
/append-repo-config Append the provided or default config with the repo
config.
/additional-config: Path to an additional gitleaks config to append
with an existing config. Can be used with
--append-repo-config to append up to three
configurations
/o, /report: Report output path
/f, /format: json, csv, sarif (default: json)
/files-at-commit: Sha of commit to scan all files at commit
/commit: Sha of commit to scan or "latest" to scan the last
commit of the repository
/commits: Comma separated list of a commits to scan
/commits-file: Path to file of line separated list of commits to
scan
/commit-from: Commit to start scan from
/commit-to: Commit to stop scan
/commit-since: Scan commits more recent than a specific date. Ex:
'2006-01-02' or '2006-01-02T15:04:05-0700' format.
/commit-until: Scan commits older than a specific date. Ex:
'2006-01-02' or '2006-01-02T15:04:05-0700' format.
/depth: Number of commits to scan
Help Options:
/? Show this help message
/h, /help Show this help message
Installation on mega-linter Docker image
- Dockerfile commands :
FROM zricethezav/gitleaks:v8.8.7 as gitleaks
COPY --from=gitleaks /usr/bin/gitleaks /usr/bin/