
gitleaks documentation

gitleaks - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_GITLEAKS_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_GITLEAKS_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files. Ex: `[".py", ""]` | Exclude every file |
| REPOSITORY_GITLEAKS_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| REPOSITORY_GITLEAKS_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_GITLEAKS_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_GITLEAKS_CONFIG_FILE | gitleaks configuration file name. Use `LINTER_DEFAULT` to let the linter find it | `.gitleaks.toml` |
| REPOSITORY_GITLEAKS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
| REPOSITORY_GITLEAKS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |

MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 101 |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 18 |
| documentation | MegaLinter for documentation projects | 42 |
| dotnet | Optimized for C, C++, C# or VB based projects | 50 |
| go | Optimized for GO based projects | 44 |
| java | Optimized for JAVA based projects | 44 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 51 |
| php | Optimized for PHP based projects | 46 |
| python | Optimized for PYTHON based projects | 50 |
| ruby | Optimized for RUBY based projects | 43 |
| rust | Optimized for RUST based projects | 43 |
| salesforce | Optimized for Salesforce based projects | 45 |
| security | Optimized for security | 20 |
| swift | Optimized for SWIFT based projects | 43 |
| terraform | Optimized for TERRAFORM based projects | 48 |

Behind the scenes

How applicable files are identified

  • If this linter is active, all files will always be linted

How the linting is performed

gitleaks is called once on the whole project directory

  • filtering cannot be done using MegaLinter configuration variables; it must be done using the gitleaks configuration file or its ignore file (if one exists)
  • `VALIDATE_ALL_CODEBASE: false` does not make gitleaks analyze only updated files
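Because the MegaLinter file-filtering variables do not reach gitleaks, any exclusions have to live in the gitleaks config file named by REPOSITORY_GITLEAKS_CONFIG_FILE (default `.gitleaks.toml`). The following is an added example of such a file, not taken from the MegaLinter or gitleaks documentation; it is written against the gitleaks v8 config schema (the Docker image used by MegaLinter pins v8.8.7), and the rule id, the `acme_` token prefix and the allowlisted paths are hypothetical:

```toml
# Added example (not MegaLinter's or gitleaks' own config): a .gitleaks.toml that
# keeps the built-in gitleaks rules and layers one custom rule plus an allowlist
# on top. Assumes the gitleaks v8 config schema; ids, prefixes and paths are
# illustrative.
title = "Project gitleaks config"

# Keep the default ruleset. Without this block, a custom config replaces the
# built-in rules instead of extending them.
[extend]
useDefault = true

# Custom rule for a hypothetical internal API token format ("acme_" prefix).
[[rules]]
id = "acme-internal-token"
description = "ACME internal API token"
regex = '''acme_[A-Za-z0-9]{32}'''
keywords = ["acme_"]

# Global allowlist, applied to every rule. MegaLinter runs
# `gitleaks detect --no-git`, so the commit-based allowlist key has nothing to
# match on; path and content patterns are what actually filter files here.
[allowlist]
description = "Paths and patterns that are known not to be real secrets"
paths = [
  '''(^|/)testdata/''',        # test fixtures with deliberately fake credentials
  '''\.gitleaks\.toml$''',     # this file itself (its regexes look like secrets)
]
regexes = [
  '''EXAMPLE_ONLY_DO_NOT_USE''',   # documented placeholder values
]
```

With this file at the workspace root, the default REPOSITORY_GITLEAKS_CONFIG_FILE value resolves to it and MegaLinter issues the second example call above, `gitleaks detect -c .gitleaks.toml --no-git --verbose --source .`. Keep allowlist paths narrow: every pattern added here is a directory the secret scanner will never look at again.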

Example calls

gitleaks detect --no-git --verbose --source .
gitleaks detect -c .gitleaks.toml --no-git --verbose --source .

Help content

Usage:
  C:\Users\33614\go\bin\gitleaks.EXE [OPTIONS]

Application Options:
  /v, /verbose              Show verbose output from scan
  /q, /quiet                Sets log level to error and only output leaks, one
                            json object per line
  /r, /repo-url:            Repository URL
  /p, /path:                Path to directory (repo if contains .git) or file
  /c, /config-path:         Path to config
      /repo-config-path:    Path to gitleaks config relative to repo root
      /clone-path:          Path to clone repo to disk
      /version              Version number
      /username:            Username for git repo
      /password:            Password for git repo
      /access-token:        Access token for git repo
      /threads:             Maximum number of threads gitleaks spawns
      /ssh-key:             Path to ssh key used for auth
      /unstaged             Run gitleaks on unstaged code
      /branch:              Branch to scan
      /redact               Redact secrets from log messages and leaks
      /debug                Log debug messages
      /no-git               Treat git repos as plain directories and scan those
                            files
      /leaks-exit-code:     Exit code when leaks have been encountered
                            (default: 1)
      /append-repo-config   Append the provided or default config with the repo
                            config.
      /additional-config:   Path to an additional gitleaks config to append
                            with an existing config. Can be used with
                            --append-repo-config to append up to three
                            configurations
  /o, /report:              Report output path
  /f, /format:              json, csv, sarif (default: json)
      /files-at-commit:     Sha of commit to scan all files at commit
      /commit:              Sha of commit to scan or "latest" to scan the last
                            commit of the repository
      /commits:             Comma separated list of a commits to scan
      /commits-file:        Path to file of line separated list of commits to
                            scan
      /commit-from:         Commit to start scan from
      /commit-to:           Commit to stop scan
      /commit-since:        Scan commits more recent than a specific date. Ex:
                            '2006-01-02' or '2006-01-02T15:04:05-0700' format.
      /commit-until:        Scan commits older than a specific date. Ex:
                            '2006-01-02' or '2006-01-02T15:04:05-0700' format.
      /depth:               Number of commits to scan

Help Options:
  /?                        Show this help message
  /h, /help                 Show this help message

Installation on mega-linter Docker image

  • Dockerfile commands:
FROM zricethezav/gitleaks:v8.8.7 as gitleaks
COPY --from=gitleaks /usr/bin/gitleaks /usr/bin/