
Scanning for secrets

Important

To use this functionality, the platform must have an active CodeScoring.Secrets module.

Scanning for secrets is performed using the following commands:

  • johnny secrets gitleaks dir — scan files in the specified directory;
  • johnny secrets gitleaks git — scan the commit history of a local git repository;
  • johnny secrets trufflehog dir — scan files in the specified directory using Trufflehog;
  • johnny secrets trufflehog git — scan the commit history of a local git repository using Trufflehog.

Important: The agent only works with Gitleaks version 8.19.0 and above, and with Trufflehog version 3.93.8 and above.

When launched, the agent:

  1. Analyzes files in the specified directory, or the commit history of the repository, for secrets (passwords, tokens, access keys, etc.). For Gitleaks scans it additionally:
    • skips findings whose fingerprints are listed in .gitleaksignore;
    • skips findings already recorded in the Gitleaks report passed with --baseline-path.
  2. Generates results for the found secrets, saves them to the CodeScoring platform when --save-results is set, and writes a report in GitLab format when --gl-secrets-report is set.

Scanning a git repository

The git mode allows scanning the commit history of a local git repository. Unlike the dir mode, which analyzes only the current state of the files, the git mode checks for secrets across all commits in the repository or within a limited range, so it also finds secrets that were committed and later removed from the working tree.

Example of running the command for Gitleaks

johnny secrets gitleaks git /path/to/repo \
--gitleaks-path <path-to-gitleaks> \
--api_token <api_token> \
--api_url <api_url> \
--save-results \
--project <project-name> \
--git-ref main \
--git-depth 100

Example of running the command for Trufflehog

johnny secrets trufflehog git /path/to/repo \
--trufflehog-path <path-to-trufflehog> \
--api_token <api_token> \
--api_url <api_url> \
--save-results \
--project <project-name> \
--git-ref main \
--git-depth 100

Git mode parameters

The johnny secrets gitleaks git and johnny secrets trufflehog git commands support the following additional parameters:

  • --git-ref – git branch, tag, or commit ref to scan. If not set, all refs are scanned. Examples: main, v1.0.0, a1b2c3d;
  • --git-depth – limit the scan to this many commits from the tip of the history. The value 0 means no limit. Commits older than this window are not inspected, so a secret introduced earlier in the history is not reported.

Gitleaks config example

Example of a Gitleaks config that extends the default configuration and adds a new rule with a custom regex. Note that the (?:or) group in the regex is not optional, so the rule matches password followed by anything, but not passwd.

title = "Custom gitleaks config"

[extend]
useDefault = true

[[rules]]
id = "custom-generic-password"
description = "Detected a Generic password"
regex = '''passw(?:or)d.+'''
entropy = 1

Example of running the command

johnny secrets gitleaks dir . \
--gitleaks-path <path-to-gitleaks> \
--gitleaks-config <path-to-gitleaks-config> \
--api_token <api_token> \
--api_url <api_url> \
--save-results \
--create-project \
--project <project-name> \
--gitleaks-ignore-path .gitleaksignore \
--gl-secrets-report \
--gl-secrets-report-filename secrets-report.json

This command scans the current directory for secrets with the custom config, skips findings whose fingerprints are listed in .gitleaksignore, sends the results to the CodeScoring platform (creating the project if it does not exist yet), and generates a report in GitLab format, saving it to secrets-report.json.
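To see what the custom rule above actually catches before shipping it, the following Python script (an added example, not code from johnny or Gitleaks) replays the page's regex and entropy threshold over constructed sample lines, then does the same for a tightened variant that captures only the value with secretGroup and raises the threshold. It assumes that Python's re behaves like the Go RE2 engine Gitleaks uses for these simple patterns, and that Gitleaks gates a match on the Shannon entropy of the secret (the whole match unless the rule sets secretGroup). The sample lines and the tuned rule are assumptions of the example, not taken from the page.

```python
"""Dry-run the custom rule from the Gitleaks config above against sample lines.

Added example, not part of johnny or Gitleaks. Gitleaks matches with Go's RE2
engine; Python's `re` agrees with it for the patterns used here (assumption).
The entropy gate follows Gitleaks' documented behaviour: Shannon entropy (bits
per character) of the secret, which is the whole match unless the rule sets
`secretGroup`, must reach the rule's `entropy`. All sample lines are
constructed; none hold real credentials.
"""
import math
import re

# The rule exactly as in the config above: the whole match is the "secret".
PAGE_RULE = dict(regex=re.compile(r"passw(?:or)d.+"), entropy=1.0, secret_group=0)

# A tightened variant (assumed, not from the page). Equivalent TOML:
#   regex = '''(?i)passw(?:or)?d\s*[:=]\s*["']?([^\s"']{8,})'''
#   secretGroup = 1
#   entropy = 3.0
#   keywords = ["passw"]
TUNED_RULE = dict(
    regex=re.compile(r"""(?i)passw(?:or)?d\s*[:=]\s*["']?([^\s"']{8,})"""),
    entropy=3.0,
    secret_group=1,
)

# Constructed input lines.
SAMPLE_LINES = [
    'db_password = "S3cr3t!Pa55w0rd"',           # genuine hard-coded password
    "password_reset_token_ttl = 3600",           # config knob, not a secret
    "password: aaaa",                            # placeholder with no entropy
    "# see docs/password-policy.md for rules",   # prose that mentions the word
    "PASSWORD=ShoutyCase",                       # upper case: the case-sensitive page rule misses it
]


def shannon_entropy(s: str) -> float:
    """Bits per character, the measure Gitleaks applies to a candidate secret."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def evaluate_rule(rule: dict, lines) -> list:
    """For each line the regex matches, return (line, secret, entropy, fires)."""
    out = []
    for line in lines:
        m = rule["regex"].search(line)
        if m is None:
            continue
        secret = m.group(rule["secret_group"])
        ent = shannon_entropy(secret)
        out.append((line, secret, round(ent, 3), ent >= rule["entropy"]))
    return out


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("tuned rule", TUNED_RULE)):
        print(f"== {name}")
        for line, secret, ent, fires in evaluate_rule(rule, SAMPLE_LINES):
            print(f"{'FIRE' if fires else 'skip'} entropy={ent:5.2f} secret={secret!r}")
```

Running it shows that with entropy = 1 every line containing the literal password fires, including the placeholder password: aaaa, because the keyword itself already carries more than one bit per character when it is part of the measured secret; the entropy gate only becomes a useful filter once it is applied to a capture group holding just the value.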

Command Parameters

The johnny secrets gitleaks dir, johnny secrets gitleaks git, johnny secrets trufflehog dir, and johnny secrets trufflehog git commands have the following command-specific parameters:

Secrets search startup parameters

  • --commit – commit hash to associate with found secrets when saving results. Used only for dir commands when the tool does not determine the commit on its own (e.g.: --commit a1b2c3d);
  • --gl-secrets-report – enable generation of a report on found secrets in GitLab format;
  • --gl-secrets-report-filename – name of the output file for the report in GitLab format (by default gl-secrets-report.json).

Gitleaks parameters

  • --gitleaks-path – path to the Gitleaks executable to use for scanning. If not set, the gitleaks command found on the system PATH is executed;
  • --gitleaks-config – path to the Gitleaks config file;
  • --baseline-path – path to a Gitleaks report file used as a baseline: findings whose fingerprints appear in it are not reported again;
  • --enable-rule – list of rule IDs that will be enabled during scanning (only the listed rules run);
  • --gitleaks-ignore-path – path to a .gitleaksignore file, or to a directory containing one, listing fingerprints of findings reviewed earlier that should be skipped;
  • --ignore-gitleaks-allow – ignore gitleaks:allow comments that mark lines as safe to ignore;
  • --log-level – logging level that controls the verbosity of output messages. Possible values: trace, debug, info, warn, error, fatal;
  • --max-decode-depth – maximum depth of recursive decoding when searching for secrets. The value 0 disables decoding;
  • --max-target-megabytes – maximum size of analyzed files in megabytes. Files larger than this size will be skipped;
  • --no-banner – disables the Gitleaks banner that is displayed when the tool is launched;
  • --no-color – disables color output for verbose mode;
  • --redact – masks found secrets in logs and output. A partial value can be given (for example, 20 to mask 20% of the secret);
  • --verbose – enables verbose output, providing more information about the scanning process.
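The two Gitleaks parameters used to suppress known findings, --gitleaks-ignore-path and --baseline-path, both key on the finding's fingerprint rather than on the secret value. The script below (an added example, not code from johnny or Gitleaks) builds a .gitleaksignore from a reviewed Gitleaks JSON report and emulates the comparison that --baseline-path performs. It assumes the Gitleaks JSON report shape (a list of findings with RuleID, File, StartLine, Commit and Fingerprint fields), that fingerprints are commit:file:rule:startline for git scans and file:rule:startline for directory scans, and that Gitleaks skips blank and # lines in .gitleaksignore; the report contents and the existing ignore file are constructed.

```python
"""Build a .gitleaksignore from a reviewed Gitleaks report and emulate what
--baseline-path does with a second report.

Added example; not johnny's or Gitleaks' own code. Assumptions: the report is
Gitleaks' JSON format (a list of findings with RuleID, File, StartLine, Commit
and Fingerprint), fingerprints are `commit:file:rule:line` for git scans and
`file:rule:line` when there is no commit, and Gitleaks ignores blank and `#`
lines in .gitleaksignore. All data below is constructed.
"""
import json

# Constructed report from a `gitleaks git` run: one real finding in a config
# file and two findings in test fixtures that review accepted as fake keys.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 12,
     "Commit": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
     "Fingerprint": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567:config/prod.env:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "testdata/fixtures.json", "StartLine": 3,
     "Commit": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
     "Fingerprint": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567:testdata/fixtures.json:generic-api-key:3"},
    {"RuleID": "generic-api-key", "File": "testdata/fixtures.json", "StartLine": 9,
     "Commit": "9f8e7d6c5b4a39281706f5e4d3c2b1a098765432",
     "Fingerprint": "9f8e7d6c5b4a39281706f5e4d3c2b1a098765432:testdata/fixtures.json:generic-api-key:9"},
])

# Constructed existing .gitleaksignore: one of the fixture findings is already listed.
EXISTING_IGNORE = (
    "# accepted test fixtures\n"
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567:testdata/fixtures.json:generic-api-key:3\n"
)


def fingerprint(finding: dict) -> str:
    """Rebuild a finding's fingerprint the way Gitleaks composes it."""
    parts = [finding["File"], finding["RuleID"], str(finding["StartLine"])]
    if finding.get("Commit"):          # absent for `dir` scans
        parts.insert(0, finding["Commit"])
    return ":".join(parts)


def load_findings(report_json: str) -> list:
    """Parse a Gitleaks JSON report."""
    return json.loads(report_json)


def accepted_fingerprints(findings, accepted_path_prefix: str) -> list:
    """Fingerprints of findings under a path that review accepted (e.g. fixtures)."""
    return [f["Fingerprint"] for f in findings if f["File"].startswith(accepted_path_prefix)]


def merge_gitleaksignore(existing: str, new_fps, reason: str) -> str:
    """Append fingerprints not yet listed, under a comment stating why; keep existing lines."""
    lines = existing.splitlines()
    stripped = [ln.strip() for ln in lines]
    present = {s for s in stripped if s and not s.startswith("#")}
    additions = list(dict.fromkeys(fp for fp in new_fps if fp not in present))
    if additions:
        lines.append(f"# {reason}")
        lines.extend(additions)
    return "\n".join(lines) + "\n"


def apply_baseline(findings, baseline_json: str) -> list:
    """What --baseline-path does: drop findings whose fingerprint is in the baseline report."""
    known = {f["Fingerprint"] for f in json.loads(baseline_json)}
    return [f for f in findings if f["Fingerprint"] not in known]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    fps = accepted_fingerprints(findings, "testdata/")
    print(merge_gitleaksignore(EXISTING_IGNORE, fps, "fixtures reviewed: values are fake keys"))
    print("still open:", [f["File"] for f in apply_baseline(findings, json.dumps(findings[1:]))])
```

Because the fingerprint embeds the line number (and, for git scans, the commit), an ignore entry stops matching as soon as the file is edited above the finding or the same value is committed again. That is the intended behaviour: the suppression covers one reviewed occurrence, not the secret itself, and the secret never has to be written into the ignore file or the baseline.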

Trufflehog parameters

  • --trufflehog-path – path to the Trufflehog executable to use for scanning. If not set, the trufflehog command found on the system PATH is executed;
  • --trufflehog-config – path to the Trufflehog configuration file;
  • --concurrency – number of concurrent workers used during scanning;
  • --no-verification – do not verify found secrets (verification contacts the issuing service to check whether a credential is live, so disable it when the scanner must not make network requests);
  • --only-verified – output only secrets whose verification succeeded; unverified findings are dropped from the results;
  • --include-paths – path to a file with newline-separated regex patterns for files to include in scanning;
  • --exclude-paths – path to a file with newline-separated regex patterns for files to exclude from scanning;
  • --trufflehog-log-level – Trufflehog logging level. Possible values: debug, info, warn, error.

For a summary of available command options and usage instructions, you can call the command with the -h, --help flag.
