#Scanning for secrets

Scanning for secrets is performed using the following commands:

• johnny secrets gitleaks dir — scan files in the specified directory;
• johnny secrets gitleaks git — scan the commit history of a local git repository;
• johnny secrets trufflehog dir — scan files in the specified directory using Trufflehog;
• johnny secrets trufflehog git — scan the commit history of a local git repository using Trufflehog.

Important: The agent only works with Gitleaks version 8.19.0 and above, and with Trufflehog version 3.93.8 and above.

When launched, the agent:

1. Analyzes files in the specified directory or the commit history of the repository for secrets (passwords, tokens, access keys, etc.).
   • excludes files and directories specified in .gitleaksignore;
   • ignores secrets recorded in the Gitleaks report if baseline-path is specified.
2. Generates results for the found secrets, saves them to the CodeScoring platform if necessary, and creates a report in GitLab format.

#Scanning a git repository

The git mode allows scanning the commit history of a local git repository. Unlike the dir mode, which analyzes the current state of files, the git mode checks for secrets across all commits in the repository or within a limited range.

#Example of running the command for Gitleaks

johnny secrets gitleaks git /path/to/repo \
--gitleaks-path <path-to-gitleaks> \
--api_token <api_token> \
--api_url <api_url> \
--save-results \
--project <project-name> \
--git-ref main \
--git-depth 100

#Example of running the command for Trufflehog

johnny secrets trufflehog git /path/to/repo \
--trufflehog-path <path-to-trufflehog> \
--api_token <api_token> \
--api_url <api_url> \
--save-results \
--project <project-name> \
--git-ref main \
--git-depth 100

#Git mode parameters

The johnny secrets gitleaks git and johnny secrets trufflehog git commands support the following additional parameters:

• --git-ref – git branch, tag, or commit ref to scan. If not set, all refs are scanned. Examples: main, v1.0.0, a1b2c3d;
• --git-depth – limit the scan to this many commits from the tip of the history. The value 0 means no limit.

#Gitleaks config example

Example of Gitleaks config which extends a default configuration and adds a new rule with regex

title = “Custom gitleaks config”

[extend]
useDefault = true

[[rules]]
id = “custom-generic-password”
description = “Detected a Generic password”
regex = ‘’‘passw(?:or)d.+’‘’
entropy = 1

#Example of running the command

johnny secrets gitleaks dir . \
--gitleaks-path <path-to-gitleaks> \
--gitleaks-config <path-to-gitleaks-config> \
--api_token <api_token> \
--api_url <api_url> \
--save-results \
--create-project \
--project <project-name> \
--gitleaks-ignore-path .gitleaksignore \
--gl-secrets-report \
--gl-secrets-report-filename secrets-report.json

This command starts scanning secrets in the current directory, ignoring files listed in .gitleaksignore, sends the results to the CodeScoring platform, and generates a report in GitLab format, saving it to secrets-report.json.

#Command Parameters

The johnny secrets gitleaks dir, johnny secrets gitleaks git, johnny secrets trufflehog dir, and johnny secrets trufflehog git commands have the following unique parameters:

#Secrets search startup parameters

• --commit – commit hash to associate with found secrets when saving results. Used only for dir commands when the tool does not determine the commit on its own (e.g.: --commit a1b2c3d);
• --gl-secrets-report – enable generation of a report on found secrets in GitLab format.
• --gl-secrets-report-filename – name of the output file for the report in GitLab format (by default gl-secrets-report.json).

#Gitleaks parameters

• --gitleaks-path – path to the Gitleaks executable file that will be used during scanning. If not set system command gitleaks will be executed.
• --gitleaks-config - path to the Gitleaks config file;
• --baseline-path – path to the Gitleaks report file, which is used as a baseline for ignoring previously found secrets;
• --enable-rule – list of rule IDs that will be enabled during scanning;
• --gitleaks-ignore-path – path to .gitleaksignore file or directory containing it, to add fingerprints of secrets discovered earlier;
• --ignore-gitleaks-allow – ignore gitleaks:allow comments that mark lines as safe to ignore;
• --log-level – logging level that controls the verbosity of output messages. Possible values: trace, debug, info, warn, error, fatal;
• --max-decode-depth – maximum depth of recursive decoding when searching for secrets. The value 0 disables decoding;
• --max-target-megabytes – maximum size of analyzed files in megabytes. Files larger than this size will be skipped;
• --no-banner – disables the Gitleaks banner that is displayed when the tool is launched;
• --no-color – disables color output for verbose mode;
• --redact – masks found secrets in logs. You can specify intermediate values (for example, 20 to hide 20% of the secret);
• --verbose – enables verbose output, providing more information about the scanning process.

#Trufflehog parameters

• --trufflehog-path – path to the Trufflehog executable file that will be used during scanning. If not set, system command trufflehog will be executed;
• --trufflehog-config – path to the Trufflehog configuration file;
• --concurrency – number of concurrent workers used during scanning;
• --no-verification – do not verify found secrets;
• --only-verified – output only verified secrets;
• --include-paths – path to a file with newline-separated regex patterns for files to include in scanning;
• --exclude-paths – path to a file with newline-separated regex patterns for files to exclude from scanning;
• --trufflehog-log-level – Trufflehog logging level. Possible values: debug, info, warn, error.

For a summary of available command options and usage instructions, you can call the command with the -h, --help flag.