--- title: "scan git-changes" description: "Scan for secrets in your uncommitted code" --- ```bash infisical scan git-changes # Display the full secret findings infisical scan git-changes --verbose ``` ## Description Scanning for secrets before you commit your changes is great way to prevent leaks. Infisical makes this easy with the sub command `git-changes`. The `git-changes` scans for uncommitted changes in a Git repository, and is especially designed for use on developer machines, aligning with the ['shift left'](https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security) security approach. When `git-changes` is run on a Git repository, Infisical parses the output from a `git diff` command. To scan changes in commits that have been staged via `git add`, you can add the `--staged` flag to the sub command. This flag is particularly useful when using Infisical CLI as a pre-commit tool. ### Flags **Description** detect secrets in a --staged state Default value: `false` **Description** git log options Short hand: `-b` **Description** path to baseline with issues that can be ignored Short hand: `-c` **Description** config file path order of precedence: 1. --config flag 2. env var INFISICAL_SCAN_CONFIG 3. (--source/-s)/.infisical-scan.toml If none of the three options are used, then Infisical will use the default config **Description** exit code when leaks have been encountered (default 1) **Description** files larger than this will be skipped **Description** turn off color for verbose output **Description** redact secrets from logs and stdout **Description** output format (json, csv, sarif) (default "json") **Description** report file **Description** path to source (default ".") **Description** show verbose output from scan