mirror of
https://github.com/Infisical/infisical.git
synced 2026-01-09 15:38:03 -05:00
105 lines
2.4 KiB
Plaintext
105 lines
2.4 KiB
Plaintext
---
|
|
title: "scan git-changes"
|
|
description: "Scan for secrets in your uncommitted code"
|
|
---
|
|
|
|
```bash
|
|
infisical scan git-changes
|
|
|
|
# Display the full secret findings
|
|
infisical scan git-changes --verbose
|
|
```
|
|
|
|
## Description
|
|
Scanning for secrets before you commit your changes is great way to prevent leaks. Infisical makes this easy with the sub command `git-changes`.
|
|
|
|
The `git-changes` scans for uncommitted changes in a Git repository, and is especially designed for use on developer machines, aligning with the ['shift left'](https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security) security approach.
|
|
When `git-changes` is run on a Git repository, Infisical parses the output from a `git diff` command.
|
|
|
|
To scan changes in commits that have been staged via `git add`, you can add the `--staged` flag to the sub command. This flag is particularly useful when using Infisical CLI as a pre-commit tool.
|
|
|
|
### Flags
|
|
<Accordion title="--staged">
|
|
**Description**
|
|
|
|
detect secrets in a --staged state
|
|
|
|
Default value: `false`
|
|
</Accordion>
|
|
|
|
<Accordion title="--log-opts">
|
|
**Description**
|
|
|
|
git log options
|
|
</Accordion>
|
|
|
|
<Accordion title="--baseline-path">
|
|
Short hand: `-b`
|
|
|
|
**Description**
|
|
|
|
path to baseline with issues that can be ignored
|
|
</Accordion>
|
|
|
|
<Accordion title="--config">
|
|
Short hand: `-c`
|
|
|
|
**Description**
|
|
|
|
config file path
|
|
|
|
order of precedence:
|
|
1. --config flag
|
|
2. env var INFISICAL_SCAN_CONFIG
|
|
3. (--source/-s)/.infisical-scan.toml
|
|
If none of the three options are used, then Infisical will use the default config
|
|
</Accordion>
|
|
|
|
<Accordion title="--exit-code">
|
|
**Description**
|
|
|
|
exit code when leaks have been encountered (default 1)
|
|
</Accordion>
|
|
|
|
<Accordion title="--max-target-megabytes">
|
|
**Description**
|
|
|
|
files larger than this will be skipped
|
|
</Accordion>
|
|
|
|
<Accordion title="--no-color">
|
|
**Description**
|
|
|
|
turn off color for verbose output
|
|
</Accordion>
|
|
|
|
<Accordion title="--redact">
|
|
**Description**
|
|
|
|
redact secrets from logs and stdout
|
|
</Accordion>
|
|
|
|
<Accordion title="--report-format">
|
|
**Description**
|
|
|
|
output format (json, csv, sarif) (default "json")
|
|
</Accordion>
|
|
|
|
<Accordion title="--report-path">
|
|
**Description**
|
|
|
|
report file
|
|
</Accordion>
|
|
|
|
<Accordion title="--source">
|
|
**Description**
|
|
|
|
path to source (default ".")
|
|
</Accordion>
|
|
|
|
<Accordion title="--verbose">
|
|
**Description**
|
|
|
|
show verbose output from scan
|
|
</Accordion>
|