mirror of
https://github.com/Infisical/infisical.git
synced 2026-01-09 15:38:03 -05:00
127 lines
3.0 KiB
Plaintext
---
title: "scan"
description: "Scan git history, directories, and files for secrets"
---

```bash
infisical scan

# Display the full secret findings
infisical scan --verbose
```

## Description

The `infisical scan` command scans repositories, directories, and files for secrets. It's compatible with both individual developer machines and Continuous Integration (CI) environments.

When you run `infisical scan` on a Git repository, Infisical parses the output of a `git log -p` command. This command generates [patches](https://stackoverflow.com/questions/8279602/what-is-a-patch-in-git-version-control) that Infisical uses to identify secrets in your code.
You can configure the range of commits that `git log` will cover using the `--log-opts` flag.
Any options you can use with `git log -p` are valid for `--log-opts`.

For instance, to instruct Infisical to scan a specific range of commits, use the following command: `infisical scan --log-opts="--all commitA..commitB"`. For more details, refer to the [Git log documentation](https://git-scm.com/docs/git-log).

To scan individual files and directories, use the `--no-git` flag.

### Flags

<Accordion title="--log-opts">
**Description**

git log options
</Accordion>

<Accordion title="--no-git">
**Description**

treat git repo as a regular directory and scan those files; `--log-opts` has no effect on the scan when `--no-git` is set

Default value: `false`
</Accordion>

<Accordion title="--pipe">
Short hand: `-b`

**Description**

scan input from stdin, ex: `cat some_file | infisical scan --pipe`

Default value: `false`
</Accordion>

<Accordion title="--follow-symlinks">
Short hand: `-b`

**Description**

scan files that are symlinks to other files

Default value: `false`
</Accordion>

<Accordion title="--baseline-path">
Short hand: `-b`

**Description**

path to baseline with issues that can be ignored
</Accordion>

<Accordion title="--config">
Short hand: `-c`

**Description**

config file path

order of precedence:
1. `--config` flag
2. env var `INFISICAL_SCAN_CONFIG`
3. `(--source/-s)/.infisical-scan.toml`

If none of the three options are used, then Infisical will use the default config
</Accordion>

<Accordion title="--exit-code">
**Description**

exit code when leaks have been encountered (default 1)
</Accordion>

<Accordion title="--max-target-megabytes">
**Description**

files larger than this will be skipped
</Accordion>

<Accordion title="--no-color">
**Description**

turn off color for verbose output
</Accordion>

<Accordion title="--redact">
**Description**

redact secrets from logs and stdout
</Accordion>

<Accordion title="--report-format">
**Description**

output format (json, csv, sarif) (default "json")
</Accordion>

<Accordion title="--report-path">
**Description**

report file
</Accordion>

<Accordion title="--source">
**Description**

path to source (default ".")
</Accordion>

<Accordion title="--verbose">
**Description**

show verbose output from scan
</Accordion>
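
A CI gate built only from the flags documented on this page, shown as an added example (it is not part of the Infisical docs or project code). The function name `scan_commit_range`, the `LEAK_EXIT` value, and the report file name are hypothetical, and the script assumes the CLI exits `0` on a clean scan and with some other non-zero code when the scan itself fails.

```shell
#!/usr/bin/env bash
# Added example, not Infisical project code.
# Assumptions: the function name, LEAK_EXIT, and the report file name are hypothetical;
# the CLI is assumed to exit 0 when clean and with another non-zero code on its own errors.

LEAK_EXIT=42   # distinctive --exit-code so "leaks found" is not confused with a tool failure

# scan_commit_range BASE HEAD [REPORT]
# Returns 0 = clean, 1 = leaks found (block the merge), 2 = scan did not run correctly.
scan_commit_range() {
    _base="$1"; _head="$2"; _report="${3:-infisical-scan.sarif}"; _rc=0

    if [ -z "$_base" ] || [ -z "$_head" ]; then
        echo "usage: scan_commit_range BASE HEAD [REPORT]" >&2
        return 2
    fi

    # --log-opts is passed to `git log -p`, so BASE..HEAD limits the scan to those commits.
    # --redact keeps matched secret values out of logs and stdout.
    infisical scan \
        --source="." \
        --log-opts="${_base}..${_head}" \
        --redact \
        --report-format="sarif" \
        --report-path="$_report" \
        --exit-code="$LEAK_EXIT" || _rc=$?

    case "$_rc" in
        0)            echo "scan clean for ${_base}..${_head}"; return 0 ;;
        "$LEAK_EXIT") echo "leaks found, see $_report" >&2; return 1 ;;
        *)            echo "scan exited with $_rc; treating range as not scanned" >&2; return 2 ;;
    esac
}
```

Failing the job on return code `2` as well as `1` keeps a broken scanner invocation from passing as a clean result.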