Description
Scanning for secrets before you commit your changes is a great way to prevent leaks. Infisical makes this easy with the git-changes sub command.
The git-changes sub command scans for uncommitted changes in a Git repository and is especially designed for use on developer machines, aligning with the 'shift left' security approach.
When git-changes is run on a Git repository, Infisical parses the output from a git diff command.
To scan changes that have been staged via git add, add the --staged flag to the sub command. This flag is particularly useful when using the Infisical CLI as a pre-commit tool.
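A pre-commit hook built around the --staged scan, as an added example (not Infisical's own hook script). It assumes the sub command is invoked as infisical scan git-changes; INFISICAL_BIN and the value 42 are choices made for this example, and passing a distinct --exit-code lets the hook tell "leaks found" apart from a scanner that is missing or failed.

```shell
#!/bin/sh
# .git/hooks/pre-commit -- added example, not Infisical's own hook.
# INFISICAL_BIN and LEAK_EXIT are names chosen for this example.
INFISICAL_BIN="${INFISICAL_BIN:-infisical}"
LEAK_EXIT=42   # arbitrary value handed to --exit-code so findings are distinguishable

# Returns 0 = clean, 1 = leaks found, 2 = scanner missing or failed.
scan_staged() {
    if ! command -v "$INFISICAL_BIN" >/dev/null 2>&1; then
        # Fail closed: an unscanned commit is treated as a blocked commit.
        echo "pre-commit: $INFISICAL_BIN not found; refusing to commit unscanned changes" >&2
        return 2
    fi
    rc=0
    # --redact keeps the detected secret itself out of the terminal and CI logs.
    "$INFISICAL_BIN" scan git-changes --staged --redact --no-color \
        --exit-code "$LEAK_EXIT" || rc=$?
    case "$rc" in
        0) return 0 ;;
        "$LEAK_EXIT")
            echo "pre-commit: secrets detected in staged changes; commit blocked" >&2
            return 1 ;;
        *)
            echo "pre-commit: scan failed (exit $rc); commit blocked" >&2
            return 2 ;;
    esac
}

# Run only when installed as the hook, so the file can also be sourced.
case "${0##*/}" in
    pre-commit) scan_staged; exit $? ;;
esac
```

Save it as .git/hooks/pre-commit and mark it executable; Git aborts the commit on any non-zero exit from the hook.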
Flags
--staged
Description: detect secrets in a --staged state
Default value: false

--log-opts
Description: git log options

--baseline-path
Short hand: -b
Description: path to baseline with issues that can be ignored

--config
Short hand: -c
Description: config file path
Order of precedence:
- --config flag
- env var INFISICAL_SCAN_CONFIG
- (--source/-s)/.infisical-scan.toml
If none of the three options are used, then Infisical will use the default config.

--exit-code
Description: exit code when leaks have been encountered (default 1)

--max-target-megabytes
Description: files larger than this will be skipped

--no-color
Description: turn off color for verbose output

--redact
Description: redact secrets from logs and stdout

--report-format
Description: output format (json, csv, sarif) (default "json")

--report-path
Description: report file

--source
Description: path to source (default ".")

--verbose
Description: show verbose output from scan