Scan for secrets in your uncommitted code
Scanning for secrets before you commit your changes is a great way to prevent leaks. Infisical makes this easy with the git-changes subcommand.
The git-changes subcommand scans for uncommitted changes in a Git repository and is designed especially for use on developer machines, in line with the ‘shift left’ security approach.
When git-changes is run on a Git repository, Infisical parses the output of a git diff command.
To scan changes that have been staged via git add, add the --staged flag to the subcommand. This flag is particularly useful when using the Infisical CLI as a pre-commit tool.
--staged
Description
detect secrets in a --staged state
Default value: false
--log-opts
Description
git log options
--baseline-path
Short hand: -b
Description
path to baseline with issues that can be ignored
--config
Short hand: -c
Description
config file path
order of precedence:
--exit-code
Description
exit code when leaks have been encountered (default 1)
--max-target-megabytes
Description
files larger than this will be skipped
--no-color
Description
turn off color for verbose output
--redact
Description
redact secrets from logs and stdout
--report-format
Description
output format (json, csv, sarif) (default “json”)
--report-path
Description
report file
--source
Description
path to source (default ".")
--verbose
Description
show verbose output from scan
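A pre-commit hook built on the --staged flag described above, as an added example rather than Infisical's own hook script. It uses the CLI's full command form, infisical scan git-changes; INFISICAL_BIN and scan_staged are names made up for this example, and blocking the commit when the CLI is missing is a choice of the example.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# INFISICAL_BIN and scan_staged are hypothetical names, not part of the CLI.

# Path to the CLI; overridable so the hook can be exercised with a stub.
INFISICAL_BIN="${INFISICAL_BIN:-infisical}"

# Scan only what `git add` has staged.
# Returns 0 when clean, 1 when leaks were found, another non-zero on failure.
scan_staged() {
  # Fail closed: a missing scanner must not silently let commits through.
  if ! command -v "$INFISICAL_BIN" >/dev/null 2>&1; then
    echo "pre-commit: $INFISICAL_BIN not found; staged changes not scanned" >&2
    return 2
  fi

  scan_status=0
  # --redact keeps matched secret values out of the terminal and any logs.
  # --exit-code 1 pins the "leaks found" status to its documented default.
  "$INFISICAL_BIN" scan git-changes --staged --redact --verbose --exit-code 1 \
    || scan_status=$?

  if [ "$scan_status" -eq 1 ]; then
    echo "pre-commit: possible secrets in staged changes; commit blocked" >&2
    echo "pre-commit: remove them, re-stage, and commit again" >&2
  elif [ "$scan_status" -ne 0 ]; then
    echo "pre-commit: scan failed with status $scan_status; commit blocked" >&2
  fi
  return "$scan_status"
}

# Run only when installed as the pre-commit hook, so the file can be sourced.
if [ "${0##*/}" = "pre-commit" ]; then
  scan_staged
  exit $?
fi
```

Git aborts the commit whenever the hook exits non-zero, so both a finding and a scanner failure stop the commit.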