infisical scan
scan git-changes
Scan for secrets in your uncommitted code
Description
Scanning for secrets before you commit your changes is great way to prevent leaks. Infisical makes this easy with the sub commandgit-changes.
The git-changes scans for uncommitted changes in a Git repository, and is especially designed for use on developer machines, aligning with the ‘shift left’ security approach.
When git-changes is run on a Git repository, Infisical parses the output from a git diff command.
To scan changes in commits that have been staged via git add, you can add the --staged flag to the sub command. This flag is particularly useful when using Infisical CLI as a pre-commit tool.
Flags
--staged
--staged
Descriptiondetect secrets in a —staged stateDefault value:
false--log-opts
--log-opts
Descriptiongit log options
--baseline-path
--baseline-path
Short hand:
-bDescriptionpath to baseline with issues that can be ignored--config
--config
Short hand:
-cDescriptionconfig file pathorder of precedence:- —config flag
- env var INFISICAL_SCAN_CONFIG
- (—source/-s)/.infisical-scan.toml If none of the three options are used, then Infisical will use the default config
--exit-code
--exit-code
Descriptionexit code when leaks have been encountered (default 1)
--max-target-megabytes
--max-target-megabytes
Descriptionfiles larger than this will be skipped
--no-color
--no-color
Descriptionturn off color for verbose output
--redact
--redact
Descriptionredact secrets from logs and stdout
--report-format
--report-format
Descriptionoutput format (json, csv, sarif) (default “json”)
--report-path
--report-path
Descriptionreport file
--source
--source
Descriptionpath to source (default ”.”)
--verbose
--verbose
Descriptionshow verbose output from scan