Documentation Index
Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Description
Theinfisical scan command serves to scan repositories, directories, and files. It’s compatible with both individual developer machines and Continuous Integration (CI) environments.
When you run infisical scan on a Git repository, Infisical will parses the output of a git log -p command. This command generates patches that Infisical uses to identify secrets in your code.
You can configure the range of commits that git log will cover using the --log-opts flag.
Any options you can use with git log -p are valid for --log-opts.
For instance, to instruct Infisical to scan a specific range of commits, use the following command: infisical scan --log-opts="--all commitA..commitB". For more details, refer to the Git log documentation.
To scan individual files and directories, use the --no-git flag.
Flags
--log-opts
--log-opts
Descriptiongit log options
--no-git
--no-git
Descriptiontreat git repo as a regular directory and scan those files, —log-opts has no effect on the scan when —no-git is setDefault value:
false--pipe
--pipe
Short hand:
-bDescriptionscan input from stdin, ex: cat some_file | infisical scan --pipeDefault value: false--follow-symlinks
--follow-symlinks
Short hand:
-bDescription
scan files that are symlinks to other filesDefault value: false--baseline-path
--baseline-path
Short hand:
-bDescriptionpath to baseline with issues that can be ignored--config
--config
Short hand:
-cDescriptionconfig file pathorder of precedence:- —config flag
- env var INFISICAL_SCAN_CONFIG
- (—source/-s)/.infisical-scan.toml If none of the three options are used, then Infisical will use the default config
--exit-code
--exit-code
Descriptionexit code when leaks have been encountered (default 1)
--max-target-megabytes
--max-target-megabytes
Descriptionfiles larger than this will be skipped
--no-color
--no-color
Descriptionturn off color for verbose output
--redact
--redact
Descriptionredact secrets from logs and stdout
--report-format
--report-format
Descriptionoutput format (json, csv, sarif) (default “json”)
--report-path
--report-path
Descriptionreport file
--source
--source
Descriptionpath to source (default ”.”)
--verbose
--verbose
Descriptionshow verbose output from scan