Building upon its core functionality of fetching and injecting secrets into your applications, Infisical now takes a significant step forward in bolstering your code security.
We’ve enhanced our CLI tool to include a powerful scanning feature, capable of identifying more than 140 different types of secret leaks in your codebase.
In addition to scanning for past leaks, this new addition also actively aids in preventing future leaks.
```bash
infisical scan

# Display the full secret findings
infisical scan --verbose
```
The infisical scan command scans repositories, directories, and files. It works both on individual developer machines and in Continuous Integration (CI) environments. When you run infisical scan on a Git repository, Infisical parses the output of a git log -p command; the patches that command generates are what Infisical inspects for secrets.
You can configure the range of commits that git log will cover using the --log-opts flag.
Any option accepted by git log -p is valid for --log-opts. For instance, to scan a specific range of commits, use: infisical scan --log-opts="--all commitA..commitB". For more details, refer to the Git log documentation. To scan individual files and directories rather than Git history, use the --no-git flag.
```bash
infisical scan git-changes

# Display the full secret findings
infisical scan git-changes --verbose
```
Scanning for secrets before you commit your changes is a great way to prevent leaks. Infisical makes this easy with the git-changes sub command, which scans the uncommitted changes in a Git repository. It is designed for developer machines, in line with the 'shift left' security approach.
When git-changes runs on a Git repository, Infisical parses the output of a git diff command. To scan only the changes that have been staged with git add, add the --staged flag to the sub command. This is the form to use when running the Infisical CLI as a pre-commit check, because the staged changes are exactly what the commit will contain.
The git-changes sub command works only on Git repositories; running it on individual files or directories results in an error.
To lower the risk of committing hardcoded secrets to your code repository, we have designed a custom git pre-commit hook.
This hook scans the changes you are about to commit for exposed secrets and blocks the commit if any hardcoded secret is detected. Keep in mind that git commit --no-verify bypasses client-side hooks, so treat the hook as early feedback for the author and keep a full infisical scan in CI as the enforcing control.
If you would rather handle your pre-commit hook outside of the standard .git/hooks directory, you can quickly achieve this by adding the following command into your pre-commit script.
For instance, if you utilize Husky for managing your Git hooks, you can insert the command provided below into your .husky/pre-commit file.
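The following script, added here as an example rather than taken from Infisical, is a complete pre-commit hook built on the git-changes --staged sub command described above. Save it as .git/hooks/pre-commit (executable) or call it from .husky/pre-commit. The INFISICAL_BIN environment variable is an assumption of this script, not an Infisical CLI feature; it only exists so the binary can be overridden, for instance to test the hook with a stub.

```python
#!/usr/bin/env python3
"""Pre-commit hook that blocks a commit when Infisical finds a hardcoded secret.

Added example, not the hook Infisical installs for you. Copy it to
.git/hooks/pre-commit (chmod +x) or invoke it from .husky/pre-commit. The only
Infisical command it runs is the one described in the documentation:

    infisical scan git-changes --staged --verbose

Assumption (not part of the Infisical CLI): the INFISICAL_BIN environment
variable, which overrides the binary name/path when set.
"""
import os
import shutil
import subprocess
import sys

SCAN_ARGS = ["scan", "git-changes", "--staged", "--verbose"]


def run_staged_scan(binary):
    """Run the staged-changes scan and return (exit_code, combined_output).

    A missing binary yields 127 so the hook fails closed: an absent scanner
    must not silently let a secret through.
    """
    if shutil.which(binary) is None:
        return 127, "%s: not found (install the Infisical CLI or set INFISICAL_BIN)" % binary
    proc = subprocess.run([binary, *SCAN_ARGS], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def hook_main(env=None):
    """Entry point. Returns the exit status git sees: 0 allows the commit, 1 blocks it."""
    env = os.environ if env is None else env
    code, output = run_staged_scan(env.get("INFISICAL_BIN", "infisical"))
    if code == 0:
        return 0
    sys.stderr.write(output.rstrip() + "\n")
    if code == 127:
        print("pre-commit: cannot run the secret scan; refusing to commit.", file=sys.stderr)
    else:
        print(
            "pre-commit: commit blocked, hardcoded secret(s) found in staged changes.\n"
            "Move the value into Infisical or an environment variable. For an intentional\n"
            "test value, add its Fingerprint from the scan report to .infisicalignore.",
            file=sys.stderr,
        )
    return 1


if __name__ == "__main__":
    sys.exit(hook_main())
```

Any non-zero exit from the scan blocks the commit, and the hook also refuses to commit when the scanner cannot be found rather than passing silently; a hook that fails open is a hook that will one day be missing exactly when it matters.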
When scanning large repositories or repositories with a long history, it can be helpful to use a baseline. A baseline lets Infisical ignore findings that are already present in an earlier report, so only new findings are surfaced. You create such a report by running infisical scan with the --report-path flag. To create an Infisical scan report and save it in a file called leaks-report.json, use the following command:
```bash
infisical scan --report-path leaks-report.json
```
Once a baseline is created, you can apply it when running the infisical scan command again. Use the following command:
To customize the scan, such as specifying your own rules or establishing exceptions for certain files or paths that should not be flagged as risks, you can define these specifications in the configuration file.
Example custom configuration file
infisical-scan.toml
```toml
# Title for the configuration file
title = "Some title"

# This configuration is the foundation that can be expanded. If there are any overlapping rules
# between this base and the expanded configuration, the rules in this base will take priority.
# Another aspect of extending configurations is the ability to link multiple files, up to a depth of 2.
# "Allowlist" arrays get appended and may have repeated elements.
# "useDefault" and "path" cannot be used simultaneously. Please choose one.
[extend]
# useDefault will extend the base configuration with the default config:
# https://raw.githubusercontent.com/Infisical/infisical/main/cli/config/infisical-scan.toml
useDefault = true
# or you can supply a path to a configuration. Path is relative to where infisical cli
# was invoked, not the location of the base config.
path = "common_config.toml"

# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]
# Unique identifier for this rule
id = "some-identifier-for-rule"
# Short human readable description of the rule.
description = "awesome rule 1"
# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''
# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''
# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]
# A regex match may have many groups. This specifies which group contains the secret;
# that group is the one whose entropy is checked if `entropy` is set.
secretGroup = 3
# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
# Shannon entropy measures how random data is. Since secrets are usually composed of many
# random characters, they typically have high entropy.
entropy = 3.5
# Keywords are used for pre-regex check filtering.
# If a rule has keywords but the text fragment being scanned doesn't contain at least one of its
# keywords, the fragment is skipped and not processed further.
# Ideally these values should either be part of the identifier or unique strings specific to the rule's regex
# (introduced in v8.6.0)
keywords = [
  "auth",
  "password",
  "token",
]
# You can include an allowlist table for a single rule to reduce false positives or ignore commits
# with known/rotated secrets
[rules.allowlist]
description = "ignore commit A"
commits = [ "commit-A", "commit-B"]
paths = [
  '''go\.mod''',
  '''go\.sum'''
]
# note: (rule) regexTarget defaults to check the _Secret_ in the finding.
# if regexTarget is not specified then _Secret_ will be used.
# Acceptable values for regexTarget are "match" and "line"
regexTarget = "match"
regexes = [
  '''process''',
  '''getenv''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# if the extracted secret is found in the stopwords list, the finding will be skipped (i.e. not included in the report)
stopwords = [
  '''client''',
  '''endpoint''',
]

# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
[allowlist]
description = "global allow list"
commits = [ "commit-A", "commit-B", "commit-C"]
paths = [
  '''gitleaks\.toml''',
  '''(.*?)(jpg|gif|doc)'''
]
# note: (global) regexTarget defaults to check the _Secret_ in the finding.
# if regexTarget is not specified then _Secret_ will be used.
# Acceptable values for regexTarget are "match" and "line"
regexTarget = "match"
regexes = [
  '''219-09-9999''',
  '''078-05-1120''',
  '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# if the extracted secret is found in the stopwords list, the finding will be skipped (i.e. not included in the report)
stopwords = [
  '''client''',
  '''endpoint''',
]
```
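To see how the fields of a [[rules]] entry interact before you ship a custom rule, the following script, added here as an example and not Infisical's scanner code, re-implements the stages the configuration above describes (keywords prefilter, regex and secretGroup, entropy threshold, allowlist regexes with regexTarget, and stopwords) and runs a constructed rule over constructed sample lines. The acme_ token format, the rule and the sample lines are hypothetical, and the commit and path allowlist fields are left out because they do not apply to a single line of text.

```python
"""Emulation of how one [[rules]] entry is applied to a line of text.

Added example, not Infisical's scanner: it mirrors the stages the configuration
fields describe so a custom rule can be exercised before it is deployed. The
"acme_" token format, the rule and the sample lines below are constructed.
"""
import math
import re
from collections import Counter

# Python's re is not Go's RE2; stay within the syntax both share (no lookarounds,
# as the configuration comments require for Go).
RULE = {
    "id": "acme-internal-token",
    "description": "Hypothetical Acme token: acme_ followed by 32 base36 characters",
    "regex": r"\b(acme_[a-z0-9]{32})\b",
    "secretGroup": 1,              # group 1 is the secret whose entropy is checked
    "entropy": 3.5,
    "keywords": ["acme_"],         # checked case-insensitively here, before the regex runs
    "allowlist": {
        "regexTarget": "line",                # apply the regexes below to the whole line
        "regexes": [r"docs\.example\.com"],   # documentation URLs carry sample tokens
        "stopwords": ["client", "endpoint"],
    },
}

# Constructed sample input, one line per stage of the pipeline.
SAMPLE_LINES = [
    'ACME_TOKEN = "acme_kq83ncy1l0zp5w7txb4dvm2hs9ruj6eg"',            # real-looking: finding
    'ACME_TOKEN = "acme_' + "0" * 32 + '"',                              # placeholder: fails entropy
    'STRIPE_KEY = "sk_live_' + "0" * 24 + '"',                           # no keyword: skipped early
    'token = os.getenv("ACME_TOKEN")',                                   # keyword but no regex match
    '# format, see https://docs.example.com/tokens: acme_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6',  # allowlisted
    'ACME_TOKEN = "acme_client0123456789abcdefghijklmnop"',             # secret contains a stopword
]

FINDING = "finding"
NO_KEYWORD = "skipped: no keyword"
NO_MATCH = "skipped: no regex match"
LOW_ENTROPY = "skipped: entropy below threshold"
ALLOWLISTED = "skipped: allowlist regex"
STOPWORD = "skipped: stopword in secret"


def shannon_entropy(s):
    """Bits of Shannon entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def evaluate(rule, line):
    """Apply one rule to one line. Returns (status, secret_or_None)."""
    keywords = rule.get("keywords", [])
    if keywords and not any(k.lower() in line.lower() for k in keywords):
        return NO_KEYWORD, None            # cheap prefilter before the regex is run
    m = re.search(rule["regex"], line)
    if m is None:
        return NO_MATCH, None
    secret = m.group(rule.get("secretGroup", 0))
    if "entropy" in rule and shannon_entropy(secret) <= rule["entropy"]:
        return LOW_ENTROPY, None           # entropy is measured on the extracted secret only
    allow = rule.get("allowlist", {})
    target = {"match": m.group(0), "line": line}.get(allow.get("regexTarget"), secret)
    if any(re.search(r, target) for r in allow.get("regexes", [])):
        return ALLOWLISTED, None
    if any(w in secret.lower() for w in allow.get("stopwords", [])):
        return STOPWORD, None
    return FINDING, secret


def scan_lines(rule, lines):
    """Return [(line_number, status, secret)] for every line."""
    return [(i, *evaluate(rule, ln)) for i, ln in enumerate(lines, start=1)]


def findings(rule, lines):
    """Only the secrets the rule would report."""
    return [s for _, st, s in scan_lines(rule, lines) if st == FINDING]


if __name__ == "__main__":
    for no, status, secret in scan_lines(RULE, SAMPLE_LINES):
        print(f"line {no}: {status}" + (f" -> {secret}" if secret else ""))
```

Entropy is measured on the extracted secret, which is why the all-zero placeholder is discarded while the real-looking token passes. Before committing a threshold, run a handful of known-real and known-placeholder values through shannon_entropy and pick a value that separates them; 3.5 is a sensible starting point for base36 or base64 material but too high for short numeric identifiers.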
If you’re intentionally committing a test secret that infisical scan might flag, you can instruct Infisical to overlook that secret with the methods listed below.
An alternative method to exclude specific findings involves creating a .infisicalignore file at your repository’s root.
You can then add the fingerprints of the findings you wish to exclude. The Infisical scan report provides a unique Fingerprint for each secret found.
By incorporating these Fingerprints into the .infisicalignore file, Infisical will skip the corresponding secret findings in subsequent scans.
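The following script, added here as an example and not part of the Infisical CLI, turns that workflow into a repeatable step: it reads the JSON report produced by infisical scan --report-path, selects only the findings you have reviewed (here, those under tests/), and appends their Fingerprint values to .infisicalignore without duplicating lines. The embedded sample report is constructed; its commit hashes, paths and rule IDs are placeholders, and only the Fingerprint field is relied on.

```python
"""Add reviewed scan-report fingerprints to .infisicalignore.

Added example, not part of the Infisical CLI. It reads the JSON report written
by `infisical scan --report-path <file>` (a list of findings, each carrying a
Fingerprint), selects the findings you want to suppress, and appends their
fingerprints to .infisicalignore, one per line, without duplicates.
The sample report below is constructed: commit hashes, paths and rule IDs are
placeholders, and only the Fingerprint field is relied on.
"""
import fnmatch
import json
from pathlib import Path

SAMPLE_REPORT = [
    {
        "Description": "Generic API Key",
        "File": "tests/fixtures/config.py",
        "StartLine": 12,
        "RuleID": "generic-api-key",
        "Commit": "0a1b2c3d",
        "Fingerprint": "0a1b2c3d:tests/fixtures/config.py:generic-api-key:12",
    },
    {
        "Description": "AWS Access Token",
        "File": "tests/fixtures/fake_aws.env",
        "StartLine": 3,
        "RuleID": "aws-access-token",
        "Commit": "0a1b2c3d",
        "Fingerprint": "0a1b2c3d:tests/fixtures/fake_aws.env:aws-access-token:3",
    },
    {
        "Description": "Generic API Key",
        "File": "src/app/settings.py",     # a real finding: must not be ignored
        "StartLine": 40,
        "RuleID": "generic-api-key",
        "Commit": "9f8e7d6c",
        "Fingerprint": "9f8e7d6c:src/app/settings.py:generic-api-key:40",
    },
]


def load_findings(report_path):
    """Parse the report; an empty file (nothing written) yields an empty list."""
    text = Path(report_path).read_text(encoding="utf-8").strip()
    return json.loads(text) if text else []


def select_fingerprints(findings, path_glob="*", rule_id=None):
    """Fingerprints of findings whose File matches path_glob (and RuleID, if given).

    Keep the glob narrow: ignoring everything the scan reported defeats the scan.
    """
    chosen = []
    for finding in findings:
        if not fnmatch.fnmatch(finding.get("File", ""), path_glob):
            continue
        if rule_id is not None and finding.get("RuleID") != rule_id:
            continue
        fingerprint = finding.get("Fingerprint")
        if fingerprint and fingerprint not in chosen:
            chosen.append(fingerprint)
    return chosen


def update_ignore_file(ignore_path, fingerprints):
    """Append fingerprints not already present, one per line. Returns the ones added."""
    path = Path(ignore_path)
    lines = path.read_text(encoding="utf-8").splitlines() if path.exists() else []
    present = {ln.strip() for ln in lines}
    added = [fp for fp in fingerprints if fp not in present]
    if added:
        path.write_text("\n".join(lines + added) + "\n", encoding="utf-8")
    return added


if __name__ == "__main__":
    import sys
    # With a report path argument, print the fingerprints that would be ignored;
    # without one, demonstrate on the constructed sample report.
    found = load_findings(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for fp in select_fingerprints(found, path_glob="tests/*"):
        print(fp)
```

Keep the selection narrow. A .infisicalignore that suppresses everything the last scan reported makes the next scan meaningless; ignore fixtures and deliberately fake test values, and rotate anything real rather than ignoring it.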