Scan and prevent secret leaks in your code base
The infisical scan command scans repositories, directories, and files. It works on both individual developer machines and in Continuous Integration (CI) environments.
When you run infisical scan on a Git repository, Infisical parses the output of a git log -p command. This command generates patches that Infisical uses to identify secrets in your code.
You can configure the range of commits that git log will cover using the --log-opts flag. Any options you can use with git log -p are valid for --log-opts.
For instance, to instruct Infisical to scan a specific range of commits, use the following command:
infisical scan --log-opts="--all commitA..commitB"
For more details, refer to the Git log documentation.
To scan individual files and directories, use the --no-git flag.
git config --bool hooks.infisical-scan false
.git/hooks directory, you can quickly achieve this by adding the following command into your pre-commit script.
For instance, if you utilize Husky for managing your Git hooks, you can insert the command provided below into your .husky/pre-commit file.
infisical scan with the --report-path flag.
To create an Infisical scan report and save it in a file called leaks-report.json, use the following command:
infisical scan command again. Use the following command:
scan command with the --baseline-path flag, the report output in findings.json will only contain new issues.
Example custom configuration file
infisical scan might flag, you can instruct Infisical to overlook that secret with the methods listed below.
infisical-scan:ignore at the end of the line as a comment in the given programming language.
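Added example, not Infisical's own code: a Python illustration of the two ideas described above, scanning the added lines of git log -p patches and skipping lines that carry the infisical-scan:ignore comment. The regex rule, the function name scan_patches and the sample log are constructed for illustration; Infisical uses its own rule set and parser.

```python
import re

# Illustrative rule only (assumption); Infisical ships its own rule set.
RULE = re.compile(r"""(?i)(?:key|secret|token)\s*=\s*["']([A-Za-z0-9]{20,})["']""")
IGNORE = "infisical-scan:ignore"

# Constructed, trimmed `git log -p` output, newest commit first.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
    remove key
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,2 @@
-API_KEY = "EXAMPLEKEY0123456789abcd"
 TEST_KEY = "EXAMPLEKEY9876543210dcba"  # infisical-scan:ignore
 DEBUG = True
commit 1111111111111111111111111111111111111111
    add config
diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,3 @@
+API_KEY = "EXAMPLEKEY0123456789abcd"
+TEST_KEY = "EXAMPLEKEY9876543210dcba"  # infisical-scan:ignore
+DEBUG = True
"""

def scan_patches(log_text):
    """Return (commit, file, line, secret) for matches on added lines."""
    findings, commit, path, line_no = [], None, None, 0
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):          # new-side file header
            path = line[4:].removeprefix("b/")
        elif m := re.match(r"@@ -\S+ \+(\d+)", line):
            line_no = int(m.group(1))          # first new-side line of hunk
        elif line.startswith("+"):             # line added by this commit
            hit = RULE.search(line[1:])
            if hit and IGNORE not in line:     # honor the inline marker
                findings.append((commit, path, line_no, hit.group(1)))
            line_no += 1
        elif line.startswith(" "):             # unchanged context line
            line_no += 1
    return findings

if __name__ == "__main__":
    for finding in scan_patches(SAMPLE_LOG):
        print(finding)
```

The key deleted in the newest commit is still reported, because it appears as an added line in the older commit's patch; deleting a secret from the working tree does not remove it from history.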