Building upon its core functionality of fetching and injecting secrets into your applications, Infisical now takes a significant step forward in bolstering your code security. We’ve enhanced our CLI tool to include a powerful scanning feature, capable of identifying more than 140 different types of secret leaks in your codebase. In addition to scanning for past leaks, this new addition also actively aids in preventing future leaks.

Scanning

infisical scan

# Display the full secret findings
infisical scan --verbose

The infisical scan command serves to scan repositories, directories, and files. It’s compatible with both individual developer machines and Continuous Integration (CI) environments.

When you run infisical scan on a Git repository, Infisical will parses the output of a git log -p command. This command generates patches that Infisical uses to identify secrets in your code. You can configure the range of commits that git log will cover using the --log-opts flag. Any options you can use with git log -p are valid for --log-opts.

For instance, to instruct Infisical to scan a specific range of commits, use the following command: infisical scan --log-opts="--all commitA..commitB". For more details, refer to the Git log documentation.

To scan individual files and directories, use the --no-git flag.

View full details for this command

infisical scan

# Display the full secret findings
infisical scan --verbose

The infisical scan command serves to scan repositories, directories, and files. It’s compatible with both individual developer machines and Continuous Integration (CI) environments.

To scan individual files and directories, use the --no-git flag.

View full details for this command

infisical scan git-changes

# Display the full secret findings
infisical scan git-changes --verbose

Scanning for secrets before you commit your changes is great way to prevent leaks. Infisical makes this easy with the sub command git-changes.

The git-changes scans for uncommitted changes in a Git repository, and is especially designed for use on developer machines, aligning with the ‘shift left’ security approach. When git-changes is run on a Git repository, Infisical parses the output from a git diff command.

To scan changes in commits that have been staged via git add, you can add the --staged flag to the sub command. This flag is particularly useful when using Infisical CLI as a pre-commit tool.

View full details for this command

git-changes command is only for Git repositories; using it on files or directories will result in an error.

Automatically scan changes before you commit

To lower the risk of committing hardcoded secrets to your code repository, we have designed a custom git pre-commit hook. This hook scans the changes you’re about to commit for any exposed secrets. If any hardcoded secrets are detected, it will block your commit.

Install pre-commit hook

To install this git hook, go into your local git repository and run the following command.

infisical scan install --pre-commit-hook

To disable this hook after installing it, run the command git config --bool hooks.infisical-scan false

Third party hooks management

If you would rather handle your pre-commit hook outside of the standard .git/hooks directory, you can quickly achieve this by adding the following command into your pre-commit script. For instance, if you utilize Husky for managing your Git hooks, you can insert the command provided below into your .husky/pre-commit file.

infisical scan git-changes --staged --verbose

Creating a baseline

When scanning large repositories or repositories with a long history, it can be helpful to use a baseline.

A baseline allows Infisical to ignore any old findings that are already present in the baseline findings. You can create a infisical scan report by running infisical scan with the --report-path flag.

To create a Infisical scan report and save it in a file called leaks-report.json, use the following command:

infisical scan --report-path leaks-report.json

Once a baseline is created, you can apply it when running the infisical scan command again. Use the following command:

infisical scan --baseline-path leaks-report.json --report-path findings.json

After running the scan command with the --baseline-path flag, the report output in findings.json will only contain new issues.

Configuration file

To customize the scan, such as specifying your own rules or establishing exceptions for certain files or paths that should not be flagged as risks, you can define these specifications in the configuration file.

Example custom configuration file

infisical-scan.toml

# Title for the configuration file
title = "Some title"


# This configuration is the foundation that can be expanded. If there are any overlapping rules
# between this base and the expanded configuration, the rules in this base will take priority.
# Another aspect of extending configurations is the ability to link multiple files, up to a depth of 2.
# "Allowlist" arrays get appended and may have repeated elements.
# "useDefault" and "path" cannot be used simultaneously. Please choose one.
[extend]
# useDefault will extend the base configuration with the default config:
# https://raw.githubusercontent.com/Infisical/infisical/main/cli/config/infisical-scan.toml
useDefault = true
# or you can supply a path to a configuration. Path is relative to where infisical cli
# was invoked, not the location of the base config.
path = "common_config.toml"

# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]

# Unique identifier for this rule
id = "some-identifier-for-rule"

# Short human readable description of the rule.
description = "awesome rule 1"

# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''

# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''

# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]

# A regex match may have many groups, this allows you to specify the group that should be used as (which group the secret is contained in)
# its entropy checked if `entropy` is set.
secretGroup = 3

# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
# Shannon entropy measures how random a data is. Since secrets are usually composed of many random characters, they typically have high entropy
entropy = 3.5

# Keywords are used for pre-regex check filtering.
# If rule has keywords but the text fragment being scanned doesn't have at least one of it's keywords, it will be skipped for processing further.
# Ideally these values should either be part of the identifier or unique strings specific to the rule's regex
# (introduced in v8.6.0)
keywords = [
	"auth",
	"password",
	"token",
]

# You can include an allowlist table for a single rule to reduce false positives or ignore commits
# with known/rotated secrets
[rules.allowlist]
description = "ignore commit A"
commits = [ "commit-A", "commit-B"]
paths = [
	'''go\.mod''',
	'''go\.sum'''
]
# note: (rule) regexTarget defaults to check the _Secret_ in the finding.
# if regexTarget is not specified then _Secret_ will be used.
# Acceptable values for regexTarget are "match" and "line"
regexTarget = "match"
regexes = [
	'''process''',
	'''getenv''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# if the extracted secret is found in the stopwords list, the finding will be skipped (i.e not included in report)
stopwords = [
	'''client''',
	'''endpoint''',
]


# This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
[allowlist]
description = "global allow list"
commits = [ "commit-A", "commit-B", "commit-C"]
paths = [
	'''gitleaks\.toml''',
	'''(.*?)(jpg|gif|doc)'''
]

# note: (global) regexTarget defaults to check the _Secret_ in the finding.
# if regexTarget is not specified then _Secret_ will be used.
# Acceptable values for regexTarget are "match" and "line"
regexTarget = "match"

regexes = [
	'''219-09-9999''',
	'''078-05-1120''',
	'''(9[0-9]{2}|666)-\d{2}-\d{4}''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# if the extracted secret is found in the stopwords list, the finding will be skipped (i.e not included in report)
stopwords = [
	'''client''',
	'''endpoint''',
]

Ignoring Known Secrets

If you’re intentionally committing a test secret that infisical scan might flag, you can instruct Infisical to overlook that secret with the methods listed below.

infisical-scan:ignore

To ignore a secret contained in line of code, simply add infisical-scan:ignore at the end of the line as comment in the given programming.

example.js

function helloWorld() {
    console.log("8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"); // infisical-scan:ignore
}

.infisicalignore

An alternative method to exclude specific findings involves creating a .infisicalignore file at your repository’s root. You can then add the fingerprints of the findings you wish to exclude. The Infisical scan report provides a unique Fingerprint for each secret found. By incorporating these Fingerprints into the .infisicalignore file, Infisical will skip the corresponding secret findings in subsequent scans.

.infisicalignore

bea0ff6e05a4de73a5db625d4ae181a015b50855:frontend/components/utilities/attemptLogin.js:stripe-access-token:147
bea0ff6e05a4de73a5db625d4ae181a015b50855:backend/src/json/integrations.json:generic-api-key:5
1961b92340e5d2613acae528b886c842427ce5d0:frontend/components/utilities/attemptLogin.js:stripe-access-token:148

Command line

Secret scanning

Scanning

Automatically scan changes before you commit

Install pre-commit hook

Third party hooks management

Creating a baseline

Configuration file

Ignoring Known Secrets

infisical-scan:ignore

.infisicalignore

Command line

​Scanning

​Automatically scan changes before you commit

​Install pre-commit hook

​Third party hooks management

​Creating a baseline

​Configuration file

​Ignoring Known Secrets

​infisical-scan:ignore

​.infisicalignore

Scanning

Automatically scan changes before you commit

Install pre-commit hook

Third party hooks management

Creating a baseline

Configuration file

Ignoring Known Secrets

infisical-scan:ignore

.infisicalignore