@@ -6,21 +6,21 @@
</p>
</p>
-Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks aims to be the **easy-to-use, all-in-one solution** for finding secrets, past or present, in your code.
+Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an **easy-to-use, all-in-one solution** for finding secrets, past or present, in your code.
### Features:
- Scan for [commited](https://github.com/zricethezav/gitleaks#Scanning) secrets
-- Scan for [unstaged](https://github.com/zricethezav/gitleaks#scan-unstaged-changes) secrets as part of shifting security left
+- Scan for [unstaged](https://github.com/zricethezav/gitleaks#scan-unstaged-changes) secrets to shift security left
- Scan [directories and files](https://github.com/zricethezav/gitleaks#scan-local-directory)
-- Available [Github Action](https://github.com/marketplace/actions/gitleaks)
+- Run [Gitleaks Action](https://github.com/marketplace/actions/gitleaks) in your CI/CD pipeline
- [Custom rules](https://github.com/zricethezav/gitleaks#configuration) via toml configuration
-- High performance using [go-git](https://github.com/go-git/go-git)
+- Increased performance using [go-git](https://github.com/go-git/go-git)
- JSON, SARIF, and CSV reporting
- Private repo scans using key or password based authentication
### Installation
-Gitleaks can be installed with Homebrew, Docker, and Go. Gitleaks is also available in binary form for many popular platforms and OS types from the [releases page](https://github.com/zricethezav/gitleaks/releases).
+Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the [releases page](https://github.com/zricethezav/gitleaks/releases).
##### MacOS
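Review bot: the rewrite of the opening paragraph turns "Gitleaks aims to be the easy-to-use, all-in-one solution" into "Gitleaks is an easy-to-use, all-in-one solution", which changes a stated goal into a product claim; keep the hedge unless that is intended, and while touching the line change "api keys" to "API keys". Further down the same hunk, "High performance using go-git" becomes "Increased performance using go-git", which is vaguer (increased relative to what?); suggest "Fast scanning using go-git" or leaving the original wording. Since this hunk already edits the feature list, the unchanged bullet "Scan for [commited] secrets" is a good place to also fix the "commited" typo.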
@@ -94,7 +94,7 @@ gitleaks --repo-url=https://github.com/my-insecure/repo -v
#### Basic repo-url scan output to a report:
-If we want the report in sarif or csv we can set the `-f/--format` option
+If you want the report in sarif or csv you can set the `-f/--format` option
```
gitleaks --repo-url=https://github.com/my-insecure/repo -v --report=my-report.json
```
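Review bot: the reworded sentence "If you want the report in sarif or csv you can set the `-f/--format` option" still has no example that uses `-f/--format`; the only command in this block is `gitleaks --repo-url=https://github.com/my-insecure/repo -v --report=my-report.json`, so a reader has to guess the syntax. Suggest adding a second command line that shows the option, for example `gitleaks --repo-url=https://github.com/my-insecure/repo -v --report=my-report.csv --format=csv`, and writing the format names as SARIF and CSV with a comma before "you can", to match the feature list above.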
@@ -109,20 +109,20 @@ gitleaks --repo-url=https://github.com/my-insecure/repo --commit=commit-sha -v
gitleaks --path=path/to/local/repo -v
```
-#### Scan repos contain in a parent directory:
-If we had `repo1`, `repo2`, `repo3` all under `path/to/local`, gitleaks will discover and scan those repos.
+#### Scan repos contained in a parent directory:
+If you have `repo1`, `repo2`, `repo3` all under `path/to/local`, gitleaks will discover and scan those repos.
```
gitleaks --path=path/to/local/ -v
```
#### Scan local directory:
-You might want to scan the current contents of a repo, ignoring git alltogether. You can use the `--no-git` option to do this.
+If you want to scan the current contents of a repo, ignoring git alltogether. You can use the `--no-git` option to do this.
```
gitleaks --path=path/to/local/repo -v --no-git
```
#### Scan a file:
-Or you might want to scan a single file using gitleaks rules. You can do this by specifying the file in `--path` and including the `--no-git` option.
+Or if you want to scan a single file using gitleaks rules. You can do this by specifying the file in `--path` and including the `--no-git` option.
```
gitleaks --path=path/to/local/repo/main.go -v --no-git
```
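Review bot: the rewrites under "Scan local directory" and "Scan a file" introduce sentence fragments: "If you want to scan the current contents of a repo, ignoring git alltogether." and "Or if you want to scan a single file using gitleaks rules." each stop before their main clause. Suggest joining each to the sentence that follows it: "If you want to scan the current contents of a repo, ignoring git altogether, use the `--no-git` option." and "To scan a single file using gitleaks rules, specify the file in `--path` and include the `--no-git` option." That also fixes the "alltogether" typo, which the new lines carry over unchanged. The heading fix "Scan repos contained in a parent directory" and the "If you have `repo1`, `repo2`, `repo3`" rewording read correctly.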
@@ -136,8 +136,9 @@ gitleaks --path=path/to/local/repo -v --unstaged
### Configuration
-Provide your own gitleaks configurations with `--config-path` or `--repo-config-path`. The difference between the two is `--config-path` loads a local gitleaks config whereas `--repo-config-path` will load a configuration present in the repo you want to scan. For example, `gitleaks --repo-config-path=".github/gitleaks.config"`.
-The default configuration Gitleaks uses is located [here](https://github.com/zricethezav/gitleaks/blob/master/config/default.go). More configuration examples can be seen [here](https://github.com/zricethezav/gitleaks/tree/master/examples). Configuration files contain a few different toml tables which will be explained below.
+Provide your own gitleaks configurations with `--config-path` or `--repo-config-path`. `--config-path` loads a local gitleaks configuration whereas `--repo-config-path` will load a configuration present just in the repo you want to scan. For example, `gitleaks --repo-config-path=".github/gitleaks.config"`.
+The default configuration Gitleaks uses is located [here](https://github.com/zricethezav/gitleaks/blob/master/config/default.go). More configuration examples can be seen [here](https://github.com/zricethezav/gitleaks/tree/master/examples). Configuration files will contain a few different toml tables. Further explanation is provided below.
+
### Rules summary
The rules are written in [TOML](https://github.com/toml-lang/toml) as defined in [TomlLoader struct](https://github.com/zricethezav/gitleaks/blob/master/config/config.go#L57-L87), and can be summarized as:
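Review bot: "`--repo-config-path` will load a configuration present just in the repo you want to scan" is awkward ("present just in"), and the Configuration paragraph still lacks the caveat that follows from its own description: because that file is read from the repository being scanned, a repo you do not control can commit a config whose rules or allowlists suppress its own findings, so `--config-path` (a config the scanner operator controls) is the safer choice for untrusted or third-party repos. Suggested wording: "`--config-path` loads a gitleaks configuration from your local machine, whereas `--repo-config-path` loads one committed in the repo being scanned. Note that the second form lets the scanned repo control the rules, so prefer `--config-path` for repos you do not trust." The example `gitleaks --repo-config-path=".github/gitleaks.config"` also omits the scan target (`--repo-url` or `--path`) that every other example in this README includes. In the final sentence, "Configuration files will contain a few different toml tables. Further explanation is provided below." reads better as "Configuration files contain a few different TOML tables, explained below."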