@ -38,16 +38,16 @@ import (
const configDescription = ` config file path
order of precedence :
1. -- config / - c
2. env var GITLEAKS _CONFIG
3. ( -- source / - s ) / . gitleaks . toml
If none of the three options are used , then gitleaks will use the default config `
1. -- config flag
2. env var INFISICAL_SCAN _CONFIG
3. ( -- source / - s ) / . infisical- scan . toml
If none of the three options are used , then Infisical will use the default scan config `
func init ( ) {
// scan flag for only scan command
scanCmd . Flags ( ) . String ( "log-opts" , "" , "git log options" )
scanCmd . Flags ( ) . Bool ( "no-git" , false , "treat git repo as a regular directory and scan those files, --log-opts has no effect on the scan when --no-git is set" )
scanCmd . Flags ( ) . Bool ( "pipe" , false , "scan input from stdin, ex: `cat some_file | gitleaks detect --pipe`")
scanCmd . Flags ( ) . Bool ( "pipe" , false , "scan input from stdin, ex: `cat some_file | infisical scan --pipe`")
scanCmd . Flags ( ) . Bool ( "follow-symlinks" , false , "scan files that are symlinks to other files" )
// global scan flags
@ -75,9 +75,6 @@ func init() {
// add flags to main
scanCmd . AddCommand ( scanGitChangesCmd )
rootCmd . AddCommand ( scanCmd )
// Hide flags
scanCmd . PersistentFlags ( ) . MarkHidden ( "config" )
}
func initScanConfig ( cmd * cobra . Command ) {
@ -85,13 +82,14 @@ func initScanConfig(cmd *cobra.Command) {
if err != nil {
log . Fatal ( ) . Msg ( err . Error ( ) )
}
if cfgPath != "" {
viper . SetConfigFile ( cfgPath )
log . Debug ( ) . Msgf ( "using gitleaks config %s from `--config`", cfgPath )
} else if os . Getenv ( "GITLEAKS_CONFIG" ) != "" {
envPath := os . Getenv ( "GITLEAKS_CONFIG" )
log . Debug ( ) . Msgf ( "using scan config %s from `--config`", cfgPath )
} else if os . Getenv ( config . DefaultScanConfigEnvName ) != "" {
envPath := os . Getenv ( config . DefaultScanConfigEnvName )
viper . SetConfigFile ( envPath )
log . Debug ( ) . Msgf ( "using gitleaks config from GITLEAKS_CONFIG env var: %s" , envPath )
log . Debug ( ) . Msgf ( "using scan config from %s env var: %s", config . DefaultScanConfigEnvName , envPath )
} else {
source , err := cmd . Flags ( ) . GetString ( "source" )
if err != nil {
@ -103,8 +101,8 @@ func initScanConfig(cmd *cobra.Command) {
}
if ! fileInfo . IsDir ( ) {
log . Debug ( ) . Msgf ( "unable to load gitleaks config from %s since --source=%s is a file, using default config",
filepath . Join ( source , ".gitleaks.toml" ) , source )
log . Debug ( ) . Msgf ( "unable to load scan config from %s since --source=%s is a file, using default config",
filepath . Join ( source , config . DefaultScanConfigFileName ) , source )
viper . SetConfigType ( "toml" )
if err = viper . ReadConfig ( strings . NewReader ( config . DefaultConfig ) ) ; err != nil {
log . Fatal ( ) . Msgf ( "err reading toml %s" , err . Error ( ) )
@ -112,23 +110,23 @@ func initScanConfig(cmd *cobra.Command) {
return
}
if _ , err := os . Stat ( filepath . Join ( source , ".gitleaks.toml" ) ) ; os . IsNotExist ( err ) {
log . Debug ( ) . Msgf ( "no gitleaks config found in path %s, using default gitleaks config", filepath . Join ( source , ".gitleaks.toml" ) )
if _ , err := os . Stat ( filepath . Join ( source , config . DefaultScanConfigFileName ) ) ; os . IsNotExist ( err ) {
log . Debug ( ) . Msgf ( "no scan config found in path %s, using default scan config", filepath . Join ( source , config . DefaultScanConfigFileName ) )
viper . SetConfigType ( "toml" )
if err = viper . ReadConfig ( strings . NewReader ( config . DefaultConfig ) ) ; err != nil {
log . Fatal ( ) . Msgf ( "err reading default config toml %s", err . Error ( ) )
log . Fatal ( ) . Msgf ( "err reading default scan config toml %s", err . Error ( ) )
}
return
} else {
log . Debug ( ) . Msgf ( "using existing gitleaks config %s from `(--source)/.gitleaks.toml`", filepath . Join ( source , ".gitleaks.toml" ) )
log . Debug ( ) . Msgf ( "using existing scan config %s from `(--source)/%s`", filepath . Join ( source , config . DefaultScanConfigFileName ) , config . DefaultScanConfigFileName )
}
viper . AddConfigPath ( source )
viper . SetConfigName ( ".gitleaks" )
viper . SetConfigName ( config . DefaultScanConfigFileName )
viper . SetConfigType ( "toml" )
}
if err := viper . ReadInConfig ( ) ; err != nil {
log . Fatal ( ) . Msgf ( "unable to load gitleaks config, err: %s", err )
log . Fatal ( ) . Msgf ( "unable to load scan config, err: %s", err )
}
}
@ -167,10 +165,10 @@ var scanCmd = &cobra.Command{
if err != nil {
log . Fatal ( ) . Err ( err ) . Msg ( "" )
}
// if config path is not set, then use the {source}/. gitleaks .toml path.
// note that there may not be a `{source}/. gitleaks .toml` file, this is ok.
// if config path is not set, then use the {source}/. infisical-scan .toml path.
// note that there may not be a `{source}/. infisical-scan .toml` file, this is ok.
if detector . Config . Path == "" {
detector . Config . Path = filepath . Join ( source , ".gitleaks.toml" )
detector . Config . Path = filepath . Join ( source , config . DefaultScanConfigFileName )
}
// set verbose flag
if detector . Verbose , err = cmd . Flags ( ) . GetBool ( "verbose" ) ; err != nil {
@ -188,8 +186,8 @@ var scanCmd = &cobra.Command{
log . Fatal ( ) . Err ( err ) . Msg ( "" )
}
if fileExists ( filepath . Join ( source , ".infisicalignore" ) ) {
if err = detector . AddGitleaksIgnore ( filepath . Join ( source , ".infisicalignore" ) ) ; err != nil {
if fileExists ( filepath . Join ( source , config . DefaultInfisicalIgnoreFineName ) ) {
if err = detector . AddGitleaksIgnore ( filepath . Join ( source , config . DefaultInfisicalIgnoreFineName ) ) ; err != nil {
log . Fatal ( ) . Err ( err ) . Msg ( "could not call AddInfisicalIgnore" )
}
}
@ -199,7 +197,7 @@ var scanCmd = &cobra.Command{
if baselinePath != "" {
err = detector . AddBaseline ( baselinePath , source )
if err != nil {
log . Error ( ) . Msgf ( "Could not load baseline. The path must point of a gitleaks report generated using the default format: %s", err )
log . Error ( ) . Msgf ( "Could not load baseline. The path must point t o report generated by `infisical scan` using the default format: %s", err )
}
}
@ -226,6 +224,8 @@ var scanCmd = &cobra.Command{
log . Fatal ( ) . Err ( err )
}
log . Info ( ) . Msgf ( "scanning for exposed secrets..." )
// start the detector scan
if noGit {
findings , err = detector . DetectFiles ( source )
@ -320,10 +320,10 @@ var scanGitChangesCmd = &cobra.Command{
if err != nil {
log . Fatal ( ) . Err ( err ) . Msg ( "" )
}
// if config path is not set, then use the {source}/. gitleaks .toml path.
// note that there may not be a `{source}/. gitleaks .toml` file, this is ok.
// if config path is not set, then use the {source}/. infisical-scan .toml path.
// note that there may not be a `{source}/. infisical-scan .toml` file, this is ok.
if detector . Config . Path == "" {
detector . Config . Path = filepath . Join ( source , ".gitleaks.toml" )
detector . Config . Path = filepath . Join ( source , config . DefaultScanConfigFileName )
}
// set verbose flag
if detector . Verbose , err = cmd . Flags ( ) . GetBool ( "verbose" ) ; err != nil {
@ -341,8 +341,8 @@ var scanGitChangesCmd = &cobra.Command{
log . Fatal ( ) . Err ( err ) . Msg ( "" )
}
if fileExists ( filepath . Join ( source , ".infisicalignore" ) ) {
if err = detector . AddGitleaksIgnore ( filepath . Join ( source , ".infisicalignore" ) ) ; err != nil {
if fileExists ( filepath . Join ( source , config . DefaultInfisicalIgnoreFineName ) ) {
if err = detector . AddGitleaksIgnore ( filepath . Join ( source , config . DefaultInfisicalIgnoreFineName ) ) ; err != nil {
log . Fatal ( ) . Err ( err ) . Msg ( "could not call AddInfisicalIgnore" )
}
}
@ -353,6 +353,8 @@ var scanGitChangesCmd = &cobra.Command{
log . Fatal ( ) . Err ( err ) . Msg ( "" )
}
log . Info ( ) . Msgf ( "scanning for exposed secrets..." )
// start git scan
var findings [ ] report . Finding
if staged {
@ -387,7 +389,7 @@ var scanGitChangesCmd = &cobra.Command{
}
func fileExists ( fileName string ) bool {
// check for a . gitleaks ignore file
// check for a . infisical ignore file
info , err := os . Stat ( fileName )
if err != nil && ! os . IsNotExist ( err ) {
return false