
scan

docs/cli/commands/scan.mdx

```bash
infisical scan

# Display the full secret findings
infisical scan --verbose
```

Description

The `infisical scan` command scans repositories, directories, and files for secrets. It can be run on individual developer machines and in Continuous Integration (CI) environments.

When you run `infisical scan` on a Git repository, Infisical parses the output of a `git log -p` command. This command generates patches that Infisical uses to identify secrets in your code. You can configure the range of commits that `git log` will cover using the `--log-opts` flag. Any options you can use with `git log -p` are valid for `--log-opts`.

For instance, to instruct Infisical to scan a specific range of commits, use the following command: `infisical scan --log-opts="--all commitA..commitB"`. For more details, refer to the Git log documentation.

To scan individual files and directories, use the `--no-git` flag.

Flags

<Accordion title="--log-opts"> **Description**

git log options </Accordion>

<Accordion title="--no-git"> **Description**

treat git repo as a regular directory and scan those files; `--log-opts` has no effect on the scan when `--no-git` is set

Default value: false </Accordion>

<Accordion title="--pipe"> Short hand: `-b`

**Description**

scan input from stdin, ex: `cat some_file | infisical scan --pipe`

Default value: false </Accordion>

<Accordion title="--follow-symlinks"> Short hand: `-b`

**Description**

scan files that are symlinks to other files

Default value: false </Accordion>

<Accordion title="--baseline-path"> Short hand: `-b`

**Description**

path to baseline with issues that can be ignored </Accordion>

<Accordion title="--config"> Short hand: `-c`

**Description**

config file path

order of precedence:

  1. `--config` flag
  2. env var `INFISICAL_SCAN_CONFIG`
  3. `(--source/-s)/.infisical-scan.toml`

If none of the three options are used, then Infisical will use the default config </Accordion>

<Accordion title="--exit-code"> **Description**

exit code when leaks have been encountered (default 1) </Accordion>

<Accordion title="--max-target-megabytes"> **Description**

files larger than this will be skipped </Accordion>

<Accordion title="--no-color"> **Description**

turn off color for verbose output </Accordion>

<Accordion title="--redact"> **Description**

redact secrets from logs and stdout </Accordion>

<Accordion title="--report-format"> **Description**

output format (json, csv, sarif) (default "json") </Accordion>

<Accordion title="--report-path"> **Description**

report file </Accordion>

<Accordion title="--source"> **Description**

path to source (default ".") </Accordion>

<Accordion title="--verbose"> **Description**

show verbose output from scan </Accordion>
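
The flags above combined into one CI step, as an added example that is not part of the Infisical documentation: it scans a single commit range with `--log-opts`, redacts output, writes a SARIF report, and uses a non-default `--exit-code` so findings can be told apart from other non-zero exits. The function names, the `REPORT_PATH` and `BASELINE_PATH` variables, the value 42, and the reading of other exit codes as "scan did not complete" are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the Infisical docs): CI step scanning one commit range.
# Assumptions: the commit ids come from the CI system; LEAK_EXIT=42 and the
# report/baseline paths are values chosen for this sketch.

LEAK_EXIT=42                                   # distinct from the default of 1
REPORT_PATH="${REPORT_PATH:-infisical-scan.sarif}"
BASELINE_PATH="${BASELINE_PATH:-}"             # optional, skipped when unset

# Accept only 7-64 hex characters. --log-opts is handed to git log, so a value
# such as "--all" must not be allowed to slip in as an extra option.
is_commit_id() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -ge 7 ] && [ "${#1}" -le 64 ]
}

# scan_range BASE HEAD: scan the patches in BASE..HEAD and classify the result.
scan_range() {
  sr_base=$1; sr_head=$2; sr_rc=0
  if ! is_commit_id "$sr_base" || ! is_commit_id "$sr_head"; then
    echo "refusing to scan: commit ids must be hex" >&2
    return 2
  fi
  set -- scan "--log-opts=${sr_base}..${sr_head}" --redact \
    --report-format=sarif "--report-path=${REPORT_PATH}" \
    "--exit-code=${LEAK_EXIT}"
  if [ -n "$BASELINE_PATH" ] && [ -f "$BASELINE_PATH" ]; then
    set -- "$@" "--baseline-path=${BASELINE_PATH}"
  fi
  infisical "$@" || sr_rc=$?
  case "$sr_rc" in
    0)            echo "no findings in ${sr_base}..${sr_head}" ;;
    "$LEAK_EXIT") echo "findings written to ${REPORT_PATH}" >&2 ;;
    *)            echo "scan did not complete (exit ${sr_rc})" >&2 ;;
  esac
  return "$sr_rc"
}

# Run only when called with two arguments: ./scan-range.sh <base> <head>
if [ "$#" -eq 2 ]; then
  scan_range "$1" "$2"
  exit $?
fi
```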