Linux command

gitleaks command

After copying a command, replace file names, directories or parameters as needed.

Common examples

Scan a Git repository's history

gitleaks git [path/to/repo]

Scan a directory on disk

gitleaks dir [path]

Scan piped input

cat [file] | gitleaks stdin

Write a JSON report

gitleaks git --report-format json --report-path [report.json]

Use a custom config and ignore a baseline

gitleaks git --config [.gitleaks.toml] --baseline-path [baseline.json]

Deprecated form still accepted

gitleaks detect --source [path]

Description

gitleaks scans text for secrets such as API keys, tokens and passwords. It can inspect the entire commit history of a Git repository, arbitrary directories on disk, or a stream arriving on stdin. Rules are regular expressions defined in the bundled default config or in a user-supplied `.gitleaks.toml`. Each rule can carry an allowlist (paths, regexes, stopwords) to suppress known false positives. Findings can be exported as JSON, CSV, JUnit or SARIF for CI ingestion. A typical pre-commit hook runs `git diff --cached | gitleaks stdin --no-banner`; CI jobs use `gitleaks git --exit-code 2 --report-format sarif --report-path leaks.sarif`.
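As an added illustration of the custom config and allowlists mentioned above (example written for this page, not a config shipped by the gitleaks project), a `.gitleaks.toml` that keeps the bundled rules and adds one organisation-specific rule; the `acme_` token format, the rule id and the paths are assumptions.

```toml
# .gitleaks.toml: keep the bundled rules and add one organisation-specific rule.
title = "example gitleaks config"

[extend]
# Inherit every rule from the default config shipped with gitleaks.
useDefault = true

# Hypothetical rule: an internal token written as "acme_" plus 32 alphanumerics.
[[rules]]
id = "acme-internal-token"
description = "Acme internal service token"
regex = '''acme_[A-Za-z0-9]{32}'''
# Cheap pre-filter: a line is only regex-matched if it contains this substring.
keywords = ["acme_"]
# Shannon-entropy floor for the matched secret; drops obvious placeholders.
entropy = 3.5
tags = ["internal", "token"]

# Rule-scoped allowlist: suppresses known false positives for this rule only.
[rules.allowlist]
paths = ['''testdata/.*''', '''docs/.*\.md$''']
regexes = ['''acme_EXAMPLE[A-Za-z0-9]{25}''']
stopwords = ["example", "placeholder", "changeme"]

# Global allowlist applied to every rule, bundled ones included.
[allowlist]
description = "binary assets and vendored code never hold our own secrets"
paths = ['''\.(png|jpg|gif|pdf)$''', '''^vendor/''']
```

Run it with `gitleaks git --config .gitleaks.toml [path/to/repo]`; a finding that still appears can be pinned in a baseline report and ignored on later runs with `--baseline-path`.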

Options

-c, --config _FILE_
Path to a gitleaks TOML configuration.
-f, --report-format _FORMAT_
Output format: `json`, `csv`, `junit`, `sarif`, `template`.
-r, --report-path _FILE_
Output file path. Without it, findings only print to the terminal.
-b, --baseline-path _FILE_
Ignore any finding already present in an earlier report (noise reduction).
-v, --verbose
Print each finding as it is discovered.
-l, --log-level _LEVEL_
Logger verbosity (debug, info, warn, error).
--exit-code _N_
Exit code to emit when at least one leak is detected (default `1`).
--max-decode-depth _N_
Recursively decode base64/hex payloads up to this depth.
--max-archive-depth _N_
Descend into archives (zip, tar, …) up to this depth.
--help
Display help information.

FAQ

How do I run a basic gitleaks example?

Run `gitleaks git [path/to/repo]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does -c, --config _FILE_ do in gitleaks?

It sets the path to the gitleaks TOML configuration file to use instead of the bundled default.