gitleaks/gitleaks
GitHub: gitleaks/gitleaks
A high-performance security scanner for detecting passwords, API keys and other sensitive information in Git repositories, files and input streams.
Stars: 25170 | Forks: 1935
# Gitleaks
```
┌─○───┐
│ │╲ │
│ │ ○ │
│ ○ ░ │
└─░───┘
```
Gitleaks is a tool for **detecting** secrets like passwords, API keys, and tokens in git repos, files, and whatever else you want to throw at it via `stdin`. If you want to learn more about how the detection engine works, check out this blog: [Regex is (almost) all you need](https://lookingatcomputer.substack.com/p/regex-is-almost-all-you-need).
```
➜ ~/code(master) gitleaks git -v
○
│╲
│ ○
○ ░
░ gitleaks
Finding: "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef",
Secret: cafebabe:deadbeef
RuleID: sidekiq-secret
Entropy: 2.609850
File: cmd/generate/config/rules/sidekiq.go
Line: 23
Commit: cd5226711335c68be1e720b318b7bc3135a30eb2
Author: John
Email: john@users.noreply.github.com
Date: 2022-08-03T12:31:40Z
Fingerprint: cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
```
## Getting Started
Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the [releases page](https://github.com/gitleaks/gitleaks/releases). In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo or as a GitHub action using [Gitleaks-Action](https://github.com/gitleaks/gitleaks-action).
### Installing
```
# MacOS
brew install gitleaks
# Docker (DockerHub)
docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] [OPTIONS] [SOURCE_PATH]
# Docker (ghcr.io)
docker pull ghcr.io/gitleaks/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path ghcr.io/gitleaks/gitleaks:latest [COMMAND] [OPTIONS] [SOURCE_PATH]
# From Source (make sure `go` is installed)
git clone https://github.com/gitleaks/gitleaks.git
cd gitleaks
make build
```
### GitHub Action
Check out the official [Gitleaks GitHub Action](https://github.com/gitleaks/gitleaks-action)
```
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.
```
### Pre-Commit
1. Install pre-commit from https://pre-commit.com/#install
2. Create a `.pre-commit-config.yaml` file at the root of your repository with the following content:
```
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.24.2
    hooks:
      - id: gitleaks
```
for a [native execution of gitleaks](https://github.com/gitleaks/gitleaks/releases), or use the [`gitleaks-docker` pre-commit ID](https://github.com/gitleaks/gitleaks/blob/master/.pre-commit-hooks.yaml) to execute gitleaks using the [official Docker images](#docker)
3. Auto-update the config to the latest repo versions by executing `pre-commit autoupdate`
4. Install with `pre-commit install`
5. Now you're all set!
```
➜ git commit -m "this commit contains a secret"
Detect hardcoded secrets.................................................Failed
```
Note: to disable the gitleaks pre-commit hook you can prepend `SKIP=gitleaks` to the commit command, which will skip running gitleaks.
```
➜ SKIP=gitleaks git commit -m "skip gitleaks check"
Detect hardcoded secrets................................................Skipped
```
## Usage
```
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir scan directories or files for secrets
git scan git repositories for secrets
help Help about any command
stdin detect secrets from stdin
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. env var GITLEAKS_CONFIG_TOML with the file content
4. (target path)/.gitleaks.toml
If none of the four options are used, then gitleaks will use the default config
--diagnostics string enable diagnostics (http OR comma-separated list: cpu,mem,trace). cpu=CPU prof, mem=memory prof, trace=exec tracing, http=serve via net/http/pprof
--diagnostics-dir string directory to store diagnostics output files when not using http mode (defaults to current directory)
--enable-rule strings only enable specific rules by id
--exit-code int exit code when leaks have been encountered (default 1)
-i, --gitleaks-ignore-path string path to .gitleaksignore file or folder containing one (default ".")
-h, --help help for gitleaks
--ignore-gitleaks-allow ignore gitleaks:allow comments
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--max-archive-depth int allow scanning into nested archives up to this depth (default "0", no archive traversal is done)
--max-decode-depth int allow recursive decoding up to this depth (default "0", no decoding is done)
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--no-color turn off color for verbose output
--redact uint[=100] redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
-f, --report-format string output format (json, csv, junit, sarif, template)
-r, --report-path string report file
--report-template string template file used to generate the report (implies --report-format=template)
--timeout int set a timeout for gitleaks commands in seconds (default "0", no timeout is set)
-v, --verbose show verbose output from scan
--version version for gitleaks
Use "gitleaks [command] --help" for more information about a command.
```
### Commands
⚠️ v8.19.0 introduced a change that deprecated `detect` and `protect`. Those commands are still available but have been hidden in the `--help` menu. Take a look at this [gist](https://gist.github.com/zricethezav/b325bb93ebf41b9c0b0507acf12810d2) for easy command translations.
If you find v8.19.0 broke an existing command (`detect`/`protect`), please open an issue.
There are three scanning modes: `git`, `dir`, and `stdin`.
#### Git
The `git` command lets you scan local git repos. Under the hood, gitleaks uses the `git log -p` command to scan patches.
You can configure the behavior of `git log -p` with the `log-opts` option.
For example, if you wanted to run gitleaks on a range of commits you could use the following
command: `gitleaks git -v --log-opts="--all commitA..commitB" path_to_repo`. See the [git log](https://git-scm.com/docs/git-log) documentation for more information.
If no target is specified as a positional argument, gitleaks will attempt to scan the current working directory as a git repo.
#### Dir
The `dir` (aliases include `files`, `directory`) command lets you scan directories and files. Example: `gitleaks dir -v path_to_directory_or_file`.
If no target is specified as a positional argument, gitleaks will scan the current working directory.
#### Stdin
You can also stream data to gitleaks with the `stdin` command. Example: `cat some_file | gitleaks -v stdin`
### Creating a baseline
When scanning large repositories or repositories with a long history, it can be convenient to use a baseline. When using a baseline,
gitleaks will ignore any old findings that are present in the baseline. A baseline can be any gitleaks report. To create a gitleaks report, run gitleaks with the `--report-path` parameter.
```
gitleaks git --report-path gitleaks-report.json # This will save the report in a file called gitleaks-report.json
```
Once a baseline is created it can be applied when running the detect command again:
```
gitleaks git --baseline-path gitleaks-report.json --report-path findings.json
```
After running the detect command with the --baseline-path parameter, the report output (findings.json) will contain only new issues.
## Pre-Commit hook
You can run Gitleaks as a pre-commit hook by copying the example `pre-commit.py` script into
your `.git/hooks/` directory.
### Loading configuration
The order of precedence is:
1. `--config/-c` option:
```
gitleaks git --config /home/dev/customgitleaks.toml .
```
2. Environment variable `GITLEAKS_CONFIG` with the file path:
```
export GITLEAKS_CONFIG="/home/dev/customgitleaks.toml"
gitleaks git .
```
3. Environment variable `GITLEAKS_CONFIG_TOML` with the file content:
```
export GITLEAKS_CONFIG_TOML=`cat customgitleaks.toml`
gitleaks git .
```
4. A `.gitleaks.toml` file in the target path:
```
gitleaks git .
```
If none of the four options are used, gitleaks will use the default configuration.
## Configuration
Gitleaks offers a configuration format you can follow to write your own secret detection rules:
```
# Title for the gitleaks configuration file.
title = "Custom Gitleaks configuration"
# You have basically two options for your custom configuration:
#
# 1. define your own configuration, default rules do not apply
#
# use e.g., the default configuration as starting point:
# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
#
# 2. extend a configuration, the rules are overwritten or extended
#
# When you extend a configuration the extended rules take precedence over the
# default rules. I.e., if there are duplicate rules in both the extended
# configuration and the default configuration the extended rules or
# attributes of them will override the default rules.
# Another thing to know with extending configurations is you can chain
# together multiple configuration files to a depth of 2. Allowlist arrays are
# appended and can contain duplicates.
# useDefault and path can NOT be used at the same time. Choose one.
[extend]
# useDefault will extend the default gitleaks config built in to the binary
# the latest version is located at:
# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
useDefault = true
# or you can provide a path to a configuration to extend from.
# The path is relative to where gitleaks was invoked,
# not the location of the base config.
# path = "common_config.toml"
# If there are any rules you don't want to inherit, they can be specified here.
disabledRules = [ "generic-api-key"]
# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]
# Unique identifier for this rule
id = "awesome-rule-1"
# Short human-readable description of the rule.
description = "awesome rule 1"
# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''
# Int used to extract secret from regex match and used as the group that will have
# its entropy checked if `entropy` is set.
secretGroup = 3
# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
entropy = 3.5
# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''
# Keywords are used for pre-regex check filtering. Rules that contain
# keywords will perform a quick string compare check to make sure the
# keyword(s) are in the content being scanned. Ideally these values should
# either be part of the identifier or unique strings specific to the rule's regex
# (introduced in v8.6.0)
keywords = [
"auth",
"password",
"token",
]
# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]
# ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
# This change was backwards-compatible: instances of `[rules.allowlist]` still work.
#
# You can define multiple allowlists for a rule to reduce false positives.
# A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
[[rules.allowlists]]
description = "ignore commit A"
# When multiple criteria are defined the default condition is "OR".
# e.g., this can match on |commits| OR |paths| OR |stopwords|.
condition = "OR"
commits = [ "commit-A", "commit-B"]
paths = [
'''go\.mod''',
'''go\.sum'''
]
# note: stopwords targets the extracted secret, not the entire regex match
# like 'regexes' does. (stopwords introduced in 8.8.0)
stopwords = [
'''client''',
'''endpoint''',
]
[[rules.allowlists]]
# The "AND" condition can be used to make sure all criteria match.
# e.g., this matches if |regexes| AND |paths| are satisfied.
condition = "AND"
# note: |regexes| defaults to check the _Secret_ in the finding.
# Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
regexTarget = "match"
regexes = [ '''(?i)parseur[il]''' ]
paths = [ '''package-lock\.json''' ]
# You can extend a particular rule from the default config. e.g., gitlab-pat
# if you have defined a custom token prefix on your GitLab instance
[[rules]]
id = "gitlab-pat"
# all the other attributes from the default rule are inherited
[[rules.allowlists]]
regexTarget = "line"
regexes = [ '''MY-glpat-''' ]
# ⚠️ In v8.25.0 `[allowlist]` was replaced with `[[allowlists]]`.
#
# Global allowlists have a higher order of precedence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
[[allowlists]]
description = "global allow list"
commits = [ "commit-A", "commit-B", "commit-C"]
paths = [
'''gitleaks\.toml''',
'''(.*?)(jpg|gif|doc)'''
]
# note: (global) regexTarget defaults to check the _Secret_ in the finding.
# Acceptable values for regexTarget are "match" and "line"
regexTarget = "match"
regexes = [
'''219-09-9999''',
'''078-05-1120''',
'''(9[0-9]{2}|666)-\d{2}-\d{4}''',
]
# note: stopwords targets the extracted secret, not the entire regex match
# like 'regexes' does. (stopwords introduced in 8.8.0)
stopwords = [
'''client''',
'''endpoint''',
]
# ⚠️ In v8.25.0, `[[allowlists]]` have a new field called |targetRules|.
#
# Common allowlists can be defined once and assigned to multiple rules using |targetRules|.
# This will only run on the specified rules, not globally.
[[allowlists]]
targetRules = ["awesome-rule-1", "awesome-rule-2"]
description = "Our test assets trigger false-positives in a couple rules."
paths = ['''tests/expected/.*\.json$''']
```
Refer to the default [gitleaks config](https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml) for examples, or follow the [contributing guidelines](https://github.com/gitleaks/gitleaks/blob/master/CONTRIBUTING.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups.
### Additional Configuration
#### Composite rules (multi-part or `required` rules)
In v8.28.0, Gitleaks introduced composite rules, which consist of a single "primary" rule and one or more auxiliary or `required` rules. To create a composite rule, add a `[[rules.required]]` table to the primary rule, specifying an `id` and optionally `withinLines` and/or `withinColumns` proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or a git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary `required` rule also finds a match within the specified area of the fragment.
**Proximity matching:** Use the `withinLines` and `withinColumns` fields to instruct the primary rule to only report a finding if the auxiliary `required` rule also finds a match within the specified proximity. You can set:
- **`withinLines: N`** - the required finding must be within N lines (vertically)
- **`withinColumns: N`** - the required finding must be within N characters (horizontally)
- **Both** - creates a rectangular search area (both constraints must be satisfied)
- **Neither** - fragment-level matching (the required finding can be anywhere in the same fragment)
Here are diagrams illustrating each proximity behavior:
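As an added illustration (not gitleaks' own code), the following Python mirrors how the fields above interact: the `keywords` pre-filter, `regex` with `secretGroup`, the Shannon `entropy` threshold, and `[[rules.allowlists]]` with `condition`, `regexTarget`, `paths` and `stopwords`. The rule and sample content are constructed for this example (it is not the default `sidekiq-secret` rule); the entropy it computes for `cafebabe:deadbeef` matches the `2.609850` in the sample output at the top of this README.

```python
import math
import re
from collections import Counter

# Constructed rule mirroring the TOML fields above (not gitleaks' default sidekiq rule).
RULE = {
    "id": "sidekiq-secret",
    "regex": re.compile(r"BUNDLE_ENTERPRISE__CONTRIBSYS__COM\s*=\s*([A-Za-z0-9_:\-]{8,})"),
    "secretGroup": 1,          # capture group holding the secret
    "entropy": 2.5,            # minimum Shannon entropy of that group
    "keywords": ["contribsys"],
    "allowlists": [
        # OR: skip if the path matches OR the secret contains a stopword
        {"condition": "OR", "paths": [r"go\.sum$"], "stopwords": ["client", "endpoint"]},
        # AND: skip only when the whole line matches AND the file is markdown
        {"condition": "AND", "regexTarget": "line", "regexes": [r"#\s*example"], "paths": [r"\.md$"]},
    ],
}

def shannon_entropy(s):
    """Shannon entropy in bits per character, the quantity `entropy` is compared against."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def allowlisted(al, path, secret, match, line):
    """Evaluate one [[rules.allowlists]] table; criteria are OR-ed unless condition = "AND"."""
    target = {"secret": secret, "match": match, "line": line}[al.get("regexTarget", "secret")]
    checks = []
    if "paths" in al:
        checks.append(any(re.search(p, path) for p in al["paths"]))
    if "regexes" in al:
        checks.append(any(re.search(r, target) for r in al["regexes"]))
    if "stopwords" in al:  # stopwords look at the extracted secret only
        checks.append(any(w in secret.lower() for w in al["stopwords"]))
    return bool(checks) and (all(checks) if al.get("condition") == "AND" else any(checks))

def scan(rule, path, content):
    """Findings for one file: keyword pre-filter, regex, entropy threshold, then allowlists."""
    lowered = content.lower()
    if rule["keywords"] and not any(k in lowered for k in rule["keywords"]):
        return []  # cheap substring check before any regex work
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in rule["regex"].finditer(line):
            secret = m.group(rule["secretGroup"])
            ent = shannon_entropy(secret)
            if ent < rule["entropy"]:
                continue
            if any(allowlisted(al, path, secret, m.group(0), line) for al in rule["allowlists"]):
                continue
            findings.append({"RuleID": rule["id"], "File": path, "Line": lineno,
                             "Secret": secret, "Entropy": round(ent, 6)})
    return findings

# Constructed sample: a plausible value, a low-entropy value, and a value hitting a stopword.
SAMPLE = (
    "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef\n"
    "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=aaaaaaaa:aaaaaaaa\n"
    "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=client-endpoint-xyz9\n"
)
```

Only the first line of `SAMPLE` survives: the second is dropped by the entropy threshold and the third by the `client` stopword.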
```
p = primary captured secret
a = auxiliary (required) captured secret
fragment = section of data gitleaks is looking at
*Fragment-level proximity*
Any required finding in the fragment
┌────────┐
┌──────┤fragment├─────┐
│ └──────┬─┤ │ ┌───────┐
│ │a│◀────┼─│✓ MATCH│
│ ┌─┐└─┘ │ └───────┘
│┌─┐ │p│ │
││a│ ┌─┐└─┘ │ ┌───────┐
│└─┘ │a│◀──────────┼─│✓ MATCH│
└─▲─────┴─┴───────────┘ └───────┘
│ ┌───────┐
└────│✓ MATCH│
└───────┘
*Column bounded proximity*
`withinColumns = 3`
┌────────┐
┌────┬─┤fragment├─┬───┐
│ └──────┬─┤ │ ┌───────────┐
│ │ │a│◀┼───┼─│+1C ✓ MATCH│
│ ┌─┐└─┘ │ └───────────┘
│┌─┐ │ │p│ │ │
┌──▶│a│ ┌─┐ └─┘ │ ┌───────────┐
│ │└─┘ ││a│◀────────┼───┼─│-2C ✓ MATCH│
│ │ ┘ │ └───────────┘
│ └── -3C ───0C─── +3C ─┘
│ ┌─────────┐
│ │ -4C ✗ NO│
└──│ MATCH │
└─────────┘
*Line bounded proximity*
`withinLines = 4`
┌────────┐
┌─────┤fragment├─────┐
+4L─ ─ ┴────────┘─ ─ ─│
│ │
│ ┌─┐ │ ┌────────────┐
│ ┌─┐ │a│◀──┼─│+1L ✓ MATCH │
0L ┌─┐ │p│ └─┘ │ ├────────────┤
│ │a│◀──┴─┴────────┼─│-1L ✓ MATCH │
│ └─┘ │ └────────────┘
│ │ ┌─────────┐
-4L─ ─ ─ ─ ─ ─ ─ ─┌─┐─│ │-5L ✗ NO │
│ │a│◀┼─│ MATCH │
└────────────────┴─┴─┘ └─────────┘
*Line and column bounded proximity*
`withinLines = 4`
`withinColumns = 3`
┌────────┐
┌─────┤fragment├─────┐
+4L ┌└────────┴ ┐ │
│ ┌─┐ │ ┌───────────────┐
│ │ │a│◀┼───┼─│+2L/+1C ✓ MATCH│
│ ┌─┐└─┘ │ └───────────────┘
0L │ │p│ │ │
│ └─┘ │
│ │ │ │ ┌────────────┐
-4L ─ ─ ─ ─ ─ ─┌─┐ │ │-5L/+3C ✗ NO│
│ │a│◀┼─│ MATCH │
└───-3C────0L───+3C┴─┘ └────────────┘
```
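An added example (not part of the gitleaks code base) of the proximity check in Python. The `acme_client_id` / `acme_client_secret` patterns stand in for a primary rule and its `[[rules.required]]` rule, the fragment is constructed, and the bounds are inclusive as in the diagrams above (`+4L` matches under `withinLines = 4`, `-4C` does not under `withinColumns = 3`).

```python
import re

# Constructed primary and required patterns; a real config would declare them in
# [[rules]] / [[rules.required]] tables with id, withinLines and withinColumns.
PRIMARY = re.compile(r'acme_client_id\s*=\s*"([A-Z0-9]{16})"')
REQUIRED = re.compile(r'acme_client_secret\s*=\s*"([a-z0-9]{20})"')

def locate(text, rx, group=1):
    """(line, column, captured) for each match, 0-based, measured at the captured group."""
    hits = []
    for m in rx.finditer(text):
        pos = m.start(group)
        line = text.count("\n", 0, pos)
        col = pos - (text.rfind("\n", 0, pos) + 1)
        hits.append((line, col, m.group(group)))
    return hits

def in_proximity(primary, required, within_lines=None, within_columns=None):
    """withinLines / withinColumns are inclusive bounds; neither set means fragment-level."""
    (pl, pc, _), (rl, rc, _) = primary, required
    if within_lines is not None and abs(rl - pl) > within_lines:
        return False
    if within_columns is not None and abs(rc - pc) > within_columns:
        return False
    return True

def composite_findings(fragment, within_lines=None, within_columns=None):
    """Primary findings that have at least one required finding inside the allowed area."""
    required = locate(fragment, REQUIRED)
    out = []
    for p in locate(fragment, PRIMARY):
        if any(in_proximity(p, r, within_lines, within_columns) for r in required):
            out.append({"line": p[0] + 1, "column": p[1], "secret": p[2]})
    return out

# Constructed fragment: id + secret on lines 1-2, then a lone id on line 10.
# The captured values start at column 18 (id) and column 22 (secret): 4 columns apart.
FRAGMENT = (
    'acme_client_id = "ACME1234567890AB"\n'
    'acme_client_secret = "s3cr3tvalue012345678"\n'
    + "\n" * 7
    + 'acme_client_id = "ACME0000000000ZZ"\n'
)
```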
#### gitleaksallow
If you are knowingly committing a test secret that gitleaks will catch you can add a `gitleaks:allow` comment to that line which will instruct gitleaks
to ignore that secret. Example:
```
class CustomClass:
    discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ' #gitleaks:allow
```
#### .gitleaksignore
You can ignore specific findings by creating a `.gitleaksignore` file at the root of your repo. In v8.10.0 Gitleaks added a `Fingerprint` value to the Gitleaks report. Each leak, or finding, has a Fingerprint that uniquely identifies a secret. Add this fingerprint to the `.gitleaksignore` file to ignore that specific secret. See Gitleaks' [.gitleaksignore](https://github.com/gitleaks/gitleaks/blob/master/.gitleaksignore) for an example. Note: this feature is experimental and is subject to change in the future.
#### Decoding
Sometimes secrets are encoded in a way that can make them difficult to find with just regex.
Now you can tell gitleaks to automatically find and decode encoded text.
The flag `--max-decode-depth` enables this feature (the default value of "0" means the feature is disabled by default).
Recursive decoding is supported since decoded text can also contain encoded text.
The flag `--max-decode-depth` sets the recursion limit. Recursion stops when there are no new segments of encoded text to decode, so setting a really
high max depth doesn't mean it will make that many passes. It will only make as many
passes as it needs to decode the text. Overall, decoding adds only a marginal amount of time to the scan.
Findings for encoded text differ from normal findings in the following
ways:
- The location will point to the bounds of the encoded text
- If the rule matches outside the encoded text, the bounds will be adjusted to
  include that as well
- The match and secret will contain the decoded value
- Two tags are added, `decoded:` and `decode-depth:`
Currently supported encodings:
- **percent** - Any printable ASCII percent-encoded value
- **hex** - Any printable ASCII hex-encoded value >= 32 characters
- **base64** - Any printable ASCII base64-encoded value >= 16 characters
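Added example, not gitleaks' own decoder: a Python sketch of the recursive pass described above, using the size thresholds listed (hex >= 32, base64 >= 16, percent-encoding of any length), stopping as soon as a pass decodes nothing, and attaching the `decoded:` and `decode-depth:` tags. The nested sample (a secret line base64-encoded and then hex-encoded) is constructed inline; how gitleaks itself resolves overlapping candidates is not specified here, so this sketch simply prefers hex over base64 when both match the same span.

```python
import base64, binascii, re
from urllib.parse import unquote
# Candidate patterns with the size thresholds listed above (hex >= 32, base64 >= 16).
PATTERNS = [("hex", re.compile(r"\b[0-9a-fA-F]{32,}\b")),
            ("base64", re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")),
            ("percent", re.compile(r"(?:%[0-9A-Fa-f]{2})+"))]

def try_decode(kind, seg):
    """Decode one segment; None when it is invalid or does not yield printable ASCII."""
    try:
        if kind == "percent":
            return unquote(seg)
        if kind == "hex":
            raw = bytes.fromhex(seg)
        else:
            s = seg.rstrip("=")
            raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (ValueError, binascii.Error):
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw) else None

def decode_pass(text):
    """Replace every decodable, non-overlapping segment (hex wins over base64 on ties)."""
    cands = []
    for prio, (kind, rx) in enumerate(PATTERNS):
        for m in rx.finditer(text):
            dec = try_decode(kind, m.group(0))
            if dec is not None and dec != m.group(0):
                cands.append((m.start(), prio, m.end(), kind, dec))
    out, pos, kinds = [], 0, []
    for start, _, end, kind, dec in sorted(cands):
        if start >= pos:  # skip segments overlapping one already replaced
            out += [text[pos:start], dec]
            kinds.append(kind)
            pos = end
    return "".join(out) + text[pos:], kinds

def decode_recursive(text, max_depth):
    """Decode nested encodings, stopping at max_depth or as soon as a pass changes nothing."""
    depth, kinds = 0, []
    while depth < max_depth:
        text2, used = decode_pass(text)
        if not used:
            break
        text, depth, kinds = text2, depth + 1, kinds + used
    return text, depth, kinds

def find(text, rx, max_depth):
    """Finding carrying the decoded secret and the decoded:/decode-depth: tags, or None."""
    decoded, depth, kinds = decode_recursive(text, max_depth)
    m = rx.search(decoded)
    if not m:
        return None
    tags = ["decoded:" + k for k in dict.fromkeys(kinds)] + ["decode-depth:%d" % depth]
    return {"Secret": m.group(1), "Tags": tags if depth else []}
# Constructed nested sample: the secret line is base64-encoded, then that string hex-encoded.
PLAIN = "DB_PASSWORD=8ae31cacf141669ddfb5da"
NESTED = "config_blob: " + base64.b64encode(PLAIN.encode()).decode().encode().hex() + "\n"
SECRET_RX = re.compile(r"DB_PASSWORD=([0-9a-f]{20,})")
```

With `max_depth=1` the secret in `NESTED` stays hidden behind the inner base64 layer; with `max_depth=5` the search still stops after two passes because the third pass decodes nothing.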
#### Archive scanning
Sometimes secrets are packaged in archives such as zip files or tarballs,
which makes them hard to find. Now you can tell gitleaks to automatically
extract and scan archive contents. The flag `--max-archive-depth`
enables this feature for the `dir` and `git` scan types. The default value
of "0" means the feature is disabled by default.
Recursive scanning is supported since archives can also contain other archives.
The `--max-archive-depth` flag sets the recursion limit. Recursion stops when there are no
new archives to extract, so setting a very high max depth only
sets the potential of reaching that depth. It will only go as deep as it needs to.
Secrets found in archives will contain a path to the file
inside the archive. Inner paths are separated by `!`.
Example finding (shortened for brevity):
```
Finding: DB_PASSWORD=8ae31cacf141669ddfb5da
...
File: testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod
Line: 4
Commit: 6e6ee6596d337bb656496425fb98644eb62b4a82
...
Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4
Link: https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz
```
This means a secret was detected on line 4 of `files/.env.prod` inside `archives/files.tar`, which itself is inside `testdata/archives/nested.tar.gz`.
Currently supported formats:
The [compression](https://github.com/mholt/archives?tab=readme-ov-file#supported-compression-formats)
and [archive](https://github.com/mholt/archives?tab=readme-ov-file#supported-archive-formats)
formats supported by mholt's [archives package](https://github.com/mholt/archives).
#### Reports
Gitleaks has built-in support for several report formats: [`json`](https://github.com/gitleaks/gitleaks/blob/master/testdata/expected/report/json_simple.json), [`csv`](https://github.com/gitleaks/gitleaks/blob/master/testdata/expected/report/csv_simple.csv?plain=1), [`junit`](https://github.com/gitleaks/gitleaks/blob/master/testdata/expected/report/junit_simple.xml) and [`sarif`](https://github.com/gitleaks/gitleaks/blob/master/testdata/expected/report/sarif_simple.sarif).
If none of these formats fit your needs, you can create your own report format using a [Go `text/template` .tmpl file](https://www.digitalocean.com/community/tutorials/how-to-use-templates-in-go#step-4-writing-a-template) and the `--report-template` flag. Templates can use the [extended functionality from the `Masterminds/sprig` template library](https://masterminds.github.io/sprig/).
For example, the following template provides custom JSON output:
```
# jsonextra.tmpl
[{{ $lastFinding := (sub (len . ) 1) }}
{{- range $i, $finding := . }}{{with $finding}}
{
"Description": {{ quote .Description }},
"StartLine": {{ .StartLine }},
"EndLine": {{ .EndLine }},
"StartColumn": {{ .StartColumn }},
"EndColumn": {{ .EndColumn }},
"Line": {{ quote .Line }},
"Match": {{ quote .Match }},
"Secret": {{ quote .Secret }},
"File": "{{ .File }}",
"SymlinkFile": {{ quote .SymlinkFile }},
"Commit": {{ quote .Commit }},
"Entropy": {{ .Entropy }},
"Author": {{ quote .Author }},
"Email": {{ quote .Email }},
"Date": {{ quote .Date }},
"Message": {{ quote .Message }},
"Tags": [{{ $lastTag := (sub (len .Tags ) 1) }}{{ range $j, $tag := .Tags }}{{ quote . }}{{ if ne $j $lastTag }},{{ end }}{{ end }}],
"RuleID": {{ quote .RuleID }},
"Fingerprint": {{ quote .Fingerprint }}
}{{ if ne $i $lastFinding }},{{ end }}
{{- end}}{{ end }}
]
```
Usage:
```
$ gitleaks dir ~/leaky-repo/ --report-path "report.json" --report-format template --report-template testdata/report/jsonextra.tmpl
```
## Exit Codes
You can always set the exit code when leaks are encountered with the --exit-code flag. Default exit codes below:
```
0 - no leaks present
1 - leaks or error encountered
126 - unknown flag
```
### Join our Discord! [Discord](https://discord.gg/8Hzbrnkr7E)
A few final quick thoughts on composite rules.
This is an experimental feature! It might change, so don't go building a new B2B SaaS feature on top of it to sell. The context based on scan type (git vs dir) is interesting. I'm keeping an eye on this. Composite rules might not be super useful for git scans because gitleaks only looks at additions in git history. Scanning non-additions in git history as `required` rules could be useful. Oh yeah, this is a readme, I'll shut up now.