infisical scan

# Display the full secret findings
infisical scan --verbose

Description

The infisical scan command scans repositories, directories, and files. It works on both individual developer machines and in Continuous Integration (CI) environments.

When you run infisical scan on a Git repository, Infisical parses the output of a git log -p command. This command generates patches that Infisical uses to identify secrets in your code. You can configure the range of commits that git log will cover using the --log-opts flag. Any options you can use with git log -p are valid for --log-opts. For instance, to instruct Infisical to scan a specific range of commits, use the following command: infisical scan --log-opts="--all commitA..commitB". For more details, refer to the Git log documentation.

To scan individual files and directories, use the --no-git flag.
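The range scan described above, wrapped for a CI job, as an added example that is not part of the Infisical documentation. It scans a plain base..head range rather than the --all form shown above. The function names and the BASE/HEAD variables are hypothetical, and the all-zero base id for a newly created branch is an assumption about the CI system.

```shell
#!/bin/sh
# Added example (not Infisical's own code): limit "infisical scan" to the
# commits of one push by passing a validated range through --log-opts.

# is_sha VALUE: succeed only for a 7-40 character hex commit id, so that a
# ref name such as "--output=x" can never reach git log as an option.
is_sha() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -ge 7 ] && [ "${#1}" -le 40 ]
}

# build_log_opts BASE HEAD: print the value to hand to --log-opts.
build_log_opts() {
    base=$1
    head=$2
    is_sha "$head" || { echo "invalid head commit" >&2; return 2; }
    case "$base" in
        ''|*[!0]*) ;;    # empty or a real id: validated below
        *)               # all zeros (assumed to mean "new branch"):
            printf '%s\n' "$head"    # scan everything reachable from head
            return 0 ;;
    esac
    is_sha "$base" || { echo "invalid base commit" >&2; return 2; }
    printf '%s\n' "$base..$head"
}

# scan_range BASE HEAD: run the scan. infisical's exit status is returned
# unchanged, so a finding (exit code 1 by default) fails the CI step.
scan_range() {
    opts=$(build_log_opts "$1" "$2") || return 2
    infisical scan --log-opts="$opts"
}

# Usage in a pipeline step (BASE and HEAD supplied by the CI system):
#   scan_range "$BASE" "$HEAD"
```

The CI checkout must contain the commits in the range, since the scan reads them through git log.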

Flags

Description: git log options

Description: treat git repo as a regular directory and scan those files; --log-opts has no effect on the scan when --no-git is set
Default value: false

Short hand: -b
Description: scan input from stdin, ex: cat some_file | infisical scan --pipe
Default value: false

Short hand: -b
Description: path to baseline with issues that can be ignored

Short hand: -c
Description: config file path
Order of precedence:
  1. --config flag
  2. env var INFISICAL_SCAN_CONFIG
  3. (--source/-s)/.infisical-scan.toml
If none of the three options are used, then Infisical will use the default config

Description: exit code when leaks have been encountered (default 1)

Description: files larger than this will be skipped

Description: turn off color for verbose output

Description: redact secrets from logs and stdout

Description: output format (json, csv, sarif) (default "json")

Description: report file

Description: path to source (default ".")

Description: show verbose output from scan