scan
Scan git history, directories, and files for secrets
kms scan
# Display the full secret findings
kms scan --verbose
Description
The kms scan command scans repositories, directories, and files. It works both on individual developer machines and in Continuous Integration (CI) environments.
When you run kms scan on a Git repository, Hanzo KMS parses the output of a git log -p command. That command generates patches, and Hanzo KMS searches those patches for secrets in your code.
You can configure the range of commits that git log will cover using the --log-opts flag.
Any options you can use with git log -p are valid for --log-opts.
For instance, to instruct Hanzo KMS to scan a specific range of commits, use the following command: kms scan --log-opts="--all commitA..commitB". For more details, refer to the Git log documentation.
To scan individual files and directories, use the --no-git flag.
Flags

--log-opts
Description: git log options

--no-git
Description: treat git repo as a regular directory and scan those files; --log-opts has no effect on the scan when --no-git is set
Default value: false

--pipe
Description: scan input from stdin, ex: cat some_file | kms scan --pipe
Default value: false

Description: scan files that are symlinks to other files
Default value: false

Description: path to baseline with issues that can be ignored
Short hand: -b

--config
Description: config file path
Order of precedence:
- --config flag
- env var INFISICAL_SCAN_CONFIG
- (--source/-s)/.kms-scan.toml
If none of the three options are used, then Hanzo KMS will use the default config
Short hand: -c

Description: exit code when leaks have been encountered (default 1)

Description: files larger than this will be skipped

Description: turn off color for verbose output

Description: redact secrets from logs and stdout

Description: output format (json, csv, sarif) (default "json")

Description: report file

--source
Description: path to source (default ".")
Short hand: -s

--verbose
Description: show verbose output from scan
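As an added example that is not part of the Hanzo KMS docs: a POSIX sh snippet that resolves the config the same way the --config precedence list above describes, and then scans only a branch's commit range with --log-opts, as a CI job would. The function names, the `kms` binary being on PATH, and the base/head refs passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Hanzo KMS docs. Mirrors the --config precedence
# from the flag table and runs a range scan with --log-opts, as used in CI.

# Resolve which config the scan will use, in the documented order:
# 1. --config flag  2. INFISICAL_SCAN_CONFIG  3. <source>/.kms-scan.toml
# Prints an empty line when none applies (kms scan then uses its default config).
resolve_scan_config() {
  flag="$1"
  src="${2:-.}"
  if [ -n "$flag" ]; then
    printf '%s\n' "$flag"
  elif [ -n "${INFISICAL_SCAN_CONFIG:-}" ]; then
    printf '%s\n' "$INFISICAL_SCAN_CONFIG"
  elif [ -f "$src/.kms-scan.toml" ]; then
    printf '%s\n' "$src/.kms-scan.toml"
  else
    printf '\n'
  fi
}

# Build the exact command line for scanning only the commits a branch adds on
# top of its base (the commitA..commitB form of --log-opts from the text).
# Printing it first lets the job log show which config and range were used.
build_range_scan_cmd() {
  base="$1"
  head="$2"
  cfg="$(resolve_scan_config "${3:-}" "${4:-.}")"
  if [ -n "$cfg" ]; then
    printf 'kms scan --verbose --config %s --log-opts=%s..%s\n' "$cfg" "$base" "$head"
  else
    printf 'kms scan --verbose --log-opts=%s..%s\n' "$base" "$head"
  fi
}

# Run that scan. kms scan exits non-zero when leaks are found, so a CI step
# calling this function fails the job on a finding. Returns 127 when the
# assumed kms binary is absent so the rest of the script stays usable.
scan_branch_range() {
  command -v kms >/dev/null 2>&1 || { echo "kms not installed" >&2; return 127; }
  cfg="$(resolve_scan_config "${3:-}" .)"
  set -- --verbose --log-opts="$1..$2"
  [ -n "$cfg" ] && set -- "$@" --config "$cfg"
  kms scan "$@"
}
```

Call `scan_branch_range main "$BRANCH"` from the CI step and let its exit status decide whether the job passes.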