scan git-changes
Scan for secrets in your uncommitted code
kms scan git-changes
# Display the full secret findings
kms scan git-changes --verbose
Description
Scanning for secrets before you commit your changes is a great way to prevent leaks. Hanzo KMS makes this easy with the git-changes sub command.
The git-changes sub command scans for uncommitted changes in a Git repository and is especially designed for use on developer machines, aligning with the 'shift left' security approach.
When git-changes is run on a Git repository, Hanzo KMS parses the output from a git diff command.
To scan changes that have been staged via git add, add the --staged flag to the sub command. This flag is particularly useful when using the KMS CLI as a pre-commit tool.
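The pre-commit use described above, as an added example that is not part of the original documentation: a Git hook that scans staged changes and blocks the commit on any non-zero exit. The SCANNER variable, the run_secret_scan function name and the fail-closed behaviour when the CLI is missing are assumptions of this example.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# Uses only the sub command and flags documented on this page.

# SCANNER is an assumption: override it if the CLI binary has another name.
SCANNER="${SCANNER:-kms}"

run_secret_scan() {
    # Fail closed: a missing scanner must not silently let commits through.
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo "pre-commit: '$SCANNER' not found; refusing to commit unscanned changes" >&2
        return 2
    fi

    # --staged limits the scan to what `git add` has staged, which is
    # exactly what this commit would record. --verbose prints the findings.
    "$SCANNER" scan git-changes --staged --verbose
    status=$?

    if [ "$status" -ne 0 ]; then
        # The documented default leak exit code is 1; any non-zero status
        # (leak or scanner error) blocks the commit.
        echo "pre-commit: secret scan exited with $status; commit blocked" >&2
        echo "pre-commit: remove the secret from the staged changes and retry" >&2
        return 1
    fi
    return 0
}

# Run only when installed as the hook, so the function can also be sourced.
case "${0##*/}" in
    pre-commit) run_secret_scan; exit $? ;;
esac
```

Git aborts the commit whenever the hook exits non-zero, so both a finding and a missing scanner stop the commit.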
Flags
Description
detect secrets in a --staged state
Default value: false
Description
git log options
Short hand: -b
Description
path to baseline with issues that can be ignored
Short hand: -c
Description
config file path
order of precedence:
- --config flag
- env var INFISICAL_SCAN_CONFIG
- (--source/-s)/.kms-scan.toml
If none of the three options are used, then Hanzo KMS will use the default config.
Description
exit code when leaks have been encountered (default 1)
Description
files larger than this will be skipped
Description
turn off color for verbose output
Description
redact secrets from logs and stdout
Description
output format (json, csv, sarif) (default "json")
Description
report file
Description
path to source (default ".")
Description
show verbose output from scan