Scan
pipeleak ad scan
Scan Azure DevOps Actions
Synopsis
Scan Azure DevOps pipelines for secrets in logs and artifacts.
Authentication
Create your personal access token here: https://dev.azure.com/{yourproject}/_usersSettings/tokens
In the top right corner you can choose the scope (Global, Project etc.).
Global in that case means per tenant. If you have access to multiple tenants, you need to run a scan per tenant.
Get your username from an HTTPS git clone URL in the UI.
    pipeleak ad scan [no options!] [flags]
Examples
    # Scan all pipelines the current user has access to
    pipeleak ad scan --token xxxxxxxxxxx --username auser --artifacts

    # Scan all pipelines of an organization
    pipeleak ad scan --token xxxxxxxxxxx --username auser --artifacts --organization myOrganization

    # Scan all pipelines of a project e.g. https://dev.azure.com/PowerShell/PowerShell
    pipeleak ad scan --token xxxxxxxxxxx --username auser --artifacts --organization powershell --project PowerShell
Options
    -a, --artifacts                 Scan workflow artifacts
        --confidence strings        Filter for confidence level, separate by comma if multiple. See readme for more info.
    -h, --help                      help for scan
        --maxBuilds int             Max. number of builds to scan per project (default -1)
    -o, --organization string       Organization name to scan
    -p, --project string            Project name to scan - can be combined with organization
        --threads int               Nr of threads used to scan (default 4)
    -t, --token string              Azure DevOps Personal Access Token - https://dev.azure.com/{yourUsername}/_usersSettings/tokens
        --truffleHogVerification    Enable the TruffleHog credential verification, will actively test the found credentials and only report those. Disable with --truffleHogVerification=false (default true)
    -u, --username string           Username
    -v, --verbose                   Verbose logging
Options inherited from parent commands
        --coloredLog                Output the human-readable log in color (default true)
        --json                      Use JSON as log output format
    -l, --logfile string            Log output to a file
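A wrapper for the per-tenant scans described under Authentication, as an added example that is not part of the pipeleak documentation. The function name `scan_tenant`, the `AZDO_TOKEN`/`AZDO_USER` variables and the log file layout are assumptions, as is combining `--json` with `--logfile` to get a JSON log file per tenant.

```shell
#!/bin/sh
# Added example, not from the pipeleak docs. Assumed names: scan_tenant,
# AZDO_TOKEN, AZDO_USER, and the <logdir>/<tenant>.json layout.
#
# usage: export AZDO_TOKEN=... AZDO_USER=...   (PAT and username of ONE tenant)
#        scan_tenant <tenant-label> <logdir>
# Repeat with the next tenant's PAT; a "Global" PAT only covers its own tenant.

scan_tenant() (
    # Body runs in a subshell so the umask change does not leak to the caller.
    label=$1
    logdir=$2

    # The label becomes a file name: allow only safe characters, no paths.
    case $label in
        '' | *[!A-Za-z0-9_-]*)
            echo "invalid tenant label: $label" >&2
            exit 2 ;;
    esac
    # Read credentials from the environment so they are not stored in scripts.
    if [ -z "${AZDO_TOKEN:-}" ] || [ -z "${AZDO_USER:-}" ]; then
        echo "AZDO_TOKEN and AZDO_USER must be set" >&2
        exit 2
    fi
    [ -n "$logdir" ] || { echo "missing log directory" >&2; exit 2; }

    # The scan log can contain the secrets it finds: owner-only dir and files.
    umask 077
    mkdir -p "$logdir" || exit 1
    chmod 700 "$logdir" || exit 1

    # No --organization/--project: scan everything this PAT can reach.
    # Note: --token is visible in the process list while the scan runs.
    pipeleak ad scan --token "$AZDO_TOKEN" --username "$AZDO_USER" \
        --artifacts --json --logfile "$logdir/$label.json"
)
```

The function returns pipeleak's own exit status for a scan that started, and 2 when the label or credentials are rejected before any request is made.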