
Scan

pipeleak gl scan

Scan a GitLab instance

Synopsis

Scan a GitLab instance for secrets in pipeline jobs and optionally artifacts

Dotenv

Dotenv artifacts are not accessible through the GitLab API. To scan them you must supply your browser session cookie, named _gitlab_session, taken from a browser session in which you logged in with "Remember me" ticked; the cookie then stays valid for two weeks. Handle the value as a credential: it grants the same access as your logged-in browser session, so pass it only to instances you trust and keep it out of shell history and logs.
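Pulling the cookie out of a browser profile is the step the section leaves to the reader. The following is an added example and not part of pipeleak: a Python script that reads a copy of Firefox's cookies.sqlite (table moz_cookies), returns the unexpired _gitlab_session cookie for the given instance URL, and reports how many days it has left so you know whether the scan will outlive it. The database path, the instance URL and the sample rows are constructed for the demo; Chromium-based browsers encrypt cookie values on disk and are not handled here.

```python
"""Extract a valid _gitlab_session cookie from a Firefox cookies.sqlite.

Added example (not pipeleak code). Assumes Firefox's moz_cookies schema:
columns name, value, host, path, expiry (unix seconds), isSecure, isHttpOnly.
"""
import shutil
import sqlite3
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

COOKIE_NAME = "_gitlab_session"
NOW = 1_700_000_000  # fixed clock so the constructed sample below is deterministic


@dataclass(frozen=True)
class SessionCookie:
    value: str
    host: str
    days_left: int
    secure: bool
    http_only: bool


def extract_gitlab_session(cookie_db: Path, gitlab_url: str,
                           now: Optional[int] = None) -> Optional[SessionCookie]:
    """Return the newest unexpired _gitlab_session for gitlab_url's host, or None."""
    host = urlparse(gitlab_url).hostname
    if not host:
        raise ValueError(f"no host in {gitlab_url!r}")
    now = int(time.time()) if now is None else now
    # Firefox holds a lock on the live profile DB; query a copy instead.
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp, "cookies.sqlite")
        shutil.copy2(cookie_db, copy)
        conn = sqlite3.connect(copy)
        try:
            # Match both host-only ("gitlab.example.com") and domain (".gitlab...") cookies.
            rows = conn.execute(
                "SELECT value, host, expiry, isSecure, isHttpOnly FROM moz_cookies "
                "WHERE name = ? AND host IN (?, ?) ORDER BY expiry DESC",
                (COOKIE_NAME, host, "." + host),
            ).fetchall()
        finally:
            conn.close()
    for value, db_host, expiry, secure, http_only in rows:
        if expiry <= now:
            continue  # expired: pipeleak would just be redirected to the login page
        return SessionCookie(value, db_host, (expiry - now) // 86400,
                             bool(secure), bool(http_only))
    return None


def build_sample_db(path: Path) -> None:
    """Write a constructed cookies.sqlite (sample data, not real cookies)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT,"
                     " host TEXT, path TEXT, expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)")
        conn.executemany(
            "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly)"
            " VALUES (?,?,?,?,?,?,?)",
            [
                (COOKIE_NAME, "stale0000", "gitlab.example.com", "/", NOW - 3600, 1, 1),  # expired
                (COOKIE_NAME, "a1b2c3d4e5f6", "gitlab.example.com", "/", NOW + 14 * 86400, 1, 1),
                (COOKIE_NAME, "otherhost", "gitlab.other.test", "/", NOW + 14 * 86400, 1, 1),
                ("_ga", "GA1.2.1", ".example.com", "/", NOW + 400 * 86400, 0, 0),
            ],
        )
    conn.close()


def demo(gitlab_url: str = "https://gitlab.example.com",
         now: int = NOW) -> Optional[SessionCookie]:
    """Build the sample DB and run the extraction against it."""
    db = Path(tempfile.mkdtemp()) / "cookies.sqlite"
    build_sample_db(db)
    return extract_gitlab_session(db, gitlab_url, now=now)


if __name__ == "__main__":
    # Usage: python extract_cookie.py <path/to/cookies.sqlite> <gitlab-url>; no args runs the sample.
    if len(sys.argv) == 3:
        cookie = extract_gitlab_session(Path(sys.argv[1]), sys.argv[2])
    else:
        cookie = demo()
    if cookie is None:
        sys.exit("no unexpired _gitlab_session found; log in with 'Remember me' and retry")
    print(f"cookie for {cookie.host} valid for ~{cookie.days_left} more days "
          f"(Secure={cookie.secure}, HttpOnly={cookie.http_only}); pass it with -c")
```

The script deliberately prints only the lifetime and flags, not the value: paste it into the `-c` argument from the tool's output or read it into an environment variable rather than leaving it in your shell history.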

Memory Usage

The scanner pulls a large number of job logs and, with --artifacts, downloads and unpacks artifact archives as well, so memory, CPU and disk usage can climb quickly. Tune --threads, --max-artifact-size and --job-limit to trade speed for stable processing, and use --queue to move the on-disk work queue out of the system tmp directory if that filesystem is small.

pipeleak gl scan [flags]

Examples

# Scan the pipelines of all accessible projects on the given instance, including job artifacts and dotenv artifacts
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com -a -c [value-of-valid-_gitlab_session]

# Scan all projects matching the search query kubernetes
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --search kubernetes

# Scan all pipelines of projects you own
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --owned

# Scan all pipelines of projects you are a member of
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --member

# Scan all accessible projects' pipelines, but limit the scan to 10 jobs per project, skip artifacts larger than 200 MB and use 8 threads
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --job-limit 10 -a --max-artifact-size 200Mb --threads 8

# Scan a single repository
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --repo mygroup/myproject

# Scan all repositories in a namespace
pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --namespace mygroup

Options

  -a, --artifacts                  Scan job artifacts
      --confidence strings         Filter for confidence level, separate by comma if multiple. See readme for more info.
  -c, --cookie string              GitLab cookie _gitlab_session (copy it from your browser after logging in with "Remember me" ticked)
  -g, --gitlab string              GitLab instance URL
  -h, --help                       help for scan
  -j, --job-limit int              Scan a max number of pipeline jobs - trade speed vs coverage. 0 scans all and is the default.
      --max-artifact-size string   Max file size of an artifact to be included in scanning. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize, i.e. SI decimal units, so 200Mb means 200,000,000 bytes (default "500Mb")
  -m, --member                     Scan projects the user is member of
  -n, --namespace string           Namespace to scan (all repos in the namespace will be scanned)
  -o, --owned                      Scan user-owned projects only
  -q, --queue string               Relative or absolute folder path where the queue files will be stored. Defaults to system tmp. Non-existing folders will be created.
  -r, --repo string                Single repository to scan, format: namespace/repo
  -s, --search string              Query string for searching projects
      --threads int                Number of threads used to scan (default 4)
  -t, --token string               GitLab API Token
      --truffleHogVerification     Enable TruffleHog credential verification: found credentials are actively tested against their issuing service and only the ones that verify are reported. Note that verification sends live requests with the candidate secrets. Disable with --truffleHogVerification=false (default true)
  -v, --verbose                    Verbose logging

Options inherited from parent commands

      --coloredLog       Output the human-readable log in color (default true)
      --json             Use JSON as log output format
  -l, --logfile string   Log output to a file

SEE ALSO