pipeleek ad scan

Scan Azure DevOps Actions

Synopsis

Scan Azure DevOps pipelines for secrets in logs and artifacts.

Authentication

Create your personal access token here: https://dev.azure.com/{yourproject}/_usersSettings/tokens

In the top right corner you can choose the scope (Global, Project etc.). Global in this case means per tenant: if you have access to multiple tenants, you need to run a scan per tenant. Create a read-only token with all scopes (click "Show all scopes"), select the correct organization(s) and then generate the token. Get your username from an HTTPS git clone URL in the UI.

pipeleek ad scan [no options!] [flags]

Examples

# Scan all pipelines the current user has access to
pipeleek ad scan --token xxxxxxxxxxx --username auser --artifacts

# Scan all pipelines of an organization
pipeleek ad scan --token xxxxxxxxxxx --username auser --artifacts --organization myOrganization

# Scan all pipelines of a project e.g. https://dev.azure.com/PowerShell/PowerShell
pipeleek ad scan --token xxxxxxxxxxx --username auser --artifacts --organization powershell --project PowerShell
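The authentication notes above say that a Global-scoped token only covers one tenant, so each tenant (organization) needs its own scan. The wrapper below is an added example and not part of the pipeleek documentation or code base: it runs one scan per organization, writes a separate JSON log file per organization, and reads the token from an environment variable so it is not typed into the shell on every run. The flags it passes (--token, --username, --artifacts, --organization, --hit-timeout, --json, --log-level, --logfile) are the ones listed on this page; the PIPELEEK_TOKEN and PIPELEEK_BIN variables, the log file names and the script name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the pipeleek documentation or code base.
# Runs one "pipeleek ad scan" per Azure DevOps organization: a Global-scoped
# PAT covers a single tenant, so every tenant you have access to gets its own
# scan. Assumptions (not from the docs page): the PAT is exported as
# PIPELEEK_TOKEN, and PIPELEEK_BIN can point at another binary for dry runs.

PIPELEEK_BIN="${PIPELEEK_BIN:-pipeleek}"

# Scan one organization, writing JSON log lines to $3. The token comes from
# the environment so it is not retyped into the shell (and its history) on
# every run; pipeleek itself still receives it via --token, the only
# mechanism this page documents.
run_org_scan() {
  org="$1"
  username="$2"
  logfile="$3"
  if [ -z "${PIPELEEK_TOKEN:-}" ]; then
    echo "PIPELEEK_TOKEN is not set; create a read-only PAT first" >&2
    return 2
  fi
  "$PIPELEEK_BIN" ad scan \
    --token "$PIPELEEK_TOKEN" \
    --username "$username" \
    --artifacts \
    --organization "$org" \
    --hit-timeout 2m \
    --json \
    --log-level warn \
    --logfile "$logfile"
}

# Scan every organization in the space-separated list $1 with username $2,
# one log file per organization under $3. Returns the number of failed scans
# (0 when everything succeeded), so it can double as a CI exit status.
scan_orgs() {
  orgs="$1"
  username="$2"
  outdir="${3:-./pipeleek-logs}"
  mkdir -p "$outdir"
  failed=0
  for org in $orgs; do
    if ! run_org_scan "$org" "$username" "$outdir/$org.jsonl"; then
      echo "scan of organization $org failed" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: PIPELEEK_TOKEN=... sh scan-tenants.sh "orgA orgB" auser ./pipeleek-logs
if [ "$#" -ge 2 ]; then
  scan_orgs "$1" "$2" "${3:-./pipeleek-logs}"
fi
```

Because each organization gets its own log file, a failed scan of one tenant does not hide findings from the others, and the non-zero return count makes the wrapper easy to gate a scheduled job on.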

Options

  -a, --artifacts                  Scan artifacts
      --confidence strings         Filter for confidence level, separate by comma if multiple. See readme for more info.
  -d, --devops string              Azure DevOps base URL (default "https://dev.azure.com")
  -h, --help                       help for scan
      --hit-timeout duration       Maximum time to wait for hit detection per scan item (e.g., 30s, 2m, 1h) (default 1m0s)
      --max-artifact-size string   Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize (default "500Mb")
      --max-builds int             Max. number of builds to scan per project (default -1)
      --organization string        Organization name to scan
  -o, --owned                      Scan only user owned repositories
  -p, --project string             Project name to scan - can be combined with organization
      --threads int                Number of concurrent threads for scanning (default 4)
  -t, --token string               Azure DevOps Personal Access Token - https://dev.azure.com/{yourUsername}/_usersSettings/tokens
      --truffle-hog-verification   Enable TruffleHog credential verification to actively test found credentials and only report verified ones (enabled by default, disable with --truffle-hog-verification=false) (default true)
  -u, --username string            Username

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO