
Scan

pipeleek gh scan

Scan GitHub Actions

Synopsis

Scan GitHub Actions workflow runs and artifacts for secrets

pipeleek gh scan [flags]

Examples

# Scan owned repositories including their artifacts
pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --owned

# Scan repositories of an organization (at most 10 workflow runs per repository)
pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --max-workflows 10 --org apache

# Scan public repositories
pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --max-workflows 10 --public

# Scan by search term
pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --max-workflows 10 --search iac

# Scan repositories of a user
pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --user firefart

# Scan a single repository
pipeleek gh scan --token github_pat_xxxxxxxxxxx --artifacts --repo owner/repo
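The examples above put the PAT directly on the command line, where it ends up in shell history. The wrapper below is an added example, not part of pipeleek: it reads the token from a `GITHUB_TOKEN` environment variable (an assumption; the tool itself only documents `--token`), validates the target shape before any API quota is spent, and composes the flag list from the options documented on this page. `build_scan_args` and `run_scan` are helper names chosen here, not pipeleek commands.

```shell
#!/usr/bin/env bash
# Added example (not pipeleek's own code): build and run a `pipeleek gh scan`
# invocation with the PAT taken from the environment instead of typed inline.
# Assumption: the caller exports GITHUB_TOKEN; pipeleek documents only --token.
set -euo pipefail

# build_scan_args MODE TARGET [MAX_WORKFLOWS]
#   MODE   one of: owned public org user repo search
#   TARGET org name, user name, owner/repo or search query (empty for owned/public)
# Prints the flags for `pipeleek gh scan`, one per line; returns 2 on bad input.
build_scan_args() {
  local mode="$1" target="${2:-}" max_workflows="${3:--1}"
  case "$mode" in
    owned)  printf '%s\n' --owned ;;
    public) printf '%s\n' --public ;;
    org)    [ -n "$target" ] || return 2; printf '%s\n' --org "$target" ;;
    user)   [ -n "$target" ] || return 2; printf '%s\n' --user "$target" ;;
    search) [ -n "$target" ] || return 2; printf '%s\n' --search "$target" ;;
    repo)
      # --repo requires exactly owner/repo: reject extra, leading or missing slashes
      case "$target" in
        */*/*) return 2 ;;
        ?*/?*) ;;
        *)     return 2 ;;
      esac
      printf '%s\n' --repo "$target" ;;
    *) return 2 ;;
  esac
  # -1 means "all workflow runs" (the documented default); otherwise a non-negative integer
  case "$max_workflows" in
    -1) ;;
    ''|*[!0-9]*) return 2 ;;
    *) ;;
  esac
  printf '%s\n' --max-workflows "$max_workflows"
  # Artifacts are where build logs and bundled config most often leak secrets
  printf '%s\n' --artifacts
}

# run_scan MODE TARGET [MAX_WORKFLOWS]: execute the scan with JSON logs to a file.
run_scan() {
  : "${GITHUB_TOKEN:?export GITHUB_TOKEN (GitHub PAT) before running}"
  local -a args
  mapfile -t args < <(build_scan_args "$@")
  # The token is still visible in the process list for the scan's duration;
  # run on a host you control and revoke the PAT when the engagement ends.
  pipeleek gh scan --token "$GITHUB_TOKEN" --json --logfile scan.log "${args[@]}"
}
```

Usage: `export GITHUB_TOKEN=github_pat_...; run_scan org apache 10` produces the same command as the organization example above, with the token read from the environment. On broad `--public` or `--search` scans, keep `--max-workflows` bounded so a single large repository does not consume the run.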

Options

  -a, --artifacts                  Scan artifacts
      --confidence strings         Filter for confidence level, separate by comma if multiple. See readme for more info.
  -g, --github string              GitHub API base URL (default "https://api.github.com")
  -h, --help                       help for scan
      --hit-timeout duration       Maximum time to wait for hit detection per scan item (e.g., 30s, 2m, 1h) (default 1m0s)
      --max-artifact-size string   Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize (default "500Mb")
      --max-workflows int          Max. number of workflows to scan per repository (default -1)
      --org string                 GitHub organization name to scan
  -o, --owned                      Scan only user owned repositories
  -p, --public                     Scan all public repositories
  -r, --repo string                Scan a single repository in the format owner/repo
  -s, --search string              GitHub search query
      --threads int                Number of concurrent threads for scanning (default 4)
  -t, --token string               GitHub Personal Access Token - https://github.com/settings/tokens
      --truffle-hog-verification   Enable TruffleHog credential verification: actively test found credentials and report only the ones that verify. Disable with --truffle-hog-verification=false (default true)
      --user string                GitHub user name to scan

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO