Scan
pipeleek gl scan
Scan a GitLab instance
Synopsis
Scan a GitLab instance for secrets in pipeline jobs and optionally artifacts
Dotenv
Dotenv artifacts are not accessible through the GitLab API. To scan them, you must manually supply your session cookie after logging in through a web browser. The session cookie is named _gitlab_session and should remain valid for two weeks.
Memory Usage
Because the scanner processes a large number of resources (especially with --artifacts), memory, CPU and disk usage can become hard to manage. Tune --threads, --max-artifact-size and --job-limit to balance speed against resource consumption and keep processing stable.
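As an added example (this is not part of pipeleek or its documentation), the POSIX shell wrapper below assembles a resource-bounded `pipeleek gl scan` command line from the tuning flags discussed above, validating each value before it reaches the scanner and forcing JSON logging to a file so a long scan leaves an auditable record. It assumes the `pipeleek` binary is on PATH when `run_scan` is actually invoked, reads the API token from a `PIPELEEK_TOKEN` environment variable (a name chosen for this wrapper, not a pipeleek convention), and approximates the go-units size syntax with a regular expression rather than calling the Go library.

```shell
#!/bin/sh
# Added wrapper around "pipeleek gl scan" (not pipeleek's own code).
# Assumptions: pipeleek is on PATH; the API token is exported as
# PIPELEEK_TOKEN (wrapper-specific variable name).

# Accept a go-units style human size such as 200Mb, 1.5GB or 512k.
# Approximation of the syntax documented for go-units FromHumanSize.
valid_human_size() {
  printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)?[ ]?([kKmMgGtTpP][bB]?|[bB])?$'
}

# Accept a non-negative integer (job limit, thread count).
valid_uint() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Suggest a thread count: CPU count, capped at 8 to keep memory in check,
# falling back to pipeleek's default of 4 when the CPU count is unknown.
default_threads() {
  n=$(nproc 2>/dev/null || sysctl -n hw.ncpu 2>/dev/null || echo 4)
  if [ "$n" -gt 8 ]; then n=8; fi
  echo "$n"
}

# build_scan_args GITLAB_URL JOB_LIMIT MAX_ARTIFACT_SIZE THREADS
# Prints the validated argument list on one line; returns 1 on bad input.
build_scan_args() {
  url=$1; job_limit=$2; max_size=$3; threads=$4
  case "$url" in
    https://*) ;;
    *) echo "gitlab url must use https: $url" >&2; return 1 ;;
  esac
  valid_uint "$job_limit" || { echo "bad job limit: $job_limit" >&2; return 1; }
  valid_human_size "$max_size" || { echo "bad artifact size: $max_size" >&2; return 1; }
  if ! valid_uint "$threads" || [ "$threads" -lt 1 ]; then
    echo "bad thread count: $threads" >&2; return 1
  fi
  printf '%s' "gl scan --gitlab $url --artifacts --job-limit $job_limit"
  printf ' %s' "--max-artifact-size $max_size --threads $threads"
  printf ' %s\n' "--json --logfile pipeleek-scan.log"
}

# run_scan GITLAB_URL JOB_LIMIT MAX_ARTIFACT_SIZE THREADS
# Builds the argument list and executes pipeleek with the token from the
# environment, so the token never appears in a script or shell history.
run_scan() {
  [ -n "$PIPELEEK_TOKEN" ] || { echo "PIPELEEK_TOKEN is not set" >&2; return 1; }
  args=$(build_scan_args "$@") || return 1
  # Arguments contain no whitespace, so word splitting is safe here.
  # shellcheck disable=SC2086
  pipeleek $args --token "$PIPELEEK_TOKEN"
}
```

Typical use is `PIPELEEK_TOKEN=... run_scan https://gitlab.example.com 10 200Mb "$(default_threads)"`; lowering the job limit and artifact ceiling first, then raising threads, is the order that keeps memory predictable on a large instance.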
Examples
```
# Scan all accessible projects' pipelines, their artifacts and dotenv artifacts on gitlab.com
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com -a -c [value-of-valid-_gitlab_session]

# Scan all projects matching the search query kubernetes
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --search kubernetes

# Scan all pipelines of projects you own
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --owned

# Scan all pipelines of projects you are a member of
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --member

# Scan all accessible projects' pipelines, but limit the jobs scanned per project to 10,
# only scan artifacts smaller than 200MB and use 8 threads
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --job-limit 10 -a --max-artifact-size 200Mb --threads 8

# Scan a single repository
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --repo mygroup/myproject

# Scan all repositories in a namespace
pipeleek gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.example.com --namespace mygroup
```
Options
```
  -a, --artifacts                   Scan artifacts
      --confidence strings          Filter for confidence level, separate by comma if multiple. See readme for more info.
  -c, --cookie string               GitLab Cookie _gitlab_session (must be extracted from your browser, use remember me)
  -h, --help                        help for scan
      --hit-timeout duration        Maximum time to wait for hit detection per scan item (e.g., 30s, 2m, 1h) (default 1m0s)
  -j, --job-limit int               Scan a max number of pipeline jobs - trade speed vs coverage. 0 scans all and is the default.
      --max-artifact-size string    Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize (default "500Mb")
  -m, --member                      Scan projects the user is a member of
  -n, --namespace string            Namespace to scan (all repos in the namespace will be scanned)
  -o, --owned                       Scan only user-owned repositories
  -q, --queue string                Relative or absolute folder path where the queue files will be stored. Defaults to system tmp. Non-existing folders will be created.
  -r, --repo string                 Single repository to scan, format: namespace/repo
  -s, --search string               Query string for searching projects
      --threads int                 Number of concurrent threads for scanning (default 4)
      --truffle-hog-verification    Enable TruffleHog credential verification to actively test found credentials and only report verified ones (enabled by default, disable with --truffle-hog-verification=false) (default true)
```
Options inherited from parent commands
```
      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
  -g, --gitlab string      GitLab instance URL
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -t, --token string       GitLab API Token
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)
```
SEE ALSO