Scan

pipeleek gluna scan

Scan public GitLab pipelines without an account

Synopsis

Scan public GitLab project pipelines for secrets in job traces and optionally artifacts.

This command does not require an API token and only covers resources that are publicly accessible. Dotenv artifacts are intentionally not scanned in this mode because they require a UI session cookie.

pipeleek gluna scan [flags]

Examples

# Scan public project pipelines and traces
pipeleek gluna scan --url https://gitlab.example.com

# Scan public pipelines with artifacts and tuned performance
pipeleek gluna scan --url https://gitlab.example.com --artifacts --job-limit 10 --max-artifact-size 200Mb --threads 8

# Scan one public repository
pipeleek gluna scan --url https://gitlab.example.com --repo mygroup/myproject

# Scan all public repositories in a namespace
pipeleek gluna scan --url https://gitlab.example.com --namespace mygroup

Options

  -a, --artifacts                  Scan artifacts
      --confidence strings         Filter by confidence level; separate multiple levels with commas. See the readme for more info.
  -h, --help                       help for scan
      --hit-timeout duration       Maximum time to wait for hit detection per scan item (e.g., 30s, 2m, 1h) (default 1m0s)
  -j, --job-limit int              Scan at most this many pipeline jobs (trades speed for coverage). 0 scans all jobs and is the default.
      --max-artifact-size string   Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize (default "500Mb")
  -n, --namespace string           Namespace to scan (all public repos in the namespace will be scanned)
  -q, --queue string               Relative or absolute folder path where the queue files will be stored. Defaults to the system tmp directory. Non-existing folders will be created.
  -r, --repo string                Single public repository to scan, format: namespace/repo
  -s, --search string              Query string for searching public projects
      --threads int                Number of concurrent threads for scanning (default 4)
      --truffle-hog-verification   Enable TruffleHog credential verification to actively test found credentials and only report verified ones (enabled by default, disable with --truffle-hog-verification=false) (default true)
  -u, --url string                 GitLab instance URL
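The --max-artifact-size value is parsed with the go-units size grammar linked above: a number, an optional space, an optional k/m/g/t/p prefix and an optional "b" or "ib" suffix, with base-1000 multipliers throughout. The added example below is not pipeleek's or go-units' code; it reimplements that grammar (assumed to be what the flag applies) so you can check what a given limit resolves to, and shows the caveat that "200MiB" yields the same 200,000,000 bytes as "200Mb" rather than 209,715,200.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SI multipliers (base 1000), applied even to "i" suffixes: "200MiB" == "200Mb".
var decimalUnits = map[byte]int64{'k': 1e3, 'm': 1e6, 'g': 1e9, 't': 1e12, 'p': 1e15}

// ParseArtifactSize accepts "<number>[ ][k|m|g|t|p][b|ib]" (any case) and
// returns the limit in bytes, or an error for malformed input.
func ParseArtifactSize(s string) (int64, error) {
	sep := strings.LastIndexAny(s, "0123456789. ")
	if sep == -1 {
		return -1, fmt.Errorf("invalid size: %q", s)
	}
	num, sfx := s[:sep+1], s[sep+1:]
	if s[sep] == ' ' { // "1.5 GB": drop the separating space
		num = s[:sep]
	}
	n, err := strconv.ParseFloat(num, 64)
	if err != nil || n < 0 {
		return -1, fmt.Errorf("invalid size: %q", s)
	}
	sfx = strings.ToLower(sfx)
	if sfx == "" || sfx == "b" {
		return int64(n), nil
	}
	mul, ok := decimalUnits[sfx[0]]
	if !ok || len(sfx) > 3 || (len(sfx) == 2 && sfx[1] != 'b') || (len(sfx) == 3 && sfx[1:] != "ib") {
		return -1, fmt.Errorf("invalid suffix: %q", sfx)
	}
	return int64(n * float64(mul)), nil
}

// SkipArtifact reports whether an artifact of sizeBytes exceeds the limit
// given to --max-artifact-size and would therefore not be scanned.
func SkipArtifact(sizeBytes int64, limit string) (bool, error) {
	limitBytes, err := ParseArtifactSize(limit)
	if err != nil {
		return false, err
	}
	return sizeBytes > limitBytes, nil
}

func main() {
	b, err := ParseArtifactSize("200MiB")
	fmt.Println(b, err) // 200000000 <nil>
}
```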

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
      --config string      Config file path. Example: ~/.config/pipeleek/pipeleek.yaml
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO

  • pipeleek gluna - GitLab related commands which do not require authentication