Skip to content

Configuration

Pipeleek can be configured via config files, environment variables, or CLI flags. This eliminates repetitive flag usage, simplifies and secures credential management.

Quick Start

Create ~/.config/pipeleek/pipeleek.yaml:

1
2
3
gitlab:
  url: https://gitlab.example.com
  token: glpat-xxxxxxxxxxxxxxxxxxxx

Run commands without flags:

1
2
pipeleek gl enum
pipeleek gl scan

Priority Order

Configuration sources are resolved in this order (highest to lowest):

  1. CLI flags - --gitlab, --token, etc.
  2. Environment variables - PIPELEEK_GITLAB_TOKEN
  3. Config file - ~/.config/pipeleek/pipeleek.yaml
  4. Defaults

Config File Locations

Pipeleek searches these locations in order:

  1. --config /path/to/file (explicit path)
  2. ~/.config/pipeleek/pipeleek.yaml (recommended)
  3. ~/pipeleek.yaml
  4. ./pipeleek.yaml

Configuration Schema

Config keys follow the pattern: <platform>.<subcommand>.<flag_name>

Platform-level settings (like url and token) are inherited by all commands under that platform.

GitLab

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
gitlab:
  url: https://gitlab.example.com # Shared across all gl commands
  token: glpat-xxxxxxxxxxxxxxxxxxxx # Shared across all gl commands
  cookie: "" # Optional: _gitlab_session cookie for dotenv artifacts

  enum:
    level: full # gl enum --level

  cicd:
    yaml:
      project: group/project # gl cicd yaml --project

  schedule: {} # gl schedule (inherits url/token)

  secureFiles: {} # gl secureFiles (inherits url/token)

  variables: {} # gl variables (inherits url/token)

  vuln: {} # gl vuln (inherits url/token)

  runners:
    list: {} # gl runners list (inherits url/token)

    exploit:
      tags: [docker, linux] # gl runners exploit --tags
      shell: bash # gl runners exploit --shell
      dry: false # gl runners exploit --dry
      age_public_key: "" # gl runners exploit --age-public-key
      repo_name: "" # gl runners exploit --repo-name

  renovate:
    enum:
      owned: true # gl renovate enum --owned
      member: true # gl renovate enum --member
      repo: false # gl renovate enum --repo
      namespace: false # gl renovate enum --namespace
      search: "" # gl renovate enum --search
      fast: false # gl renovate enum --fast
      dump: false # gl renovate enum --dump

    autodiscovery: {} # gl renovate autodiscovery (inherits url/token)

    privesc: {} # gl renovate privesc (inherits url/token)

  register:
    username: newuser # gl register --username
    password: secret # gl register --password
    email: user@example.com # gl register --email

  shodan:
    json: shodan_data.json # gl shodan --json

  scan:
    threads: 10 # gl scan --threads (can override common.threads)

GitHub

1
2
3
4
5
6
7
github:
  url: https://api.github.com
  token: ghp_xxxxxxxxxxxxxxxxxxxx

  scan:
    owner: myorg
    repo: myrepo

BitBucket

1
2
3
4
5
6
7
8
bitbucket:
  url: https://bitbucket.org
  email: user@example.com
  token: ATATTxxxxxx

  scan:
    workspace: myworkspace
    repo_slug: myrepo

Azure DevOps

1
2
3
4
5
6
azure_devops:
  url: https://dev.azure.com/myorg
  token: ado-token

  scan:
    project: myproject

Gitea

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
gitea:
  url: https://gitea.example.com
  token: gitea-token

  enum:
    owner: myorg # gitea enum --owner

  secrets:
    owner: myorg # gitea secrets --owner
    repo: myrepo # gitea secrets --repo

  variables:
    owner: myorg # gitea variables --owner
    repo: myrepo # gitea variables --repo

  scan:
    owner: myorg # gitea scan --owner
    repo: myrepo # gitea scan --repo (optional, scans all if not specified)

Common Settings

Scan commands inherit from common:

1
2
3
4
5
6
common:
  threads: 2
  trufflehog_verification: true
  max_artifact_size: 100Mb
  confidence_filter: medium # low, medium, high, high-verified
  hit_timeout: 120 # Seconds

Override per-command:

1
2
3
gitlab:
  scan:
    threads: 20 # Override common.threads for gl scan

Environment Variables

Set any config key using PIPELEEK_ prefix. Replace dots with underscores:

1
2
3
4
5
export PIPELEEK_GITLAB_URL=https://gitlab.example.com
export PIPELEEK_GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
export PIPELEEK_GITLAB_ENUM_LEVEL=full

pipeleek gl enum

Examples

Multi-Platform Setup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
gitlab:
  url: https://gitlab.company.com
  token: glpat-prod-token

github:
  url: https://api.github.com
  token: ghp-prod-token

common:
  threads: 8
  trufflehog_verification: false

1
2
pipeleek gl scan              # Uses GitLab config
pipeleek gh scan --owned      # Uses GitHub config

Override Config Values

1
2
3
4
5
# Use config token but different URL
pipeleek gl enum --gitlab https://gitlab-dev.company.com

# Use config URL/token but different level
pipeleek gl enum --level minimal

Partial Configuration

Config file can provide some values, flags provide others:

1
2
gitlab:
  url: https://gitlab.example.com

1
2
# URL from config, token from flag
pipeleek gl enum --token glpat-xxxxxxxxxxxxxxxxxxxx

Full Example

See pipeleek.example.yaml for a complete example with all platforms and commands documented.

Troubleshooting

1
2
# Use trace logging to see which keys are loaded
pipeleek --log-level=trace gl enum