
Getting Started with Pipeleek


Why Pipeleek?

Scanning for credentials in CI/CD pipelines is interesting because secrets often end up in pipeline logs or build artifacts that traditional Git scanners won’t check. This means you can catch leaked secrets that are injected or generated at runtime, not just those committed to Git.

Once secrets are discovered, further exploitation often requires additional tooling. Pipeleek provides several helper commands to assist with this process.

Installation

Quick Install (Linux/macOS)

Install the latest version with a single command:

curl -sL https://compasssecurity.github.io/pipeleek/install.sh | sh

⚠️ Security Warning: Piping scripts directly to sh can be dangerous. Always review the script contents first at https://compasssecurity.github.io/pipeleek/install.sh before executing.
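One way to follow the warning above, as an added example (not part of the Pipeleek project): download the installer to a file, review it, record its SHA-256, and run it only while the digest still matches, so the reviewed copy can be reused on other hosts or in automation. The helper names `sha256_of`, `fetch_installer` and `run_if_pinned` are hypothetical; only the URL comes from this page.

```shell
#!/bin/sh
# Added example: fetch / review / pin workflow for the installer script.
# INSTALLER_URL is taken from this page; the function names are hypothetical.
INSTALLER_URL="https://compasssecurity.github.io/pipeleek/install.sh"

# sha256_of FILE: print the SHA-256 hex digest using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS ships shasum
    fi
}

# fetch_installer DEST: save the script to a file instead of piping it to sh.
# -f makes curl fail on HTTP errors so an error page is never saved as a script.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$1" "$INSTALLER_URL"
}

# run_if_pinned FILE EXPECTED_SHA256: execute FILE only if it is byte-identical
# to the copy that was reviewed. Returns 1 on mismatch without running anything.
run_if_pinned() {
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: sha256 '$actual' does not match pinned value" >&2
        return 1
    fi
    sh "$1"
}

# Typical use (left as comments so sourcing this file has no side effects):
#   fetch_installer ./install.sh
#   less ./install.sh                 # read what it will do
#   sha256_of ./install.sh            # record the digest of the reviewed copy
#   run_if_pinned ./install.sh <digest-you-recorded>
```
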

Install with Go

Alternatively, install using Go:

go install github.com/CompassSecurity/pipeleek/cmd/pipeleek@latest

Linux

  1. Visit the Pipeleek GitHub Releases page.

  2. Download the binary for your architecture:

     • For Linux amd64: pipeleek_<version>_linux_amd64
     • For Linux arm64: pipeleek_<version>_linux_arm64

  3. Make it executable and run it:

chmod +x pipeleek_<version>_linux_amd64
./pipeleek_<version>_linux_amd64 --version

You can rename and move it to a directory in your PATH:

sudo mv pipeleek_<version>_linux_amd64 /usr/local/bin/pipeleek
pipeleek --version

macOS

  1. Visit the Pipeleek GitHub Releases page.

  2. Download the binary for your Mac architecture:

     • For Intel Macs (amd64): pipeleek_<version>_darwin_amd64
     • For Apple Silicon Macs (arm64): pipeleek_<version>_darwin_arm64

  3. Make it executable and run it:

chmod +x pipeleek_<version>_darwin_arm64
./pipeleek_<version>_darwin_arm64 --version

You can move and rename it to a directory in your PATH:

sudo mv pipeleek_<version>_darwin_arm64 /usr/local/bin/pipeleek
pipeleek --version

Note: On first run, macOS may block the binary. You can allow it in System Settings → Privacy & Security, or run:

xattr -d com.apple.quarantine pipeleek

Windows

  1. Visit the Pipeleek GitHub Releases page.

  2. Download the Windows binary for your architecture:

     • For Windows amd64: pipeleek_<version>_windows_amd64.exe
     • For Windows arm64: pipeleek_<version>_windows_arm64.exe

  3. Open PowerShell or Command Prompt and verify installation:

.\pipeleek_<version>_windows_amd64.exe --version

You can rename it for convenience:

Rename-Item pipeleek_<version>_windows_amd64.exe pipeleek.exe
.\pipeleek.exe --version

Platform-Specific Binaries

Pipeleek also provides platform-specific binaries that include only the commands for a specific platform. These are smaller and can be downloaded manually at Pipeleek GitHub Releases:

  • pipeleek-gitlab_<version>_<os>_<arch> - GitLab commands only
  • pipeleek-github_<version>_<os>_<arch> - GitHub commands only
  • pipeleek-bitbucket_<version>_<os>_<arch> - Bitbucket commands only
  • pipeleek-devops_<version>_<os>_<arch> - Azure DevOps commands only
  • pipeleek-gitea_<version>_<os>_<arch> - Gitea commands only

Usage Examples

Basic Scanning

The most basic example scans GitLab pipeline logs for secrets:

pipeleek gl scan --token glpat-[redacted] --gitlab https://gitlab.example.com

Scanning Artifacts

In addition to logs, Pipeleek can also scan artifacts generated by pipelines.

💡 Tip: Artifact scanning is disabled by default; every scan command must be explicitly configured to scan artifacts.

pipeleek gl scan --token glpat-[redacted] --gitlab https://gitlab.example.com --artifacts