Skip to content

Gitleaks scanner

πŸ€– AI-Generated Content

This documentation was generated with AI assistance and is still being audited. Some, or potentially a lot, of this information may be inaccurate. Learn more.

provide.testkit.quality.security.gitleaks_scanner

GitLeaks secret detection scanner implementation.

Classes

GitLeaksScanner 

GitLeaksScanner(config: dict[str, Any] | None = None)

Secret detection scanner using GitLeaks.

Scans codebases for hardcoded secrets, API keys, passwords, and other sensitive information using pattern matching.

Note: GitLeaks is a Go binary and must be installed separately. Install via: brew install gitleaks (macOS) or download from GitHub releases.

Initialize GitLeaks scanner.

Parameters:

Name Type Description Default
config dict[str, Any] | None

Scanner configuration options. If "config_file" is not specified, will auto-detect .provide/security/gitleaks.toml if it exists.

 None
Source code in provide/testkit/quality/security/gitleaks_scanner.py 
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
def __init__(self, config: dict[str, Any] | None = None) -> None:
    """Initialize GitLeaks scanner.

    Args:
        config: Scanner configuration options. If "config_file" is not specified,
                will auto-detect .provide/security/gitleaks.toml if it exists.
    """
    if not GITLEAKS_AVAILABLE:
        raise QualityToolError(
            "GitLeaks not available. Install with: brew install gitleaks (macOS) "
            "or download from https://github.com/gitleaks/gitleaks/releases",
            tool="gitleaks",
        )

    self.config = config or {}
    self.artifact_dir: Path | None = None

    # Auto-detect config file if not explicitly specified
    if "config_file" not in self.config:
        default_config = self._get_default_config_path()
        if default_config:
            self.config["config_file"] = default_config
Functions
analyze 
analyze(path: Path, **kwargs: Any) -> QualityResult

Run GitLeaks analysis on the given path.

Parameters:

Name Type Description Default
path Path

Path to scan for secrets

 required
**kwargs Any

Additional options including artifact_dir

 {}

Returns:

Type Description
QualityResult

QualityResult with secret detection data
Source code in provide/testkit/quality/security/gitleaks_scanner.py 
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
def analyze(self, path: Path, **kwargs: Any) -> QualityResult:
    """Run GitLeaks analysis on the given path.

    Args:
        path: Path to scan for secrets
        **kwargs: Additional options including artifact_dir

    Returns:
        QualityResult with secret detection data
    """
    self.artifact_dir = kwargs.get("artifact_dir", Path(".provide/output/security"))
    start_time = time.time()

    try:
        result = self._run_gitleaks_scan(path)
        result.execution_time = time.time() - start_time
        self._generate_artifacts(result)
        return result

    except Exception as e:
        return QualityResult(
            tool="gitleaks",
            passed=False,
            details={"error": str(e), "error_type": type(e).__name__},
            execution_time=time.time() - start_time,
        )
report 
report(
    result: QualityResult, format: str = "terminal"
) -> str

Generate report from QualityResult.

Source code in provide/testkit/quality/security/gitleaks_scanner.py 
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
def report(self, result: QualityResult, format: str = "terminal") -> str:
    """Generate report from QualityResult."""
    if format == "terminal":
        return self._generate_text_report(result)
    elif format == "json":
        return json.dumps(
            {
                "tool": result.tool,
                "passed": result.passed,
                "score": result.score,
                "details": result.details,
            },
            indent=2,
        )
    else:
        return str(result.details)

Functions