Building upon its core functionality of fetching and injecting secrets into your applications, Infisical now takes a significant step forward in bolstering your code security. We’ve enhanced our CLI tool to include a powerful scanning feature, capable of identifying more than 140 different types of secret leaks in your codebase. In addition to scanning for past leaks, this new addition also actively aids in preventing future leaks.

Scanning

infisical scan

# Display the full secret findings
infisical scan --verbose

The infisical scan command serves to scan repositories, directories, and files. It’s compatible with both individual developer machines and Continuous Integration (CI) environments.

When you run infisical scan on a Git repository, Infisical parses the output of a git log -p command. This command generates patches that Infisical uses to identify secrets in your code. You can configure the range of commits that git log will cover using the --log-opts flag. Any options you can use with git log -p are valid for --log-opts.

For instance, to instruct Infisical to scan a specific range of commits, use the following command: infisical scan --log-opts="--all commitA..commitB". For more details, refer to the Git log documentation.

To scan individual files and directories, use the --no-git flag.

View full details for this command

Automatically scan changes before you commit

To lower the risk of committing hardcoded secrets to your code repository, we have designed a custom git pre-commit hook. This hook scans the changes you’re about to commit for any exposed secrets. If any hardcoded secrets are detected, it will block your commit.

Install pre-commit hook

To install this git hook, go into your local git repository and run the following command.

infisical scan install --pre-commit-hook

To disable this hook after installing it, run the command git config --bool hooks.infisical-scan false.

Third party hooks management

If you would rather handle your pre-commit hook outside of the standard .git/hooks directory, you can quickly achieve this by adding the following command into your pre-commit script. For instance, if you utilize Husky for managing your Git hooks, you can insert the command provided below into your .husky/pre-commit file.

infisical scan git-changes --staged --verbose

Creating a baseline

When scanning large repositories or repositories with a long history, it can be helpful to use a baseline.

A baseline allows Infisical to ignore any old findings that are already present in the baseline findings. You can create an infisical scan report by running infisical scan with the --report-path flag.

To create an Infisical scan report and save it in a file called leaks-report.json, use the following command:

infisical scan --report-path leaks-report.json

Once a baseline is created, you can apply it when running the infisical scan command again. Use the following command:

infisical scan --baseline-path leaks-report.json --report-path findings.json

After running the scan command with the --baseline-path flag, the report output in findings.json will only contain new issues.

Configuration file

To customize the scan, such as specifying your own rules or establishing exceptions for certain files or paths that should not be flagged as risks, you can define these specifications in the configuration file.

Ignoring Known Secrets

If you’re intentionally committing a test secret that infisical scan might flag, you can instruct Infisical to overlook that secret with the methods listed below.

infisical-scan:ignore

To ignore a secret contained in a line of code, add infisical-scan:ignore at the end of that line as a comment in the given programming language.

example.js
function helloWorld() {
    console.log("8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"); // infisical-scan:ignore
}

.infisicalignore

An alternative method to exclude specific findings involves creating a .infisicalignore file at your repository’s root. You can then add the fingerprints of the findings you wish to exclude. The Infisical scan report provides a unique Fingerprint for each secret found. By incorporating these Fingerprints into the .infisicalignore file, Infisical will skip the corresponding secret findings in subsequent scans.

.infisicalignore
bea0ff6e05a4de73a5db625d4ae181a015b50855:frontend/components/utilities/attemptLogin.js:stripe-access-token:147
bea0ff6e05a4de73a5db625d4ae181a015b50855:backend/src/json/integrations.json:generic-api-key:5
1961b92340e5d2613acae528b886c842427ce5d0:frontend/components/utilities/attemptLogin.js:stripe-access-token:148
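As an added illustration of how the baseline (from "Creating a baseline") and the .infisicalignore file together narrow a report to new findings, here is a small model of that filtering logic. It is not Infisical's own code: the fingerprint layout commit:path:rule-id:line is inferred from the example entries above and is an assumption, as are the sample reports.

```python
from dataclasses import dataclass

# Assumption: a fingerprint reads "<commit>:<path>:<rule-id>:<line>", which is
# the layout of the .infisicalignore entries shown above; the real CLI's report
# schema is not reproduced here.
@dataclass(frozen=True, order=True)
class Fingerprint:
    commit: str
    path: str
    rule: str
    line: int

def parse_fingerprint(text: str) -> Fingerprint:
    """Parse one fingerprint; split from the right so a path may contain ':'."""
    text = text.strip()
    try:
        commit, rest = text.split(":", 1)
        path, rule, line = rest.rsplit(":", 2)
        lineno = int(line)
    except ValueError as exc:
        raise ValueError(f"malformed fingerprint: {text!r}") from exc
    if not commit or any(c not in "0123456789abcdef" for c in commit.lower()):
        raise ValueError(f"commit is not a hex object id: {text!r}")
    if not path or not rule or lineno < 1:
        raise ValueError(f"empty field or bad line number: {text!r}")
    return Fingerprint(commit, path, rule, lineno)

def load_fingerprints(text: str) -> set[Fingerprint]:
    """Parse a .infisicalignore body or a list of report fingerprints; blank lines are skipped."""
    return {parse_fingerprint(ln) for ln in text.splitlines() if ln.strip()}

def new_findings(current, baseline, ignored) -> list[Fingerprint]:
    """What a --baseline-path run reports: current minus baseline minus the ignore list."""
    return sorted(current - baseline - ignored)

# Constructed sample data: the ignore entries are the three from the page; the
# two reports use made-up commit ids and paths.
IGNORE_TEXT = """
bea0ff6e05a4de73a5db625d4ae181a015b50855:frontend/components/utilities/attemptLogin.js:stripe-access-token:147
bea0ff6e05a4de73a5db625d4ae181a015b50855:backend/src/json/integrations.json:generic-api-key:5
1961b92340e5d2613acae528b886c842427ce5d0:frontend/components/utilities/attemptLogin.js:stripe-access-token:148
"""
OLD = "1111111111111111111111111111111111111111"  # constructed commit id
NEW = "2222222222222222222222222222222222222222"  # constructed commit id
BASELINE_TEXT = f"{OLD}:backend/src/config.ts:generic-api-key:12\n"
CURRENT_TEXT = BASELINE_TEXT + IGNORE_TEXT + f"{NEW}:backend/src/db.ts:generic-api-key:7\n"
```

Note that the two attemptLogin.js entries differ only by commit and line number: a fingerprint is tied to a specific commit, so a secret that moves in a later commit needs its own entry.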