From ac130feb0b84631ecb17a8704e77c5cce88f38a9 Mon Sep 17 00:00:00 2001 
From: Cemil ILIK Date: Mon, 25 May 2026 00:01:09 +0300 Subject: [PATCH 1/5] feat(action): Marketplace-ready GitHub Action with prebuilt-binary install Make Leakwatch usable from the GitHub Marketplace as `uses: HodeTech/Leakwatch@v1`, matching the low-friction adoption path of comparable tools. Action (action.yml, moved to repo root from action/): - Composite action that downloads the prebuilt release archive for the runner and verifies its SHA-256 checksum before running (Linux/macOS); replaces the compile-on-every-run `go install` approach. - New inputs: output, remediation, config, scan-diff, extra-args, working-directory. - PR-diff scanning: scan-diff=auto limits git scans to commits new to the event via --since-commit (PR base..HEAD / push before..HEAD). - Writes a findings job summary to $GITHUB_STEP_SUMMARY (parsed from SARIF). - Composite outputs now declare value: mappings, so findings-count/sarif-file are actually exposed (previously always empty). CLI: - New `github` output format emits ::error/::warning/::notice workflow commands for inline PR annotations. The raw secret is never printed (redacted only); command data/properties are percent-escaped. Registered in config.validFormats, selectFormatter, and the scan flag help. New internal/output/github package with 98% test coverage. Release & CI: - release.yml moves the floating major tag (v1) to each stable release via the REST API (gh), skipping pre-releases. - action-test.yml self-tests the action on ubuntu+macos and runs actionlint (+shellcheck) over all workflows. - ci.yml: quote the coverage-gate command substitution (SC2046) so the new actionlint job passes. Docs: - ADR-0009 records the decision (main-repo root + prebuilt-binary) and the manual Marketplace publish runbook. - github-action.md and output-formats.md (EN+TR), README badge + usage, CHANGELOG, CLAUDE.md, and the decisions index updated; all `leakwatch-action` references switched to `Leakwatch`. 
Linux/macOS runners only for now (composite + prebuilt binary); Windows is a documented future enhancement. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/action-test.yml | 106 +++++++ .github/workflows/ci.yml | 2 +- .github/workflows/release.yml | 26 ++ CHANGELOG.md | 7 + CLAUDE.md | 3 +- README.md | 20 +- action.yml | 290 ++++++++++++++++++ action/action.yml | 123 -------- cmd/init.go | 2 +- cmd/scan_common.go | 6 + cmd/scan_fs.go | 2 +- cmd/scan_gcs.go | 2 +- cmd/scan_git.go | 2 +- cmd/scan_image.go | 2 +- cmd/scan_repos.go | 2 +- cmd/scan_s3.go | 2 +- cmd/scan_slack.go | 2 +- .../ADR-0009-github-marketplace-action.md | 133 ++++++++ docs/decisions/README.md | 1 + docs/guides/ci-cd-integration.md | 10 +- docs/user-manuals/en/ci-cd/github-action.md | 64 +++- docs/user-manuals/en/output/output-formats.md | 29 +- docs/user-manuals/tr/ci-cd/github-action.md | 64 +++- docs/user-manuals/tr/output/output-formats.md | 29 +- internal/config/config.go | 9 +- internal/output/github/github_formatter.go | 129 ++++++++ .../output/github/github_formatter_test.go | 230 ++++++++++++++ 27 files changed, 1121 insertions(+), 176 deletions(-) create mode 100644 .github/workflows/action-test.yml create mode 100644 action.yml delete mode 100644 action/action.yml create mode 100644 docs/decisions/ADR-0009-github-marketplace-action.md create mode 100644 internal/output/github/github_formatter.go create mode 100644 internal/output/github/github_formatter_test.go diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml new file mode 100644 index 0000000..7c60a33 --- /dev/null +++ b/.github/workflows/action-test.yml 
@@ -0,0 +1,106 @@ +name: Action Test + +# Validates the composite GitHub Action (install → scan → exit-code/outputs) on +# real runners, plus lints all workflow files. Runs when the action or this +# workflow changes. The action installs the latest released leakwatch binary, so +# this exercises the action mechanics rather than the CLI in this PR (the CLI has +# its own unit tests in CI). +on: + push: + branches: [main] + paths: + - 'action.yml' + - '.github/workflows/action-test.yml' + pull_request: + paths: + - 'action.yml' + - '.github/workflows/action-test.yml' + workflow_dispatch: + +permissions: + contents: read + +jobs: + actionlint: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v6 + with: + go-version: '1.25.10' + - name: Install actionlint + run: go install github.com/rhysd/actionlint/cmd/actionlint@latest + # shellcheck is preinstalled on ubuntu runners, so actionlint also lints + # the run: scripts inside the workflows. + - name: Run actionlint + run: | + GOBIN="$(go env GOPATH)/bin" + "$GOBIN/actionlint" -color + + run-action: + name: run-action (${{ matrix.os }}) + needs: actionlint + runs-on: ${{ matrix.os }} + permissions: + contents: read + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest] + steps: + - uses: actions/checkout@v4 + + # Build the fixture at runtime so no secret-shaped literal is ever committed + # (which would trip push protection / secret scanning). Reassembled at + # runtime, the canonical AWS docs example key triggers the + # aws-access-key-id detector. 
+ - name: Create fixtures + shell: bash + run: | + set -euo pipefail + mkdir -p _lwtest _lwclean + printf 'AWS_ACCESS_KEY_ID=%s%s\n' 'AKIA' 'IOSFODNN7EXAMPLE' > _lwtest/leak.env + echo 'just some harmless text, no secrets here' > _lwclean/ok.txt + + - name: Scan dirty fixture (expect a finding) + id: detect + uses: ./ + with: + scan-type: fs + path: _lwtest + format: sarif + no-verify: 'true' + fail-on-findings: 'false' + + - name: Assert a finding was reported + shell: bash + env: + COUNT: ${{ steps.detect.outputs.findings-count }} + SARIF: ${{ steps.detect.outputs.sarif-file }} + run: | + set -euo pipefail + echo "findings-count=$COUNT sarif-file=$SARIF" + [ "$COUNT" = "1" ] || { echo "::error::expected findings-count=1, got '$COUNT'"; exit 1; } + [ -n "$SARIF" ] && [ -f "$SARIF" ] || { echo "::error::expected SARIF file at '$SARIF'"; exit 1; } + echo "OK: finding detected and SARIF written" + + - name: Scan clean fixture (expect no findings) + id: clean + uses: ./ + with: + scan-type: fs + path: _lwclean + format: table + no-verify: 'true' + fail-on-findings: 'true' + + - name: Assert no findings reported + shell: bash + env: + COUNT: ${{ steps.clean.outputs.findings-count }} + run: | + set -euo pipefail + [ "$COUNT" = "0" ] || { echo "::error::expected findings-count=0, got '$COUNT'"; exit 1; } + echo "OK: clean directory reported no findings" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1d09595..2747a94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ jobs: run: | COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | tr -d '%') echo "Total coverage: ${COVERAGE}%" - if [ $(echo "$COVERAGE < 70" | bc -l) -eq 1 ]; then + if [ "$(echo "$COVERAGE < 70" | bc -l)" -eq 1 ]; then echo "::error::Coverage ${COVERAGE}% is below 70% threshold" exit 1 fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2296df0..8a072d4 100644 
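Review bot: `go install github.com/rhysd/actionlint/cmd/actionlint@latest` in the actionlint job installs an unpinned tool, so the lint gate that `run-action` depends on via `needs: actionlint` can change behaviour, or start failing, on an upstream release with no change in this repository. Pinning it the way `go-version: '1.25.10'` is already pinned, e.g. `go install github.com/rhysd/actionlint/cmd/actionlint@<release-tag>`, keeps the job reproducible and turns a tool upgrade into a reviewable diff; the same consideration applies to `actions/checkout@v4` and `actions/setup-go@v6` if the project prefers full-SHA pinning for third-party actions. The `run-action` job's dirty-fixture scan uses the action's default `output`, so `results.sarif` lands in the checkout root; passing `output: _lwtest/results.sarif` would keep the generated artefact next to the fixture it describes and out of the tree the second scan runs in.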
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,3 +45,29 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} + + # Move the floating major tag (e.g. v1) to this release so consumers can + # pin `uses: HodeTech/Leakwatch@v1` and always get the latest v1.x. Skipped + # for pre-releases (tags containing a hyphen, e.g. v1.5.0-rc.1). Uses the + # REST API via gh so it works with the persist-credentials: false checkout. + - name: Update major version tag + if: ${{ !contains(github.ref_name, '-') }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG: ${{ github.ref_name }} + REPO: ${{ github.repository }} + SHA: ${{ github.sha }} + run: | + set -euo pipefail + MAJOR="${TAG%%.*}" # v1.5.0 -> v1 + if [ "$MAJOR" = "$TAG" ] || [ -z "$MAJOR" ]; then + echo "Could not derive a major tag from '$TAG'; skipping." + exit 0 + fi + echo "Pointing ${MAJOR} at ${SHA} (${TAG})" + if gh api "repos/${REPO}/git/refs/tags/${MAJOR}" >/dev/null 2>&1; then + gh api -X PATCH "repos/${REPO}/git/refs/tags/${MAJOR}" -f sha="${SHA}" -F force=true >/dev/null + else + gh api -X POST "repos/${REPO}/git/refs" -f ref="refs/tags/${MAJOR}" -f sha="${SHA}" >/dev/null + fi + echo "Major tag ${MAJOR} now points at ${TAG}." diff --git a/CHANGELOG.md b/CHANGELOG.md index 529b1c6..d53021c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
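Review bot: The new `Update major version tag` step needs `contents: write` on `GITHUB_TOKEN` for the `PATCH`/`POST` calls against `git/refs`; the job's `permissions:` block is outside this hunk, so please confirm it grants that, since a read-only default token makes the step fail only at release time. Because the step retargets `v1` with `force=true`, every consumer of `uses: HodeTech/Leakwatch@v1` executes whatever commit the release workflow ran on, so the user docs should state that pinning to a full commit SHA is the stricter option for consumers who want to review each update. The existence probe `gh api "repos/${REPO}/git/refs/tags/${MAJOR}" >/dev/null 2>&1` treats any failure (auth, network) as "tag missing" and falls through to the create call, which then fails on an existing ref; echoing a hint such as `echo "::error::Failed to create ${MAJOR}; if it already exists the preceding lookup failed"` when the POST fails would make that case diagnosable from the log. The enclosing job starts outside the hunk.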
@@ -8,6 +8,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/). ## [Unreleased] ### Added +- **GitHub Action is now Marketplace-ready and installs a prebuilt binary** — the action metadata moved from `action/action.yml` to the repository root `action.yml` so it can be published to the GitHub Marketplace and consumed as `uses: HodeTech/Leakwatch@v1`. Instead of compiling from source with `go install` on every run, the action now downloads the platform's prebuilt release archive and verifies its SHA-256 checksum before running (Linux and macOS runners). New inputs: `output`, `remediation`, `config`, `scan-diff`, `extra-args`, `working-directory`. Composite `outputs` now declare `value:` mappings, so `findings-count` and `sarif-file` are actually exposed to downstream steps (previously always empty). +- **Pull-request diff scanning in the Action** — for `git` scans, `scan-diff: auto` (default) limits the scan to commits introduced by the event (`pull_request` base..HEAD or `push` before..HEAD) via `--since-commit`, so CI surfaces only newly added secrets. Requires `actions/checkout` with `fetch-depth: 0`. +- **GitHub Actions job summary** — the action writes a findings summary (counts and a per-finding table parsed from SARIF) to `$GITHUB_STEP_SUMMARY`. +- **`github` output format** — `--format github` emits GitHub Actions workflow commands (`::error`/`::warning`/`::notice`) so findings appear as inline annotations on pull requests. The raw secret is never emitted (redacted only), and command data/properties are percent-escaped. New `internal/output/github` formatter with full unit-test coverage. +- **Floating major version tag** — releases now move the `vN` tag (e.g. `v1`) to the latest `vN.x.y` so consumers can pin `uses: HodeTech/Leakwatch@v1`. Pre-releases (tags containing `-`) are skipped. 
+- **Action self-test workflow** — `.github/workflows/action-test.yml` runs the composite action against fixtures on Linux and macOS and lints all workflows with `actionlint` (which also shellchecks the `run:` scripts). - **Custom rules are now loaded from `.leakwatch.yaml`** — the documented `custom-rules:` block is finally wired into the scan. Previously `custom.RegisterCustomRules` existed and was tested but never called, so user-defined detectors were silently ignored. Registration is duplicate-safe: a rule whose ID collides with a built-in detector (or another custom rule) is skipped with a warning instead of panicking. (Resolves ROADMAP "Known Gaps" P0 #1.) - **Inline ignore (`# leakwatch:ignore` / `# leakwatch:ignore:`) is now honored** — the marker is checked on each finding's source line during scanning and ignored findings are dropped before verification, so they never trigger a network call. Repeated occurrences of the same secret are resolved to their own lines, so an ignore on one copy never suppresses a genuine leak elsewhere in the file. The library helpers existed but were never invoked by the engine. (Resolves ROADMAP "Known Gaps" P0 #2.) - **Line numbers are now reported for findings** — the engine computes the 1-based line of each match per occurrence (from its byte offset within the chunk). Previously every finding reported `line: 0` in JSON/SARIF/CSV/table output, and repeated matches of the same bytes would all have collapsed onto the first occurrence's line. This is also the prerequisite that makes inline ignore correct. 
@@ -17,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/). - **SARIF results carry location-independent `partialFingerprints`** — GitHub Code Scanning tracks an alert across line moves instead of closing and reopening it. (Important now that findings report real line numbers instead of `line: 0`.) ### Changed +- **CI coverage-gate script quoting** — quoted the `bc` command substitution in the coverage check (`ci.yml`) so the new `actionlint`/shellcheck job passes (SC2046). - **Config validation hardening** — `output.severity-threshold` is validated against the known severity set (a typo no longer silently falls back to "low"); a unit-less `verification.timeout` (e.g. `30`, which YAML decodes as 30 nanoseconds) is rejected with a hint to use a unit; a disabled `verification:` block no longer fails validation on leftover non-positive values; nested config keys are now overridable via environment variables (e.g. `LEAKWATCH_OUTPUT_SEVERITY_THRESHOLD`). - **`detector.RegisterIfAbsent`** — new atomic check-and-insert used by custom-rule registration to avoid a check-then-register race and the panic on duplicate IDs. - **Finding IDs include the line number** — disambiguates two findings that share the same redacted value in the same file (e.g. two private keys with identical redaction on different lines). diff --git a/CLAUDE.md b/CLAUDE.md index a4f7a8a..264fd01 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -45,7 +45,7 @@ leakwatch/ │ ├── config/ # Viper-based configuration │ └── filter/ # .leakwatchignore, inline ignore ├── pkg/ # Public packages (finding model) -├── action/ # GitHub Action definition +├── action.yml # GitHub Action definition (Marketplace, repo root) ├── Formula/ # Homebrew formula ├── Dockerfile # Multi-stage Docker build ├── docs/ # Documentation 
@@ -71,6 +71,7 @@ Architecture decisions are documented in ADR format under `docs/decisions/`. The | [ADR-0006](docs/decisions/ADR-0006-container-library.md) | go-containerregistry | Daemonless, layer-based analysis | | [ADR-0007](docs/decisions/ADR-0007-license.md) | MIT | Enterprise adoption, open-core compatibility | | [ADR-0008](docs/decisions/ADR-0008-concurrency-model.md) | Worker Pool | Fixed worker count, channel-based | +| [ADR-0009](docs/decisions/ADR-0009-github-marketplace-action.md) | Marketplace Action | Root `action.yml`, prebuilt-binary composite, `@v1` | ## Coding Standards diff --git a/README.md b/README.md index 06ce289..62466a3 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Go Report Card](https://goreportcard.com/badge/github.com/HodeTech/leakwatch)](https://goreportcard.com/report/github.com/HodeTech/leakwatch) [![Go Reference](https://pkg.go.dev/badge/github.com/HodeTech/leakwatch.svg)](https://pkg.go.dev/github.com/HodeTech/leakwatch) +[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Leakwatch%20Secret%20Scanner-2ea44f?logo=github)](https://github.com/marketplace/actions/leakwatch-secret-scanner) > Next-generation secret scanning platform — fast, accurate, open source. 
@@ -15,18 +16,21 @@ | Feature | Leakwatch | TruffleHog | Gitleaks | |---------|-----------|------------|----------| -| **License** | MIT | AGPL-3.0 | MIT* | +| **License** | MIT | AGPL-3.0 | MIT [^gl-action] | | **Secret Verification** | Yes (54 verifiers, 51 packages) | Yes | No | | **Container Scanning** | Yes | Yes | No | -| **Aho-Corasick** | Yes | Partial | No | -| **Entropy Analysis** | Hybrid | Yes | Filter | -| **YAML Custom Rules** | Yes | No (Go) | TOML | -| **SARIF Output** | Yes | Yes | Yes | +| **SARIF Output** | Yes | No [^th-sarif] | Yes | +| **Aho-Corasick Prefilter** | Yes | Yes | Yes | +| **Entropy Analysis** | Yes | Yes | Yes | +| **Custom Rules** | YAML | YAML (config) | TOML | + +[^gl-action]: The Gitleaks CLI is MIT-licensed. The official `gitleaks-action` GitHub Action, however, runs under a commercial EULA and requires a (free) license key for **organization** accounts (personal accounts are exempt). +[^th-sarif]: TruffleHog emits JSON / plain / GitHub-Actions output; it has no native SARIF formatter (SARIF requires an external converter). All three tools use Aho-Corasick keyword pre-filtering and Shannon-entropy filtering, and all three support custom rules (Leakwatch: YAML, TruffleHog: `config.yaml` `detectors:` block, Gitleaks: TOML). 
**What makes Leakwatch different:** -- **Verification + MIT license** — A unique combination in the open source world +- **MIT license _with_ verification** — Among these tools, Leakwatch is the only one that is both permissively licensed (MIT, unlike TruffleHog's AGPL-3.0) and performs live secret verification (unlike Gitleaks, which is detection-only) - **85.7% verification coverage** — 54 of 63 detectors have live API or format validation verification -- **Hybrid detection engine** — Low false positives with Aho-Corasick + Regex + Entropy +- **Verification + container + SARIF in one MIT binary** — TruffleHog lacks SARIF; Gitleaks lacks verification and container scanning - **Easy extensibility** — YAML for simple rules, Go plugin for advanced ones - **Single binary, zero dependencies** — Runs on every platform - **Scan summary** — Every scan prints a summary to stderr (date, source, target, files scanned, duration, findings) @@ -190,7 +194,7 @@ leakwatch scan fs . --remediation ### GitHub Actions ```yaml -- uses: HodeTech/leakwatch-action@v1 +- uses: HodeTech/Leakwatch@v1 with: scan-type: git only-verified: true # only report verified live secrets (action default: false) diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..2423dbc --- /dev/null +++ b/action.yml 
@@ -0,0 +1,290 @@ +name: 'Leakwatch Secret Scanner' +description: 'Detect, verify & report leaked secrets (API keys, tokens, credentials) in code, Git history, and container images.' +author: 'HodeTech' + +branding: + icon: 'shield' + color: 'red' + +inputs: + scan-type: + description: 'What to scan: fs (filesystem), git (repository history), or image (container image).' + required: false + default: 'fs' + path: + description: 'Path to scan (for fs/git) or image reference (for image).' + required: false + default: '.' + format: + description: 'Output format: sarif, json, csv, table, or github (inline pull-request annotations).' + required: false + default: 'sarif' + output: + description: 'Write formatted output to this file (relative to working-directory). Ignored for format=github. When empty and format=sarif, defaults to results.sarif.' + required: false + default: '' + only-verified: + description: 'Report only findings confirmed active by live verification.' + required: false + default: 'false' + no-verify: + description: 'Disable live verification (no outbound calls to provider APIs). Recommended in CI.' + required: false + default: 'true' + min-severity: + description: 'Minimum severity to report: low, medium, high, or critical.' + required: false + default: 'low' + remediation: + description: 'Include remediation guidance in the output.' + required: false + default: 'false' + config: + description: 'Path to a .leakwatch.yaml configuration file.' + required: false + default: '' + scan-diff: + description: 'For git scans, scan only commits new to the event instead of full history. "auto" enables this on pull_request/push events, "true" forces it, "false" always scans full history. Requires a checkout with fetch-depth: 0.' + required: false + default: 'auto' + extra-args: + description: 'Additional raw arguments appended to the leakwatch scan command (space-separated).' 
+ required: false + default: '' + working-directory: + description: 'Directory to run the scan from.' + required: false + default: '.' + sarif-upload: + description: 'Upload SARIF results to GitHub Code Scanning. Requires format=sarif and permissions: security-events: write.' + required: false + default: 'false' + fail-on-findings: + description: 'Fail the workflow step when leakwatch reports findings (exit code 1). When "false", a ::warning:: is emitted instead so the scan does not block the pipeline. Hard errors (exit code >= 2) always fail the step regardless of this setting.' + required: false + default: 'true' + version: + description: 'Leakwatch version to install: "latest" or a release tag such as v1.5.0.' + required: false + default: 'latest' + +outputs: + findings-count: + description: 'Number of secrets found (0 or 1; mirrors the leakwatch exit code).' + value: ${{ steps.scan.outputs.findings-count }} + sarif-file: + description: 'Path to the SARIF output file relative to the repository root (set when format=sarif).' + value: ${{ steps.scan.outputs.sarif-file }} + +runs: + using: 'composite' + steps: + - name: Install Leakwatch + shell: bash + env: + LW_VERSION: ${{ inputs.version }} + LW_REPO: HodeTech/Leakwatch + run: | + set -euo pipefail + + # ---- Resolve OS/arch (Linux and macOS only) ---------------------------- + case "$RUNNER_OS" in + Linux) GOOS=linux; EXT=tar.gz; BIN=leakwatch ;; + macOS) GOOS=darwin; EXT=tar.gz; BIN=leakwatch ;; + *) + echo "::error::The Leakwatch action supports Linux and macOS runners only (got '$RUNNER_OS'). Use ubuntu-latest or macos-latest, or run the container image ghcr.io/hodetech/leakwatch." + exit 1 ;; + esac + case "$RUNNER_ARCH" in + X64) GOARCH=amd64 ;; + ARM64) GOARCH=arm64 ;; + *) + echo "::error::Unsupported runner architecture '$RUNNER_ARCH' (expected X64 or ARM64)." 
+ exit 1 ;; + esac + + # ---- Resolve the release tag ------------------------------------------ + if [ "$LW_VERSION" = "latest" ]; then + eff="$(curl -fsSLI -o /dev/null -w '%{url_effective}' "https://github.com/${LW_REPO}/releases/latest")" + TAG="${eff##*/}" + else + TAG="$LW_VERSION" + fi + if [ -z "$TAG" ] || [ "$TAG" = "latest" ] || [ "$TAG" = "releases" ]; then + echo "::error::Could not resolve a Leakwatch release tag (got '$TAG')." + exit 1 + fi + VER="${TAG#v}" # goreleaser archive names omit the leading 'v' + + # ---- Download, verify, extract ---------------------------------------- + ARCHIVE="leakwatch_${VER}_${GOOS}_${GOARCH}.${EXT}" + BASE_URL="https://github.com/${LW_REPO}/releases/download/${TAG}" + TMP="$(mktemp -d)" + echo "Installing Leakwatch ${TAG} (${ARCHIVE})" + curl -fsSL -o "${TMP}/${ARCHIVE}" "${BASE_URL}/${ARCHIVE}" + curl -fsSL -o "${TMP}/checksums.txt" "${BASE_URL}/checksums.txt" + + expected="$(awk -v f="$ARCHIVE" '$2 == f {print $1}' "${TMP}/checksums.txt")" + if [ -z "$expected" ]; then + echo "::error::Checksum for ${ARCHIVE} not found in checksums.txt." + exit 1 + fi + if command -v sha256sum >/dev/null 2>&1; then + actual="$(sha256sum "${TMP}/${ARCHIVE}" | awk '{print $1}')" + elif command -v shasum >/dev/null 2>&1; then + actual="$(shasum -a 256 "${TMP}/${ARCHIVE}" | awk '{print $1}')" + else + echo "::error::No sha256 tool (sha256sum/shasum) available to verify the download." + exit 1 + fi + if [ "$expected" != "$actual" ]; then + echo "::error::Checksum mismatch for ${ARCHIVE} (expected ${expected}, got ${actual})." 
+ exit 1 + fi + + tar -xzf "${TMP}/${ARCHIVE}" -C "$TMP" + + # ---- Install onto PATH for the next step ------------------------------ + INSTALL_DIR="${TMP}/bin" + mkdir -p "$INSTALL_DIR" + mv "${TMP}/${BIN}" "${INSTALL_DIR}/${BIN}" + chmod +x "${INSTALL_DIR}/${BIN}" + echo "$INSTALL_DIR" >> "$GITHUB_PATH" + "${INSTALL_DIR}/${BIN}" version || true + + - name: Run scan + id: scan + shell: bash + env: + INPUT_SCAN_TYPE: ${{ inputs.scan-type }} + INPUT_PATH: ${{ inputs.path }} + INPUT_FORMAT: ${{ inputs.format }} + INPUT_OUTPUT: ${{ inputs.output }} + INPUT_MIN_SEVERITY: ${{ inputs.min-severity }} + INPUT_ONLY_VERIFIED: ${{ inputs.only-verified }} + INPUT_NO_VERIFY: ${{ inputs.no-verify }} + INPUT_REMEDIATION: ${{ inputs.remediation }} + INPUT_CONFIG: ${{ inputs.config }} + INPUT_SCAN_DIFF: ${{ inputs.scan-diff }} + INPUT_EXTRA_ARGS: ${{ inputs.extra-args }} + INPUT_WORKING_DIRECTORY: ${{ inputs.working-directory }} + INPUT_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }} + GH_EVENT_NAME: ${{ github.event_name }} + GH_PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} + GH_PUSH_BEFORE: ${{ github.event.before }} + run: | + set -uo pipefail + + WORKDIR="${INPUT_WORKING_DIRECTORY:-.}" + cd "$WORKDIR" || { echo "::error::working-directory not found: $WORKDIR"; exit 1; } + + ARGS=(scan "$INPUT_SCAN_TYPE" "$INPUT_PATH" --format "$INPUT_FORMAT" --min-severity "$INPUT_MIN_SEVERITY") + + # Output file: explicit value, or default results.sarif for SARIF. + # The github format streams workflow commands to stdout, so it has no file. + OUT="$INPUT_OUTPUT" + if [ -z "$OUT" ] && [ "$INPUT_FORMAT" = "sarif" ]; then + OUT="results.sarif" + fi + if [ -n "$OUT" ] && [ "$INPUT_FORMAT" != "github" ]; then + ARGS+=(--output "$OUT") + fi + if [ "$INPUT_FORMAT" = "sarif" ] && [ -n "$OUT" ]; then + # Report the path relative to the repo root so a later upload step finds it. + if [ "$WORKDIR" = "." 
]; then + echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" + else + echo "sarif-file=${WORKDIR%/}/$OUT" >> "$GITHUB_OUTPUT" + fi + fi + + [ "$INPUT_ONLY_VERIFIED" = "true" ] && ARGS+=(--only-verified) + [ "$INPUT_NO_VERIFY" = "true" ] && ARGS+=(--no-verify) + [ "$INPUT_REMEDIATION" = "true" ] && ARGS+=(--remediation) + [ -n "$INPUT_CONFIG" ] && ARGS+=(--config "$INPUT_CONFIG") + + # PR-diff: for git scans, limit to commits introduced by this event. + diff_enabled=false + case "$INPUT_SCAN_DIFF" in + true) diff_enabled=true ;; + auto) + if [ "$INPUT_SCAN_TYPE" = "git" ] && { [ "$GH_EVENT_NAME" = "pull_request" ] || [ "$GH_EVENT_NAME" = "push" ]; }; then + diff_enabled=true + fi ;; + esac + if [ "$diff_enabled" = "true" ] && [ "$INPUT_SCAN_TYPE" = "git" ]; then + base="" + [ "$GH_EVENT_NAME" = "pull_request" ] && base="$GH_PR_BASE_SHA" + [ "$GH_EVENT_NAME" = "push" ] && base="$GH_PUSH_BEFORE" + # Skip the all-zero SHA (first push of a branch, which has no parent). + if [ -n "$base" ] && [ "$base" != "0000000000000000000000000000000000000000" ]; then + ARGS+=(--since-commit "$base") + fi + fi + + # Append any extra raw arguments (deliberate word-splitting). + if [ -n "$INPUT_EXTRA_ARGS" ]; then + # shellcheck disable=SC2206 + extra=($INPUT_EXTRA_ARGS) + ARGS+=("${extra[@]}") + fi + + echo "+ leakwatch ${ARGS[*]}" + leakwatch "${ARGS[@]}" + EXIT_CODE=$? + + # ---- Job summary ------------------------------------------------------ + if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then + { + echo "## 🔍 Leakwatch secret scan" + echo "" + if [ "$INPUT_FORMAT" = "sarif" ] && [ -n "$OUT" ] && [ -f "$OUT" ] && command -v jq >/dev/null 2>&1; then + total="$(jq '[.runs[].results[]] | length' "$OUT" 2>/dev/null || echo 0)" + if [ "${total:-0}" = "0" ]; then + echo "✅ No secrets detected." 
+ else + echo "Found **${total}** potential secret(s):" + echo "" + echo "| Level | Detector | Location |" + echo "| --- | --- | --- |" + jq -r '.runs[].results[] | "| \(.level) | \(.ruleId) | \((.locations[0].physicalLocation.artifactLocation.uri // "-"))\(if .locations[0].physicalLocation.region.startLine then ":" + (.locations[0].physicalLocation.region.startLine | tostring) else "" end) |"' "$OUT" 2>/dev/null | head -50 + fi + elif [ "$EXIT_CODE" -eq 0 ]; then + echo "✅ No secrets detected." + elif [ "$EXIT_CODE" -eq 1 ]; then + echo "⚠️ Potential secrets detected. See the step log above for details." + else + echo "❌ Scan failed (exit code ${EXIT_CODE})." + fi + echo "" + echo "Scanned with [Leakwatch](https://github.com/HodeTech/Leakwatch) · type: \`${INPUT_SCAN_TYPE}\` · format: \`${INPUT_FORMAT}\`" + } >> "$GITHUB_STEP_SUMMARY" + fi + + # ---- Exit-code mapping ------------------------------------------------ + # leakwatch exit codes (see cmd/root.go): + # 0 — no findings + # 1 — findings reported (gated by fail-on-findings) + # >=2 — hard error (always fails the step) + if [ "$EXIT_CODE" -eq 0 ]; then + echo "findings-count=0" >> "$GITHUB_OUTPUT" + elif [ "$EXIT_CODE" -eq 1 ]; then + echo "findings-count=1" >> "$GITHUB_OUTPUT" + if [ "$INPUT_FAIL_ON_FINDINGS" = "true" ]; then + echo "::error::Leakwatch found secrets in your code" + exit 1 + else + echo "::warning::Leakwatch found secrets in your code (fail-on-findings=false; step will not fail)" + fi + else + echo "findings-count=0" >> "$GITHUB_OUTPUT" + echo "::error::Leakwatch scan failed with exit code ${EXIT_CODE}" + exit "$EXIT_CODE" + fi + + - name: Upload SARIF + if: always() && inputs.sarif-upload == 'true' && inputs.format == 'sarif' + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scan.outputs.sarif-file }} + category: leakwatch diff --git a/action/action.yml b/action/action.yml deleted file mode 100644 index a889918..0000000 --- a/action/action.yml +++ /dev/null 
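Review bot: `extra=($INPUT_EXTRA_ARGS)` in the `Run scan` step performs pathname expansion as well as word splitting, so an `extra-args` value containing `*` or `?` (an exclude pattern, say) is globbed against the working directory before it reaches `leakwatch`; `read -ra extra <<< "$INPUT_EXTRA_ARGS"` splits on whitespace without globbing and removes the need for the `shellcheck disable=SC2206` line. In the install step, `checksums.txt` is fetched from the same release as the archive, so the SHA-256 comparison guards against a corrupted or truncated download but not against a modified release; if the release assets are signed (the hunk does not show that) verifying the signature on `checksums.txt` would close that gap, otherwise a comment such as `# Integrity check only: checksums.txt comes from the same release as the archive` sets the right expectation. Also, `sarif-file` is written to `$GITHUB_OUTPUT` before the scan runs, so when leakwatch exits with code >= 2 the `Upload SARIF` step (`if: always() && ...`) receives a path that may not exist; moving the `echo "sarif-file=..."` lines after the scan under a `[ -f "$OUT" ]` guard keeps the output truthful.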
@@ -1,123 +0,0 @@ -name: 'Leakwatch Secret Scanner' -description: 'Scan your codebase for leaked secrets (API keys, passwords, certificates)' -author: 'HodeTech' - -branding: - icon: 'shield' - color: 'red' - -inputs: - scan-type: - description: 'Scan type: fs, git, or image' - required: false - default: 'fs' - path: - description: 'Path to scan (for fs/git) or image reference (for image)' - required: false - default: '.' - format: - description: 'Output format: json, sarif, csv, table' - required: false - default: 'sarif' - only-verified: - description: 'Only report verified active secrets' - required: false - default: 'false' - no-verify: - description: 'Disable secret verification' - required: false - default: 'true' - min-severity: - description: 'Minimum severity to report: low, medium, high, critical' - required: false - default: 'low' - sarif-upload: - description: 'Upload SARIF results to GitHub Code Scanning' - required: false - default: 'false' - fail-on-findings: - description: 'Fail the workflow step when leakwatch finds secrets (exit code 1). When set to "false" the step prints a ::warning:: but still succeeds, so the scan does not block the pipeline. Hard errors (exit code >= 2) always fail the step regardless of this setting.' - required: false - default: 'true' - version: - description: 'Leakwatch version to use' - required: false - default: 'latest' - -outputs: - findings-count: - description: 'Number of secrets found (0 or 1; mirrors leakwatch exit code).' 
- sarif-file: - description: 'Path to SARIF output file (if format=sarif)' - -runs: - using: 'composite' - steps: - - name: Install Leakwatch - shell: bash - env: - INPUT_VERSION: ${{ inputs.version }} - run: | - if [ "$INPUT_VERSION" = "latest" ]; then - go install github.com/HodeTech/leakwatch@latest - else - go install "github.com/HodeTech/leakwatch@$INPUT_VERSION" - fi - - - name: Run scan - id: scan - shell: bash - env: - INPUT_SCAN_TYPE: ${{ inputs.scan-type }} - INPUT_PATH: ${{ inputs.path }} - INPUT_FORMAT: ${{ inputs.format }} - INPUT_MIN_SEVERITY: ${{ inputs.min-severity }} - INPUT_ONLY_VERIFIED: ${{ inputs.only-verified }} - INPUT_NO_VERIFY: ${{ inputs.no-verify }} - INPUT_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }} - run: | - ARGS=(scan "$INPUT_SCAN_TYPE" "$INPUT_PATH" --format "$INPUT_FORMAT" --min-severity "$INPUT_MIN_SEVERITY") - - if [ "$INPUT_ONLY_VERIFIED" = "true" ]; then - ARGS+=(--only-verified) - fi - - if [ "$INPUT_NO_VERIFY" = "true" ]; then - ARGS+=(--no-verify) - fi - - if [ "$INPUT_FORMAT" = "sarif" ]; then - ARGS+=(--output results.sarif) - echo "sarif-file=results.sarif" >> "$GITHUB_OUTPUT" - fi - - set +e - leakwatch "${ARGS[@]}" - EXIT_CODE=$? 
- set -e - - # leakwatch exit codes (see cmd/root.go): - # 0 — no findings - # 1 — findings reported (controlled by fail-on-findings) - # 2+ — hard error (always fails the step) - if [ "$EXIT_CODE" -eq 0 ]; then - echo "findings-count=0" >> "$GITHUB_OUTPUT" - elif [ "$EXIT_CODE" -eq 1 ]; then - echo "findings-count=1" >> "$GITHUB_OUTPUT" - if [ "$INPUT_FAIL_ON_FINDINGS" = "true" ]; then - echo "::error::Leakwatch found secrets in your code" - exit 1 - else - echo "::warning::Leakwatch found secrets in your code (fail-on-findings=false; step will not fail)" - fi - else - echo "::error::Leakwatch scan failed with exit code $EXIT_CODE" - exit "$EXIT_CODE" - fi - - - name: Upload SARIF - if: always() && inputs.sarif-upload == 'true' && inputs.format == 'sarif' - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - category: leakwatch diff --git a/cmd/init.go b/cmd/init.go index 001346e..8e6b0b7 100644 --- a/cmd/init.go +++ b/cmd/init.go @@ -50,7 +50,7 @@ verification: timeout: 10s # Per-request timeout output: - format: json # Output format: json, sarif, csv, table + format: json # Output format: json, sarif, csv, table, github show-raw: false # Never show raw secret values filter: diff --git a/cmd/scan_common.go b/cmd/scan_common.go index 030642a..5b6f37d 100644 --- a/cmd/scan_common.go +++ b/cmd/scan_common.go @@ -24,6 +24,7 @@ import ( "github.com/HodeTech/leakwatch/internal/filter" "github.com/HodeTech/leakwatch/internal/output" csvout "github.com/HodeTech/leakwatch/internal/output/csv" + githubout "github.com/HodeTech/leakwatch/internal/output/github" jsonout "github.com/HodeTech/leakwatch/internal/output/json" sarifout "github.com/HodeTech/leakwatch/internal/output/sarif" tableout "github.com/HodeTech/leakwatch/internal/output/table" 
@@ -224,6 +225,11 @@ func selectFormatter(format string, showRaw bool, colorEnabled bool) output.Form
 return &csvout.Formatter{ShowRaw: showRaw}
 case "table":
 return &tableout.Formatter{ShowRaw: showRaw, ColorEnabled: colorEnabled}
+ case "github":
+ // The GitHub annotations formatter intentionally ignores showRaw: it
+ // only ever emits the redacted value, since annotations render in the
+ // (often public) PR UI and run logs.
+ return &githubout.Formatter{}
 default:
 return &jsonout.Formatter{ShowRaw: showRaw}
 }
diff --git a/cmd/scan_fs.go b/cmd/scan_fs.go
index 229b9ce..aa5ad7e 100644
--- a/cmd/scan_fs.go
+++ b/cmd/scan_fs.go
@@ -40,7 +40,7 @@ func init() {
 scanCmd.AddCommand(scanFsCmd)
 flags := scanFsCmd.Flags()
 
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers")
 flags.Int64("max-file-size", 10*1024*1024, "maximum file size in bytes")
diff --git a/cmd/scan_gcs.go b/cmd/scan_gcs.go
index 54bd022..4682825 100644
--- a/cmd/scan_gcs.go
+++ b/cmd/scan_gcs.go
@@ -32,7 +32,7 @@ func init() {
 scanCmd.AddCommand(scanGCSCmd)
 flags := scanGCSCmd.Flags()
 
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers")
 flags.Int64("max-file-size", 10*1024*1024, "maximum file size in bytes")
diff --git a/cmd/scan_git.go b/cmd/scan_git.go
index bbef156..bd54c0b 100644
--- a/cmd/scan_git.go
+++ b/cmd/scan_git.go
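Review bot: The new `case "github"` branch drops `showRaw` silently, so a user who passes `--show-raw` together with `--format github` gets redacted output with no indication that the flag was ignored; always redacting is the right default for annotations, but a single warning would prevent the confusion, e.g. `if showRaw { slog.Warn("--show-raw is ignored for the github format; annotations are always redacted") }` just before the `return` (assuming `log/slog` is imported in this file as it is in cmd/scan_slack.go). The same silent-mismatch concern applies to `--output`: workflow commands written to a file are never seen by the runner, so the caller that opens the output file (outside this hunk) could warn or reject when the format is `github` and an output path is set. Only the `switch` body of selectFormatter is visible here; the function's opening and closing lines lie outside the hunk.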
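Review bot: The format list inside the `--format` help string is hand-maintained in seven places — this hunk in cmd/scan_fs.go and the identical ones in cmd/scan_gcs.go, cmd/scan_git.go, cmd/scan_image.go, cmd/scan_repos.go, cmd/scan_s3.go and cmd/scan_slack.go — separately from the `validFormats` map in internal/config/config.go, and this commit already had to edit all eight spots to add `github`. A single shared help constant, or a string built from the validated names (for example `"output format (" + strings.Join(formatNames, ", ") + ")"` with a proposed exported `formatNames` slice in the config package that `validFormats` is also derived from), would keep the help text and the validation from drifting apart the next time a format is added. Each `init()` body continues outside its hunk.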
@@ -47,7 +47,7 @@ func init() {
 scanCmd.AddCommand(scanGitCmd)
 flags := scanGitCmd.Flags()
 
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers")
 flags.Int64("max-file-size", 10*1024*1024, "maximum file size in bytes")
diff --git a/cmd/scan_image.go b/cmd/scan_image.go
index 4fbc6c2..50f8ee8 100644
--- a/cmd/scan_image.go
+++ b/cmd/scan_image.go
@@ -36,7 +36,7 @@ func init() {
 scanCmd.AddCommand(scanImageCmd)
 flags := scanImageCmd.Flags()
 
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers")
 flags.Int64("max-file-size", 10*1024*1024, "maximum file size in bytes")
diff --git a/cmd/scan_repos.go b/cmd/scan_repos.go
index ab0123e..4d1e28c 100644
--- a/cmd/scan_repos.go
+++ b/cmd/scan_repos.go
@@ -42,7 +42,7 @@ func init() {
 scanCmd.AddCommand(scanReposCmd)
 flags := scanReposCmd.Flags()
 
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers per repo")
 flags.Int("parallel", 3, "number of repositories to scan in parallel")
diff --git a/cmd/scan_s3.go b/cmd/scan_s3.go
index 96cfed3..b27b237 100644
--- a/cmd/scan_s3.go
+++ b/cmd/scan_s3.go
@@ -32,7 +32,7 @@ func init() {
 scanCmd.AddCommand(scanS3Cmd)
 flags := scanS3Cmd.Flags()
 
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers")
 flags.Int64("max-file-size", 10*1024*1024, "maximum file size in bytes")
diff --git a/cmd/scan_slack.go b/cmd/scan_slack.go
index d5f605d..d331b7f 100644
--- a/cmd/scan_slack.go
+++ b/cmd/scan_slack.go
@@ -67,7 +67,7 @@ func init() {
 slog.Warn("failed to mark include-files deprecated", "error", err)
 }
 flags.Float64("rate-limit", 20, "max Slack API requests per second")
- flags.StringP("format", "f", "json", "output format (json, sarif, csv, table)")
+ flags.StringP("format", "f", "json", "output format (json, sarif, csv, table, github)")
 flags.StringP("output", "o", "", "output file (default: stdout)")
 flags.IntP("concurrency", "c", runtime.NumCPU(), "number of concurrent workers")
 flags.Int64("max-file-size", 10*1024*1024, "maximum file size in bytes")
diff --git a/docs/decisions/ADR-0009-github-marketplace-action.md b/docs/decisions/ADR-0009-github-marketplace-action.md
new file mode 100644
index 0000000..e787fcd
--- /dev/null
+++ b/docs/decisions/ADR-0009-github-marketplace-action.md
@@ -0,0 +1,133 @@ +# ADR-0009: GitHub Marketplace Action — Location & Runtime + +- **Status:** Accepted +- **Date:** 2026-05-24 +- **Decision Makers:** Project team + +## Context + +Leakwatch should be usable in GitHub workflows with a single line, discoverable +through the GitHub Marketplace — the same low-friction adoption path TruffleHog +OSS offers (`uses: trufflesecurity/trufflehog@main`). + +Two constraints shaped the design: + +1. **Marketplace requires the action metadata at the repository root.** GitHub + only publishes an action whose `action.yml`/`action.yaml` lives at the root of + a public repository, one published action per repository. +2. **Prebuilt artifacts already exist.** The release pipeline (`.goreleaser.yml`) + already produces cross-platform binaries + (`leakwatch___.tar.gz` + `checksums.txt`) and multi-arch + GHCR images on every `v*` tag. + +The previous action lived at `action/action.yml` (a subdirectory, not +publishable) and installed Leakwatch with `go install …@latest`, recompiling from +source on every run (slow, requires a Go toolchain). + +## Decision + +### 1. Publish from the main repository root + +The action metadata lives at the repository root `action.yml` and is consumed as +`uses: HodeTech/Leakwatch@v1`. No separate `leakwatch-action` repository is +created. + +A floating major tag (`v1`) is moved to each new stable release by the release +workflow, so consumers can pin `@v1` and receive the latest `v1.x`. + +### 2. Install a prebuilt binary (composite action) + +The action is a **composite** action that downloads the prebuilt release archive +matching the runner OS/arch, verifies its SHA-256 checksum against +`checksums.txt`, extracts it, and puts the binary on `PATH`. It does **not** +compile from source. 
+ +```mermaid +flowchart TD + A["uses: HodeTech/Leakwatch@v1"] --> B{version} + B -->|latest| C["resolve releases/latest → tag"] + B -->|vX.Y.Z| D[use tag] + C --> E["map RUNNER_OS / RUNNER_ARCH"] + D --> E + E --> F["download leakwatch_VER_os_arch.tar.gz + checksums.txt"] + F --> G["verify sha256"] + G --> H["extract, add to PATH"] + H --> I{event} + I -->|pull_request / push, git scan| J["--since-commit BASE"] + I -->|otherwise| K[full scan] + J --> L["leakwatch scan …"] + K --> L + L --> M["map exit code 0/1/≥2"] + M --> N["job summary + optional SARIF upload"] +``` + +### Rationale + +- **TruffleHog model.** Publishing from the main repo keeps the action versioned + in lock-step with the tool, leverages the repo's existing visibility, and + avoids the synchronization burden of a second repository. +- **Prebuilt over `go install`.** Reuses artifacts the release already ships; + scans start in seconds with no Go toolchain, and the checksum step adds + supply-chain integrity. + +## Alternatives Considered + +### Separate `HodeTech/leakwatch-action` repository + +- **Pros:** main repo stays free of action metadata; independent versioning. +- **Cons:** two repositories to keep in sync; the action and tool versions + decouple; a new repo starts with no visibility. +- **Decision:** Rejected. + +### Docker container action (`image: docker://ghcr.io/hodetech/leakwatch`) + +- **Pros:** simplest, fastest pull; uses the GHCR image already built. +- **Cons:** Linux-only; the image tag is static per action tag. +- **Decision:** Rejected as the primary mechanism; the GHCR image remains a + documented manual alternative (and the only option on Windows runners). + +### Keep `go install` + +- **Cons:** recompiles every run, requires a Go toolchain, slow. +- **Decision:** Rejected. + +## Consequences + +### Positive + +- Single-line, Marketplace-discoverable usage: `uses: HodeTech/Leakwatch@v1`. +- Fast, reproducible, checksum-verified install. 
+- New inputs (`output`, `remediation`, `config`, `scan-diff`, `extra-args`, + `working-directory`) and a job summary improve the CI experience. +- PR-diff scanning (`--since-commit`) and the `github` output format (inline + annotations) bring parity with comparable tools. + +### Negative + +- **Linux and macOS only.** The composite install script relies on + `$GITHUB_PATH` and POSIX tooling, which are reliable on Linux/macOS. Windows + runners are not supported by the action; users run on Linux/macOS or invoke the + GHCR image directly. (Future enhancement.) +- The `v1` tag must be maintained automatically (handled in the release + workflow) and consumers who want strict reproducibility should pin a full + release tag or commit SHA. + +## Publishing to the Marketplace (maintainer runbook) + +Publishing is a **manual, one-time** step that cannot be automated: + +1. Ensure the repository is **public** and `action.yml` is at the root. +2. Confirm the action `name:` ("Leakwatch Secret Scanner") is **unique** across + the Marketplace and does not collide with an existing GitHub user/org name. +3. On the maintainer account: enable **2FA** and accept the **GitHub Marketplace + Developer Agreement**. +4. Draft a GitHub **Release** for a version tag (e.g. `v1.5.0`). On the release + form, tick **"Publish this Action to the GitHub Marketplace"**, choose the + primary category **Security** (and a secondary such as *Continuous + integration*), then publish. +5. Verify the listing resolves at + `https://github.com/marketplace/actions/leakwatch-secret-scanner` and that + `uses: HodeTech/Leakwatch@v1` works from an external repository. + +The release workflow moves the `v1` tag automatically on each stable release; no +manual tag bookkeeping is required after the first publish. diff --git a/docs/decisions/README.md b/docs/decisions/README.md index 46699bc..068972d 100644 --- a/docs/decisions/README.md +++ b/docs/decisions/README.md 
@@ -29,3 +29,4 @@ Each ADR follows the structure below: | [ADR-0006](ADR-0006-container-library.md) | Container Library: go-containerregistry | Accepted | 2026-03-24 | | [ADR-0007](ADR-0007-license.md) | License: MIT | Accepted | 2026-03-24 | | [ADR-0008](ADR-0008-concurrency-model.md) | Concurrency: Worker Pool | Accepted | 2026-03-24 | +| [ADR-0009](ADR-0009-github-marketplace-action.md) | GitHub Marketplace Action: Location & Runtime | Accepted | 2026-05-24 | diff --git a/docs/guides/ci-cd-integration.md b/docs/guides/ci-cd-integration.md index 8f8eae4..82a0bdc 100644 --- a/docs/guides/ci-cd-integration.md +++ b/docs/guides/ci-cd-integration.md @@ -107,7 +107,7 @@ jobs: go-version: '1.25' - name: Leakwatch Scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: fs only-verified: true @@ -146,7 +146,7 @@ jobs: go-version: '1.25' - name: Leakwatch Scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: git format: sarif @@ -254,7 +254,7 @@ jobs: go-version: '1.25' - name: Full history scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: git format: sarif @@ -342,7 +342,7 @@ jobs: go-version: '1.25' - name: Filesystem scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: fs format: sarif @@ -364,7 +364,7 @@ jobs: go-version: '1.25' - name: Full history scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: git format: sarif diff --git a/docs/user-manuals/en/ci-cd/github-action.md b/docs/user-manuals/en/ci-cd/github-action.md index 6174ade..6aae537 100644 --- a/docs/user-manuals/en/ci-cd/github-action.md +++ b/docs/user-manuals/en/ci-cd/github-action.md 
@@ -5,7 +5,11 @@ description: "Use the official Leakwatch GitHub Action to scan for secrets in yo # GitHub Action -Every push to your repository is an opportunity for a secret to slip through. The official **Leakwatch GitHub Action** (`HodeTech/leakwatch-action@v1`) integrates Leakwatch directly into your GitHub workflow — it installs the tool, runs a scan, maps exit codes, and optionally uploads SARIF results to GitHub Code Scanning, all without any external service dependency. +Every push to your repository is an opportunity for a secret to slip through. The official **Leakwatch GitHub Action** — published on the GitHub Marketplace and used as `HodeTech/Leakwatch@v1` — integrates Leakwatch directly into your GitHub workflow. It downloads the prebuilt Leakwatch binary for the runner (no Go toolchain or compilation step), runs a scan, maps exit codes, writes a job summary, and optionally uploads SARIF results to GitHub Code Scanning — all without any external service dependency. + +:::note +**Supported runners:** the action runs on Linux (`ubuntu-*`) and macOS (`macos-*`) runners. Windows runners are not supported yet; run the scan on a Linux/macOS runner or use the container image `ghcr.io/hodetech/leakwatch`. +::: ## Quick start @@ -22,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: HodeTech/leakwatch-action@v1 + - uses: HodeTech/Leakwatch@v1 ``` With only the defaults, the action scans the filesystem (`scan-type: fs`), produces SARIF output, skips live verification (`no-verify: true`), and fails the job if any finding is reported. @@ -51,7 +55,7 @@ jobs: - uses: actions/checkout@v4 - name: Scan for secrets - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: fs path: . 
@@ -72,13 +76,19 @@ SARIF upload requires the job to declare `permissions: security-events: write`. |-------|---------|-------------| | `scan-type` | `fs` | Scan type to run: `fs`, `git`, or `image`. | | `path` | `.` | Path to scan (for `fs`/`git`) or image reference (for `image`). | -| `format` | `sarif` | Output format: `json`, `sarif`, `csv`, or `table`. | +| `format` | `sarif` | Output format: `sarif`, `json`, `csv`, `table`, or `github` (inline pull-request annotations). | +| `output` | `` | Write formatted output to this file (relative to `working-directory`). Ignored for `format: github`. When empty and `format: sarif`, defaults to `results.sarif`. | | `only-verified` | `false` | Report only findings confirmed active by live verification. | | `no-verify` | `true` | Disable secret verification (no outbound calls to providers). | | `min-severity` | `low` | Minimum severity to report: `low`, `medium`, `high`, or `critical`. | +| `remediation` | `false` | Include remediation guidance in the output. | +| `config` | `` | Path to a `.leakwatch.yaml` configuration file. | +| `scan-diff` | `auto` | For `git` scans, scan only commits new to the event. `auto` enables this on `pull_request`/`push`, `true` forces it, `false` always scans full history. Requires `actions/checkout` with `fetch-depth: 0`. | +| `extra-args` | `` | Additional raw arguments appended to the `leakwatch scan` command (space-separated). | +| `working-directory` | `.` | Directory to run the scan from. | | `sarif-upload` | `false` | Upload SARIF results to GitHub Code Scanning after the scan. | -| `fail-on-findings` | `true` | Fail the workflow step when findings are reported (exit code 1). When `false`, a `::warning::` annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code 2) always fail the step regardless of this setting. | -| `version` | `latest` | Leakwatch version to install. Use a tag such as `v1.5.0` to pin a specific release. 
| +| `fail-on-findings` | `true` | Fail the workflow step when findings are reported (exit code 1). When `false`, a `::warning::` annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code ≥ 2) always fail the step regardless of this setting. | +| `version` | `latest` | Leakwatch version to install: `latest`, or a release tag such as `v1.5.0` to pin a specific release. | ## Outputs @@ -94,7 +104,7 @@ By default, `no-verify` is `true` — live verification is **off** in CI. This k To enable verification in CI, set `no-verify: "false"`: ```yaml -- uses: HodeTech/leakwatch-action@v1 +- uses: HodeTech/Leakwatch@v1 with: no-verify: "false" ``` @@ -118,7 +128,7 @@ The upload step runs with `if: always()`, so results are uploaded even when `fai ```yaml - name: Scan for secrets id: scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: fail-on-findings: "false" # let the workflow continue 
@@ -131,12 +141,46 @@ The upload step runs with `if: always()`, so results are uploaded even when `fai For reproducible builds, pin `version` to a specific tag: ```yaml -- uses: HodeTech/leakwatch-action@v1 +- uses: HodeTech/Leakwatch@v1 with: version: "v1.5.0" ``` -This installs exactly `github.com/HodeTech/leakwatch@v1.5.0` via `go install`. +This downloads the prebuilt `v1.5.0` binary from the [Leakwatch releases](https://github.com/HodeTech/Leakwatch/releases) and verifies its SHA-256 checksum before running. For maximum supply-chain safety you can also pin the action itself to a commit SHA, e.g. `uses: HodeTech/Leakwatch@`. + +## Scanning only changed code (pull-request diff) + +For `git` scans the action can limit the scan to the commits a pull request or push actually introduces, instead of the full history. This is faster and surfaces only newly added secrets. It is controlled by `scan-diff` (default `auto`) and requires a full checkout so the base commit is available locally: + +```yaml +jobs: + leakwatch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # required so the PR base commit is present + - uses: HodeTech/Leakwatch@v1 + with: + scan-type: git + path: . + # scan-diff: auto (default) — on pull_request/push, scans base..HEAD only +``` + +On a `pull_request` event the action scans from `github.event.pull_request.base.sha`; on a `push` event from `github.event.before`. Set `scan-diff: "false"` to always scan the full history, or `scan-diff: "true"` to force diff mode. `scan-diff` has no effect on `fs`/`image` scans. 
+ +## Inline pull-request annotations + +Set `format: github` to emit the findings as GitHub Actions workflow commands, which appear as inline annotations on the pull request's **Files changed** view and in the run log: + +```yaml +- uses: HodeTech/Leakwatch@v1 + with: + format: github + fail-on-findings: "false" # annotate without blocking, if you prefer +``` + +Annotations always show the **redacted** value only — the raw secret is never written to the (often public) PR UI or logs. Use `format: github` for fast, visible PR feedback, or `format: sarif` with `sarif-upload: true` to record findings as Code Scanning alerts under the **Security** tab. ## See also diff --git a/docs/user-manuals/en/output/output-formats.md b/docs/user-manuals/en/output/output-formats.md index 94b394f..0af6ee6 100644 --- a/docs/user-manuals/en/output/output-formats.md +++ b/docs/user-manuals/en/output/output-formats.md 
@@ -1,17 +1,18 @@ --- title: "Output Formats" -description: "The four output formats Leakwatch supports — JSON, SARIF, CSV, and table — with examples and guidance on when to use each." +description: "The five output formats Leakwatch supports — JSON, SARIF, CSV, table, and GitHub annotations — with examples and guidance on when to use each." --- # Output Formats -Leakwatch supports four output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, and human-readable terminal review. Select a format with `--format` (or `-f`); write to a file instead of stdout with `--output` (or `-o`). +Leakwatch supports five output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, human-readable terminal review, and GitHub Actions annotations. Select a format with `--format` (or `-f`); write to a file instead of stdout with `--output` (or `-o`). ```bash leakwatch scan fs . --format json leakwatch scan fs . --format sarif --output results.sarif leakwatch scan fs . --format csv --output findings.csv leakwatch scan fs . --format table +leakwatch scan fs . --format github # GitHub Actions annotations (CI use) ``` The default format is `json`. 
@@ -146,11 +147,33 @@ HIGH aws-access-key-id config/aws.yml AKIA****K7NP unveri Found 2 secrets (1 critical, 1 high). ``` +## GitHub annotations + +The `github` format emits [GitHub Actions workflow commands](https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions) (`::error` / `::warning` / `::notice`) so findings appear as **inline annotations** on a pull request's *Files changed* view and in the run log. It is intended to be streamed to the runner's stdout — writing it to a file has no effect. + +Severity maps to the annotation level: `critical` → `error`, `high` → `warning`, `medium`/`low` → `notice`. A finding with a file path is anchored to that file and line; a finding without one becomes a run-level annotation. + +For safety, this format **never** prints the raw secret — only the redacted value is shown, even with `--show-raw`, because annotations render in the (often public) PR UI and logs. + +### Example invocation + +```bash +leakwatch scan fs . --format github +``` + +### Example output + +```text +::error file=config/prod.env,line=12,title=Leakwatch%3A aws-access-key-id::Potential secret detected by aws-access-key-id (critical): AKIA****K7NP +``` + +This format is normally driven by the [GitHub Action](#/ci-cd/github-action) (`format: github`) rather than invoked by hand. + ## Common output flags | Flag | Short | Description | |---|---|---| -| `--format` | `-f` | Output format: `json`, `sarif`, `csv`, `table` (default `json`) | +| `--format` | `-f` | Output format: `json`, `sarif`, `csv`, `table`, `github` (default `json`) | | `--output` | `-o` | Write to file instead of stdout | | `--show-raw` | | Include unredacted secret value in output | | `--min-severity` | | Drop findings below this severity level | diff --git a/docs/user-manuals/tr/ci-cd/github-action.md b/docs/user-manuals/tr/ci-cd/github-action.md index ac870a2..c34c3dd 100644 --- a/docs/user-manuals/tr/ci-cd/github-action.md 
+++ b/docs/user-manuals/tr/ci-cd/github-action.md @@ -5,7 +5,11 @@ description: "GitHub iş akışlarında sır taraması yapmak için resmi Leakwa # GitHub Action -Deponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. Resmi **Leakwatch GitHub Action** (`HodeTech/leakwatch-action@v1`), Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder — aracı kurar, taramayı çalıştırır, çıkış kodlarını işler ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler; bunların hepsini harici bir servis bağımlılığı olmadan yapar. +Deponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. GitHub Marketplace'te yayımlanan ve `HodeTech/Leakwatch@v1` olarak kullanılan resmi **Leakwatch GitHub Action**, Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder. Runner için önceden derlenmiş Leakwatch ikilisini indirir (Go araç zinciri veya derleme adımı gerekmez), taramayı çalıştırır, çıkış kodlarını işler, bir iş özeti (job summary) yazar ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler — bunların hepsini harici bir servis bağımlılığı olmadan yapar. + +:::note +**Desteklenen runner'lar:** action, Linux (`ubuntu-*`) ve macOS (`macos-*`) runner'larında çalışır. Windows runner'ları henüz desteklenmemektedir; taramayı bir Linux/macOS runner'ında çalıştırın veya `ghcr.io/hodetech/leakwatch` konteyner imajını kullanın. +::: ## Hızlı başlangıç @@ -22,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: HodeTech/leakwatch-action@v1 + - uses: HodeTech/Leakwatch@v1 ``` Yalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (`scan-type: fs`), SARIF çıktısı üretir, canlı doğrulamayı atlar (`no-verify: true`) ve herhangi bir bulgu raporlandığında işi başarısız kılar. @@ -51,7 +55,7 @@ jobs: - uses: actions/checkout@v4 - name: Sırları tara - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: scan-type: fs path: . 
@@ -72,13 +76,19 @@ SARIF yüklemesi, işin `permissions: security-events: write` bildirmesini gerek |-------|-----------|----------| | `scan-type` | `fs` | Çalıştırılacak tarama türü: `fs`, `git` veya `image`. | | `path` | `.` | Taranacak yol (`fs`/`git` için) veya imaj referansı (`image` için). | -| `format` | `sarif` | Çıktı biçimi: `json`, `sarif`, `csv` veya `table`. | +| `format` | `sarif` | Çıktı biçimi: `sarif`, `json`, `csv`, `table` veya `github` (satır içi pull-request ek açıklamaları). | +| `output` | `` | Biçimlendirilmiş çıktıyı bu dosyaya yaz (`working-directory`'ye göreli). `format: github` için yok sayılır. Boş ve `format: sarif` ise varsayılan `results.sarif`'tir. | | `only-verified` | `false` | Yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla. | | `no-verify` | `true` | Sır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz). | | `min-severity` | `low` | Raporlanacak minimum önem derecesi: `low`, `medium`, `high` veya `critical`. | +| `remediation` | `false` | Çıktıya giderme (remediation) rehberi ekle. | +| `config` | `` | Bir `.leakwatch.yaml` yapılandırma dosyasının yolu. | +| `scan-diff` | `auto` | `git` taramalarında yalnızca olaya yeni gelen commit'leri tara. `auto`, bunu `pull_request`/`push` olaylarında etkinleştirir; `true` zorlar; `false` her zaman tüm geçmişi tarar. `actions/checkout` ile `fetch-depth: 0` gerektirir. | +| `extra-args` | `` | `leakwatch scan` komutuna eklenen ek ham argümanlar (boşlukla ayrılmış). | +| `working-directory` | `.` | Taramanın çalıştırılacağı dizin. | | `sarif-upload` | `false` | Taramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle. | -| `fail-on-findings` | `true` | Bulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. `false` olarak ayarlandığında adım başarısız olmak yerine `::warning::` ek açıklaması yayar. Ciddi hatalar (çıkış kodu 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar. 
| -| `version` | `latest` | Kurulacak Leakwatch sürümü. Belirli bir sürümü sabitlemek için `v1.5.0` gibi bir etiket kullanın. | +| `fail-on-findings` | `true` | Bulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. `false` olarak ayarlandığında adım başarısız olmak yerine `::warning::` ek açıklaması yayar. Ciddi hatalar (çıkış kodu ≥ 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar. | +| `version` | `latest` | Kurulacak Leakwatch sürümü: `latest` veya belirli bir sürümü sabitlemek için `v1.5.0` gibi bir etiket. | ## Çıktılar @@ -94,7 +104,7 @@ Varsayılan olarak `no-verify` değeri `true`'dur — CI'da canlı doğrulama ** CI'da doğrulamayı etkinleştirmek için `no-verify: "false"` olarak ayarlayın: ```yaml -- uses: HodeTech/leakwatch-action@v1 +- uses: HodeTech/Leakwatch@v1 with: no-verify: "false" ``` @@ -118,7 +128,7 @@ Yükleme adımı `if: always()` ile çalışır; dolayısıyla `fail-on-findings ```yaml - name: Sırları tara id: scan - uses: HodeTech/leakwatch-action@v1 + uses: HodeTech/Leakwatch@v1 with: fail-on-findings: "false" # iş akışının devam etmesine izin ver 
@@ -131,12 +141,46 @@ Yükleme adımı `if: always()` ile çalışır; dolayısıyla `fail-on-findings Yeniden üretilebilir derlemeler için `version` değerini belirli bir etikete sabitleyin: ```yaml -- uses: HodeTech/leakwatch-action@v1 +- uses: HodeTech/Leakwatch@v1 with: version: "v1.5.0" ``` -Bu, `go install` aracılığıyla tam olarak `github.com/HodeTech/leakwatch@v1.5.0`'ı kurar. +Bu, önceden derlenmiş `v1.5.0` ikilisini [Leakwatch sürümlerinden](https://github.com/HodeTech/Leakwatch/releases) indirir ve çalıştırmadan önce SHA-256 sağlama toplamını doğrular. En yüksek tedarik zinciri güvenliği için action'ın kendisini de bir commit SHA'sına sabitleyebilirsiniz: `uses: HodeTech/Leakwatch@`. + +## Yalnızca değişen kodu tarama (pull-request diff) + +`git` taramalarında action, taramayı bir pull request veya push'un gerçekten getirdiği commit'lerle sınırlayabilir; bu daha hızlıdır ve yalnızca yeni eklenen sırları yüzeye çıkarır. `scan-diff` (varsayılan `auto`) ile kontrol edilir ve base commit'in yerel olarak bulunması için tam bir checkout gerektirir: + +```yaml +jobs: + leakwatch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # PR base commit'inin mevcut olması için gerekli + - uses: HodeTech/Leakwatch@v1 + with: + scan-type: git + path: . + # scan-diff: auto (varsayılan) — pull_request/push'ta yalnızca base..HEAD taranır +``` + +`pull_request` olayında action `github.event.pull_request.base.sha`'dan; `push` olayında `github.event.before`'dan itibaren tarar. Her zaman tüm geçmişi taramak için `scan-diff: "false"`, diff modunu zorlamak için `scan-diff: "true"` kullanın. `scan-diff`'in `fs`/`image` taramalarında etkisi yoktur. 
+ +## Satır içi pull-request ek açıklamaları + +Bulguları GitHub Actions iş akışı komutları olarak yaymak için `format: github` ayarlayın; bunlar pull request'in **Files changed** görünümünde ve çalışma günlüğünde satır içi ek açıklamalar olarak görünür: + +```yaml +- uses: HodeTech/Leakwatch@v1 + with: + format: github + fail-on-findings: "false" # isterseniz engellemeden yalnızca ek açıklama yapın +``` + +Ek açıklamalar her zaman yalnızca **redakte edilmiş** değeri gösterir — ham sır, (çoğu zaman herkese açık olan) PR arayüzüne veya günlüklere asla yazılmaz. Hızlı ve görünür PR geri bildirimi için `format: github`, bulguları **Security** sekmesinde Code Scanning uyarıları olarak kaydetmek için `sarif-upload: true` ile `format: sarif` kullanın. ## Ayrıca bakın diff --git a/docs/user-manuals/tr/output/output-formats.md b/docs/user-manuals/tr/output/output-formats.md index 4150aa3..b8251f4 100644 --- a/docs/user-manuals/tr/output/output-formats.md +++ b/docs/user-manuals/tr/output/output-formats.md 
@@ -1,17 +1,18 @@ --- title: "Çıktı Formatları" -description: "Leakwatch'ın desteklediği dört çıktı formatı — JSON, SARIF, CSV ve tablo — örnekler ve her birini ne zaman kullanacağınıza dair rehberlik." +description: "Leakwatch'ın desteklediği beş çıktı formatı — JSON, SARIF, CSV, tablo ve GitHub ek açıklamaları — örnekler ve her birini ne zaman kullanacağınıza dair rehberlik." --- # Çıktı Formatları -Leakwatch dört çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları ve insan tarafından okunabilir terminal incelemesi. `--format` (veya `-f`) ile bir format seçin; stdout yerine bir dosyaya yazmak için `--output` (veya `-o`) kullanın. +Leakwatch beş çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları, insan tarafından okunabilir terminal incelemesi ve GitHub Actions ek açıklamaları. `--format` (veya `-f`) ile bir format seçin; stdout yerine bir dosyaya yazmak için `--output` (veya `-o`) kullanın. ```bash leakwatch scan fs . --format json leakwatch scan fs . --format sarif --output results.sarif leakwatch scan fs . --format csv --output findings.csv leakwatch scan fs . --format table +leakwatch scan fs . --format github # GitHub Actions ek açıklamaları (CI kullanımı) ``` Varsayılan format `json`'dur. 
@@ -146,11 +147,33 @@ HIGH aws-access-key-id config/aws.yml AKIA****K7NP unveri Found 2 secrets (1 critical, 1 high). ``` +## GitHub ek açıklamaları + +`github` formatı, [GitHub Actions iş akışı komutlarını](https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions) (`::error` / `::warning` / `::notice`) yayar; böylece bulgular bir pull request'in *Files changed* görünümünde ve çalışma günlüğünde **satır içi ek açıklamalar** olarak görünür. Runner'ın stdout'una akıtılmak üzere tasarlanmıştır — bir dosyaya yazmanın etkisi yoktur. + +Önem derecesi ek açıklama seviyesine eşlenir: `critical` → `error`, `high` → `warning`, `medium`/`low` → `notice`. Dosya yolu olan bir bulgu o dosya ve satıra bağlanır; dosya yolu olmayan bir bulgu çalışma düzeyinde (run-level) bir ek açıklama olur. + +Güvenlik için bu format ham sırrı **asla** yazdırmaz — `--show-raw` ile bile yalnızca redakte edilmiş değer gösterilir; çünkü ek açıklamalar (çoğu zaman herkese açık olan) PR arayüzünde ve günlüklerde görüntülenir. + +### Örnek çağrı + +```bash +leakwatch scan fs . --format github +``` + +### Örnek çıktı + +```text +::error file=config/prod.env,line=12,title=Leakwatch%3A aws-access-key-id::Potential secret detected by aws-access-key-id (critical): AKIA****K7NP +``` + +Bu format normalde elle çağrılmak yerine [GitHub Action](#/ci-cd/github-action) (`format: github`) tarafından kullanılır. + ## Yaygın çıktı bayrakları | Bayrak | Kısa | Açıklama | |---|---|---| -| `--format` | `-f` | Çıktı formatı: `json`, `sarif`, `csv`, `table` (varsayılan `json`) | +| `--format` | `-f` | Çıktı formatı: `json`, `sarif`, `csv`, `table`, `github` (varsayılan `json`) | | `--output` | `-o` | stdout yerine dosyaya yaz | | `--show-raw` | | Çıktıya maskelenmemiş sır değerini dahil et | | `--min-severity` | | Bu önem seviyesinin altındaki bulguları bırak | diff --git a/internal/config/config.go b/internal/config/config.go index 96717c0..b8541c1 100644 --- a/internal/config/config.go 
+++ b/internal/config/config.go @@ -13,10 +13,11 @@ import ( // Supported output formats. var validFormats = map[string]bool{ - "json": true, - "sarif": true, - "csv": true, - "table": true, + "json": true, + "sarif": true, + "csv": true, + "table": true, + "github": true, } // Supported severity levels for output.severity-threshold. diff --git a/internal/output/github/github_formatter.go b/internal/output/github/github_formatter.go new file mode 100644 index 0000000..5bc2a05 --- /dev/null +++ b/internal/output/github/github_formatter.go 
@@ -0,0 +1,129 @@
+// Package github provides an output formatter that emits GitHub Actions
+// workflow commands (::error / ::warning / ::notice) so Leakwatch findings show
+// up as inline annotations on pull requests and in the workflow run log.
+//
+// The format is meant to be written to the Actions runner's stdout: workflow
+// commands are only interpreted on the live command stream, so writing them to a
+// file has no effect. For safety, this formatter NEVER emits the raw secret
+// value — annotations render in the (often public) PR UI and run logs, so only
+// the redacted value is shown regardless of any --show-raw setting.
+//
+// Reference: https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
+package github
+
+import (
+ "fmt"
+ "io"
+ "strings"
+
+ "github.com/HodeTech/leakwatch/pkg/finding"
+)
+
+// Formatter emits findings as GitHub Actions workflow commands.
+type Formatter struct{}
+
+// Format writes one workflow command per finding to w. A finding with a known
+// file path is anchored to that file and line so GitHub renders it inline on the
+// "Files changed" view; a finding without a file path becomes a run-level
+// annotation (no file/line properties).
+func (f *Formatter) Format(w io.Writer, findings []finding.Finding) error {
+ var b strings.Builder
+ for i := range findings {
+ writeCommand(&b, findings[i])
+ }
+ if _, err := io.WriteString(w, b.String()); err != nil {
+ return fmt.Errorf("failed to write GitHub annotations: %w", err)
+ }
+ return nil
+}
+
+// FileExtension returns the file extension for this format. Workflow commands
+// are intended for stdout, not a file; ".txt" is returned to satisfy the
+// Formatter contract.
+func (f *Formatter) FileExtension() string {
+ return ".txt"
+}
+
+// writeCommand appends a single workflow command for fd to b.
+func writeCommand(b *strings.Builder, fd finding.Finding) {
+ props := make([]string, 0, 3)
+ if path := fd.SourceMetadata.FilePath; path != "" {
+ props = append(props, "file="+escapeProperty(path))
+ if fd.SourceMetadata.Line > 0 {
+ props = append(props, fmt.Sprintf("line=%d", fd.SourceMetadata.Line))
+ }
+ }
+ props = append(props, "title="+escapeProperty(annotationTitle(fd)))
+
+ b.WriteString("::")
+ b.WriteString(severityToLevel(fd.Severity))
+ b.WriteByte(' ')
+ b.WriteString(strings.Join(props, ","))
+ b.WriteString("::")
+ b.WriteString(escapeData(annotationMessage(fd)))
+ b.WriteByte('\n')
+}
+
+// severityToLevel maps a finding severity to a GitHub annotation level. GitHub
+// supports only error/warning/notice, so medium and low both map to "notice".
+func severityToLevel(s finding.Severity) string {
+ switch s {
+ case finding.SeverityCritical:
+ return "error"
+ case finding.SeverityHigh:
+ return "warning"
+ case finding.SeverityMedium, finding.SeverityLow:
+ return "notice"
+ default:
+ return "notice"
+ }
+}
+
+// annotationTitle is the bold heading GitHub shows above the annotation.
+func annotationTitle(fd finding.Finding) string {
+ return "Leakwatch: " + fd.DetectorID
+}
+
+// annotationMessage is the annotation body. It uses only the redacted value and
+// appends the verification verdict so an active key is visibly an incident.
+func annotationMessage(fd finding.Finding) string {
+ var sb strings.Builder
+ sb.WriteString("Potential secret detected by ")
+ sb.WriteString(fd.DetectorID)
+ sb.WriteString(" (")
+ sb.WriteString(fd.Severity.String())
+ sb.WriteByte(')')
+ if fd.Redacted != "" {
+ sb.WriteString(": ")
+ sb.WriteString(fd.Redacted)
+ }
+ switch fd.Verification.Status {
+ case finding.StatusVerifiedActive:
+ sb.WriteString(" — verified ACTIVE; rotate this credential immediately")
+ case finding.StatusVerifiedInactive:
+ sb.WriteString(" — verified inactive")
+ case finding.StatusUnverified, finding.StatusVerifyError:
+ // No suffix: status is unknown, so don't imply a verdict.
+ }
+ return sb.String()
+}
+
+// escapeData escapes a workflow command's message payload. Percent is replaced
+// first so the escape sequences introduced below are not double-escaped.
+func escapeData(s string) string {
+ s = strings.ReplaceAll(s, "%", "%25")
+ s = strings.ReplaceAll(s, "\r", "%0D")
+ s = strings.ReplaceAll(s, "\n", "%0A")
+ return s
+}
+
+// escapeProperty escapes a workflow command property value. In addition to the
+// message escapes, "," and ":" are encoded because they delimit properties.
+func escapeProperty(s string) string {
+ s = strings.ReplaceAll(s, "%", "%25")
+ s = strings.ReplaceAll(s, "\r", "%0D")
+ s = strings.ReplaceAll(s, "\n", "%0A")
+ s = strings.ReplaceAll(s, ":", "%3A")
+ s = strings.ReplaceAll(s, ",", "%2C")
+ return s
+}
diff --git a/internal/output/github/github_formatter_test.go b/internal/output/github/github_formatter_test.go
new file mode 100644
index 0000000..85b1381
--- /dev/null
+++ b/internal/output/github/github_formatter_test.go
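Review bot: writeCommand passes `fd.SourceMetadata.FilePath` straight into the `file=` property, but GitHub only anchors an annotation inline when that path is relative to the checkout root, so an absolute path or a path relative to a scanned subdirectory will, as far as I can tell, either fall back to a run-level annotation or point at the wrong file. The package comment should state the contract the caller has to meet, e.g. `// file= must be a path relative to GITHUB_WORKSPACE; rebase paths before calling Format when the scan root is a subdirectory.` Worth documenting on Format as well: the runner caps the annotations it surfaces per step (roughly ten per level) and drops the rest without any marker, so on a noisy scan most findings never reach the PR view — the doc should point readers to the SARIF upload or the job summary for the complete list, or Format could end with one extra `::warning::` command stating how many findings were not shown. Minor style point in severityToLevel: the `case finding.SeverityMedium, finding.SeverityLow:` branch returns the same value as `default`, so either fold it into the default or keep it and turn the default into a comment explaining that unknown severities are intentionally downgraded to notice.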
@@ -0,0 +1,230 @@
+package github
+
+import (
+ "bytes"
+ "strings"
+ "testing"
+
+ "github.com/HodeTech/leakwatch/pkg/finding"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestFormatter_Format_EmptyFindings_WritesNothing(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ err := f.Format(&buf, []finding.Finding{})
+ require.NoError(t, err)
+ assert.Empty(t, buf.String())
+}
+
+func TestFormatter_Format_SingleFinding_EmitsErrorAnnotationWithFileAndLine(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ findings := []finding.Finding{
+ {
+ DetectorID: "aws-access-key-id",
+ Severity: finding.SeverityCritical,
+ Redacted: "AKIA****MPLE",
+ SourceMetadata: finding.SourceMetadata{
+ SourceType: "filesystem",
+ FilePath: "config/prod.yaml",
+ Line: 42,
+ },
+ },
+ }
+
+ err := f.Format(&buf, findings)
+ require.NoError(t, err)
+
+ out := buf.String()
+ assert.True(t, strings.HasPrefix(out, "::error "), "critical maps to ::error, got %q", out)
+ assert.Contains(t, out, "file=config/prod.yaml")
+ assert.Contains(t, out, "line=42")
+ assert.Contains(t, out, "title=Leakwatch%3A aws-access-key-id") // ':' escaped in property
+ assert.Contains(t, out, "AKIA****MPLE")
+ assert.True(t, strings.HasSuffix(out, "\n"), "command must end with newline")
+ assert.Equal(t, 1, strings.Count(out, "\n"), "exactly one annotation expected")
+}
+
+func TestFormatter_Format_SeverityMapsToAnnotationLevel(t *testing.T) {
+ tests := []struct {
+ name string
+ severity finding.Severity
+ wantLevel string
+ }{
+ {"critical -> error", finding.SeverityCritical, "::error "},
+ {"high -> warning", finding.SeverityHigh, "::warning "},
+ {"medium -> notice", finding.SeverityMedium, "::notice "},
+ {"low -> notice", finding.SeverityLow, "::notice "},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "generic-api-key",
+ Severity: tt.severity,
+ Redacted: "abc****xyz",
+ SourceMetadata: finding.SourceMetadata{FilePath: "a.txt", Line: 1},
+ }})
+ require.NoError(t, err)
+ assert.True(t, strings.HasPrefix(buf.String(), tt.wantLevel),
+ "want prefix %q, got %q", tt.wantLevel, buf.String())
+ })
+ }
+}
+
+func TestFormatter_Format_NoFilePath_EmitsRunLevelAnnotation(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ // Slack/container findings may have no file path.
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "slack-token",
+ Severity: finding.SeverityHigh,
+ Redacted: "xoxb-****",
+ SourceMetadata: finding.SourceMetadata{SourceType: "slack"},
+ }})
+ require.NoError(t, err)
+
+ out := buf.String()
+ assert.True(t, strings.HasPrefix(out, "::warning "))
+ assert.NotContains(t, out, "file=")
+ assert.NotContains(t, out, "line=")
+ assert.Contains(t, out, "title=Leakwatch%3A slack-token")
+}
+
+func TestFormatter_Format_FilePathWithoutLine_OmitsLineProperty(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "private-key",
+ Severity: finding.SeverityHigh,
+ Redacted: "----****----",
+ SourceMetadata: finding.SourceMetadata{FilePath: "id_rsa"},
+ }})
+ require.NoError(t, err)
+
+ out := buf.String()
+ assert.Contains(t, out, "file=id_rsa")
+ assert.NotContains(t, out, "line=")
+}
+
+func TestFormatter_Format_VerifiedActive_MessageFlagsIncident(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "github-token",
+ Severity: finding.SeverityCritical,
+ Redacted: "ghp_****",
+ SourceMetadata: finding.SourceMetadata{FilePath: ".env", Line: 3},
+ Verification: finding.VerificationResult{Status: finding.StatusVerifiedActive},
+ }})
+ require.NoError(t, err)
+ assert.Contains(t, buf.String(), "verified ACTIVE")
+}
+
+func TestFormatter_Format_EscapesPropertiesAndData(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ // A file
path with characters that delimit workflow-command properties, and
+ // a redacted value containing a newline, must be percent-encoded so the
+ // command is not broken or injectable.
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "generic-api-key",
+ Severity: finding.SeverityLow,
+ Redacted: "line1\nline2",
+ SourceMetadata: finding.SourceMetadata{FilePath: "weird,name:file.txt", Line: 7},
+ }})
+ require.NoError(t, err)
+
+ out := buf.String()
+ // Property escaping: ',' -> %2C and ':' -> %3A inside file=...
+ assert.Contains(t, out, "file=weird%2Cname%3Afile.txt")
+ // Data escaping: newline -> %0A inside the message payload.
+ assert.Contains(t, out, "line1%0Aline2")
+ // The raw delimiters must not survive in the encoded path.
+ assert.NotContains(t, out, "weird,name:file.txt")
+ // Output is still a single line (no literal newline injected mid-command).
+ assert.Equal(t, 1, strings.Count(out, "\n"))
+}
+
+func TestFormatter_Format_NeverEmitsRawSecret(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ const raw = "this-raw-value-must-never-be-emitted"
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "aws-access-key-id",
+ Severity: finding.SeverityCritical,
+ Raw: raw,
+ Redacted: "AKIA****ALUE",
+ SourceMetadata: finding.SourceMetadata{FilePath: "a.txt", Line: 1},
+ }})
+ require.NoError(t, err)
+ assert.NotContains(t, buf.String(), raw, "raw secret must never appear in annotations")
+}
+
+func TestFormatter_Format_MultipleFindings_OneCommandPerLine(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ findings := []finding.Finding{
+ {DetectorID: "aws-access-key-id", Severity: finding.SeverityCritical, Redacted: "AKIA****", SourceMetadata: finding.SourceMetadata{FilePath: "a", Line: 1}},
+ {DetectorID: "jwt", Severity: finding.SeverityHigh, Redacted: "eyJ****", SourceMetadata: finding.SourceMetadata{FilePath: "b", Line: 2}},
+ {DetectorID: "generic-api-key", Severity: finding.SeverityMedium, Redacted: "x****y",
SourceMetadata: finding.SourceMetadata{FilePath: "c", Line: 3}},
+ }
+ err := f.Format(&buf, findings)
+ require.NoError(t, err)
+
+ lines := strings.Split(strings.TrimRight(buf.String(), "\n"), "\n")
+ require.Len(t, lines, 3)
+ assert.True(t, strings.HasPrefix(lines[0], "::error "))
+ assert.True(t, strings.HasPrefix(lines[1], "::warning "))
+ assert.True(t, strings.HasPrefix(lines[2], "::notice "))
+}
+
+func TestFormatter_Format_VerifiedInactive_MessageNotesInactive(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "stripe-api-key-test",
+ Severity: finding.SeverityMedium,
+ Redacted: "sk_test_****",
+ SourceMetadata: finding.SourceMetadata{FilePath: ".env", Line: 9},
+ Verification: finding.VerificationResult{Status: finding.StatusVerifiedInactive},
+ }})
+ require.NoError(t, err)
+
+ out := buf.String()
+ assert.Contains(t, out, "verified inactive")
+ assert.NotContains(t, out, "ACTIVE")
+}
+
+func TestFormatter_Format_UnknownSeverity_FallsBackToNotice(t *testing.T) {
+ f := &Formatter{}
+ var buf bytes.Buffer
+
+ // A severity outside the known set must not panic and should default to the
+ // lowest annotation level.
+ err := f.Format(&buf, []finding.Finding{{
+ DetectorID: "generic-api-key",
+ Severity: finding.Severity(99),
+ Redacted: "x****y",
+ SourceMetadata: finding.SourceMetadata{FilePath: "a.txt", Line: 1},
+ }})
+ require.NoError(t, err)
+ assert.True(t, strings.HasPrefix(buf.String(), "::notice "))
+}
+
+func TestFormatter_FileExtension_ReturnsTXT(t *testing.T) {
+ f := &Formatter{}
+ assert.Equal(t, ".txt", f.FileExtension())
+}
From 91a2c0d348dd7244e5f01c597f9a29adb1287c65 Mon Sep 17 00:00:00 2001
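Review bot: TestFormatter_Format_EscapesPropertiesAndData never feeds a literal `%` through the formatter, so the replacement order that the escapeData and escapeProperty comments rely on (percent first, so the `%0A`/`%0D`/`%3A` sequences produced afterwards are not re-encoded) has no regression guard. One extra case covers it: a finding with `Redacted: "50%0Aoff"` should yield output containing `50%250Aoff`, and a carriage return is likewise untested — `Redacted: "a\rb"` should produce `a%0Db`. The same four-field finding literal is rebuilt in nearly every test in this file; a small helper returning the single-element slice from a detector id, severity and path would shorten the file and make the escaping and severity cases easier to extend.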
From: Cemil ILIK Date: Mon, 25 May 2026 00:07:31 +0300 Subject: [PATCH 2/5] fix(docs): update competitive analysis with feature enhancements and clarifications --- docs/05-ROADMAP.md | 236 ++++++++++++++++--- docs/architecture/01-COMPETITIVE-ANALYSIS.md | 9 +- 2 files changed, 206 insertions(+), 39 deletions(-) diff --git a/docs/05-ROADMAP.md b/docs/05-ROADMAP.md index 4ed8849..8834f5a 100644 --- a/docs/05-ROADMAP.md +++ b/docs/05-ROADMAP.md @@ -1,9 +1,9 @@ # Leakwatch - Phased Development Roadmap -> **Document Version:** 6.1 +> **Document Version:** 7.0 > **Date:** 2026-04-09 > **Status:** Approved -> **Last Updated:** 2026-05-21 +> **Last Updated:** 2026-05-24 --- 
@@ -23,9 +23,14 @@ | Phase 8.2 — CLI UX Improvements | Completed | `v1.3.2` | 2026-03-25 | | Phase 8.3 — Scan Summary + Security | Completed | `v1.4.0` | 2026-04-08 | | Phase 8.4 — False Positive Reduction | Completed | `v1.5.0` | 2026-04-09 | -| Phase 9 — Confluence/Jira | Planned | `v1.6.0` | — | -| Phase 10 — Secrets Inventory | Planned | `v1.7.0` | — | -| Phase 11 — Honeytokens | Planned | `v1.8.0` | — | +| Phase 9 — Detection Accuracy & FP Reduction | Planned | `v1.6.0` | — | +| Phase 10 — Detector Library Expansion | Planned | `v1.7.0` | — | +| Phase 11 — Verification Depth & Credential Impact | Planned | `v1.8.0` | — | +| Phase 12 — Source Expansion (Confluence/Jira, org-scale) | Planned | `v1.9.0` | — | +| Phase 13 — Secrets Inventory | Planned | `v1.10.0` | — | +| Phase 14 — Honeytokens | Planned | `v1.11.0` | — | + +> **Prioritization note (v7.0):** the planned sequence is re-ordered so the work that most strengthens the core promise — accurate, verified, low-noise findings — comes first. Detection accuracy and false-positive reduction (Phase 9), broader coverage of high-blast-radius credential types (Phase 10), and deeper verification with credential-impact insight (Phase 11) precede new scan sources (Phase 12) and the inventory/honeytoken platform features (Phases 13–14). Rationale is detailed in [Planned Work — Prioritization](#planned-work--prioritization). ### v1.5.0 Highlights @@ -79,7 +84,7 @@ ## Roadmap Overview -Leakwatch development is planned in 5 phases, each building on the previous one. Each phase produces a usable deliverable upon completion. +Leakwatch development proceeds in incremental phases, each building on the previous one and each producing a usable deliverable. Phases 1–8 (through `v1.5.0`) are complete; Phases 9–14 are the planned forward path, sequenced by leverage on the product's core promise — see [Planned Work — Prioritization](#planned-work--prioritization). ```mermaid gantt 
@@ -113,8 +118,18 @@ gantt S3/GCS scanning :done, f5a, after f4c, 3w GitHub Action & Docker :done, f5b, after f5a, 2w v1.0.0 Release :milestone, after f5b, 0d - Slack/Confluence scanning :f5c, after f5b, 4w - SaaS platform & Dashboard :f5d, after f5c, 8w + + section Completed v1.1-v1.5 + Remediation, Slack, Verifiers :done, f6, after f5b, 6w + UX, Security, FP reduction :done, f8, after f6, 6w + + section Planned v1.6.0+ + Detection accuracy & FP :p9, after f8, 5w + Detector library expansion :p10, after p9, 6w + Verification depth & impact :p11, after p10, 6w + Source expansion :p12, after p11, 6w + Secrets inventory :p13, after p12, 5w + Honeytokens :p14, after p13, 4w ``` --- @@ -277,7 +292,7 @@ GitHub Release published with `v0.4.0` tag. | GCS bucket scanning | [x] Completed | `scan gcs ` with ADC auth, prefix filtering | | Homebrew formula | [x] Completed | `Formula/leakwatch.rb` | | Docker image | [x] Completed | Multi-stage Dockerfile, non-root alpine | -| GitHub Action | [x] Completed | `action/action.yml` with SARIF upload | +| GitHub Action | [x] Completed | Root `action.yml` (composite, prebuilt-binary install), Marketplace-ready, SARIF upload, PR-diff (`--since-commit`), inline annotations | | AWS & GitHub verifiers | [x] Completed | AWS STS GetCallerIdentity, GitHub /user API | | Parallel repo scanning | [x] Completed | `scan repos` with `--parallel` flag | | VS Code extension | [x] Completed | Diagnostics, scan-on-save, status bar, workspace/file scan | 
@@ -378,15 +393,126 @@ GitHub Release published with `v1.0.0` tag. --- -## Phase 9: Confluence/Jira Scanning — PLANNED +## Planned Work — Prioritization + +The product's core promise is **accurate, verified, low-noise secret findings**. Planned phases are sequenced by how directly they serve that promise, balanced against effort: +1. **Sharpen what we already detect first (Phase 9).** Tightening detector precision/recall and cutting false positives is the highest-leverage, lowest-effort work: it raises the quality of *every* scan immediately and protects user trust. It also closes the remaining "documented but not yet behaving as promised" gaps (see the [traceability index](#documented-gap-traceability)). +2. **Broaden coverage of high-impact credentials (Phase 10).** Once accuracy is solid, grow the detector library toward the credential types with the largest blast radius. +3. **Make verification deeper and more useful (Phase 11).** Verification is the differentiator; harden the engine, verify more credential classes, and tell users what a live secret can actually reach. +4. **Reach secrets in more places (Phase 12).** New scan sources (collaboration platforms, org-scale code hosting) extend reach after the core is strong. +5. **Platform features last (Phases 13–14).** Persistent inventory and decoy credentials build on a trustworthy, broad, well-verified core. -**Goal:** Scan Atlassian Confluence pages and Jira issues for leaked secrets. +**Prioritization lens** — each task is weighed on: *(a)* impact on finding quality (precision/recall/verification), *(b)* blast radius of the credentials it touches, *(c)* effort, and *(d)* whether it makes an already-promised capability behave correctly. Within each phase, tables list per-task priority (Critical / High / Medium / Low). + +--- + +## Phase 9: Detection Accuracy & False-Positive Reduction — PLANNED + +**Goal:** Make accuracy a measurable strength. 
Raise detector precision and recall, cut false positives across the board, and ensure every documented detection/verification behavior actually fires. This phase improves the quality of every existing scan without adding new surfaces. **Duration:** 4-5 weeks | **Version:** `v1.6.0` | **Status:** Planned ### Deliverables +| Task | Priority | Description | +|------|----------|-------------| +| Centralized false-positive filter | Critical | Shared module applied before verification: common placeholder values, a dictionary/word-list of dummy strings, and known non-secret patterns, so individual detectors no longer each re-implement ad-hoc skips | +| Engine-level entropy gating | Critical | Apply the configured `detection.entropy.threshold` in the detection engine itself (today only custom YAML rules honor it), so low-entropy matches are dropped consistently | +| Keyword pre-filters for high-noise detectors | High | Add Aho-Corasick pre-filter keywords / context anchors to detectors that currently scan every chunk (e.g. 
Telegram, Discord), which today fire on any token-shaped string | +| Broaden OpenAI key coverage | High | Detect legacy and service-account key variants in addition to project keys, anchoring on the embedded provider marker for precision (fewer misses, fewer false positives) | +| GitHub fine-grained PAT support | High | Extend the GitHub detector to cover fine-grained personal access tokens (`github_pat_`), now a default token type | +| Wire okta / shopify / bitbucket verification | High | Populate the `ExtraData` fields (`domain`, `store_domain`, `username`) these verifiers require, so the three detectors actually reach verified/inactive instead of always-unverified | +| Tighten Anthropic key regex | Medium | Anchor exact length and trailing marker; distinguish admin from standard keys | +| Mailgun & JWT format breadth | Medium | Add the alternate Mailgun key format; broaden JWT matching to pretty-printed / base64-variant headers and optional padding | +| Supabase service-role detection | Medium | Detect service-role JWTs (`role: service_role`) in addition to management PATs, so coverage matches the detector's name | +| Bounded / streaming result buffering | Medium | Cap or stream the in-memory finding buffer so adversarially large inputs cannot exhaust memory before the verification phase | +| Accuracy benchmark suite | High | Curated true/false corpus measuring precision and recall per detector, run in CI to guard against regressions | + +### Acceptance Criteria + +- [ ] Verified-mode false-positive rate is measured on the benchmark corpus and meets the `<5%` target +- [ ] The configured entropy threshold gates findings engine-wide, not only for custom rules +- [ ] Telegram/Discord (and other previously keyword-less detectors) no longer fire on unrelated numeric/base64 strings in the corpus +- [ ] okta, shopify, and bitbucket findings produce verified/inactive results end-to-end +- [ ] OpenAI legacy/service-account keys and GitHub `github_pat_` tokens are 
detected +- [ ] Detector test coverage stays ≥95% for every touched detector + +### Exit Criteria + +GitHub Release published with `v1.6.0` tag. + +--- + +## Phase 10: Detector Library Expansion — PLANNED + +**Goal:** Grow coverage of frequently-leaked, high-blast-radius credential types, prioritizing secrets whose exposure causes the most damage. Every new detector with a public verification endpoint ships with its verifier. + +**Duration:** 5-6 weeks | **Version:** `v1.7.0` | **Status:** Planned + +### Deliverables + +| Category | Priority | Target credential types | +|----------|----------|-------------------------| +| Elevated AI / model-platform keys | High | Admin-tier model-platform keys and additional widely-used model/inference providers (e.g. Gemini, Groq) | +| Cloud identity & platform | High | Cloud application-default credentials; expanded coverage of a major cloud's service family — managed database, search, DevOps tokens, SAS tokens, function keys, container registry, app-config connection strings | +| VCS & CI/CD | High | OAuth-type VCS tokens, application/installation private keys, and additional CI/CD provider tokens | +| Correlated multi-field detection | High | A general mechanism to detect credentials that span multiple fields (identifier + secret) and pair them — improving both precision (require the pair) and verifiability (need both parts) | +| Communication & delivery | Medium | Incoming-webhook URLs and additional email/SMS delivery providers | +| Observability | Medium | Application/event keys for monitoring and error-tracking platforms | +| Security & OSINT tooling | Medium | API keys for common security/recon services | + +### Acceptance Criteria + +- [ ] Detector count grows toward the 12-month coverage target, with ≥95% per-detector test coverage maintained +- [ ] Each new detector that has a public verification endpoint ships with a matching verifier +- [ ] Correlated multi-field detection pairs an identifier with its secret and 
feeds both to verification +- [ ] No regression in the Phase 9 accuracy benchmark + +### Exit Criteria + +GitHub Release published with `v1.7.0` tag. + +--- + +## Phase 11: Verification Depth & Credential Impact — PLANNED + +**Goal:** Deepen the verification differentiator. Harden the verification engine, verify more credential classes, and — for live secrets — tell users what the credential can actually reach so they can triage blast radius. + +**Duration:** 5-6 weeks | **Version:** `v1.8.0` | **Status:** Planned + +### Deliverables + +| Task | Priority | Description | +|------|----------|-------------| +| Per-provider rate limiting, caching & backoff | Critical | Replace the single global token-bucket limiter with per-provider limits, response caching to avoid re-verifying identical secrets, and exponential backoff/retry on transient failures | +| Canary-safe verification | High | Recognize well-known decoy/canary credential formats and skip live verification for them, so a scan never triggers an alert on someone else's planted token | +| Active private-key verification | High | Where a safe check exists, derive the public key from a detected private key and confirm liveness/association; introduce a distinct "verified key material" status that does not overstate access | +| Credential impact analysis | High | Opt-in: for a verified secret, enumerate its effective permissions and reachable resources, starting with the highest-value providers, so users understand blast radius — not just that a secret is live | +| Verification status refinements | Medium | Distinguish network/rate-limit failures from genuine "inactive"; surface the distinction in output and in `--only-verified`/filter semantics | + +### Acceptance Criteria + +- [ ] Per-provider limits and response caching are verified under load; transient failures retry with backoff +- [ ] Known canary credential formats are never sent to a live endpoint +- [ ] Private-key findings can reach a "verified key 
material" status without implying broader access +- [ ] Impact analysis produces a permission/resource summary for at least the top-priority providers +- [ ] Network/rate-limit errors are no longer reported as "inactive" + +### Exit Criteria + +GitHub Release published with `v1.8.0` tag. + +--- + +## Phase 12: Source Expansion — PLANNED + +**Goal:** Reach secrets wherever they live — collaboration platforms and org-scale code hosting — now that the detection/verification core is strong. + +**Duration:** 5-6 weeks | **Version:** `v1.9.0` | **Status:** Planned + +### Deliverables + | Task | Priority | Description | |------|----------|-------------| | Atlassian shared client | Critical | HTTP client with Cloud + Server/DC auth | @@ -394,9 +520,12 @@ GitHub Release published with `v1.0.0` tag. | JiraSource | Critical | JQL query, issue/comment scanning | | `scan confluence` command | Critical | Space filtering, attachment scanning | | `scan jira` command | Critical | Project filtering, JQL support | -| SourceMetadata fields | High | Space, page, issue key in findings | +| Org-scale repository enumeration | High | Scan every repository (and its history) under an organization/group via the hosting API, instead of a single local/remote repo at a time | +| Slack file content scanning | Medium | Fetch and scan file attachments via the Files API, completing the `--include-files` flag that is currently accepted but a no-op | +| SourceMetadata fields | High | Space, page, issue key, org/repo context in findings | +| Additional platform sources | Low | API-collection platforms, CI systems, and search clusters as demand warrants | | Tests | High | `httptest.NewServer` mocks | -| Guide | Medium | `docs/guides/atlassian-scanning.md` | +| Guide | Medium | `docs/guides/atlassian-scanning.md`, `docs/guides/org-scanning.md` | ### Acceptance Criteria 
@@ -404,14 +533,20 @@ GitHub Release published with `v1.0.0` tag. - [ ] `leakwatch scan jira --url URL --jql "project=SEC"` scans issues - [ ] Both Cloud and Server editions supported - [ ] HTML content properly extracted from Confluence storage format +- [ ] An entire organization's repositories can be enumerated and scanned from a single command +- [ ] Slack file attachments are fetched and scanned when `--include-files` is set + +### Exit Criteria + +GitHub Release published with `v1.9.0` tag. --- -## Phase 10: Secrets Inventory — PLANNED +## Phase 13: Secrets Inventory — PLANNED **Goal:** Persistent SQLite-based inventory tracking secrets across scans. -**Duration:** 4-5 weeks | **Version:** `v1.7.0` | **Status:** Planned +**Duration:** 4-5 weeks | **Version:** `v1.10.0` | **Status:** Planned ### Deliverables @@ -436,13 +571,17 @@ GitHub Release published with `v1.0.0` tag. - [ ] Deduplication across multiple scan runs - [ ] Only redacted values stored (never raw secrets) +### Exit Criteria + +GitHub Release published with `v1.10.0` tag. + --- -## Phase 11: Honeytokens — PLANNED +## Phase 14: Honeytokens — PLANNED **Goal:** Generate and deploy decoy credentials that alert on unauthorized use. -**Duration:** 3-4 weeks | **Version:** `v1.8.0` | **Status:** Planned +**Duration:** 3-4 weeks | **Version:** `v1.11.0` | **Status:** Planned ### Deliverables 
@@ -466,11 +605,33 @@ GitHub Release published with `v1.0.0` tag. - [ ] Webhook fires when honeytoken is detected in unexpected location - [ ] Value shown once during generation, only hash persisted +### Exit Criteria + +GitHub Release published with `v1.11.0` tag. + +--- + +## Documented Gap Traceability + +Earlier reviews recorded behaviors that the documentation or public interface promised but the code did not yet deliver. Rather than tracking them as a loose list, each is now **owned by a planned phase** above so it ships as part of a coherent release. This table is the index; the detail for the still-open code-quality items follows under [Engineering Hygiene Backlog](#engineering-hygiene-backlog). + +| Gap | Owning phase | +|-----|--------------| +| Engine-level entropy-threshold gating | Phase 9 | +| okta / shopify / bitbucket verification never reaches verified (missing `ExtraData`) | Phase 9 | +| Supabase service-role JWT not detected (only management PAT) | Phase 9 | +| Unbounded in-memory result buffering | Phase 9 | +| `--remediation-format brief\|full` flag not implemented | Phase 9 (minor) | +| Per-provider rate limiting, verification caching, exponential backoff/retry | Phase 11 | +| Slack file scanning (`--include-files` is a no-op) | Phase 12 | + +> **Minor item — `--remediation-format`:** today only a boolean `--remediation` flag exists; the `brief|full` variant referenced in the Phase 6 deliverables and the verification guide is unimplemented. Small UX task, folded into Phase 9. + --- -## Known Gaps & Follow-up Work +## Engineering Hygiene Backlog -These are not new phases — they are **work that the current `v1.5.0` release still owes**: features the documentation promises but the code does not (yet) deliver, code-quality findings that survived the PR #6 cleanup pass, and refactors flagged by SonarCloud that need their own focused review. Tracked here so nothing slips through the cracks. 
+These are **not feature phases** — they are ongoing code-quality and correctness items that run in parallel with the roadmap: features the documentation promised but the code did not deliver (now resolved), code-quality findings from the PR #6 cleanup pass, and refactors flagged by SonarCloud that warrant their own focused review. Tracked here so nothing slips through the cracks. **Source:** PR #6 (chore/docs-cleanup-and-sonar-alignment) verification pass and SonarCloud scan of `cemililik_Leakwatch` taken 2026-05-21. @@ -592,9 +753,12 @@ Source packages (no formal standard, but visible gaps): | `v1.3.2` | Phase 8.2 | CLI UX improvements | 2026-03-25 | | `v1.4.0` | Phase 8.3 | Scan summary, `init` command, colored table, security patches | 2026-04-08 | | `v1.5.0` | Phase 8.4 | False positive reduction, ADO.NET support | 2026-04-09 | -| `v1.6.0` | Phase 9 | Confluence/Jira scanning | — | -| `v1.7.0` | Phase 10 | Secrets inventory (SQLite) | — | -| `v1.8.0` | Phase 11 | Honeytokens | — | +| `v1.6.0` | Phase 9 | Detection accuracy & false-positive reduction | — | +| `v1.7.0` | Phase 10 | Detector library expansion | — | +| `v1.8.0` | Phase 11 | Verification depth & credential impact | — | +| `v1.9.0` | Phase 12 | Source expansion (Confluence/Jira, org-scale) | — | +| `v1.10.0` | Phase 13 | Secrets inventory (SQLite) | — | +| `v1.11.0` | Phase 14 | Honeytokens | — | | `v2.x.x` | Future | ML detection, SaaS platform, Vault | Ongoing | > **Note on v1.1.0 / v1.2.0:** Phase 6 (Remediation Guidance) and Phase 7 (Slack Scanning) were completed and merged into `main`, but no `v1.1.0` or `v1.2.0` git tags were ever created. The features shipped as part of the `v1.3.0` release. The version slots are preserved here to keep the phase-to-version mapping consistent. 
@@ -620,9 +784,9 @@ Source packages (no formal standard, but visible gaps): |--------|----------------|-----------------| | GitHub Stars | 500+ | 2,000+ | | Contributors | 5+ | 15+ | -| Detector count | 50+ | 200+ | -| Verifier count | 54 (achieved) | 60+ | -| Source count | 6 (fs, git, container, S3, GCS, Slack) | 8+ | +| Detector count | 63 (achieved) | 120+ | +| Verifier count | 54 (achieved) | 80+ | +| Source count | 6 (fs, git, container, S3, GCS, Slack) | 9+ | --- 
@@ -640,14 +804,14 @@ Source packages (no formal standard, but visible gaps): ## Master Review — Documented-but-Unimplemented Gaps -> This section consolidates gaps found in the 2026-05-22 full-project review. Each item is **planned / not yet implemented** — the documentation or public interface promises the feature but the code does not deliver it. - -| # | Gap | One-line description | Area affected | -|---|-----|----------------------|---------------| -| 1 | **Slack file scanning** | `--include-files` flag is accepted and documented but is a no-op; the `SlackSource` never fetches file content from the Slack Files API. | `internal/source/slack/slack.go`, `docs/guides/slack-scanning.md`, CHANGELOG v1.2.0 | -| 2 | **Per-provider rate limiting, verification caching, exponential backoff/retry** | The verifier engine has a single global token-bucket rate limiter; there is no per-provider limit, no response caching, and no retry with backoff. Phase 8 deliverables and the ROADMAP claim per-provider rate limiting is implemented. | `internal/verifier/engine.go`, Phase 8 deliverables table, v1.3.0 highlights | -| 3 | **`--remediation-format brief\|full` flag** | Only a boolean `--remediation` flag exists; the two-value `brief\|full` variant mentioned in Phase 6 deliverables and `docs/guides/secret-verification.md` is not implemented. | `cmd/scan_common.go`, Phase 6 deliverables table | -| 4 | **Engine-level entropy-threshold gating** | The `detection.entropy.threshold` config value is read and displayed in scan summaries, but the detection engine does not gate findings on it; only custom YAML rules apply their own per-rule entropy threshold. | `internal/engine/`, `internal/config/`, `docs/guides/configuration.md` | -| 5 | **okta / shopify / bitbucket live verification** | The verifiers for these three providers exist and compile, but their `Verify()` implementations read `ExtraData` keys (`domain`, `store_domain`, `username` respectively) that no detector currently emits. 
The findings will always produce a `StatusUnverified` result until the corresponding detectors are updated to populate those `ExtraData` fields. | `internal/verifier/okta/`, `internal/verifier/shopify/`, `internal/verifier/bitbucket/`, and their matching detectors | -| 6 | **Supabase real service-role JWT detection** | The `supabase` detector matches the `sbp_` prefix which identifies Supabase Management PATs, not service-role JWTs. Service-role JWTs (`eyJ...` with `role: service_role`) are not detected; the name `supabase-service-key` implies broader coverage than is implemented. | `internal/detector/supabase/supabase_key.go`, README detector table | -| 7 | **Unbounded in-memory result buffering** | The scan engine collects all raw findings into a single in-memory slice before passing them to the verification phase — there is no streaming path and no cap on the buffer size. This is acceptable for typical inputs but is a known limitation for very large or adversarial inputs (e.g., a repository engineered to maximise regex matches) where memory consumption could become excessive. Streaming verification or an explicit buffer cap is planned. | `internal/engine/engine.go` | +> This section is the **detailed reference** for the gaps found in the 2026-05-22 full-project review. Each item is now scheduled into a planned phase (see the concise [Documented Gap Traceability](#documented-gap-traceability) index); the "Owning phase" column below shows where each is delivered. Each remains **not yet implemented** — the documentation or public interface promises the feature but the code does not deliver it. + +| # | Gap | One-line description | Area affected | Owning phase | +|---|-----|----------------------|---------------|--------------| +| 1 | **Slack file scanning** | `--include-files` flag is accepted and documented but is a no-op; the `SlackSource` never fetches file content from the Slack Files API. 
| `internal/source/slack/slack.go`, `docs/guides/slack-scanning.md`, CHANGELOG v1.2.0 | Phase 12 | +| 2 | **Per-provider rate limiting, verification caching, exponential backoff/retry** | The verifier engine has a single global token-bucket rate limiter; there is no per-provider limit, no response caching, and no retry with backoff. Phase 8 deliverables and the ROADMAP claim per-provider rate limiting is implemented. | `internal/verifier/engine.go`, Phase 8 deliverables table, v1.3.0 highlights | Phase 11 | +| 3 | **`--remediation-format brief\|full` flag** | Only a boolean `--remediation` flag exists; the two-value `brief\|full` variant mentioned in Phase 6 deliverables and `docs/guides/secret-verification.md` is not implemented. | `cmd/scan_common.go`, Phase 6 deliverables table | Phase 9 (minor) | +| 4 | **Engine-level entropy-threshold gating** | The `detection.entropy.threshold` config value is read and displayed in scan summaries, but the detection engine does not gate findings on it; only custom YAML rules apply their own per-rule entropy threshold. | `internal/engine/`, `internal/config/`, `docs/guides/configuration.md` | Phase 9 | +| 5 | **okta / shopify / bitbucket live verification** | The verifiers for these three providers exist and compile, but their `Verify()` implementations read `ExtraData` keys (`domain`, `store_domain`, `username` respectively) that no detector currently emits. The findings will always produce a `StatusUnverified` result until the corresponding detectors are updated to populate those `ExtraData` fields. | `internal/verifier/okta/`, `internal/verifier/shopify/`, `internal/verifier/bitbucket/`, and their matching detectors | Phase 9 | +| 6 | **Supabase real service-role JWT detection** | The `supabase` detector matches the `sbp_` prefix which identifies Supabase Management PATs, not service-role JWTs. 
Service-role JWTs (`eyJ...` with `role: service_role`) are not detected; the name `supabase-service-key` implies broader coverage than is implemented. | `internal/detector/supabase/supabase_key.go`, README detector table | Phase 9 | +| 7 | **Unbounded in-memory result buffering** | The scan engine collects all raw findings into a single in-memory slice before passing them to the verification phase — there is no streaming path and no cap on the buffer size. This is acceptable for typical inputs but is a known limitation for very large or adversarial inputs (e.g., a repository engineered to maximise regex matches) where memory consumption could become excessive. Streaming verification or an explicit buffer cap is planned. | `internal/engine/engine.go` | Phase 9 | diff --git a/docs/architecture/01-COMPETITIVE-ANALYSIS.md b/docs/architecture/01-COMPETITIVE-ANALYSIS.md index 01e20d0..0aacdd0 100644 --- a/docs/architecture/01-COMPETITIVE-ANALYSIS.md +++ b/docs/architecture/01-COMPETITIVE-ANALYSIS.md 
@@ -188,13 +188,16 @@ While existing open-source tools (TruffleHog, Gitleaks) are strong in certain ar | **Container Images** | Yes | No | No | No | Yes | **Yes** | | **Cloud Sources** | Yes (S3, GCS) | No | No | No | No | **Yes (Phase 5)** | | **SaaS Scanning** | Yes (Slack, Jira) | No | No | No | Public monitoring | **Planned** | -| **Aho-Corasick** | Partial | No | No | Unknown | Unknown | **Yes** | +| **Aho-Corasick** | Yes | Yes | No | Unknown | Unknown | **Yes** | | **Entropy Analysis** | Yes | As filter | Yes | No | With ML | **Yes (hybrid)** | -| **SARIF Output** | Yes | Yes | No | Native | Yes | **Yes** | +| **SARIF Output** | No | Yes | No | Native | Yes | **Yes** | | **Pre-commit** | Yes | Yes (primary) | Yes | Push Protection | Yes | **Yes** | -| **Custom Rules** | Requires Go code | TOML (easy) | Plugin (Python) | Limited | Enterprise | **YAML (easy)** | +| **Custom Rules** | YAML config | TOML (easy) | Plugin (Python) | Limited | Enterprise | **YAML (easy)** | | **Allowlist/Ignore** | Basic | Advanced | Baseline | None | Yes | **Advanced** | | **License** | AGPL-3.0 | MIT* | Apache 2.0 | Commercial | Commercial | **MIT** | + +> \* The Gitleaks CLI is MIT-licensed; the official `gitleaks-action` runs under a commercial EULA and requires a free license key for **organization** accounts (personal accounts are exempt). +> **TruffleHog notes:** it fully uses Aho-Corasick keyword pre-filtering (`pkg/engine/ahocorasick/`); it has **no native SARIF** output (JSON / plain / GitHub-Actions only); and it **does** support custom detectors via a YAML `config.yaml` (`detectors:` block) — not "Go code only". | **Single Binary** | Yes | Yes | No (Python) | N/A | No (Python) | **Yes** | | **Remediation** | No | No | No | Partner revoke | Dashboard | **Planned** | From 9cdc2ac495ffa48eb6608cdfd4efb557dee18402 Mon Sep 17 00:00:00 2001 
From: Cemil ILIK Date: Mon, 25 May 2026 01:13:30 +0300 Subject: [PATCH 3/5] =?UTF-8?q?fix(action):=20address=20review=20=E2=80=94?= =?UTF-8?q?=20harden=20install/run,=20SHA-pin,=20escalate=20live=20secrets?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security: - Stop echoing the assembled scan command (path/extra-args may carry tokens or authenticated URLs that GitHub log masking would not catch). - Reject action-managed flags (--format/--output/--config/--show-raw) in extra-args so the action's output/summary/upload bookkeeping cannot be bypassed. - SHA-pin github/codeql-action/upload-sarif (runs in consumers' repos) and pin actions/checkout, actions/setup-go and actionlint in action-test.yml and ci.yml; add a least-privilege permissions block to ci.yml. Correctness/robustness: - Add a release-repo input (default HodeTech/Leakwatch) so the self-test can target the current repo and verify the install path end-to-end (the canonical default still applies for consumers; org transfer auto-redirects). - Validate scan-diff (auto|true|false) and fail loudly when "true" has no usable base commit instead of silently scanning full history. - curl --retry on downloads; friendly ::error on a missing/invalid release tag; warn when only-verified is combined with no-verify (which reports nothing); guard absolute working-directory for the SARIF path; note summary truncation. - github formatter: escalate live-verified findings to ::error regardless of severity. Formatter tests now cover %/\r escaping, verify-error, the write error path, and the escalation (100% coverage). - release.yml: require a vX.Y.Z tag before moving the major tag. CI: - New cli-github-format job builds this branch and exercises --format github end-to-end (the released binary the action installs predates that format). - selectFormatter test now covers the github format. 
Docs: - Fix only-verified examples (README, CI/CD guide) to set no-verify: false; remove now-dead setup-go steps before the action; fix the README binary-download example (goreleaser naming); document release-repo and the extra-args restriction; soften ADR-0009's checksum claim and record provenance as a future enhancement. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/action-test.yml | 49 ++++++++++-- .github/workflows/ci.yml | 15 ++-- .github/workflows/release.yml | 8 +- CHANGELOG.md | 2 +- README.md | 7 +- action.yml | 76 +++++++++++++++---- cmd/scan_common_test.go | 7 ++ .../ADR-0009-github-marketplace-action.md | 11 ++- docs/guides/ci-cd-integration.md | 24 +----- docs/user-manuals/en/ci-cd/github-action.md | 3 +- docs/user-manuals/tr/ci-cd/github-action.md | 3 +- internal/output/github/github_formatter.go | 12 ++- .../output/github/github_formatter_test.go | 75 ++++++++++++++++++ 13 files changed, 229 insertions(+), 63 deletions(-) diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml index 7c60a33..a85fd1a 100644 --- a/.github/workflows/action-test.yml +++ b/.github/workflows/action-test.yml 
@@ -1,20 +1,22 @@ name: Action Test # Validates the composite GitHub Action (install → scan → exit-code/outputs) on -# real runners, plus lints all workflow files. Runs when the action or this -# workflow changes. The action installs the latest released leakwatch binary, so -# this exercises the action mechanics rather than the CLI in this PR (the CLI has -# its own unit tests in CI). +# real runners, lints all workflow files, and exercises the new `github` output +# format with a binary built from this branch. The run-action job installs a +# released binary via the action, pointing release-repo at the current repo so it +# works both pre- and post-org-transfer. on: push: branches: [main] paths: - 'action.yml' - '.github/workflows/action-test.yml' + - 'internal/output/github/**' pull_request: paths: - 'action.yml' - '.github/workflows/action-test.yml' + - 'internal/output/github/**' workflow_dispatch: permissions: @@ -26,12 +28,12 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' - name: Install actionlint - run: go install github.com/rhysd/actionlint/cmd/actionlint@latest + run: go install github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 # shellcheck is preinstalled on ubuntu runners, so actionlint also lints # the run: scripts inside the workflows. - name: Run actionlint @@ -50,7 +52,7 @@ jobs: matrix: os: [ubuntu-latest, macos-latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 # Build the fixture at runtime so no secret-shaped literal is ever committed # (which would trip push protection / secret scanning). Reassembled at 
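Review bot: The SHA pins in the -26 and -50 hunks replace `actions/checkout@v4` with a commit whose trailing comment reads `# v6.0.0`, so this file receives a major-version upgrade of checkout (and setup-go) together with the pin, while the commit message describes the change only as pinning. The bump is presumably harmless on GitHub-hosted runners, but it is a behavioural change a reviewer of a "pin" commit would not expect. Either state the upgrade in the commit message, or pin the SHA of the v4 release that was in use and bump in a separate commit so the two concerns stay reviewable on their own.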
@@ -73,6 +75,9 @@ jobs: format: sarif no-verify: 'true' fail-on-findings: 'false' + # Download from the repo running this workflow (works pre- and + # post-org-transfer); consumers use the default HodeTech/Leakwatch. + release-repo: ${{ github.repository }} - name: Assert a finding was reported shell: bash @@ -95,6 +100,7 @@ jobs: format: table no-verify: 'true' fail-on-findings: 'true' + release-repo: ${{ github.repository }} - name: Assert no findings reported shell: bash @@ -104,3 +110,30 @@ jobs: set -euo pipefail [ "$COUNT" = "0" ] || { echo "::error::expected findings-count=0, got '$COUNT'"; exit 1; } echo "OK: clean directory reported no findings" + + # The released binary the action installs predates the `github` output format, + # so exercise that format with a binary built from this branch. + cli-github-format: + name: cli-github-format + needs: actionlint + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + with: + go-version: '1.25.10' + - name: Build leakwatch from this branch + run: go build -o "${RUNNER_TEMP}/leakwatch" . + - name: github format emits inline annotations + shell: bash + run: | + set -uo pipefail + mkdir -p _fx + printf 'AWS_ACCESS_KEY_ID=%s%s\n' 'AKIA' 'IOSFODNN7EXAMPLE' > _fx/leak.env + out="$("${RUNNER_TEMP}/leakwatch" scan fs _fx --format github --no-verify 2>/dev/null)" + echo "$out" + echo "$out" | grep -q '^::error .*aws-access-key-id' \ + || { echo "::error::expected an ::error annotation for aws-access-key-id"; exit 1; } + echo "OK: --format github emitted an inline annotation" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2747a94..ab85775 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest 
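Review bot: In the new cli-github-format job, `echo "$out" | grep -q '^::error .*aws-access-key-id'` runs under `set -o pipefail`, so should the scan output ever exceed the pipe buffer, grep exiting on its first match can kill echo with SIGPIPE and the pipeline reports failure even though the annotation was present; `grep -q '^::error .*aws-access-key-id' <<<"$out"` tests the same thing without the pipe. Separately, `echo "$out"` replays the formatter's `::error` lines into the job log, where the runner processes them as live workflow commands, so a passing self-test run will still carry error annotations; if the echo is only meant to show the output, bracket it with `t="lw-$RANDOM"; echo "::stop-commands::$t"; echo "$out"; echo "::$t::"`. The fixture assembly and assertion are otherwise sound.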
@@ -13,8 +16,8 @@ jobs: matrix: go-version: ['1.25.10'] steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: ${{ matrix.go-version }} cache: true @@ -32,8 +35,8 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' - run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 @@ -42,8 +45,8 @@ jobs: security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' - run: go install golang.org/x/vuln/cmd/govulncheck@latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8a072d4..9b89bb2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
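Review bot: The `uses:` lines in all three jobs are now SHA-pinned, but `go install golang.org/x/vuln/cmd/govulncheck@latest` (trailing context of the -42 hunk) is still floating, unlike the `actionlint@v1.7.12` pin this same commit adds to action-test.yml. govulncheck fetches the vulnerability database at run time regardless of the binary's version, so pinning the binary costs nothing in coverage; suggest `go install golang.org/x/vuln/cmd/govulncheck@<PINNED_VERSION>` with the same trailing-comment convention, or a one-line comment stating why it is deliberately left at `@latest`.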
@@ -59,11 +59,13 @@ jobs:
 SHA: ${{ github.sha }}
 run: |
 set -euo pipefail
- MAJOR="${TAG%%.*}" # v1.5.0 -> v1
- if [ "$MAJOR" = "$TAG" ] || [ -z "$MAJOR" ]; then
- echo "Could not derive a major tag from '$TAG'; skipping."
+ # Only move the major tag for a proper vMAJOR.MINOR.PATCH release tag, so
+ # a malformed tag (e.g. vnext.1) can never force-move an unrelated ref.
+ if ! printf '%s' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+ echo "Tag '$TAG' is not a vX.Y.Z release tag; skipping major-tag move."
 exit 0
 fi
+ MAJOR="${TAG%%.*}" # v1.5.0 -> v1
 echo "Pointing ${MAJOR} at ${SHA} (${TAG})"
 if gh api "repos/${REPO}/git/refs/tags/${MAJOR}" >/dev/null 2>&1; then
 gh api -X PATCH "repos/${REPO}/git/refs/tags/${MAJOR}" -f sha="${SHA}" -F force=true >/dev/null
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d53021c..405bf4f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
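Review bot: `printf '%s' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'` spawns a pipeline for a test the script's own shell can do natively, since it already relies on bash (`set -euo pipefail`); `if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then` is equivalent and avoids the subshell. The guard only constrains the tag's shape: anyone able to push a `vX.Y.Z` tag can still force-move `v1` for every consumer via the `-F force=true` PATCH below, so a sentence in the new comment naming the tag-protection rule as the real control would help the next maintainer. The step's `env:` block, where `TAG` and `REPO` are set, is outside the hunk.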
@@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/). ## [Unreleased] ### Added -- **GitHub Action is now Marketplace-ready and installs a prebuilt binary** — the action metadata moved from `action/action.yml` to the repository root `action.yml` so it can be published to the GitHub Marketplace and consumed as `uses: HodeTech/Leakwatch@v1`. Instead of compiling from source with `go install` on every run, the action now downloads the platform's prebuilt release archive and verifies its SHA-256 checksum before running (Linux and macOS runners). New inputs: `output`, `remediation`, `config`, `scan-diff`, `extra-args`, `working-directory`. Composite `outputs` now declare `value:` mappings, so `findings-count` and `sarif-file` are actually exposed to downstream steps (previously always empty). +- **GitHub Action is now Marketplace-ready and installs a prebuilt binary** — the action metadata moved from `action/action.yml` to the repository root `action.yml` so it can be published to the GitHub Marketplace and consumed as `uses: HodeTech/Leakwatch@v1`. Instead of compiling from source with `go install` on every run, the action now downloads the platform's prebuilt release archive and verifies its SHA-256 checksum before running (Linux and macOS runners). New inputs: `output`, `remediation`, `config`, `scan-diff`, `extra-args`, `working-directory`, `release-repo`. Composite `outputs` now declare `value:` mappings, so `findings-count` and `sarif-file` are actually exposed to downstream steps (previously always empty). The download is checksum-verified and retried; `extra-args` rejects flags the action manages (`--format`/`--output`/`--config`/`--show-raw`); the assembled command is not echoed (path/extra-args may carry credentials); and `scan-diff` is validated. The nested `upload-sarif` and all CI workflow actions are SHA-pinned. 
- **Pull-request diff scanning in the Action** — for `git` scans, `scan-diff: auto` (default) limits the scan to commits introduced by the event (`pull_request` base..HEAD or `push` before..HEAD) via `--since-commit`, so CI surfaces only newly added secrets. Requires `actions/checkout` with `fetch-depth: 0`. - **GitHub Actions job summary** — the action writes a findings summary (counts and a per-finding table parsed from SARIF) to `$GITHUB_STEP_SUMMARY`. - **`github` output format** — `--format github` emits GitHub Actions workflow commands (`::error`/`::warning`/`::notice`) so findings appear as inline annotations on pull requests. The raw secret is never emitted (redacted only), and command data/properties are percent-escaped. New `internal/output/github` formatter with full unit-test coverage. diff --git a/README.md b/README.md index 62466a3..7c4e61b 100644 --- a/README.md +++ b/README.md @@ -52,8 +52,8 @@ go install github.com/HodeTech/leakwatch@latest # Docker docker run --rm -v $(pwd):/scan ghcr.io/hodetech/leakwatch:latest scan fs /scan -# Binary download -curl -sSfL https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_$(uname -s)_$(uname -m).tar.gz | tar xz +# Binary download — pick the archive for your OS/arch from the releases page: +# https://github.com/HodeTech/Leakwatch/releases (e.g. leakwatch_1.5.0_linux_amd64.tar.gz) ``` ### Quick Setup @@ -197,7 +197,8 @@ leakwatch scan fs . --remediation - uses: HodeTech/Leakwatch@v1 with: scan-type: git - only-verified: true # only report verified live secrets (action default: false) + no-verify: false # turn verification ON (required for only-verified) + only-verified: true # report only secrets confirmed live sarif-upload: true ``` diff --git a/action.yml b/action.yml index 2423dbc..04c8b7e 100644 --- a/action.yml +++ b/action.yml 
@@ -67,6 +67,10 @@ inputs:
 description: 'Leakwatch version to install: "latest" or a release tag such as v1.5.0.'
 required: false
 default: 'latest'
+ release-repo:
+ description: 'GitHub repository (owner/name) to download the release binary from. Defaults to the canonical Leakwatch repo; override only for forks or self-hosted mirrors.'
+ required: false
+ default: 'HodeTech/Leakwatch'
 
 outputs:
 findings-count:
@@ -83,7 +87,7 @@ runs:
 shell: bash
 env:
 LW_VERSION: ${{ inputs.version }}
- LW_REPO: HodeTech/Leakwatch
+ LW_REPO: ${{ inputs.release-repo }}
 run: |
 set -euo pipefail
 
@@ -121,8 +125,14 @@ runs:
 BASE_URL="https://github.com/${LW_REPO}/releases/download/${TAG}"
 TMP="$(mktemp -d)"
 echo "Installing Leakwatch ${TAG} (${ARCHIVE})"
- curl -fsSL -o "${TMP}/${ARCHIVE}" "${BASE_URL}/${ARCHIVE}"
- curl -fsSL -o "${TMP}/checksums.txt" "${BASE_URL}/checksums.txt"
+ if ! curl -fsSL --retry 3 --retry-delay 2 -o "${TMP}/${ARCHIVE}" "${BASE_URL}/${ARCHIVE}"; then
+ echo "::error::Failed to download ${ARCHIVE}. Is '${TAG}' a valid release in ${LW_REPO}? See https://github.com/${LW_REPO}/releases"
+ exit 1
+ fi
+ if ! curl -fsSL --retry 3 --retry-delay 2 -o "${TMP}/checksums.txt" "${BASE_URL}/checksums.txt"; then
+ echo "::error::Failed to download checksums.txt for ${TAG} from ${LW_REPO}."
+ exit 1
+ fi
 
 expected="$(awk -v f="$ARCHIVE" '$2 == f {print $1}' "${TMP}/checksums.txt")"
 if [ -z "$expected" ]; then
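Review bot: `LW_REPO` now comes from the `release-repo` input (hunk at -83) and is spliced into `BASE_URL` in the -121 hunk with no shape check, so a value containing extra path segments or a query string silently changes which URL the archive and `checksums.txt` are fetched from — and that archive is executed. The input is set by the consumer's own workflow, so this is defensive rather than a trust-boundary fix, but a one-line guard before `BASE_URL=` mirrors the tag regex this commit adds to release.yml: `[[ "$LW_REPO" =~ ^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$ ]] || { echo "::error::release-repo must be owner/name (got '${LW_REPO}')."; exit 1; }`. The install step's script continues outside the hunk on both sides.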
@@ -191,11 +201,12 @@ runs: fi if [ "$INPUT_FORMAT" = "sarif" ] && [ -n "$OUT" ]; then # Report the path relative to the repo root so a later upload step finds it. - if [ "$WORKDIR" = "." ]; then - echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" - else - echo "sarif-file=${WORKDIR%/}/$OUT" >> "$GITHUB_OUTPUT" - fi + case "$WORKDIR" in + .) echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" ;; + /*) echo "::warning::working-directory is absolute; the SARIF upload step may not locate the file. Use a repository-relative working-directory." + echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" ;; + *) echo "sarif-file=${WORKDIR%/}/$OUT" >> "$GITHUB_OUTPUT" ;; + esac fi [ "$INPUT_ONLY_VERIFIED" = "true" ] && ARGS+=(--only-verified) @@ -203,7 +214,17 @@ runs: [ "$INPUT_REMEDIATION" = "true" ] && ARGS+=(--remediation) [ -n "$INPUT_CONFIG" ] && ARGS+=(--config "$INPUT_CONFIG") + # only-verified needs verification ON. With no-verify (the default), nothing + # can be "verified active", so the scan would silently report zero findings. + if [ "$INPUT_ONLY_VERIFIED" = "true" ] && [ "$INPUT_NO_VERIFY" = "true" ]; then + echo "::warning::only-verified is set while no-verify is also true (the default). Verification is OFF, so no finding can be 'verified active' and the scan will report nothing. Set no-verify: false to use only-verified." + fi + # PR-diff: for git scans, limit to commits introduced by this event. + case "$INPUT_SCAN_DIFF" in + auto|true|false) ;; + *) echo "::error::Invalid scan-diff '${INPUT_SCAN_DIFF}' (expected auto, true, or false)."; exit 1 ;; + esac diff_enabled=false case "$INPUT_SCAN_DIFF" in true) diff_enabled=true ;; 
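Review bot: The new only-verified/no-verify check in the -203 hunk only warns, yet it describes a configuration under which the scan can never report a finding: with verification off the job goes green while secret detection is effectively disabled, and a `::warning` in the log is easy to miss. This same commit fails loudly for `scan-diff: true` without a base commit; treating this contradiction the same way, `echo "::error::only-verified requires no-verify: false (verification is OFF, so no finding can be verified)."; exit 1`, keeps the action fail-closed. If the warning is deliberate to avoid breaking existing workflows, say so in the comment above the check. The step's script continues outside the hunk.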
@@ -212,24 +233,45 @@ runs: diff_enabled=true fi ;; esac - if [ "$diff_enabled" = "true" ] && [ "$INPUT_SCAN_TYPE" = "git" ]; then + if [ "$diff_enabled" = "true" ]; then + if [ "$INPUT_SCAN_TYPE" != "git" ]; then + # Only "true" reaches here for a non-git scan (auto never enables it); + # fail loudly so "true" is never silently ignored. + echo "::error::scan-diff requires scan-type: git (got '${INPUT_SCAN_TYPE}')."; exit 1 + fi base="" [ "$GH_EVENT_NAME" = "pull_request" ] && base="$GH_PR_BASE_SHA" [ "$GH_EVENT_NAME" = "push" ] && base="$GH_PUSH_BEFORE" - # Skip the all-zero SHA (first push of a branch, which has no parent). - if [ -n "$base" ] && [ "$base" != "0000000000000000000000000000000000000000" ]; then + # The all-zero SHA means no parent (first push of a branch). + if [ -z "$base" ] || [ "$base" = "0000000000000000000000000000000000000000" ]; then + if [ "$INPUT_SCAN_DIFF" = "true" ]; then + echo "::error::scan-diff: true but no base commit is available for event '${GH_EVENT_NAME}'. Use pull_request/push and checkout with fetch-depth: 0."; exit 1 + fi + echo "::notice::scan-diff: auto found no base commit for '${GH_EVENT_NAME}'; scanning full history." + else ARGS+=(--since-commit "$base") fi fi - # Append any extra raw arguments (deliberate word-splitting). + # Append any extra raw arguments (deliberate word-splitting). Reject the + # flags the action manages itself, so its output/summary/upload bookkeeping + # can never silently disagree with the actual CLI invocation. if [ -n "$INPUT_EXTRA_ARGS" ]; then # shellcheck disable=SC2206 extra=($INPUT_EXTRA_ARGS) + for a in "${extra[@]}"; do + case "$a" in + -f|--format|--format=*|-o|--output|--output=*|--config|--config=*|--show-raw|--show-raw=*) + echo "::error::extra-args may not contain '${a%%=*}'; use the dedicated action input (format/output/config) instead." 
+ exit 1 ;; + esac + done ARGS+=("${extra[@]}") fi - echo "+ leakwatch ${ARGS[*]}" + # Do NOT echo the assembled args: path/extra-args may carry credentials + # (tokens, authenticated URLs) that GitHub log masking would not catch. + echo "Running leakwatch scan (type=${INPUT_SCAN_TYPE}, format=${INPUT_FORMAT})" leakwatch "${ARGS[@]}" EXIT_CODE=$? @@ -248,6 +290,10 @@ runs: echo "| Level | Detector | Location |" echo "| --- | --- | --- |" jq -r '.runs[].results[] | "| \(.level) | \(.ruleId) | \((.locations[0].physicalLocation.artifactLocation.uri // "-"))\(if .locations[0].physicalLocation.region.startLine then ":" + (.locations[0].physicalLocation.region.startLine | tostring) else "" end) |"' "$OUT" 2>/dev/null | head -50 + if [ "${total:-0}" -gt 50 ] 2>/dev/null; then + echo "" + echo "_…showing the first 50 of ${total} findings._" + fi fi elif [ "$EXIT_CODE" -eq 0 ]; then echo "✅ No secrets detected." @@ -284,7 +330,9 @@ runs: - name: Upload SARIF if: always() && inputs.sarif-upload == 'true' && inputs.format == 'sarif' - uses: github/codeql-action/upload-sarif@v3 + # github/codeql-action/upload-sarif@v3.36.0 (SHA-pinned: this runs inside + # consumers' repositories, so the floating tag is the most important to pin). + uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 with: sarif_file: ${{ steps.scan.outputs.sarif-file }} category: leakwatch diff --git a/cmd/scan_common_test.go b/cmd/scan_common_test.go index 9d918c9..0410342 100644 --- a/cmd/scan_common_test.go +++ b/cmd/scan_common_test.go @@ -8,6 +8,7 @@ import ( "github.com/stretchr/testify/require" csvout "github.com/HodeTech/leakwatch/internal/output/csv" + githubout "github.com/HodeTech/leakwatch/internal/output/github" jsonout "github.com/HodeTech/leakwatch/internal/output/json" sarifout "github.com/HodeTech/leakwatch/internal/output/sarif" tableout "github.com/HodeTech/leakwatch/internal/output/table" 
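Review bot: The extra-args filter in the -212 hunk matches the separate-argument and `=` spellings of the managed flags but not attached short values: `-ojunk.sarif` or `-fjson` pass the `case` untouched, and if leakwatch's flag parser accepts that form (pflag-style parsers do) the action's `sarif-file` output and summary would again disagree with the real invocation. Extending the pattern to `-f|-f?*|--format|--format=*|-o|-o?*|--output|--output=*|--config|--config=*|--show-raw|--show-raw=*)` closes the gap at no cost. The replacement of the echoed command line with a type/format summary is the right call. The step's script starts and ends outside the hunk.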
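Review bot: The version for the new `upload-sarif` pin in the -284 hunk sits in a comment above the `uses:` line, whereas every other pin in this commit (action-test.yml, ci.yml) carries it as a trailing `# v6.0.0` comment. Dependabot keeps a trailing version comment in sync when it bumps the SHA but leaves a comment on its own line untouched, so this annotation will drift from the pinned commit over time. Suggest `uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0` and keep the rationale sentence in the comment above.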
@@ -96,6 +97,12 @@ func TestSelectFormatter_AllFormats_ReturnsCorrectType(t *testing.T) { showRaw: false, expectedType: &tableout.Formatter{}, }, + { + name: "github format", + format: "github", + showRaw: false, + expectedType: &githubout.Formatter{}, + }, { name: "unknown format defaults to json", format: "unknown", diff --git a/docs/decisions/ADR-0009-github-marketplace-action.md b/docs/decisions/ADR-0009-github-marketplace-action.md index e787fcd..b19ff82 100644 --- a/docs/decisions/ADR-0009-github-marketplace-action.md +++ b/docs/decisions/ADR-0009-github-marketplace-action.md @@ -67,8 +67,11 @@ flowchart TD in lock-step with the tool, leverages the repo's existing visibility, and avoids the synchronization burden of a second repository. - **Prebuilt over `go install`.** Reuses artifacts the release already ships; - scans start in seconds with no Go toolchain, and the checksum step adds - supply-chain integrity. + scans start in seconds with no Go toolchain. The mandatory checksum step + guards against a corrupted or truncated download. (It is **not** full + supply-chain provenance: the archive and `checksums.txt` come from the same + release, so an attacker who can replace one can replace both. Cryptographic + provenance — cosign/minisign/SLSA — is a future enhancement; see below.) ## Alternatives Considered @@ -111,6 +114,10 @@ flowchart TD - The `v1` tag must be maintained automatically (handled in the release workflow) and consumers who want strict reproducibility should pin a full release tag or commit SHA. +- **No cryptographic provenance yet.** The checksum step only detects a + corrupted/truncated download, not a malicious release. A future enhancement + should add signed artifacts (cosign/minisign) and/or SLSA build provenance, + with the action verifying the signature before running. ## Publishing to the Marketplace (maintainer runbook) diff --git a/docs/guides/ci-cd-integration.md b/docs/guides/ci-cd-integration.md index 82a0bdc..df291ff 100644 
--- a/docs/guides/ci-cd-integration.md +++ b/docs/guides/ci-cd-integration.md @@ -101,15 +101,11 @@ jobs: with: fetch-depth: 0 # Required for full Git history - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: '1.25' - - name: Leakwatch Scan uses: HodeTech/Leakwatch@v1 with: scan-type: fs + no-verify: false # verification ON (required for only-verified) only-verified: true ``` @@ -140,11 +136,6 @@ jobs: with: fetch-depth: 0 - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: '1.25' - - name: Leakwatch Scan uses: HodeTech/Leakwatch@v1 with: @@ -248,11 +239,6 @@ jobs: with: fetch-depth: 0 - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: '1.25' - - name: Full history scan uses: HodeTech/Leakwatch@v1 with: @@ -337,10 +323,6 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version: '1.25' - - name: Filesystem scan uses: HodeTech/Leakwatch@v1 with: @@ -359,10 +341,6 @@ jobs: with: fetch-depth: 0 - - uses: actions/setup-go@v5 - with: - go-version: '1.25' - - name: Full history scan uses: HodeTech/Leakwatch@v1 with: diff --git a/docs/user-manuals/en/ci-cd/github-action.md b/docs/user-manuals/en/ci-cd/github-action.md index 6aae537..d2d41d4 100644 --- a/docs/user-manuals/en/ci-cd/github-action.md +++ b/docs/user-manuals/en/ci-cd/github-action.md 
@@ -84,11 +84,12 @@ SARIF upload requires the job to declare `permissions: security-events: write`. | `remediation` | `false` | Include remediation guidance in the output. | | `config` | `` | Path to a `.leakwatch.yaml` configuration file. | | `scan-diff` | `auto` | For `git` scans, scan only commits new to the event. `auto` enables this on `pull_request`/`push`, `true` forces it, `false` always scans full history. Requires `actions/checkout` with `fetch-depth: 0`. | -| `extra-args` | `` | Additional raw arguments appended to the `leakwatch scan` command (space-separated). | +| `extra-args` | `` | Additional raw arguments appended to the `leakwatch scan` command (space-separated). Flags the action manages itself (`--format`, `--output`, `--config`, `--show-raw`) are rejected — use the dedicated inputs instead. | | `working-directory` | `.` | Directory to run the scan from. | | `sarif-upload` | `false` | Upload SARIF results to GitHub Code Scanning after the scan. | | `fail-on-findings` | `true` | Fail the workflow step when findings are reported (exit code 1). When `false`, a `::warning::` annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code ≥ 2) always fail the step regardless of this setting. | | `version` | `latest` | Leakwatch version to install: `latest`, or a release tag such as `v1.5.0` to pin a specific release. | +| `release-repo` | `HodeTech/Leakwatch` | Repository (`owner/name`) to download the release binary from. Override only for forks or self-hosted mirrors. | ## Outputs diff --git a/docs/user-manuals/tr/ci-cd/github-action.md b/docs/user-manuals/tr/ci-cd/github-action.md index c34c3dd..59018f4 100644 --- a/docs/user-manuals/tr/ci-cd/github-action.md +++ b/docs/user-manuals/tr/ci-cd/github-action.md 
@@ -84,11 +84,12 @@ SARIF yüklemesi, işin `permissions: security-events: write` bildirmesini gerek | `remediation` | `false` | Çıktıya giderme (remediation) rehberi ekle. | | `config` | `` | Bir `.leakwatch.yaml` yapılandırma dosyasının yolu. | | `scan-diff` | `auto` | `git` taramalarında yalnızca olaya yeni gelen commit'leri tara. `auto`, bunu `pull_request`/`push` olaylarında etkinleştirir; `true` zorlar; `false` her zaman tüm geçmişi tarar. `actions/checkout` ile `fetch-depth: 0` gerektirir. | -| `extra-args` | `` | `leakwatch scan` komutuna eklenen ek ham argümanlar (boşlukla ayrılmış). | +| `extra-args` | `` | `leakwatch scan` komutuna eklenen ek ham argümanlar (boşlukla ayrılmış). Action'ın kendi yönettiği bayraklar (`--format`, `--output`, `--config`, `--show-raw`) reddedilir — bunun yerine ilgili input'ları kullanın. | | `working-directory` | `.` | Taramanın çalıştırılacağı dizin. | | `sarif-upload` | `false` | Taramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle. | | `fail-on-findings` | `true` | Bulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. `false` olarak ayarlandığında adım başarısız olmak yerine `::warning::` ek açıklaması yayar. Ciddi hatalar (çıkış kodu ≥ 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar. | | `version` | `latest` | Kurulacak Leakwatch sürümü: `latest` veya belirli bir sürümü sabitlemek için `v1.5.0` gibi bir etiket. | +| `release-repo` | `HodeTech/Leakwatch` | Sürüm ikilisinin indirileceği depo (`owner/name`). Yalnızca fork veya kendi sunucunuzdaki aynalar için değiştirin. | ## Çıktılar diff --git a/internal/output/github/github_formatter.go b/internal/output/github/github_formatter.go index 5bc2a05..52a707c 100644 --- a/internal/output/github/github_formatter.go +++ b/internal/output/github/github_formatter.go 
@@ -56,7 +56,7 @@ func writeCommand(b *strings.Builder, fd finding.Finding) { props = append(props, "title="+escapeProperty(annotationTitle(fd))) b.WriteString("::") - b.WriteString(severityToLevel(fd.Severity)) + b.WriteString(annotationLevel(fd)) b.WriteByte(' ') b.WriteString(strings.Join(props, ",")) b.WriteString("::") @@ -64,6 +64,16 @@ func writeCommand(b *strings.Builder, fd finding.Finding) { b.WriteByte('\n') } +// annotationLevel decides the GitHub annotation level for a finding. A secret +// confirmed live by verification is an incident and is always emitted as an +// error, regardless of its nominal severity; otherwise severity decides. +func annotationLevel(fd finding.Finding) string { + if fd.Verification.Status == finding.StatusVerifiedActive { + return "error" + } + return severityToLevel(fd.Severity) +} + // severityToLevel maps a finding severity to a GitHub annotation level. GitHub // supports only error/warning/notice, so medium and low both map to "notice". func severityToLevel(s finding.Severity) string { diff --git a/internal/output/github/github_formatter_test.go b/internal/output/github/github_formatter_test.go index 85b1381..82657ef 100644 --- a/internal/output/github/github_formatter_test.go +++ b/internal/output/github/github_formatter_test.go @@ -2,6 +2,7 @@ package github import ( "bytes" + "errors" "strings" "testing" @@ -10,6 +11,11 @@ import ( "github.com/stretchr/testify/require" ) +// errWriter always fails, to exercise the Format write-error path. +type errWriter struct{} + +func (errWriter) Write([]byte) (int, error) { return 0, errors.New("disk full") } + func TestFormatter_Format_EmptyFindings_WritesNothing(t *testing.T) { f := &Formatter{} var buf bytes.Buffer 
@@ -224,6 +230,75 @@ func TestFormatter_Format_UnknownSeverity_FallsBackToNotice(t *testing.T) { assert.True(t, strings.HasPrefix(buf.String(), "::notice ")) } +func TestFormatter_Format_VerifiedActiveLowSeverity_ElevatedToError(t *testing.T) { + f := &Formatter{} + var buf bytes.Buffer + + // A live-verified secret is an incident even at a low nominal severity, so it + // must be emitted as ::error, not ::notice. + err := f.Format(&buf, []finding.Finding{{ + DetectorID: "generic-api-key", + Severity: finding.SeverityLow, + Redacted: "abc****xyz", + SourceMetadata: finding.SourceMetadata{FilePath: "a.txt", Line: 1}, + Verification: finding.VerificationResult{Status: finding.StatusVerifiedActive}, + }}) + require.NoError(t, err) + assert.True(t, strings.HasPrefix(buf.String(), "::error "), "verified-active must elevate to error, got %q", buf.String()) +} + +func TestFormatter_Format_VerifyError_NoVerdictSuffix(t *testing.T) { + f := &Formatter{} + var buf bytes.Buffer + + err := f.Format(&buf, []finding.Finding{{ + DetectorID: "github-token", + Severity: finding.SeverityHigh, + Redacted: "ghp_****", + SourceMetadata: finding.SourceMetadata{FilePath: ".env", Line: 3}, + Verification: finding.VerificationResult{Status: finding.StatusVerifyError}, + }}) + require.NoError(t, err) + + out := buf.String() + assert.NotContains(t, out, "ACTIVE") + assert.NotContains(t, out, "inactive") + // A verify error is not a confirmed-active verdict, so it stays a warning. + assert.True(t, strings.HasPrefix(out, "::warning ")) +} + +func TestFormatter_Format_EscapesPercentAndCarriageReturn(t *testing.T) { + f := &Formatter{} + var buf bytes.Buffer + + // '%' must be encoded first (so the encodings below are not double-escaped), + // and a carriage return must become %0D. 
+ err := f.Format(&buf, []finding.Finding{{ + DetectorID: "generic-api-key", + Severity: finding.SeverityLow, + Redacted: "a%b\rc", + SourceMetadata: finding.SourceMetadata{FilePath: "f.txt", Line: 1}, + }}) + require.NoError(t, err) + + out := buf.String() + assert.Contains(t, out, "a%25b%0Dc") + assert.NotContains(t, out, "%2525", "percent must not be double-escaped") +} + +func TestFormatter_Format_WriteError_IsWrapped(t *testing.T) { + f := &Formatter{} + err := f.Format(errWriter{}, []finding.Finding{{ + DetectorID: "aws-access-key-id", + Severity: finding.SeverityCritical, + Redacted: "AKIA****", + SourceMetadata: finding.SourceMetadata{FilePath: "a", Line: 1}, + }}) + require.Error(t, err) + assert.Contains(t, err.Error(), "GitHub annotations") + assert.Contains(t, err.Error(), "disk full") +} + func TestFormatter_FileExtension_ReturnsTXT(t *testing.T) { f := &Formatter{} assert.Equal(t, ".txt", f.FileExtension()) From 8726065396f4ead0570d28d736d159ae3fb8eac1 Mon Sep 17 00:00:00 2001 
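Review bot: `TestFormatter_Format_EscapesPercentAndCarriageReturn` pins `%` and `\r` but not `\n`, which is the character that matters most for workflow commands: an unescaped newline in the data portion ends the `::error` line and lets the remainder be parsed as a further command. If the formatter's escaping also maps `\n` to `%0A` (the formatter body is not in this diff), extend the fixture to `Redacted: "a%b\rc\nd"` and assert `a%25b%0Dc%0Ad` so that property is pinned too. The property path through `escapeProperty` is likewise unexercised here for `,` and `:`, which delimit properties; a fixture carrying those in the file path would cover it.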
From: Cemil ILIK Date: Mon, 25 May 2026 09:13:27 +0300 Subject: [PATCH 4/5] =?UTF-8?q?fix(action):=20second-review=20fixes=20?= =?UTF-8?q?=E2=80=94=20extra-args=20bypass,=20scan-diff=20degrade,=20doc/b?= =?UTF-8?q?undle=20sync?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - extra-args guard now prefix-matches (-f*/-o*/--format*/--output*/--config*/ --show-raw*), so combined shorthand like `-fcsv` or `-o/tmp/x` can no longer override the action's managed flags (the previous exact-token guard was bypassable; -f/-o are format/output only in this CLI). - scan-diff: auto now degrades to a full scan with a ::warning:: when the base commit isn't in the local clone (shallow checkout), instead of letting leakwatch hard-fail (exit 2). scan-diff: true still fails with guidance. - latest-version resolution: `|| true` on the redirect probe so a repo with no releases shows the curated ::error:: instead of aborting under set -e; message now names the repo and links its releases page. - github format now always writes annotations to stdout even if an output file is configured (e.g. output.file in .leakwatch.yaml) — workflow commands are inert in a file, so this prevents silently swallowing them (cmd/scan_common.go). - findings-count output description clarified (it is 0/1, not a count). - Fix the broken comparison table in 01-COMPETITIVE-ANALYSIS.md (footnotes were mid-table, terminating it; moved to the end so the last rows render). - Regenerate site/js/manuals/{en,tr}.js so the updated CI/CD manuals ship (the generated bundle was stale vs source). Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 2 +- action.yml | 24 +++++++++++++++----- cmd/scan_common.go | 9 ++++++++ docs/architecture/01-COMPETITIVE-ANALYSIS.md | 5 ++-- site/js/manuals/en.js | 2 +- site/js/manuals/tr.js | 2 +- 6 files changed, 33 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 405bf4f..f26c75a 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md 
@@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/). ## [Unreleased] ### Added -- **GitHub Action is now Marketplace-ready and installs a prebuilt binary** — the action metadata moved from `action/action.yml` to the repository root `action.yml` so it can be published to the GitHub Marketplace and consumed as `uses: HodeTech/Leakwatch@v1`. Instead of compiling from source with `go install` on every run, the action now downloads the platform's prebuilt release archive and verifies its SHA-256 checksum before running (Linux and macOS runners). New inputs: `output`, `remediation`, `config`, `scan-diff`, `extra-args`, `working-directory`, `release-repo`. Composite `outputs` now declare `value:` mappings, so `findings-count` and `sarif-file` are actually exposed to downstream steps (previously always empty). The download is checksum-verified and retried; `extra-args` rejects flags the action manages (`--format`/`--output`/`--config`/`--show-raw`); the assembled command is not echoed (path/extra-args may carry credentials); and `scan-diff` is validated. The nested `upload-sarif` and all CI workflow actions are SHA-pinned. +- **GitHub Action is now Marketplace-ready and installs a prebuilt binary** — the action metadata moved from `action/action.yml` to the repository root `action.yml` so it can be published to the GitHub Marketplace and consumed as `uses: HodeTech/Leakwatch@v1`. Instead of compiling from source with `go install` on every run, the action now downloads the platform's prebuilt release archive and verifies its SHA-256 checksum before running (Linux and macOS runners). New inputs: `output`, `remediation`, `config`, `scan-diff`, `extra-args`, `working-directory`, `release-repo`. Composite `outputs` now declare `value:` mappings, so `findings-count` and `sarif-file` are actually exposed to downstream steps (previously always empty). 
The download is checksum-verified and retried; `extra-args` rejects (by prefix, so combined shorthand like `-fcsv` is caught too) flags the action manages (`--format`/`--output`/`--config`/`--show-raw`); the assembled command is not echoed (path/extra-args may carry credentials); `scan-diff` is validated and `auto` degrades to a full scan with a warning when the base commit is absent (e.g. a shallow checkout) instead of hard-failing; and the `github` format always writes annotations to stdout even if an output file is configured. The nested `upload-sarif` and all CI workflow actions are SHA-pinned. - **Pull-request diff scanning in the Action** — for `git` scans, `scan-diff: auto` (default) limits the scan to commits introduced by the event (`pull_request` base..HEAD or `push` before..HEAD) via `--since-commit`, so CI surfaces only newly added secrets. Requires `actions/checkout` with `fetch-depth: 0`. - **GitHub Actions job summary** — the action writes a findings summary (counts and a per-finding table parsed from SARIF) to `$GITHUB_STEP_SUMMARY`. - **`github` output format** — `--format github` emits GitHub Actions workflow commands (`::error`/`::warning`/`::notice`) so findings appear as inline annotations on pull requests. The raw secret is never emitted (redacted only), and command data/properties are percent-escaped. New `internal/output/github` formatter with full unit-test coverage. diff --git a/action.yml b/action.yml index 04c8b7e..2828a18 100644 --- a/action.yml +++ b/action.yml @@ -74,7 +74,7 @@ inputs: outputs: findings-count: - description: 'Number of secrets found (0 or 1; mirrors the leakwatch exit code).' + description: 'Whether secrets were reported: 1 if any finding was reported, else 0 (mirrors the leakwatch exit code; not a count).' value: ${{ steps.scan.outputs.findings-count }} sarif-file: description: 'Path to the SARIF output file relative to the repository root (set when format=sarif).' 
@@ -109,13 +109,15 @@ runs: # ---- Resolve the release tag ------------------------------------------ if [ "$LW_VERSION" = "latest" ]; then - eff="$(curl -fsSLI -o /dev/null -w '%{url_effective}' "https://github.com/${LW_REPO}/releases/latest")" + # `|| true` so a 404 (repo has no releases) does not abort under set -e + # before the curated error below can run. + eff="$(curl -fsSLI -o /dev/null -w '%{url_effective}' "https://github.com/${LW_REPO}/releases/latest" || true)" TAG="${eff##*/}" else TAG="$LW_VERSION" fi if [ -z "$TAG" ] || [ "$TAG" = "latest" ] || [ "$TAG" = "releases" ]; then - echo "::error::Could not resolve a Leakwatch release tag (got '$TAG')." + echo "::error::Could not resolve the latest release tag for ${LW_REPO}. Does it have any releases? See https://github.com/${LW_REPO}/releases" exit 1 fi VER="${TAG#v}" # goreleaser archive names omit the leading 'v' @@ -248,8 +250,16 @@ runs: echo "::error::scan-diff: true but no base commit is available for event '${GH_EVENT_NAME}'. Use pull_request/push and checkout with fetch-depth: 0."; exit 1 fi echo "::notice::scan-diff: auto found no base commit for '${GH_EVENT_NAME}'; scanning full history." - else + elif git -C "$INPUT_PATH" cat-file -e "${base}^{commit}" 2>/dev/null; then ARGS+=(--since-commit "$base") + elif [ "$INPUT_SCAN_DIFF" = "true" ]; then + # The base exists upstream but not in this clone (default fetch-depth: 1). + # leakwatch would hard-fail (exit 2); since the user forced diff, fail + # with actionable guidance rather than silently scanning everything. + echo "::error::scan-diff: true but base commit ${base} is not in the local clone. Check out with fetch-depth: 0."; exit 1 + else + # auto: degrade gracefully instead of hard-failing a pipeline. + echo "::warning::scan-diff: auto could not find base commit ${base} locally (shallow checkout?); scanning full history. Use fetch-depth: 0 for diff scans." fi fi 
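Review bot: `TAG="${eff##*/}"` trusts whatever URL curl landed on after following redirects, and only `latest`, `releases` and the empty string are rejected. A repository that has been renamed or transferred, or one whose `releases/latest` redirects to a login page, yields a tag-looking string from the wrong place, and the failure then surfaces later as a confusing download or checksum error instead of here. Accepting the tag only when the effective URL sits under the expected prefix makes the check self-contained: `case "$eff" in "https://github.com/${LW_REPO}/releases/tag/"*) TAG="${eff##*/}" ;; *) TAG="" ;; esac`. The `run:` block of this install step starts outside the hunk.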
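Review bot: The new `git -C "$INPUT_PATH" cat-file -e` probe assumes `path` is a local clone, but the documentation on this page also shows `scan git` run against a remote URL (`scan git https://github.com/org/repo.git`). For such a path the probe fails, so `scan-diff: auto` silently drops to a full scan and `scan-diff: true` aborts with a misleading "not in the local clone" message even though leakwatch clones the history itself. Guarding the probe on a local directory, `elif [ ! -d "$INPUT_PATH" ] || git -C "$INPUT_PATH" cat-file -e "${base}^{commit}" 2>/dev/null; then`, keeps the shallow-checkout degrade path without penalising remote targets; whether the event's base SHA is meaningful for a remote target depends on it being the same repository, which the action cannot verify. The enclosing `if [ "$diff_enabled" = "true" ]` block starts before this hunk.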
@@ -260,9 +270,11 @@ runs: # shellcheck disable=SC2206 extra=($INPUT_EXTRA_ARGS) for a in "${extra[@]}"; do + # Prefix-match so combined shorthand (-fcsv, -o/tmp/x) and =forms are + # all caught. -f/-o are format/output here and have no other meaning. case "$a" in - -f|--format|--format=*|-o|--output|--output=*|--config|--config=*|--show-raw|--show-raw=*) - echo "::error::extra-args may not contain '${a%%=*}'; use the dedicated action input (format/output/config) instead." + -f*|--format*|-o*|--output*|--config*|--show-raw*) + echo "::error::extra-args may not set format/output/config/show-raw ('$a'); use the dedicated action inputs instead." exit 1 ;; esac done diff --git a/cmd/scan_common.go b/cmd/scan_common.go index 5b6f37d..4304360 100644 --- a/cmd/scan_common.go +++ b/cmd/scan_common.go @@ -314,6 +314,15 @@ func renderResult(cfg *scanConfig, result *engine.ScanResult, sourceType, ignore result.Findings = []finding.Finding{} } + // The "github" format emits GitHub Actions workflow commands, which only take + // effect on the live stdout stream — writing them to a file does nothing. If an + // output file was configured (e.g. output.file in .leakwatch.yaml), ignore it + // so the annotations always reach stdout instead of being silently swallowed. + if cfg.format == "github" && cfg.outputFile != "" { + slog.Debug("ignoring output file for github format; annotations are written to stdout", "file", cfg.outputFile) + cfg.outputFile = "" + } + colorEnabled := resolveColorEnabled(cfg.format, cfg.outputFile) formatter := selectFormatter(cfg.format, cfg.showRaw, colorEnabled) diff --git a/docs/architecture/01-COMPETITIVE-ANALYSIS.md b/docs/architecture/01-COMPETITIVE-ANALYSIS.md index 0aacdd0..4a5cc13 100644 --- a/docs/architecture/01-COMPETITIVE-ANALYSIS.md +++ b/docs/architecture/01-COMPETITIVE-ANALYSIS.md 
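Review bot: The guard remains a deny-list over token prefixes, so it would not catch a clustered short flag such as `-xf csv` if the CLI defines any other single-letter boolean flag (not visible in this diff). Since the action already owns `--format`/`--output`/`--config`/`--show-raw`, a more robust arrangement is to place the extra arguments after the positional arguments but before the action-managed flags, so the action's values are parsed last and win regardless of what was passed, leaving the guard as a friendly error rather than the only line of defence. This relies on last-occurrence-wins for these flags in the CLI's flag parser, which should be confirmed before reordering; the assembly of `ARGS` happens before this hunk.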
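Review bot: Discarding `cfg.outputFile` for the `github` format is logged only at Debug level, so a user who explicitly passed `-o report.txt` (or set `output.file`) gets neither the file nor any visible explanation at the default log level. `slog.Warn("ignoring output file for github format; annotations are written to stdout", "file", cfg.outputFile)` makes the override visible without changing behaviour; if the config distinguishes a flag-supplied value from a config-file one, the flag case could reasonably be an error instead. `renderResult` starts before this hunk.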
@@ -195,11 +195,12 @@ While existing open-source tools (TruffleHog, Gitleaks) are strong in certain ar | **Custom Rules** | YAML config | TOML (easy) | Plugin (Python) | Limited | Enterprise | **YAML (easy)** | | **Allowlist/Ignore** | Basic | Advanced | Baseline | None | Yes | **Advanced** | | **License** | AGPL-3.0 | MIT* | Apache 2.0 | Commercial | Commercial | **MIT** | +| **Single Binary** | Yes | Yes | No (Python) | N/A | No (Python) | **Yes** | +| **Remediation** | No | No | No | Partner revoke | Dashboard | **Planned** | > \* The Gitleaks CLI is MIT-licensed; the official `gitleaks-action` runs under a commercial EULA and requires a free license key for **organization** accounts (personal accounts are exempt). +> > **TruffleHog notes:** it fully uses Aho-Corasick keyword pre-filtering (`pkg/engine/ahocorasick/`); it has **no native SARIF** output (JSON / plain / GitHub-Actions only); and it **does** support custom detectors via a YAML `config.yaml` (`detectors:` block) — not "Go code only". -| **Single Binary** | Yes | Yes | No (Python) | N/A | No (Python) | **Yes** | -| **Remediation** | No | No | No | Partner revoke | Dashboard | **Planned** | --- diff --git a/site/js/manuals/en.js b/site/js/manuals/en.js index 940073a..2f519c4 100644 --- a/site/js/manuals/en.js +++ b/site/js/manuals/en.js 
@@ -1,3 +1,3 @@ // Generated by tools/site-build. Do not edit by hand. window.LW_MANUAL = window.LW_MANUAL || {}; -window.LW_MANUAL["en"] = {"ci-cd/docker-usage":{"title":"Docker Usage","description":"Run Leakwatch scans inside a container using the official Docker image.","html":"\u003ch1 id=\"docker-usage\"\u003eDocker Usage\u003c/h1\u003e\n\u003cp\u003eThe official Leakwatch container image lets you run scans without installing anything on the host machine. Because the image is statically compiled with \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e and runs as a non-root user, it is safe to use in locked-down CI environments and on shared machines where you do not want to modify the host system.\u003c/p\u003e\n\u003ch2 id=\"image-reference\"\u003eImage reference\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe image is based on Alpine, runs as the non-root user \u003ccode\u003eleakwatch\u003c/code\u003e, uses \u003ccode\u003e/scan\u003c/code\u003e as the working directory, and has \u003ccode\u003eleakwatch\u003c/code\u003e as its entrypoint.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv 
class=\"callout-body\"\u003e\u003cp\u003eBecause the entrypoint is \u003ccode\u003eleakwatch\u003c/code\u003e, you append the subcommand and flags directly after the image name — for example, \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. There is no need to repeat the binary name.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"scanning-a-local-directory\"\u003eScanning a local directory\u003c/h2\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo write results to a file on the host, write the output file into the mounted volume:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe file \u003ccode\u003eleakwatch.sarif\u003c/code\u003e appears in the current directory on your host after the container exits.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-remote-git-repository\"\u003eScanning a remote Git repository\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo volume mount is required for remote Git repositories — Leakwatch clones them into a temporary directory inside the container.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-container-image\"\u003eScanning a container image\u003c/h2\u003e\n\u003cp\u003eLeakwatch is daemonless: it pulls image layers directly from the registry without a Docker daemon. 
This means you can scan a remote image from within the Leakwatch container without mounting the host Docker socket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor private registries, pass the credentials as environment variables consumed by the registry client (for example, \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e pointing to a mounted credentials file, or the standard registry environment variables your registry supports).\u003c/p\u003e\n\u003ch2 id=\"passing-a-configuration-file\"\u003ePassing a configuration file\u003c/h2\u003e\n\u003cp\u003eMount \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e into \u003ccode\u003e/scan\u003c/code\u003e so Leakwatch picks it up automatically:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAs long as \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is in the mounted directory, Leakwatch finds it because \u003ccode\u003e/scan\u003c/code\u003e is both the working directory and the path passed to the scan. 
If your config file lives elsewhere, mount it explicitly and use \u003ccode\u003e--config\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-environment-variables\"\u003ePassing environment variables\u003c/h2\u003e\n\u003cp\u003eEnvironment variables for cloud scanning and token-based authentication can be injected with \u003ccode\u003e-e\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# S3 scan with AWS credentials\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor CI environments, prefer injecting secrets as masked CI variables rather than embedding them in the command line.\u003c/p\u003e\n\u003ch2 id=\"output-file-pattern\"\u003eOutput file pattern\u003c/h2\u003e\n\u003cp\u003eA common Docker pattern in CI is to write results into the mounted volume and then upload or archive the file as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install the native binary instead of using Docker.\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e flags and behavior.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eContainer Images\u003c/a\u003e — scanning OCI/Docker image layers for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — using the Docker image in GitLab CI and other pipelines.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — complete flag reference for all subcommands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"Use the official Leakwatch GitHub Action to scan for secrets in your GitHub workflows.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eEvery push to your repository is an opportunity for a secret to slip through. The official \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e) integrates Leakwatch directly into your GitHub workflow — it installs the tool, runs a scan, maps exit codes, and optionally uploads SARIF results to GitHub Code Scanning, all without any external service dependency.\u003c/p\u003e\n\u003ch2 id=\"quick-start\"\u003eQuick start\u003c/h2\u003e\n\u003cp\u003eThe minimal configuration blocks the workflow when secrets are found:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Secret scan (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith only the defaults, the action scans the filesystem (\u003ccode\u003escan-type: fs\u003c/code\u003e), produces SARIF output, skips live verification (\u003ccode\u003eno-verify: 
true\u003c/code\u003e), and fails the job if any finding is reported.\u003c/p\u003e\n\u003ch2 id=\"full-example-with-sarif-upload\"\u003eFull example with SARIF upload\u003c/h2\u003e\n\u003cp\u003eThe following workflow enables SARIF upload to GitHub Code Scanning, which surfaces findings as security alerts inside the repository:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Secret scan\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # required for SARIF upload\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Scan for secrets\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF upload requires the job to declare \u003ccode\u003epermissions: security-events: write\u003c/code\u003e. Without it, the upload step fails with a 403 error. 
The \u003ccode\u003econtents: read\u003c/code\u003e permission is also needed for \u003ccode\u003eactions/checkout@v4\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inputs\"\u003eInputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eInput\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan type to run: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e, or \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to scan (for \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e) or image reference (for \u003ccode\u003eimage\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification 
(no outbound calls to providers).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUpload SARIF results to GitHub Code Scanning after the scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFail the workflow step when findings are reported (exit code 1). When \u003ccode\u003efalse\u003c/code\u003e, a \u003ccode\u003e::warning::\u003c/code\u003e annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code 2) always fail the step regardless of this setting.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLeakwatch version to install. 
Use a tag such as \u003ccode\u003ev1.5.0\u003c/code\u003e to pin a specific release.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"outputs\"\u003eOutputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eOutput\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e if no findings were reported; \u003ccode\u003e1\u003c/code\u003e if findings were reported. Mirrors the Leakwatch exit code.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the SARIF output file on the runner (set when \u003ccode\u003eformat: sarif\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"verification-in-ci\"\u003eVerification in CI\u003c/h2\u003e\n\u003cp\u003eBy default, \u003ccode\u003eno-verify\u003c/code\u003e is \u003ccode\u003etrue\u003c/code\u003e — live verification is \u003cstrong\u003eoff\u003c/strong\u003e in CI. 
This keeps the scan fast and avoids making outbound network calls to provider APIs from CI runners, which may be behind a firewall or have rate-limited credentials.\u003c/p\u003e\n\u003cp\u003eTo enable verification in CI, set \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnabling verification in CI causes Leakwatch to make authenticated API calls to providers (AWS, GitHub, Stripe, etc.) for each candidate finding. Be aware of provider rate limits and ensure the runner has outbound internet access.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"how-sarif-upload-works\"\u003eHow SARIF upload works\u003c/h2\u003e\n\u003cp\u003eWhen \u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e and \u003ccode\u003eformat: sarif\u003c/code\u003e, the action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTells Leakwatch to write output to \u003ccode\u003eresults.sarif\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter the scan, calls \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e with \u003ccode\u003ecategory: leakwatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGitHub processes the file and surfaces findings as \u003cstrong\u003eCode Scanning alerts\u003c/strong\u003e under the repository's \u003cstrong\u003eSecurity\u003c/strong\u003e tab.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe upload step runs with \u003ccode\u003eif: always()\u003c/code\u003e, so results are uploaded even when \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e causes the scan step to set a failure.\u003c/p\u003e\n\u003ch2 
id=\"using-action-outputs\"\u003eUsing action outputs\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Scan for secrets\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # let the workflow continue\n\n- name: Print result\n run: echo \u0026quot;Findings reported: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"pinning-a-specific-version\"\u003ePinning a specific version\u003c/h2\u003e\n\u003cp\u003eFor reproducible builds, pin \u003ccode\u003eversion\u003c/code\u003e to a specific tag:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis installs exactly \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e via \u003ccode\u003ego install\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — understanding JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — when and how Leakwatch calls provider APIs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Hook\u003c/a\u003e — catch secrets before they are committed.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — GitLab CI, Jenkins, and generic shell integration.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Other CI Systems","description":"Integrate Leakwatch into GitLab CI, Jenkins, Bitbucket Pipelines, and any other CI 
system.","html":"\u003ch1 id=\"other-ci-systems\"\u003eOther CI Systems\u003c/h1\u003e\n\u003cp\u003eBecause Leakwatch is a single static binary with no runtime dependencies, it runs in any CI environment that can execute a shell command — GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps, and others. There is no built-in integration for these systems beyond what is described on this page; the pattern is always: install the binary, run the scan, act on the exit code.\u003c/p\u003e\n\u003ch2 id=\"installing-leakwatch-in-ci\"\u003eInstalling Leakwatch in CI\u003c/h2\u003e\n\u003cp\u003eChoose the method that best suits your runner environment:\u003c/p\u003e\n\u003ch3 id=\"via-go-install-requires-go-on-the-runner\"\u003evia \u003ccode\u003ego install\u003c/code\u003e (requires Go on the runner)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePin to a specific version for reproducible builds:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"via-the-docker-image-no-go-required\"\u003evia the Docker image (no Go required)\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e as a job image or run it with \u003ccode\u003edocker run\u003c/code\u003e. 
See \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e for the full pattern.\u003c/p\u003e\n\u003ch3 id=\"via-a-prebuilt-release-binary\"\u003evia a prebuilt release binary\u003c/h3\u003e\n\u003cp\u003eDownload the appropriate tarball from \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e, extract, and place on \u003ccode\u003ePATH\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch exits with one of three codes, which is the primary mechanism for failing a CI build:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended CI action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo findings\u003c/td\u003e\n\u003ctd\u003ePass the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSecrets found\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHard error (bad config, unreadable path, etc.)\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA generic shell snippet that branches on the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . 
--format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;No secrets found.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Secrets found — failing build.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Scan error (exit $EXIT_CODE) — failing build.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-example\"\u003eGitLab CI example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e job installs Leakwatch, runs a filesystem scan, and stores the JSON report as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 days\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (the default) means exit code \u003ccode\u003e1\u003c/code\u003e fails the pipeline stage. Set \u003ccode\u003eallow_failure: true\u003c/code\u003e if you want the scan to report without blocking the merge.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab supports SAST report artifacts. 
Leakwatch produces SARIF (\u003ccode\u003e--format sarif\u003c/code\u003e), not GitLab's native SAST JSON schema, so use the \u003ccode\u003epaths:\u003c/code\u003e artifact approach rather than the \u003ccode\u003ereports: sast:\u003c/code\u003e key.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"recommendations-for-ci-runners\"\u003eRecommendations for CI runners\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eUse \u003ccode\u003e--no-verify\u003c/code\u003e on runners without outbound internet access.\u003c/strong\u003e Verification makes live API calls to providers (AWS, GitHub, Stripe, etc.). On air-gapped or firewall-restricted runners, these calls time out and slow the scan. Pass \u003ccode\u003e--no-verify\u003c/code\u003e to skip verification entirely:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSave output as an artifact.\u003c/strong\u003e Use \u003ccode\u003e--format sarif\u003c/code\u003e or \u003ccode\u003e--format json\u003c/code\u003e with \u003ccode\u003e--output\u003c/code\u003e to write a file that can be stored, uploaded to a vulnerability management platform, or reviewed after the job completes.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSet \u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e to focus on the secrets that matter most. In a noisy codebase, start with \u003ccode\u003e--min-severity high\u003c/code\u003e and lower the threshold once you have cleared the backlog.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-example\"\u003eAzure DevOps example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . 
--format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch secret scan\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-results\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-example\"\u003eJenkins example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Secret scan') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — full reference for all exit code meanings.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e — use the container image instead of installing the binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — the official action for GitHub workflows.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Hook","description":"Use the Leakwatch pre-commit hook to scan for secrets before every commit.","html":"\u003ch1 id=\"pre-commit-hook\"\u003ePre-commit Hook\u003c/h1\u003e\n\u003cp\u003eThe cheapest time to catch a secret is before it enters the repository at all. 
Leakwatch ships a native \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e hook that runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e automatically on every \u003ccode\u003egit commit\u003c/code\u003e, so a leaked API key or password fails the commit rather than appearing in history.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eYou need:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit is a Python tool).\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e installed globally (\u003ccode\u003epip install pre-commit\u003c/code\u003e or \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGo 1.25+ on \u003ccode\u003ePATH\u003c/code\u003e — the hook language is \u003ccode\u003egolang\u003c/code\u003e, so pre-commit compiles Leakwatch from source on first run.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"configuration\"\u003eConfiguration\u003c/h2\u003e\n\u003cp\u003eAdd a \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e file to the root of your repository (or extend an existing one):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInstall the hooks into the local Git repo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThat is all. From this point on, every \u003ccode\u003egit commit\u003c/code\u003e triggers a filesystem scan. 
If Leakwatch finds any secrets, the commit is blocked and the findings are printed to the terminal.\u003c/p\u003e\n\u003ch2 id=\"running-manually\"\u003eRunning manually\u003c/h2\u003e\n\u003cp\u003eTo scan the entire repository (not just staged files) at any time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo run only the Leakwatch hook without triggering others:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-extra-arguments\"\u003ePassing extra arguments\u003c/h2\u003e\n\u003cp\u003eThe hook's default behavior matches \u003ccode\u003eleakwatch scan fs\u003c/code\u003e with no additional flags. You can pass extra arguments via the \u003ccode\u003eargs:\u003c/code\u003e key:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis example reports only high-severity secrets that Leakwatch has confirmed are still active — a strict policy suitable for teams that want to avoid false-positive noise without sacrificing coverage.\u003c/p\u003e\n\u003cp\u003eOther useful arguments:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # skip live verification for faster commits\n - --min-severity\n - medium # suppress low-severity noise\n - --format\n - table # human-readable output in the terminal\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003epass_filenames: false\u003c/code\u003e is set in the hook definition, which means the hook always scans 
the full working tree rather than only the files staged for the current commit. This guarantees that secrets already present in unstaged files are also detected.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-the-hook-scans\"\u003eWhat the hook scans\u003c/h2\u003e\n\u003cp\u003eThe hook runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e against the repository working directory. It uses the same detection pipeline as the CLI: Aho-Corasick pre-filtering, regex validation, entropy calculation, and (unless \u003ccode\u003e--no-verify\u003c/code\u003e is set) live verification.\u003c/p\u003e\n\u003cp\u003eConfiguration in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is respected automatically — exclusion patterns, entropy thresholds, and verification settings all apply without any extra hook configuration.\u003c/p\u003e\n\u003ch2 id=\"skipping-the-hook-temporarily\"\u003eSkipping the hook temporarily\u003c/h2\u003e\n\u003cp\u003eTo commit without running the hook (for example, when committing a controlled test fixture that contains a redacted secret):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: add test fixture\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUsing \u003ccode\u003eSKIP=leakwatch\u003c/code\u003e bypasses all secret scanning for that commit. 
Use it only when you have confirmed the content is safe, and prefer \u003ccode\u003e.leakwatchignore\u003c/code\u003e or inline \u003ccode\u003eleakwatch:ignore\u003c/code\u003e comments for permanent suppressions instead.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"keeping-the-hook-version-pinned\"\u003eKeeping the hook version pinned\u003c/h2\u003e\n\u003cp\u003ePin \u003ccode\u003erev:\u003c/code\u003e to a specific tag rather than a branch name. This ensures all developers on the team use the same detector set and the hook does not silently upgrade mid-sprint:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # pin; do not use 'main' or 'HEAD'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUpdate by running:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ewhich bumps \u003ccode\u003erev\u003c/code\u003e to the latest tag and lets you review the change before committing it.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — the underlying scan command the hook runs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — control exclusions, entropy, and verification in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — scan on every push and pull request in GitHub CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Configuration File","description":"How to configure Leakwatch with .leakwatch.yaml — full schema, defaults, validation rules, environment overrides, and the 
leakwatch init command.","html":"\u003ch1 id=\"configuration-file\"\u003eConfiguration File\u003c/h1\u003e\n\u003cp\u003eLeakwatch's behaviour across every scan command is driven by a single YAML file named \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e. Understanding this file lets you tune concurrency, verification, output format, and path filtering once — and have every scan pick it up automatically.\u003c/p\u003e\n\u003ch2 id=\"file-discovery\"\u003eFile discovery\u003c/h2\u003e\n\u003cp\u003eLeakwatch resolves the config file in the following order:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e flag\u003c/strong\u003e — use an explicit path regardless of the working directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCurrent directory\u003c/strong\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the directory where the command is run.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHome directory\u003c/strong\u003e — \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e as a fallback.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf no file is found, built-in defaults are used for every setting.\u003c/p\u003e\n\u003ch2 id=\"generating-a-starter-file\"\u003eGenerating a starter file\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003eleakwatch init\u003c/code\u003e command writes a ready-to-edit file with recommended defaults:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default the file is written to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory. 
Use \u003ccode\u003e--output\u003c/code\u003e to choose a different path:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the target file already exists, \u003ccode\u003eleakwatch init\u003c/code\u003e will refuse to overwrite it and exit with an error. Pass \u003ccode\u003e--force\u003c/code\u003e to overwrite:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"environment-variable-overrides\"\u003eEnvironment variable overrides\u003c/h2\u003e\n\u003cp\u003eEvery config key can be overridden with an environment variable. The naming rule is:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrefix: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eUppercase\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExamples:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003cth\u003eEnvironment 
variable\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence\"\u003ePrecedence\u003c/h2\u003e\n\u003cp\u003eWhen the same setting is specified in multiple places, the highest-priority source wins:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCommand-line flag (highest)\u003c/li\u003e\n\u003cli\u003eEnvironment variable\u003c/li\u003e\n\u003cli\u003eConfig file value\u003c/li\u003e\n\u003cli\u003eBuilt-in default (lowest)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"full-schema\"\u003eFull schema\u003c/h2\u003e\n\u003cp\u003eThe annotated schema below shows every supported key, its default value, and valid range.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Scan engine ──────────────────────────────────────────────────────────────\n\nscan:\n # Number of concurrent file-processing workers.\n # Defaults to the number of logical CPU cores on the host.\n # Must be \u0026gt;= 1.\n concurrency: 8\n\n # Maximum file size to scan, in bytes. Files larger than this limit are\n # skipped entirely. Default is 10 MB (10485760). 
Must be \u0026gt;= 1.\n max-file-size: 10485760\n\n# ── Detection ─────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Enable Shannon entropy calculation for each candidate match.\n enabled: true\n\n # Entropy threshold used for display and custom-rule gating.\n # Range: 0–8. Default: 4.0.\n # See note below about built-in findings.\n threshold: 4.0\n\n# ── Verification ─────────────────────────────────────────────────────────────\n\nverification:\n # Enable live verification against provider APIs.\n enabled: true\n\n # Per-request HTTP timeout. Must be \u0026gt;= 1ms when verification is enabled.\n # Use a duration string (e.g. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — a bare integer is\n # treated as nanoseconds and will fail validation.\n timeout: 10s\n\n # Number of concurrent verification workers. Must be \u0026gt;= 1.\n concurrency: 4\n\n # Maximum verification requests per second (token-bucket rate limiter).\n # Must be \u0026gt; 0.\n rate-limit: 10.0\n\n# ── Filtering ─────────────────────────────────────────────────────────────────\n\nfilter:\n # Glob patterns for paths to exclude from scanning.\n # Supported glob styles: filepath.Match patterns, ** double-star spanning\n # zero or more path segments, and trailing-slash dir/ patterns that match\n # the named directory at any depth. Each pattern is tested against both the\n # full path and the base filename, so simple patterns like \u0026quot;*.min.js\u0026quot; match\n # nested files without a leading path prefix.\n # Applies to all scan sources. 
(On `scan fs` the --exclude flag also sets this.)\n # Default: [] (no exclusions beyond the built-in binary/lock-file skips).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Detector IDs to disable entirely. Findings from listed detectors are never\n # produced regardless of other settings. Default: [].\n exclude-detectors: []\n\n# ── Output ────────────────────────────────────────────────────────────────────\n\noutput:\n # Output format. One of: json, sarif, csv, table. Default: json.\n # The --format / -f flag overrides this at run time.\n format: json\n\n # Write output to this file path instead of stdout. Default: \u0026quot;\u0026quot; (stdout).\n # The --output / -o flag overrides this at run time.\n file: \u0026quot;\u0026quot;\n\n # Drop findings below this severity level.\n # One of: low, medium, high, critical. Default: \u0026quot;\u0026quot; (show all).\n # The --min-severity flag overrides this at run time.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Include the unredacted secret value in output.\n # Default: false. The --show-raw flag overrides this at run time.\n show-raw: false\n\n# ── Custom rules ──────────────────────────────────────────────────────────────\n\n# Define your own detectors as YAML rules. 
See the custom rules page for the\n# full rule schema.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e controls which entropy value is displayed alongside a finding and acts as a gate for custom rules (a custom rule match whose entropy falls below the threshold is suppressed). It does \u003cstrong\u003enot\u003c/strong\u003e suppress findings from built-in detectors — built-in detectors have their own match criteria and are never dropped by this setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"validation\"\u003eValidation\u003c/h2\u003e\n\u003cp\u003eLeakwatch validates the loaded configuration before starting a scan and exits with an error for any of the following:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCondition\u003c/th\u003e\n\u003cth\u003eError\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid concurrency value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid max-file-size value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e not in \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnsupported output 
format\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e outside 0–8\u003c/td\u003e\n\u003ctd\u003eInvalid entropy threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e not a valid level (when non-empty)\u003c/td\u003e\n\u003ctd\u003eInvalid severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification timeout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification concurrency\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Ignoring Findings","description":"Suppress false positives with .leakwatchignore files, inline ignore markers, and built-in binary and lock-file skips.","html":"\u003ch1 id=\"ignoring-findings\"\u003eIgnoring 
Findings\u003c/h1\u003e\n\u003cp\u003eNo scanner has zero false positives. Leakwatch gives you three layered mechanisms to suppress the noise: a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file for path-based exclusions, inline markers for line-level suppression, and a set of always-on built-in skips for binary files and common lock files.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-file\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e file\u003c/h2\u003e\n\u003cp\u003eCreate a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your repository root (or in the current directory) to exclude paths from the scan results. It uses a gitignore-style syntax:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLines starting with \u003ccode\u003e#\u003c/code\u003e are comments.\u003c/li\u003e\n\u003cli\u003eBlank lines are skipped.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003e!\u003c/code\u003e prefix \u003cstrong\u003enegates\u003c/strong\u003e a pattern, re-including a path that a previous pattern would have excluded.\u003c/li\u003e\n\u003cli\u003eThe \u003cstrong\u003elast matching pattern wins\u003c/strong\u003e — order matters.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"loading-order\"\u003eLoading order\u003c/h3\u003e\n\u003cp\u003eLeakwatch loads \u003ccode\u003e.leakwatchignore\u003c/code\u003e from the scan root first, then from the current working directory. 
If both exist and contain patterns for the same path, the current-directory file's patterns take precedence because they are evaluated last.\u003c/p\u003e\n\u003ch3 id=\"glob-syntax\"\u003eGlob syntax\u003c/h3\u003e\n\u003cp\u003eThree pattern styles are supported:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStyle\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003cth\u003eExample\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandard glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e-style, matched against both the full path and the base filename\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDouble-star \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpans zero or more path segments\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTrailing slash \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMatches every file inside the named directory at any depth\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-leakwatchignore\"\u003eExample \u003ccode\u003e.leakwatchignore\u003c/code\u003e\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Ignore all test fixture files\ntest/fixtures/**\n\n# Ignore known placeholder keys in documentation\ndocs/examples/\n\n# Ignore files with a specific extension anywhere in the tree\n*.pem.example\n\n# Re-include a specific file excluded by the rule above\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv 
class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtering is applied \u003cstrong\u003eafter\u003c/strong\u003e the scan completes, based on the file path of each finding. It does not prevent files from being read — it suppresses the findings they produce. To skip files before they are read at all, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file or \u003ccode\u003e--exclude\u003c/code\u003e on \u003ccode\u003escan fs\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inline-ignore-markers\"\u003eInline ignore markers\u003c/h2\u003e\n\u003cp\u003ePlace a marker directly on any source line to suppress detectors for that specific line. The marker can appear anywhere on the line — typically inside a comment — and is applied by the engine \u003cstrong\u003ebefore\u003c/strong\u003e verification, so an ignored line never triggers a network call.\u003c/p\u003e\n\u003ch3 id=\"suppress-all-detectors-on-a-line\"\u003eSuppress all detectors on a line\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Payment processing configuration\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"suppress-a-specific-detector-on-a-line\"\u003eSuppress a specific detector on a line\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e to suppress only one detector while leaving others active:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// This token is intentionally a placeholder for documentation\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# CI environment variable set by the platform — not a real secret\napi_key: 
\u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePrefer the detector-specific form (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) over the generic one whenever possible. It documents which detector you are suppressing and keeps all other detectors active on that line.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"built-in-skips-always-applied\"\u003eBuilt-in skips (always applied)\u003c/h2\u003e\n\u003cp\u003eLeakwatch unconditionally skips the following before running any detector:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary file extensions\u003c/strong\u003e — files with extensions such as \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e, and others are never scanned.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary content detection\u003c/strong\u003e — any file whose first 8 KB contains a null byte is treated as binary and skipped, regardless of extension.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCommon lock files\u003c/strong\u003e — the following filenames are always skipped because they contain hashes and checksums that produce high rates of false 
positives:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFile\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThese built-in skips cannot be disabled. 
They are separate from the \u003ccode\u003efilter.exclude-paths\u003c/code\u003e setting and run before any config-based filtering.\u003c/p\u003e\n\u003ch2 id=\"path-based-exclusion-before-scanning\"\u003ePath-based exclusion before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before they are even read by the scan engine, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in your config file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis setting applies to \u003cstrong\u003eall scan sources\u003c/strong\u003e (filesystem, Git history, container images, cloud storage, Slack). On the \u003ccode\u003escan fs\u003c/code\u003e command you can also pass \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e on the command line, which is the flag-equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full config schema and \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e for detector-level and severity-level filtering.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Severity \u0026 Filtering","description":"Control which findings reach your output using severity thresholds, verified-only mode, detector exclusions, and path 
exclusions.","html":"\u003ch1 id=\"severity--filtering\"\u003eSeverity \u0026amp; Filtering\u003c/h1\u003e\n\u003cp\u003eA busy codebase can produce many findings. Leakwatch provides several independent filters you can combine to focus on the signals that matter most: severity thresholds drop low-priority noise, verified-only mode surfaces only confirmed live secrets, detector exclusions silence known false-positive sources, and path exclusions remove entire directory trees from scope.\u003c/p\u003e\n\u003ch2 id=\"severity-levels\"\u003eSeverity levels\u003c/h2\u003e\n\u003cp\u003eEvery built-in detector ships with a default severity. The four levels, from lowest to highest priority, are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eLevel\u003c/th\u003e\n\u003cth\u003eTypical use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric patterns with a higher false-positive rate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRecognizable credential formats, unconfirmed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWell-structured secrets where exposure is likely significant\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLive secrets confirmed or formats with near-zero false-positive rates\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe severity assigned to each detector is listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-drop-findings-below-a-threshold\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: drop findings 
below a threshold\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e to discard findings whose severity is below the specified level. Only findings at or above the threshold reach the output.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Show only high and critical findings\nleakwatch scan fs . --min-severity high\n\n# Show medium, high, and critical findings\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou can set a persistent default in the config file under \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e. The \u003ccode\u003e--min-severity\u003c/code\u003e flag overrides the config value at run time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-confirmed-active-secrets-only\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: confirmed active secrets only\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--only-verified\u003c/code\u003e to keep only findings whose verification status is \u003ccode\u003everified_active\u003c/code\u003e — secrets that Leakwatch confirmed are still valid by making a controlled read-only call to the provider API. All other findings (unverified, verified-inactive, or verify-error) are dropped.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis flag is most useful in CI pipelines where you want to fail the build \u003cstrong\u003eonly\u003c/strong\u003e on confirmed incidents, not on suspicious patterns that may be placeholders or already-rotated credentials.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for which detectors support live verification.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-disable-specific-detectors\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: disable specific detectors\u003c/h2\u003e\n\u003cp\u003eTo permanently disable one or more detectors, list their IDs under \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in the config file. Findings from listed detectors are never produced, regardless of any other setting:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDetector IDs are listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e. Use this setting when a detector consistently produces false positives for your codebase and other suppression mechanisms (inline ignores or \u003ccode\u003e.leakwatchignore\u003c/code\u003e) are not granular enough.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-skip-paths-before-scanning\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: skip paths before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before the scan engine reads them, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file. 
The patterns use the same glob syntax as \u003ccode\u003e.leakwatchignore\u003c/code\u003e (standard globs, \u003ccode\u003e**\u003c/code\u003e double-star, and trailing-slash directory patterns), and apply to \u003cstrong\u003eall scan sources\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOn the \u003ccode\u003escan fs\u003c/code\u003e command, the \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e flag is the command-line equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. The \u003ccode\u003e--exclude\u003c/code\u003e flag exists \u003cstrong\u003eonly\u003c/strong\u003e on \u003ccode\u003escan fs\u003c/code\u003e — for all other sources, use the config file setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"combining-filters-in-ci\"\u003eCombining filters in CI\u003c/h2\u003e\n\u003cp\u003eIn a CI pipeline you typically want a low-noise, high-signal run that fails only on real incidents. A recommended combination:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
\\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith a config file handling the persistent path exclusions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThen override just the format and destination at the command line for CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for verification details, \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for inline and file-based suppression, and \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full schema.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Custom Rules","description":"How to define your own secret detection patterns in YAML and add them to a Leakwatch scan alongside the 63 built-in detectors.","html":"\u003ch1 id=\"custom-rules\"\u003eCustom 
Rules\u003c/h1\u003e\n\u003cp\u003eThe 63 built-in detectors cover widely used credential formats, but every organisation has internal tokens, proprietary service keys, or environment-specific patterns that no generic tool can anticipate. Custom rules let you extend Leakwatch with your own patterns — defined in plain YAML, loaded at runtime — without modifying source code or rebuilding the binary.\u003c/p\u003e\n\u003ch2 id=\"where-custom-rules-live\"\u003eWhere custom rules live\u003c/h2\u003e\n\u003cp\u003eCustom rules are defined under a top-level \u003ccode\u003ecustom-rules:\u003c/code\u003e list in your \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe rules are registered at runtime when Leakwatch starts. They run alongside the built-in detectors using the same Aho-Corasick pre-filter pipeline.\u003c/p\u003e\n\u003ch2 id=\"rule-fields\"\u003eRule fields\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eRequired\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eUnique detector ID. Used in output and in \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e. 
Must not collide with a built-in detector ID or another custom rule ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eHuman-readable description shown in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2-compatible regular expression. Maximum 4096 characters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003elist of strings\u003c/td\u003e\n\u003ctd\u003eAho-Corasick pre-filter keywords. The regex only runs on chunks that contain at least one of these strings. Omitting this field causes the regex to run on every chunk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, or \u003ccode\u003elow\u003c/code\u003e. Defaults to \u003ccode\u003emedium\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropy threshold (0–8). Matches whose entropy is \u003cstrong\u003ebelow\u003c/strong\u003e this value are discarded. 
Useful for filtering low-randomness false positives.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eAlways supply \u003ccode\u003ekeywords\u003c/code\u003e. Even a single short keyword (like a token prefix) dramatically reduces the number of chunks the regex engine processes, keeping scans fast on large repositories. For example, if all your internal tokens begin with \u003ccode\u003eacme_\u003c/code\u003e, set \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003eentropy\u003c/code\u003e to suppress matches on placeholder values like \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e that satisfy the pattern but are clearly not real secrets. A threshold around 3.0–3.5 is a good starting point.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"collision-handling\"\u003eCollision handling\u003c/h2\u003e\n\u003cp\u003eIf a custom rule's \u003ccode\u003eid\u003c/code\u003e matches an already-registered detector — either a built-in detector or a previously loaded custom rule — the duplicate is \u003cstrong\u003eskipped\u003c/strong\u003e and an error is logged. Leakwatch does not crash; the rest of the rules load normally. Check the log output if a custom rule appears to have no effect.\u003c/p\u003e\n\u003ch2 id=\"verification\"\u003eVerification\u003c/h2\u003e\n\u003cp\u003eCustom rules have no paired verifier. 
Findings from custom rules are always reported with status \u003ccode\u003eunverified\u003c/code\u003e — they never become \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"complete-example\"\u003eComplete example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e defines two custom rules: one for an internal service token and one for a signing secret used in webhooks.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook signing secret (format: whsec_ + 40 base64url chars)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRun a scan with this config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSample JSON output for a custom-rule finding (secret value redacted):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe \u003ccode\u003eraw_redacted\u003c/code\u003e field always masks the actual secret. The raw value is never written to output unless you explicitly pass \u003ccode\u003e--show-raw\u003c/code\u003e (not recommended outside controlled environments).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"excluding-a-custom-rule\"\u003eExcluding a custom rule\u003c/h2\u003e\n\u003cp\u003eCustom rules participate in the same filtering as built-in detectors. 
To disable a custom rule without removing it from config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, including where \u003ccode\u003ecustom-rules:\u003c/code\u003e sits in the document structure.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the 63 built-in detectors, to check for ID conflicts before naming your custom rule.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the Aho-Corasick pre-filter pipeline that \u003ccode\u003ekeywords\u003c/code\u003e plugs into.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Detector Catalog","description":"All 63 built-in detectors grouped by category, with their IDs, what they detect, and their default severity.","html":"\u003ch1 id=\"detector-catalog\"\u003eDetector Catalog\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e that cover a wide range of credential types — from cloud provider access keys and AI API tokens to database connection strings and private cryptographic keys. Each detector has a stable ID, a default severity, and (for most) a paired verifier that can confirm whether a found secret is still live.\u003c/p\u003e\n\u003cp\u003eThis page lists every built-in detector. For verification coverage details see \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e. 
To add your own patterns, see \u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"how-to-read-this-catalog\"\u003eHow to read this catalog\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — the stable string identifier used in config and output. Pass it to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e to skip a detector, or use it with \u003ccode\u003e--min-severity\u003c/code\u003e filtering (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetects\u003c/strong\u003e — what the detector is looking for.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSeverity\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e, \u003ccode\u003eHigh\u003c/code\u003e, or \u003ccode\u003eMedium\u003c/code\u003e. This is the default; it feeds the \u003ccode\u003e--min-severity\u003c/code\u003e flag and the \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e config key.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"cloud-and-infrastructure\"\u003eCloud and Infrastructure\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Service Account Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Connection 
String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID Client Secret\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Service Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ai--ml\"\u003eAI / 
ML\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"payments-and-commerce\"\u003ePayments and Commerce\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Live API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API 
Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dev-tools-ci-and-packages\"\u003eDev Tools, CI, and Packages\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket App Password\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Personal API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API 
Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"communication-and-collaboration\"\u003eCommunication and Collaboration\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/User Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook 
URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Incoming Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Internal Integration Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"email-and-messaging-delivery\"\u003eEmail and Messaging Delivery\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API 
Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Server API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"monitoring-and-observability\"\u003eMonitoring and Observability\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Auth Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API 
Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"databases-and-connection-strings\"\u003eDatabases and Connection Strings\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabase Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Connection Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Service Role Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"identity-and-access\"\u003eIdentity and Access\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API 
Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bind Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"generic-and-cryptographic\"\u003eGeneric and Cryptographic\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric API Key\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePrivate Key (RSA, SSH, DSA, EC, 
PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eTotal: 63 built-in detectors.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"filtering-by-severity\"\u003eFiltering by severity\u003c/h2\u003e\n\u003cp\u003eFindings are filterable by severity using \u003ccode\u003e--min-severity\u003c/code\u003e at the command line or \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e in config. Only findings at or above the specified level are included in the output. See \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"excluding-specific-detectors\"\u003eExcluding specific detectors\u003c/h2\u003e\n\u003cp\u003eTo skip one or more detectors entirely, add their IDs to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for the full filtering reference.\u003c/p\u003e\n\u003ch2 id=\"verification-coverage\"\u003eVerification coverage\u003c/h2\u003e\n\u003cp\u003eSome detectors have a live verifier; others are format-validated only; nine have no verifier at all. 
See \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e for the complete breakdown.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e — define your own detection patterns in YAML.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detectors can be live-verified.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e — filtering findings by severity or detector.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"How It Works","description":"Architecture of the Leakwatch scan pipeline: sources, detection, verification, and output.","html":"\u003ch1 id=\"how-it-works\"\u003eHow It Works\u003c/h1\u003e\n\u003cp\u003eUnderstanding the Leakwatch pipeline helps you tune performance, interpret results, and decide which flags to reach for. This page explains what happens from the moment you run a scan command to the moment a finding appears in your output.\u003c/p\u003e\n\u003ch2 id=\"the-pipeline-at-a-glance\"\u003eThe pipeline at a glance\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Source\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[Worker Pool\\n—concurrency workers]\n B --\u0026gt; C[Aho-Corasick\\nPre-filter]\n C --\u0026gt; D[Regex\\nDetectors]\n D --\u0026gt; E[Inline-ignore\\nCheck]\n E --\u0026gt; F[Verification\\nPool\\n4 workers / 10 rps]\n F --\u0026gt; G[Post-scan\\nFilters]\n G --\u0026gt; H([Output\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach stage is described in detail below.\u003c/p\u003e\n\u003ch2 id=\"1-source\"\u003e1. 
Source\u003c/h2\u003e\n\u003cp\u003eEvery scan starts with a \u003cstrong\u003eSource\u003c/strong\u003e — an abstraction that emits chunks of data for the engine to process. Leakwatch ships six sources:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it emits\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFile contents from a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLayer contents of an OCI/Docker image, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text from channels and DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack scanning covers \u003cstrong\u003emessage text 
only\u003c/strong\u003e. The contents of files uploaded to Slack are not scanned.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eChunks flow into a buffered channel consumed by the worker pool.\u003c/p\u003e\n\u003ch2 id=\"2-worker-pool\"\u003e2. Worker pool\u003c/h2\u003e\n\u003cp\u003eThe engine maintains a fixed pool of \u003cstrong\u003egoroutines\u003c/strong\u003e — one per \u003ccode\u003e--concurrency\u003c/code\u003e value (default: number of CPUs). Each worker pulls a chunk from the channel and runs the detection pipeline independently. Because workers share no mutable state, the pool scales linearly with concurrency up to the limits of I/O and memory.\u003c/p\u003e\n\u003cp\u003eScans respond to \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e: when a cancellation signal arrives, the context is cancelled, workers drain their current chunk and stop, and partial results are collected before output is written.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-keyword-pre-filter\"\u003e3. Aho-Corasick keyword pre-filter\u003c/h2\u003e\n\u003cp\u003eRunning 63 regex patterns on every chunk would be slow. Instead, the engine builds a single \u003cstrong\u003eAho-Corasick multi-pattern automaton\u003c/strong\u003e at startup from the keyword lists declared by each detector. For each chunk, this automaton does a single linear pass and returns only the detectors whose keywords appeared in the chunk's bytes.\u003c/p\u003e\n\u003cp\u003eThis means most detectors never run their regex on most chunks. Detectors that declare no keywords always run (they skip the pre-filter and proceed directly to regex).\u003c/p\u003e\n\u003cp\u003eThe Aho-Corasick implementation comes from \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"4-regex-detectors\"\u003e4. 
Regex detectors\u003c/h2\u003e\n\u003cp\u003eEach shortlisted detector runs its compiled \u003cstrong\u003eregular expression\u003c/strong\u003e against the chunk bytes. When a pattern matches, the detector returns a \u003ccode\u003eRawFinding\u003c/code\u003e containing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe raw secret bytes (held in memory only for verification; never logged or written to disk).\u003c/li\u003e\n\u003cli\u003eA \u003cstrong\u003eredacted\u003c/strong\u003e representation safe for output.\u003c/li\u003e\n\u003cli\u003eOptional extra metadata (e.g. account ID for an AWS key).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via \u003ca href=\"#/detectors/custom-rules\"\u003ecustom YAML rules\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAll detectors are registered at compile time using Go's \u003ccode\u003einit()\u003c/code\u003e function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime.\u003c/p\u003e\n\u003ch2 id=\"5-inline-ignore-check\"\u003e5. Inline-ignore check\u003c/h2\u003e\n\u003cp\u003eBefore a finding is sent to verification, the engine checks whether the source line contains an \u003cstrong\u003einline ignore marker\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eor a detector-scoped variant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the marker is present, the finding is silently dropped \u003cstrong\u003ebefore any network call is made\u003c/strong\u003e. 
This is intentional: ignored secrets should never trigger a live API request.\u003c/p\u003e\n\u003ch2 id=\"6-verification\"\u003e6. Verification\u003c/h2\u003e\n\u003cp\u003eAfter detection completes for all chunks, the engine passes findings to a separate \u003cstrong\u003everification worker pool\u003c/strong\u003e (default 4 workers). Verification:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs guarded by a global \u003cstrong\u003erate limiter\u003c/strong\u003e (default 10 requests per second) shared across all workers.\u003c/li\u003e\n\u003cli\u003eApplies a \u003cstrong\u003eper-request timeout\u003c/strong\u003e (default 10 seconds) to every API call.\u003c/li\u003e\n\u003cli\u003eMakes only \u003cstrong\u003eread-only, non-destructive\u003c/strong\u003e calls to the provider (e.g. \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys).\u003c/li\u003e\n\u003cli\u003eMarks each finding with one of four statuses: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e54 verifiers\u003c/strong\u003e, covering 85.7% of the 63 built-in detector types. The remaining 9 types (such as JWTs and generic API keys) cannot be safely verified and are always reported as \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003ePass \u003ccode\u003e--no-verify\u003c/code\u003e to skip this stage entirely — useful for fast, offline scans.\u003c/p\u003e\n\u003cp\u003eFor a deep dive into verification behavior and status meanings, see \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"7-finding-id-and-entropy\"\u003e7. 
Finding ID and entropy\u003c/h2\u003e\n\u003cp\u003eEach finding receives a \u003cstrong\u003edeterministic ID\u003c/strong\u003e computed as:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(detectorID + redacted + filePath + line) → truncated to 16 hex characters\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe same secret at the same location always produces the same ID, making it safe to deduplicate findings across runs or track them in issue trackers.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropy\u003c/strong\u003e (range 0–8) is computed for each finding and exposed in output for informational purposes. At the engine level, entropy does \u003cstrong\u003enot\u003c/strong\u003e gate or drop built-in findings — a low-entropy match still appears in results. Entropy thresholds only apply inside custom rules, where each rule can declare its own minimum.\u003c/p\u003e\n\u003ch2 id=\"8-post-scan-filters\"\u003e8. Post-scan filters\u003c/h2\u003e\n\u003cp\u003eAfter verification, two filters apply:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — drops all findings that are not \u003ccode\u003everified:active\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — drops findings below the specified severity level (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; default \u003ccode\u003elow\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth filters run after verification so that verification status is available when \u003ccode\u003e--only-verified\u003c/code\u003e is evaluated.\u003c/p\u003e\n\u003ch2 id=\"9-output\"\u003e9. 
Output\u003c/h2\u003e\n\u003cp\u003eSurviving findings are passed to one of four \u003cstrong\u003eformatters\u003c/strong\u003e:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFormat\u003c/th\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eCommon use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (default)\u003c/td\u003e\n\u003ctd\u003eMachine-readable, pipeline-friendly\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, security dashboards\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpreadsheets, data analysis\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTable\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal review, color-coded by severity\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eOutput goes to stdout by default; use \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e to write to a file.\u003c/p\u003e\n\u003cp\u003eA \u003cstrong\u003escan summary\u003c/strong\u003e (date, source type, target, files scanned, duration, findings count, interrupted status) is always printed to \u003cstrong\u003estderr\u003c/strong\u003e after every scan, regardless of format or output destination.\u003c/p\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eLeakwatch is designed so that discovered secrets never leave the process boundary except for verification calls:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRaw secret bytes live only in memory 
during detection and verification.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e--show-raw\u003c/code\u003e flag is \u003ccode\u003efalse\u003c/code\u003e by default; without it, only the redacted representation appears in output.\u003c/li\u003e\n\u003cli\u003eSecrets are never written to disk, logged via \u003ccode\u003eslog\u003c/code\u003e, or cached between runs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"design-decisions\"\u003eDesign decisions\u003c/h2\u003e\n\u003cp\u003eThe architecture reflects several deliberate choices documented as ADRs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO disabled\u003c/strong\u003e (ADR-0001) — single static binary, no runtime dependencies, cross-compiles to all platforms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — hierarchical CLI with \u003ccode\u003eflag \u0026gt; env \u0026gt; config \u0026gt; default\u003c/code\u003e precedence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — pure Go Git library; no external \u003ccode\u003egit\u003c/code\u003e binary required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompile-time detector registration\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + blank imports; type-safe, no runtime plugin loader.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hybrid matching\u003c/strong\u003e (ADR-0005) — pre-filter eliminates most regex work on irrelevant chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonless layer analysis; no Docker daemon required to scan images.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWorker pool\u003c/strong\u003e (ADR-0008) — fixed goroutine count, channel-based fan-out; predictable memory and CPU usage.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca 
href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Installation","description":"Install Leakwatch via Homebrew, go install, Docker, or a prebuilt binary.","html":"\u003ch1 id=\"installation\"\u003eInstallation\u003c/h1\u003e\n\u003cp\u003eGetting Leakwatch onto your machine takes less than a minute. Choose the method that best fits your workflow: Homebrew is the simplest option on macOS and Linux, \u003ccode\u003ego install\u003c/code\u003e is ideal if you already have a Go toolchain, Docker keeps your host system clean, and prebuilt binaries work everywhere without any toolchain at all.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-and-linux\"\u003eHomebrew (macOS and Linux)\u003c/h2\u003e\n\u003cp\u003eThe official tap supports macOS and Linux on both amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe tap is hosted at \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e. 
Homebrew handles upgrades with \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003eGo install\u003c/h2\u003e\n\u003cp\u003eIf you have Go 1.25 or later installed, you can build and install the latest release directly from source:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe binary is placed in \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e. Make sure that directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e always fetches the latest tagged release. To pin a specific version, replace \u003ccode\u003e@latest\u003c/code\u003e with a tag such as \u003ccode\u003e@v1.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eA minimal, multi-stage Alpine image is published to the GitHub Container Registry. 
The image runs as a non-root user (\u003ccode\u003eleakwatch\u003c/code\u003e), has CGO disabled, and uses \u003ccode\u003e/scan\u003c/code\u003e as its working directory.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAvailable tags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container. 
Flags and options work identically to the native binary — see \u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e for the full list.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFor Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see \u003ca href=\"#/ci-cd/docker-usage\"\u003eUsing Docker\u003c/a\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"prebuilt-binary\"\u003ePrebuilt binary\u003c/h2\u003e\n\u003cp\u003eEvery release publishes tarballs for all supported platforms on the \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e page. Download the archive for your platform, extract it, and place the binary on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSupported platforms:\u003c/strong\u003e Linux, macOS, and Windows on amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Example for Linux amd64 — replace OS and ARCH to match your platform\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform naming follows the pattern \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e where \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e is \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e, or \u003ccode\u003eWindows\u003c/code\u003e and \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e is \u003ccode\u003eamd64\u003c/code\u003e or \u003ccode\u003earm64\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"verifying-your-installation\"\u003eVerifying your 
installation\u003c/h2\u003e\n\u003cp\u003eAfter any installation method, confirm the binary is reachable and check the version:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExpected output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the command is not found, check that the install directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind a Leakwatch scan.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — customize scan behavior with \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eUsing Docker\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Introduction","description":"What Leakwatch is, what it scans, and how it detects and verifies leaked secrets.","html":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e is a 
high-performance, open-source (MIT) security tool that \u003cstrong\u003edetects, verifies, and reports leaked secrets\u003c/strong\u003e — API keys, tokens, passwords, connection strings, and private keys — across your codebases, Git history, container images, cloud storage, and Slack workspaces.\u003c/p\u003e\n\u003cp\u003eIt is written in Go, ships as a single static binary with no runtime dependencies (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e), and is built to run anywhere: a developer laptop, a pre-commit hook, or a CI/CD pipeline.\u003c/p\u003e\n\u003ch2 id=\"why-leakwatch\"\u003eWhy Leakwatch\u003c/h2\u003e\n\u003cp\u003eA leaked credential in a single commit — even one later deleted — can stay reachable in Git history forever and be exploited within minutes of being pushed. Leakwatch is designed to catch those secrets early and tell you which ones are \u003cem\u003eactually dangerous\u003c/em\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBroad detection\u003c/strong\u003e — 63 built-in detectors covering cloud providers, AI APIs, payment platforms, databases, messaging tools, and more, plus your own YAML custom rules.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification, not just detection\u003c/strong\u003e — for 54 detector types Leakwatch can confirm whether a found secret is \u003cem\u003estill live\u003c/em\u003e by making a controlled, read-only call to the provider. 
A verified-active key is an incident; an inactive one is noise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMany sources\u003c/strong\u003e — scan a local filesystem, a full Git history, an OCI/Docker image, AWS S3, Google Cloud Storage, and Slack messages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-native output\u003c/strong\u003e — JSON, SARIF (for GitHub Code Scanning), CSV, and a colorized terminal table.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecret-safe by design\u003c/strong\u003e — discovered secrets are redacted by default and are never logged, cached, or written to disk.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"what-it-scans\"\u003eWhat it scans\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it covers\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFiles in a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history (local or remote)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker image layers, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan 
gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text in channels and (optionally) DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eMultiple repos\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSeveral Git repositories at once\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-detection-works-briefly\"\u003eHow detection works, briefly\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses a layered pipeline so it stays fast even on large inputs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick keyword pre-filter\u003c/strong\u003e — a single multi-pattern automaton quickly decides which detectors \u003cem\u003ecould\u003c/em\u003e match a chunk, so most detectors never run their regex.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex validation\u003c/strong\u003e — only the shortlisted detectors run their precise patterns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropy\u003c/strong\u003e — Shannon entropy is computed for display (and used by custom rules to drop low-randomness matches).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification\u003c/strong\u003e — eligible findings are checked against the live provider API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYou don't have to understand the pipeline to use Leakwatch — but it explains why scans are fast and why some findings show a verification status while others don't. 
See \u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e for the full picture.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-leakwatch-is-not\"\u003eWhat Leakwatch is \u003cem\u003enot\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eTo set expectations accurately:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIt does \u003cstrong\u003enot\u003c/strong\u003e rewrite Git history or remove secrets for you — it finds and reports them, and (with \u003ccode\u003e--remediation\u003c/code\u003e) tells you how to rotate them.\u003c/li\u003e\n\u003cli\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e; scanning the \u003cem\u003econtents\u003c/em\u003e of uploaded files is not implemented.\u003c/li\u003e\n\u003cli\u003eVerification is available for many but not all secret types — 9 detector types (such as JWTs and generic API keys) cannot be safely verified and are always reported as unverified.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install via Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker, or a prebuilt binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind the scan.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Quick Start","description":"Run your first Leakwatch scan in under a minute.","html":"\u003ch1 id=\"quick-start\"\u003eQuick Start\u003c/h1\u003e\n\u003cp\u003eThe fastest way to understand what Leakwatch can do is to point it at a real directory. 
This page walks you through your first scan, explains what the output means, and shows the flags you will reach for most often.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eLeakwatch must be installed and accessible on your \u003ccode\u003ePATH\u003c/code\u003e. If you have not done that yet, see \u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"your-first-scan\"\u003eYour first scan\u003c/h2\u003e\n\u003cp\u003eScan the current directory with one command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default, output is JSON written to stdout. To get a human-readable, colorized table instead, add \u003ccode\u003e--format table\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHere is what a result looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe scan summary is always printed to \u003cstrong\u003estderr\u003c/strong\u003e, so it never interferes with piped or redirected output.\u003c/p\u003e\n\u003ch2 
id=\"understanding-a-finding\"\u003eUnderstanding a finding\u003c/h2\u003e\n\u003cp\u003eEach row in the table (or object in JSON) represents one finding. The key fields are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHow critical the secret type is: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eThe detector that matched — identifies the secret type (e.g. \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the file where the secret was found, relative to the scan root\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eLine number of the match\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eA masked representation of the secret — never the raw value unless \u003ccode\u003e--show-raw\u003c/code\u003e is set\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eVerification outcome: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA 
\u003ccode\u003everified:active\u003c/code\u003e status means Leakwatch confirmed the secret is still live by making a read-only API call to the provider. \u003cstrong\u003eTreat every \u003ccode\u003everified:active\u003c/code\u003e finding as an open incident.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"common-scan-options\"\u003eCommon scan options\u003c/h2\u003e\n\u003ch3 id=\"focus-on-confirmed-secrets-only\"\u003eFocus on confirmed secrets only\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis hides unverified and inactive findings, leaving only those confirmed live. Useful for triage when you have many results.\u003c/p\u003e\n\u003ch3 id=\"skip-network-verification-for-a-fast-offline-scan\"\u003eSkip network verification for a fast offline scan\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVerification is skipped entirely — no outbound network calls are made. Results appear faster and work without internet access, but all findings are marked \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"add-remediation-guidance\"\u003eAdd remediation guidance\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach finding gains a \u003cstrong\u003eREMEDIATION\u003c/strong\u003e column explaining how to rotate or revoke the specific secret type. The same data is included in JSON, SARIF, and CSV output when the flag is set.\u003c/p\u003e\n\u003ch3 id=\"filter-by-minimum-severity\"\u003eFilter by minimum severity\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnly findings at \u003ccode\u003ehigh\u003c/code\u003e or \u003ccode\u003ecritical\u003c/code\u003e severity are reported.\u003c/p\u003e\n\u003ch3 id=\"save-results-to-a-file\"\u003eSave results to a file\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe \u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e flag writes to a file instead of stdout. SARIF output is compatible with \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"generate-a-configuration-file\"\u003eGenerate a configuration file\u003c/h2\u003e\n\u003cp\u003eRunning Leakwatch with defaults is fine for a first try, but for repeated use you will want a project-level configuration:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis writes \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory with recommended defaults for concurrency, entropy, verification, output format, and common path exclusions. 
Use \u003ccode\u003e--force\u003c/code\u003e to overwrite an existing file, or \u003ccode\u003e--output\u003c/code\u003e to write to a different path.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for a full explanation of every option.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses distinct exit codes so CI scripts can act on results without parsing output:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — no findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — one or more secrets found\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed due to an error\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA typical CI gate looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Active secrets found — failing build\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is returned whenever \u003cem\u003eany\u003c/em\u003e finding passes the active filters (including \u003ccode\u003e--min-severity\u003c/code\u003e and \u003ccode\u003e--only-verified\u003c/code\u003e). 
A clean exit code \u003ccode\u003e0\u003c/code\u003e means no findings matched — not that no secrets exist in the codebase.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cancelling-a-scan\"\u003eCancelling a scan\u003c/h2\u003e\n\u003cp\u003ePress \u003ccode\u003eCtrl+C\u003c/code\u003e (or send \u003ccode\u003eSIGTERM\u003c/code\u003e) to cancel a running scan. Leakwatch stops gracefully: in-flight chunks finish, partial results are written, and the summary indicates \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Output Formats","description":"The four output formats Leakwatch supports — JSON, SARIF, CSV, and table — with examples and guidance on when to use each.","html":"\u003ch1 id=\"output-formats\"\u003eOutput Formats\u003c/h1\u003e\n\u003cp\u003eLeakwatch supports four output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, and human-readable terminal review. Select a format with \u003ccode\u003e--format\u003c/code\u003e (or \u003ccode\u003e-f\u003c/code\u003e); write to a file instead of stdout with \u003ccode\u003e--output\u003c/code\u003e (or \u003ccode\u003e-o\u003c/code\u003e).\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe default format is \u003ccode\u003ejson\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON is the default format and the most complete representation. Leakwatch writes a JSON \u003cstrong\u003earray\u003c/strong\u003e of finding objects to stdout (or to the file given by \u003ccode\u003e--output\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003eThe raw secret value is \u003cstrong\u003enever\u003c/strong\u003e serialized unless \u003ccode\u003e--show-raw\u003c/code\u003e is explicitly set. With \u003ccode\u003e--show-raw\u003c/code\u003e, a \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e field is added to each object.\u003c/p\u003e\n\u003ch3 id=\"example-invocation\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-finding-object\"\u003eExample finding object\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n 
\u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--remediation\u003c/code\u003e is also set, a \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e object is nested inside each finding. See \u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esarif\u003c/code\u003e format produces a SARIF v2.1.0 document, designed for upload to \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e. The tool name is \u003ccode\u003eLeakwatch\u003c/code\u003e and \u003ccode\u003einformationUri\u003c/code\u003e points to \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eEach detector that appears in the findings becomes a \u003cstrong\u003erule\u003c/strong\u003e in the SARIF driver, complete with \u003ccode\u003ehelp\u003c/code\u003e text (populated from remediation steps when \u003ccode\u003e--remediation\u003c/code\u003e is set) and a \u003ccode\u003ehelpUri\u003c/code\u003e pointing to the provider documentation. Results carry a \u003ccode\u003eleakwatch/v1\u003c/code\u003e partial fingerprint computed from the detector ID, redacted value, and file path — this lets GitHub Code Scanning track the same alert even when surrounding code shifts.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-1\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"uploading-to-github-code-scanning\"\u003eUploading to GitHub Code Scanning\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# In a GitHub Actions workflow step:\n- name: Upload SARIF results\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e for the full CI setup.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003ecsv\u003c/code\u003e format writes a header row followed by one row per finding, using standard comma-separated values. Every cell is sanitized against spreadsheet formula injection before writing.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns (default):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eraw\u003c/code\u003e column is appended.\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003eremediation\u003c/code\u003e column contains the remediation title (e.g. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) when \u003ccode\u003e--remediation\u003c/code\u003e is set, and is empty otherwise.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-2\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"table\"\u003eTable\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003etable\u003c/code\u003e format writes a human-readable tab-aligned table, best suited for interactive terminal sessions where you want a quick visual scan of the results.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eRAW\u003c/code\u003e column is appended. A summary line is printed at the bottom of the table (e.g. 
\u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI color\u003c/strong\u003e is applied to the \u003ccode\u003eSEVERITY\u003c/code\u003e column automatically, but only when all four conditions are met:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e is selected\u003c/li\u003e\n\u003cli\u003eOutput goes to stdout (no \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003estdout is a TTY (not a pipe or redirect)\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNO_COLOR\u003c/code\u003e environment variable is unset\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003cth\u003eColor\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBold red\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYellow\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBlue\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-invocation-3\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output-1\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"common-output-flags\"\u003eCommon output flags\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (default \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite to file instead of stdout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eInclude unredacted secret value in output\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eDrop findings below this severity 
level\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eKeep only \u003ccode\u003everified_active\u003c/code\u003e findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eEnrich findings with provider remediation guidance\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Remediation Guidance","description":"Use --remediation to enrich findings with provider-specific rotation and revocation steps, urgency ratings, and official documentation links.","html":"\u003ch1 id=\"remediation-guidance\"\u003eRemediation Guidance\u003c/h1\u003e\n\u003cp\u003eKnowing a secret is leaked is only half the work — you also need to know what to do about it. Passing \u003ccode\u003e--remediation\u003c/code\u003e to any scan command enriches each finding with structured, provider-specific guidance: the steps to rotate or revoke the credential, a link to the provider's documentation, a link to the management console, an urgency rating, and a verification checklist.\u003c/p\u003e\n\u003ch2 id=\"how-to-enable-it\"\u003eHow to enable it\u003c/h2\u003e\n\u003cp\u003eAdd \u003ccode\u003e--remediation\u003c/code\u003e to any scan command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . 
--remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRemediation enrichment is disabled by default. When the flag is absent, the \u003ccode\u003eremediation\u003c/code\u003e field in each finding is \u003ccode\u003enull\u003c/code\u003e and no extra data is fetched or computed.\u003c/p\u003e\n\u003ch2 id=\"what-it-contains\"\u003eWhat it contains\u003c/h2\u003e\n\u003cp\u003eEach remediation entry includes the following fields:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShort name of the remediation action (e.g. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOrdered list of steps to rotate or revoke the secret\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLink to the provider's official credential-management documentation\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDirect link to the provider's management console page\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHow quickly to act: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e, or 
\u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePost-rotation verification steps (e.g. review audit logs, notify the security team)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch ships 63 remediation entries — one for every built-in detector. All 63 entries are included in the binary; no network calls are made to fetch guidance.\u003c/p\u003e\n\u003ch2 id=\"how-it-appears-in-each-format\"\u003eHow it appears in each format\u003c/h2\u003e\n\u003cp\u003eEnrichment adds the guidance to the finding object in memory. How it surfaces depends on the output format:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — the full structured \u003ccode\u003eremediation\u003c/code\u003e object is nested inside each finding:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n 
},\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — the \u003ccode\u003esteps\u003c/code\u003e are embedded in the rule's \u003ccode\u003ehelp.text\u003c/code\u003e field, and \u003ccode\u003edoc_url\u003c/code\u003e is set as the rule's \u003ccode\u003ehelpUri\u003c/code\u003e. This surfaces directly in GitHub Code Scanning's alert details panel.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is written to the \u003ccode\u003eremediation\u003c/code\u003e column. The full structured guidance is not included in the CSV output.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTable\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is shown in the \u003ccode\u003eREMEDIATION\u003c/code\u003e column.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--remediation --format json\u003c/code\u003e when you need the full structured guidance for automated incident-response workflows. 
Use \u003ccode\u003e--remediation --format table\u003c/code\u003e for a quick human-readable triage session in the terminal.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnrichment runs only when \u003ccode\u003e--remediation\u003c/code\u003e is set. Without the flag, the \u003ccode\u003eremediation\u003c/code\u003e field is absent from JSON and SARIF output, and the CSV and table \u003ccode\u003eremediation\u003c/code\u003e columns are empty. The flag does not modify the original scan results — it adds a layer on top.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Reference","description":"Complete reference for every Leakwatch command, subcommand, and flag.","html":"\u003ch1 id=\"cli-reference\"\u003eCLI Reference\u003c/h1\u003e\n\u003cp\u003eThis page is the authoritative reference for all Leakwatch commands and flags. 
For conceptual explanations and worked examples, follow the cross-links to the relevant scanning or configuration pages.\u003c/p\u003e\n\u003ch2 id=\"global-flags\"\u003eGlobal flags\u003c/h2\u003e\n\u003cp\u003eThese flags are available on every command and subcommand.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eauto-discovered \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a configuration file. When omitted, Leakwatch searches the current directory and its parents for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLogging verbosity: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e, or \u003ccode\u003eerror\u003c/code\u003e. 
Log output goes to stderr and does not affect scan results.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003ePrints the binary version, commit hash, and build timestamp, then exits.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGenerates a \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file in the current directory with recommended defaults.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite the config file to this path instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOverwrite an existing config file. 
Without this flag, \u003ccode\u003einit\u003c/code\u003e exits with an error if the output file already exists.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Generate the default config\nleakwatch init\n\n# Overwrite an existing config\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eParent command for all scan subcommands. Has no behavior on its own; run a subcommand.\u003c/p\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003cp\u003eThe following flags are available on \u003cstrong\u003eall\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e subcommands.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file path instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU 
count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files or blobs larger than this number of bytes.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw (unredacted) secret value in output. Use with caution.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable live secret verification. No outbound API calls are made.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings that Leakwatch has confirmed are active via live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to include in output: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or 
\u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance (rotation/revocation steps) to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans a local directory tree.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e defaults to \u003ccode\u003e.\u003c/code\u003e. Accepts at most one positional argument.\u003c/p\u003e\n\u003ch4 id=\"filesystem-specific-flags\"\u003eFilesystem-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob pattern for paths to exclude. Repeatable.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory, print a colorized table\nleakwatch scan fs . --format table\n\n# Save SARIF output, exclude test files and vendor\nleakwatch scan fs . 
\\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the full commit history of a local or remote Git repository.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required: a local path or an HTTP/HTTPS/SSH URL.\u003c/p\u003e\n\u003ch4 id=\"git-specific-flags\"\u003eGit-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default branch.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eShallow clone depth for remote repositories. 
\u003ccode\u003e0\u003c/code\u003e fetches the full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-1\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan full local history\nleakwatch scan git . --format table\n\n# Scan only commits added by a pull request\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the layers of an OCI/Docker image for secrets. Leakwatch is daemonless and pulls directly from the registry — no Docker socket is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"examples-2\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a public image\nleakwatch scan image nginx:latest --format table\n\n# Scan a private registry image and save JSON output\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in an AWS S3 bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"s3-specific-flags\"\u003eS3-specific 
flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket. Falls back to \u003ccode\u003eAWS_REGION\u003c/code\u003e environment variable or the AWS SDK default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-3\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire bucket\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Scan only a specific prefix\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in a Google Cloud Storage bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix 
\u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID. Required when the bucket's project cannot be inferred from the default credentials.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-4\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire GCS bucket\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Scan a prefix\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans message text in a Slack workspace.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo positional arguments.\u003c/p\u003e\n\u003ch4 id=\"slack-specific-flags\"\u003eSlack-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token. 
Can also be set via \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to scan. Scans all accessible channels when omitted.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only messages posted after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude direct messages (requires additional OAuth scopes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-5\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan all accessible channels\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Scan specific channels since a date\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 
id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans multiple Git repositories in parallel.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRequires at least two positional arguments (repository URLs or local paths).\u003c/p\u003e\n\u003ch4 id=\"repos-specific-flags\"\u003eRepos-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan concurrently.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eWorker concurrency within each repository scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-6\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan two repositories in parallel\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Increase parallelism for a large set of repos\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"see-also\"\u003eSee 
also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e — configure Leakwatch without flags.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — detailed \u003ccode\u003escan fs\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — detailed \u003ccode\u003escan git\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Environment Variables","description":"Environment variables that configure Leakwatch behavior without flags.","html":"\u003ch1 id=\"environment-variables\"\u003eEnvironment Variables\u003c/h1\u003e\n\u003cp\u003eLeakwatch reads configuration from three sources in priority order: \u003cstrong\u003ecommand-line flags\u003c/strong\u003e override \u003cstrong\u003eenvironment variables\u003c/strong\u003e, which override the \u003cstrong\u003econfig file\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e), which falls back to built-in \u003cstrong\u003edefaults\u003c/strong\u003e. 
Environment variables are useful in CI environments where you cannot modify a config file or pass flags to every invocation.\u003c/p\u003e\n\u003ch2 id=\"configuration-variable-pattern\"\u003eConfiguration variable pattern\u003c/h2\u003e\n\u003cp\u003eAny key from \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e can be set as an environment variable by:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eUppercasing the key name.\u003c/li\u003e\n\u003cli\u003eReplacing \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrepending \u003ccode\u003eLEAKWATCH_\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor example, the config key \u003ccode\u003escan.concurrency\u003c/code\u003e becomes \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"variable-reference\"\u003eVariable reference\u003c/h2\u003e\n\u003ch3 id=\"leakwatch-specific-variables\"\u003eLeakwatch-specific variables\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack bot token for \u003ccode\u003escan slack\u003c/code\u003e. Equivalent to \u003ccode\u003e--token\u003c/code\u003e. Set this instead of passing the token as a flag to avoid it appearing in shell history or CI logs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers. 
Equivalent to \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSet to \u003ccode\u003efalse\u003c/code\u003e to disable live verification globally. Equivalent to \u003ccode\u003e--no-verify\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum verification requests per second across all verifiers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault output format (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e). Equivalent to \u003ccode\u003e--format\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum Shannon entropy for a match to be reported. Float value, e.g. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"display-variable\"\u003eDisplay variable\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWhen set to any non-empty value, disables ANSI color codes in the \u003ccode\u003etable\u003c/code\u003e output formatter. 
Follows the \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e convention.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-variables-for-scan-s3-and-aws-secret-verification\"\u003eAWS variables (for \u003ccode\u003escan s3\u003c/code\u003e and AWS secret verification)\u003c/h3\u003e\n\u003cp\u003eThese are standard AWS SDK environment variables. Leakwatch passes them through to the AWS SDK v2 default credential chain.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS access key ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS secret access key.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS session token (for temporary credentials).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault AWS region.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNamed profile from \u003ccode\u003e~/.aws/credentials\u003c/code\u003e to use.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-variable-for-scan-gcs\"\u003eGCS variable (for \u003ccode\u003escan 
gcs\u003c/code\u003e)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a Google service-account JSON key file. Used by Application Default Credentials when scanning a GCS bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence-example\"\u003ePrecedence example\u003c/h2\u003e\n\u003cp\u003eGiven this setup:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e sets \u003ccode\u003eoutput.format: table\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e is set in the environment\u003c/li\u003e\n\u003cli\u003eThe command is run as \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e (no \u003ccode\u003e--format\u003c/code\u003e flag)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe effective format is \u003ccode\u003ejson\u003c/code\u003e because the environment variable overrides the config file.\u003c/p\u003e\n\u003cp\u003eIf the command is run as \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e, the effective format is \u003ccode\u003esarif\u003c/code\u003e because the flag overrides everything.\u003c/p\u003e\n\u003ch2 id=\"credentials-for-verification-vs-credentials-for-scanning\"\u003eCredentials for verification vs. credentials for scanning\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe AWS and GCP variables above are consumed to \u003cstrong\u003eauthenticate Leakwatch itself\u003c/strong\u003e when it connects to S3 or GCS to retrieve objects for scanning. 
They are not used to verify found secrets. Verification of a discovered AWS key, for example, uses that discovered key itself to call AWS STS — not the runner's credentials.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"passing-secrets-safely-in-ci\"\u003ePassing secrets safely in CI\u003c/h2\u003e\n\u003cp\u003eIn GitHub Actions, use encrypted secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn GitLab CI, use masked CI/CD variables:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # defined as a masked variable in project settings\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNever hard-code token values in workflow files or Dockerfiles.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — full \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e key reference.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eCloud Storage Scanning\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e and \u003ccode\u003escan gcs\u003c/code\u003e credentials.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Scanning\u003c/a\u003e — Slack token scopes and permissions.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — equivalent command-line flags.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Exit Codes","description":"Leakwatch exit code reference and how to use them in scripts and CI pipelines.","html":"\u003ch1 id=\"exit-codes\"\u003eExit Codes\u003c/h1\u003e\n\u003cp\u003eLeakwatch uses a small, well-defined set of exit codes so that CI pipelines and shell scripts can act on scan results 
without parsing output. Every scan subcommand exits with one of three codes.\u003c/p\u003e\n\u003ch2 id=\"code-reference\"\u003eCode reference\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eName\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eClean\u003c/td\u003e\n\u003ctd\u003eThe scan completed successfully and no findings passed the active filters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFindings\u003c/td\u003e\n\u003ctd\u003eThe scan completed and one or more secrets were found (and passed the active filters).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eError\u003c/td\u003e\n\u003ctd\u003eA hard error occurred — for example, an invalid flag, an unreadable path, or an authentication failure. An \u003ccode\u003eError: ...\u003c/code\u003e message and a usage hint are printed to stderr.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-filters-affect-exit-code-1\"\u003eHow filters affect exit code 1\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is only emitted when at least one finding survives all active output filters. The two most relevant filters are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — findings below the threshold are suppressed. 
If all findings are \u003ccode\u003elow\u003c/code\u003e severity and you run with \u003ccode\u003e--min-severity high\u003c/code\u003e, exit code \u003ccode\u003e0\u003c/code\u003e is returned even though secrets exist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — only findings confirmed active by live verification are reported. If no active secrets are found, exit code \u003ccode\u003e0\u003c/code\u003e is returned.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis means exit code \u003ccode\u003e0\u003c/code\u003e means \u0026quot;no findings matched your current filter settings\u0026quot; — not necessarily that the codebase contains no secrets at all.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eA clean \u003ccode\u003e0\u003c/code\u003e exit under \u003ccode\u003e--only-verified\u003c/code\u003e does not guarantee the codebase is secret-free. Secrets for which verification is unavailable (9 detector types) are always reported as unverified and are suppressed by \u003ccode\u003e--only-verified\u003c/code\u003e. Pair \u003ccode\u003e--only-verified\u003c/code\u003e with a separate unfiltered scan if you need full coverage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"using-exit-codes-in-shell-scripts\"\u003eUsing exit codes in shell scripts\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;No secrets found. 
Build continues.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Secrets found — review leakwatch.json and remediate before merging.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch encountered an error (exit $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eset +e\u003c/code\u003e before the scan prevents the shell from exiting on non-zero codes, giving you the chance to capture and handle the code yourself.\u003c/p\u003e\n\u003ch2 id=\"using-exit-codes-in-ci-pipelines\"\u003eUsing exit codes in CI pipelines\u003c/h2\u003e\n\u003cp\u003eMost CI systems treat any non-zero exit code as a step failure. Since Leakwatch exits \u003ccode\u003e1\u003c/code\u003e when secrets are found, the pipeline fails automatically without any extra configuration — simply run the scan command.\u003c/p\u003e\n\u003cp\u003eTo allow the pipeline to continue even when secrets are found (for example, to collect the report without blocking the build), explicitly ignore the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in GitLab CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in the GitHub Action, set \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"exit-code-2-in-practice\"\u003eExit code 2 in practice\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e2\u003c/code\u003e indicates a configuration or runtime error that prevented the scan from running at all. 
Common causes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn invalid flag value (for example, \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA path that does not exist or is not readable.\u003c/li\u003e\n\u003cli\u003eA missing required argument (for example, \u003ccode\u003escan git\u003c/code\u003e with no URL).\u003c/li\u003e\n\u003cli\u003eAn authentication error when connecting to a cloud source.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe error message is printed to stderr and includes context to help diagnose the problem:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — how to wire exit codes into GitLab CI, Jenkins, and others.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — how the official action maps exit codes to step outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Cloud Storage (S3 \u0026 GCS)","description":"Scan AWS S3 and Google Cloud Storage buckets for leaked secrets.","html":"\u003ch1 id=\"cloud-storage-s3--gcs\"\u003eCloud Storage (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSecrets regularly end up in cloud storage — exported database dumps, environment files, CI artefacts, and log archives all flow into buckets that may be readable by more people than intended. 
Leakwatch can scan AWS S3 and Google Cloud Storage buckets object-by-object and flag any secrets it finds before they become an incident.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"usage\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003es3://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses the standard \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS default credential chain\u003c/a\u003e:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnvironment variables (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared credentials file (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared configuration file (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIAM role attached to the instance or task (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNo additional configuration is required if you are already authenticated with the AWS CLI (\u003ccode\u003eaws configure\u003c/code\u003e or an assumed role).\u003c/p\u003e\n\u003ch3 id=\"s3-specific-flags\"\u003eS3-specific 
flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eFrom AWS config\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-examples\"\u003eS3 examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific key prefix in a given region:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--prefix\u003c/code\u003e to limit the scan to a relevant sub-path. Scanning a large bucket with millions of objects can be slow and may incur S3 GET request costs. 
Narrow the prefix to what actually matters — for example \u003ccode\u003econfigs/\u003c/code\u003e or \u003ccode\u003eexports/\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"usage-1\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003egs://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication-1\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e. 
The credential search order is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e environment variable pointing to a service-account key file.\u003c/li\u003e\n\u003cli\u003eUser credentials set up by \u003ccode\u003egcloud auth application-default login\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eService account attached to a Google Compute Engine instance, Cloud Run service, or GKE workload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID (required by some ADC configurations).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-examples\"\u003eGCS examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket with a specific GCP project:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific prefix:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOutput as CSV:\u003c/p\u003e\n\u003cpre\u003e\u003ccode 
class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h2\u003e\n\u003cp\u003eBoth \u003ccode\u003es3\u003c/code\u003e and \u003ccode\u003egcs\u003c/code\u003e support the same common scan flags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip objects larger than this value 
(bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions (applied to object keys) are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. 
Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (authentication error, bucket not found, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. 
Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Container Images","description":"Scan OCI and Docker image layers for leaked secrets without a Docker daemon.","html":"\u003ch1 id=\"container-images\"\u003eContainer Images\u003c/h1\u003e\n\u003cp\u003eContainer images are a common hiding place for secrets: API keys baked into environment variables, credentials embedded in build layers, and configuration files copied into image layers and then forgotten. \u003ccode\u003eleakwatch scan image\u003c/code\u003e inspects every layer of an OCI or Docker image and surfaces those secrets before the image is deployed.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: an image reference in standard \u003ccode\u003ename:tag\u003c/code\u003e notation. 
Leakwatch uses \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e to pull and inspect images \u003cstrong\u003edaemonlessly\u003c/strong\u003e — no running Docker daemon is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a Docker Hub image\nleakwatch scan image nginx:latest\n\n# Scan a private GitHub Container Registry image\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Scan an Amazon ECR image\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"supported-registries\"\u003eSupported registries\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eRegistry\u003c/th\u003e\n\u003cth\u003eExample reference\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAny OCI-compatible registry\u003c/td\u003e\n\u003ctd\u003eStandard \u003ccode\u003eregistry/name:tag\u003c/code\u003e form\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses the standard 
credential keychain used by Docker and other OCI tools. If you are already authenticated via \u003ccode\u003edocker login\u003c/code\u003e (or an equivalent tool such as \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, or cloud-provider credential helpers), Leakwatch will use those credentials automatically.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Log in to GHCR first\ndocker login ghcr.io\n\n# Then scan — credentials are picked up automatically\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor Amazon ECR, configure the ECR credential helper or set \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e and related environment variables before scanning.\u003c/p\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch pulls the image manifest, iterates over each layer in order, and extracts the files within each layer. Each file's content is run through the same detection pipeline as a filesystem scan. Path exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply here, limiting which file paths inside layers are examined.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003cp\u003eThere are no image-specific flags. 
All common scan flags apply:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in 
output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. 
See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e for details.\u003c/p\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan a Docker Hub image and print results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a private registry image and save SARIF output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan and show only verified active secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInclude remediation guidance in JSON output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from an image scan includes layer metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe image reference that was scanned.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe layer digest where the finding was 
detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe path of the file within the layer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIntegrate container image scanning into your CI/CD pipeline's build stage to catch secrets before the image is pushed to a registry. Use \u003ccode\u003e--format sarif\u003c/code\u003e to upload results directly to GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (image not found, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. 
Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Filesystem","description":"Scan a local directory tree for leaked secrets with leakwatch scan fs.","html":"\u003ch1 id=\"filesystem\"\u003eFilesystem\u003c/h1\u003e\n\u003cp\u003eLocal source code is where secrets most often appear first. The \u003ccode\u003eleakwatch scan fs\u003c/code\u003e command walks every file in a directory tree, runs the full detection pipeline on each one, and reports any findings before they can be committed — or after the fact on an existing codebase.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e is optional. When omitted, Leakwatch scans the current working directory (\u003ccode\u003e.\u003c/code\u003e). 
Only one path argument is accepted.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory\nleakwatch scan fs\n\n# Scan a specific project folder\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"what-the-filesystem-source-skips-automatically\"\u003eWhat the filesystem source skips automatically\u003c/h2\u003e\n\u003cp\u003eTo keep scans fast and noise-free, the filesystem source skips the following without any configuration:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBinary files\u003c/strong\u003e — detected by the presence of a null byte in the first 8 KB of the file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKnown binary extensions\u003c/strong\u003e — common compiled, image, audio, video, and archive formats.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLock files\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e, and similar.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"filesystem-specific\"\u003eFilesystem-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (repeatable)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob patterns for paths to exclude. 
Can be repeated or comma-separated.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in 
output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the current directory and print a colorized table to the terminal:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude test files and vendor directories, then save SARIF output for GitHub Code Scanning:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eLimit file size to 5 MB and increase worker count for a large monorepo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eShow only high-severity findings and include rotation instructions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"excluding-paths\"\u003eExcluding paths\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003e--exclude\u003c/code\u003e flag accepts glob patterns and can be specified multiple times or as a comma-separated list:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Two separate flags\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Comma-separated\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor permanent exclusion rules shared across your team, add them to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Those rules apply to every source, not just filesystem scans. You can also create a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your project root. 
See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e and \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (configuration error, unreadable path, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary (source type, target, file count, duration, and finding count) is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eRun \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e during development to get a quick visual overview. 
Switch to \u003ccode\u003e--format sarif\u003c/code\u003e in CI pipelines to integrate with GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure default format, exclusions, and more.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e and inline suppression.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history, not just the working tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git History","description":"Scan the full commit history of a local or remote Git repository for leaked secrets.","html":"\u003ch1 id=\"git-history\"\u003eGit History\u003c/h1\u003e\n\u003cp\u003eA secret that was committed and then deleted is still present in every earlier commit, reachable to anyone with repository access. 
\u003ccode\u003eleakwatch scan git\u003c/code\u003e walks the \u003cem\u003eentire\u003c/em\u003e commit history of a repository — local or remote — and surfaces those secrets before they can be exploited.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: either a \u003cstrong\u003elocal filesystem path\u003c/strong\u003e to a repository (\u003ccode\u003e.\u003c/code\u003e for the current directory) or a \u003cstrong\u003eremote HTTP/HTTPS or SSH URL\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e for all Git operations — a pure Go implementation with no dependency on a system \u003ccode\u003egit\u003c/code\u003e binary.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the local repository in the current directory\nleakwatch scan git .\n\n# Scan a remote repository over HTTPS\nleakwatch scan git https://github.com/org/repo.git\n\n# Scan over SSH\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch walks every commit in the history and examines the blobs introduced by each commit. \u003cstrong\u003eBlob-hash deduplication\u003c/strong\u003e ensures that identical file content is scanned only once, no matter how many commits reference it. 
This keeps scan time proportional to the \u003cem\u003eunique content\u003c/em\u003e in the repository rather than to the raw commit count.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause Leakwatch examines commit-by-commit diffs, it finds secrets that were introduced and later deleted — content that is invisible in the current working tree.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"git-specific\"\u003eGit-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD (diff-based).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eClone depth for \u003cstrong\u003eremote repositories only\u003c/strong\u003e. 
\u003ccode\u003e0\u003c/code\u003e means full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in 
output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the full history of the local repository and print a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only commits made after a specific date on the \u003ccode\u003edevelop\u003c/code\u003e branch:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan changes introduced since a specific commit (useful in CI to check only new commits):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDo a shallow clone of a large remote repository to speed up the initial scan:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a remote repository and save verified findings only as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Git scan includes commit metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eURL or path of the scanned repository (credentials stripped).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit hash where the secret was introduced.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit author name and 
email.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit timestamp.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBranch context (when available).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--since-commit\u003c/code\u003e in pull-request CI jobs to scan only the commits added by the PR. Use \u003ccode\u003e--since \u0026lt;date\u0026gt;\u003c/code\u003e for scheduled nightly scans covering recent activity.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eWhen a repository URL contains embedded credentials (for example \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch strips those credentials before writing anything to logs or output, so the token never appears in scan results or CI traces.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (invalid URL, authentication error, 
etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eMultiple Repositories\u003c/a\u003e — scan several repositories in one command.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan the working tree instead of history.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Multiple Repositories","description":"Scan several Git repositories concurrently and combine results into a single report.","html":"\u003ch1 id=\"multiple-repositories\"\u003eMultiple Repositories\u003c/h1\u003e\n\u003cp\u003eWhen an organization grows, secrets can land in any of dozens or hundreds of repositories. Checking them one by one is impractical. 
\u003ccode\u003eleakwatch scan repos\u003c/code\u003e accepts multiple repository URLs and scans them concurrently, merging all findings into a single output — one command, one report.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command requires \u003cstrong\u003eat least two\u003c/strong\u003e repository URLs. All repositories are cloned, scanned, and cleaned up automatically. The combined finding count and a single scan summary are reported at the end.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-works\"\u003eHow it works\u003c/h2\u003e\n\u003cp\u003eLeakwatch spawns up to \u003ccode\u003e--parallel\u003c/code\u003e repository scans at once. Each repository is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCloned from the provided URL (credentials are stripped from logs and output for safety).\u003c/li\u003e\n\u003cli\u003eScanned with the full detection pipeline, using \u003ccode\u003e--concurrency\u003c/code\u003e workers for that repository.\u003c/li\u003e\n\u003cli\u003eCleaned up (the temporary clone is deleted) once the scan completes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAll findings from all repositories are collected and written as a single output, as if the scan had been a single-source run. 
The displayed target is \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"multi-repo-specific\"\u003eMulti-repo-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan in parallel.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of 
stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers \u003cstrong\u003eper repository\u003c/strong\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, 
\u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply to all repositories. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan two repositories and display results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan five repositories with higher parallelism and save the combined results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan with more workers per repository and show only verified findings:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 
id=\"tuning-parallelism\"\u003eTuning parallelism\u003c/h2\u003e\n\u003cp\u003eTwo knobs control throughput:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e controls how many repository clones and scans run simultaneously. The default of \u003ccode\u003e3\u003c/code\u003e is appropriate for most workloads. Raise it when network bandwidth and CPU headroom allow; lower it on constrained machines.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e) controls how many worker goroutines process file blobs \u003cem\u003ewithin\u003c/em\u003e each individual repository. This is the same flag available on all scan commands.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTotal concurrent operations at peak = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf one or more repository scans fail (for example, due to a network error or authentication failure), Leakwatch logs the error and continues scanning the remaining repositories. The exit code will be \u003ccode\u003e2\u003c/code\u003e if any individual repo scan failed, even if other repos produced findings.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eAny embedded credentials in repository URLs (e.g. 
\u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e) are stripped before the URL is written to logs, output, or the scan summary.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOne or more repository scans failed, or a configuration error occurred.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. 
Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan a single repository in depth.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure shared defaults for all sources.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Workspace","description":"Scan Slack channel and DM message text for leaked secrets.","html":"\u003ch1 id=\"slack-workspace\"\u003eSlack Workspace\u003c/h1\u003e\n\u003cp\u003eDevelopers frequently share credentials in chat — a token pasted into a channel for a quick test, a password sent in a DM, or an API key mentioned in an incident thread. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e reads message text across your Slack workspace and flags any secrets it finds.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch scans \u003cstrong\u003emessage text only\u003c/strong\u003e. Scanning the contents of uploaded files (attachments, snippets) is not implemented. 
Only the text body of messages is analysed.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis command takes \u003cstrong\u003eno positional arguments\u003c/strong\u003e. All configuration is provided through flags or environment variables.\u003c/p\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eA Slack Bot Token is required. Provide it via the \u003ccode\u003e--token\u003c/code\u003e flag or the \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e environment variable. Using an environment variable is recommended so the token never appears in shell history or process listings.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"required-bot-token-scopes\"\u003eRequired bot token scopes\u003c/h3\u003e\n\u003cp\u003eThe bot token must be associated with a Slack app that has the following OAuth scopes:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eScope\u003c/th\u003e\n\u003cth\u003ePurpose\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in public channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in private channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead direct messages (required only with 
\u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead group direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"slack-specific\"\u003eSlack-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. Prefer \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e env var.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eall channels\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan messages posted on or after this 
date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAlso scan direct messages and group DMs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent 
workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eInternal chunk size limit (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags 
\u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan all channels the bot has access to, using an environment variable for the token:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan specific channels and limit to messages since the start of the year:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude noisy channels and include direct messages:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eReduce the API request rate to avoid Slack rate-limit errors on large workspaces:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave only verified active findings to a JSON file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Slack scan includes message and channel 
metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe channel name where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack message timestamp (unique message ID).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack user ID of the message author.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performance-considerations\"\u003ePerformance considerations\u003c/h2\u003e\n\u003cp\u003eSlack API requests are subject to rate limits enforced by Slack. The \u003ccode\u003e--rate-limit\u003c/code\u003e flag (default \u003ccode\u003e20\u003c/code\u003e requests/second) controls how aggressively Leakwatch makes requests. Lower this value if you see \u003ccode\u003e429 Too Many Requests\u003c/code\u003e errors, especially on large workspaces.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003e--channels\u003c/code\u003e to target specific channels rather than scanning the entire workspace on every run. 
Combine with \u003ccode\u003e--since\u003c/code\u003e to scan only recent messages incrementally.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (missing token, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure defaults in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all 
commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"How Verification Works","description":"How Leakwatch confirms whether a detected secret is still active, which verification modes it uses, and how to configure or disable verification.","html":"\u003ch1 id=\"how-verification-works\"\u003eHow Verification Works\u003c/h1\u003e\n\u003cp\u003eFinding a secret in a codebase is only half the story. A key that was rotated six months ago is noise; a key that is still live is an active incident. Verification is the step that draws that line — it takes each detected finding and, where possible, confirms whether the secret is currently valid at the provider.\u003c/p\u003e\n\u003ch2 id=\"from-detection-to-verification\"\u003eFrom detection to verification\u003c/h2\u003e\n\u003cp\u003eAfter the scan engine collects findings, the verifier pool picks them up. Each finding carries a \u003ccode\u003edetector_id\u003c/code\u003e; Leakwatch looks up whether a verifier is registered for that ID:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf a verifier exists, it runs and returns a status.\u003c/li\u003e\n\u003cli\u003eIf no verifier is registered for that detector type, the finding passes through unchanged with status \u003ccode\u003eunverified\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"two-verification-modes\"\u003eTwo verification modes\u003c/h2\u003e\n\u003cp\u003eNot all secrets can be verified the same way. Leakwatch uses two distinct approaches depending on what is safe for each credential type.\u003c/p\u003e\n\u003ch3 id=\"live-api-verification\"\u003eLive API verification\u003c/h3\u003e\n\u003cp\u003eFor approximately 49 detector types, Leakwatch makes a \u003cstrong\u003econtrolled, read-only API call\u003c/strong\u003e to the provider — for example, calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys or \u003ccode\u003eGET /user\u003c/code\u003e for GitHub tokens. 
The call uses only the minimum endpoint required to confirm identity; it never modifies data, creates resources, or triggers billing events.\u003c/p\u003e\n\u003cp\u003eIf the provider returns a success response, the finding is marked \u003ccode\u003everified_active\u003c/code\u003e. If the provider rejects the credential (for example with HTTP 401 or 403), the finding is marked \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"format-validation-only\"\u003eFormat validation only\u003c/h3\u003e\n\u003cp\u003eFor five credential types, no safe live check exists — the provider has no anonymous identity endpoint, or a real call would have side effects. For these, Leakwatch validates the structure of the credential without making any network request:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e fields present\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check only — a valid format proves nothing, result is always \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat 
check\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEven when the format check passes, the result remains \u003ccode\u003eunverified\u003c/code\u003e. A structurally valid credential may be expired or revoked. These findings always require manual triage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"verification-statuses\"\u003eVerification statuses\u003c/h2\u003e\n\u003cp\u003eEvery finding in Leakwatch output carries one of four statuses:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStatus\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe secret was confirmed live by the provider.\u003c/td\u003e\n\u003ctd\u003eTreat as an active incident. Rotate immediately.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe provider rejected the credential.\u003c/td\u003e\n\u003ctd\u003eLikely already rotated. 
Review context and close.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo verifier exists for this type, or format validation returned no result, or verification was disabled.\u003c/td\u003e\n\u003ctd\u003eTriage manually; context determines risk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe verifier ran but encountered a network error, timeout, or unexpected response.\u003c/td\u003e\n\u003ctd\u003eTreat as potentially active. Retry or triage manually.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"the-verification-engine\"\u003eThe verification engine\u003c/h2\u003e\n\u003cp\u003eVerification runs in a dedicated concurrent worker pool, isolated from the scan worker pool. The defaults are conservative to avoid triggering provider rate limits:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSetting\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eWorker count\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal rate limit\u003c/td\u003e\n\u003ctd\u003e10 requests/second\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003ePer-request timeout\u003c/td\u003e\n\u003ctd\u003e10 s\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eAll three values are tunable under the \u003ccode\u003everification:\u003c/code\u003e block in 
\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # requests per second (global)\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf you are scanning a repository that triggers hundreds of findings, consider lowering \u003ccode\u003erate-limit\u003c/code\u003e to 5 or enabling \u003ccode\u003e--only-verified\u003c/code\u003e to keep the verified-active set small and actionable.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"controlling-verification-at-the-command-line\"\u003eControlling verification at the command line\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eDisable verification entirely\u003c/strong\u003e with \u003ccode\u003e--no-verify\u003c/code\u003e (or set \u003ccode\u003everification.enabled: false\u003c/code\u003e in config). Every finding passes through as \u003ccode\u003eunverified\u003c/code\u003e. Use this for offline or air-gapped environments, or when you want the fastest possible scan without touching any provider API.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eShow only confirmed-live secrets\u003c/strong\u003e with \u003ccode\u003e--only-verified\u003c/code\u003e. Everything that is not \u003ccode\u003everified_active\u003c/code\u003e is dropped from the output. This is the fastest way to triage a large result set — you see only the keys you must act on now.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e silently drops \u003ccode\u003eunverified\u003c/code\u003e and \u003ccode\u003everify_error\u003c/code\u003e findings. Do not use it as your sole filter in a compliance context — some credential types (JWTs, generic API keys, private keys) can never be verified and would always be excluded.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eVerification is designed so that the raw secret value never leaves the process boundary in an unsafe way:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerifiers pass the secret directly to the provider's HTTP endpoint over TLS — it is never written to disk, emitted to a log, or cached between runs.\u003c/li\u003e\n\u003cli\u003eA verifier that fails to initialise or encounters a panic is caught by the engine, which marks the finding \u003ccode\u003everify_error\u003c/code\u003e and continues rather than crashing the scan.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detector types are live-verified, format-validated, or not verifiable at all.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for the \u003ccode\u003everification:\u003c/code\u003e block.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — how the verification status appears in JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Verification 
Coverage","description":"Which of the 63 built-in detectors are live-verified, format-validated only, or not verifiable — and what that means for triage.","html":"\u003ch1 id=\"verification-coverage\"\u003eVerification Coverage\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships 63 built-in detectors and 54 verifiers, giving a coverage rate of \u003cstrong\u003e85.7%\u003c/strong\u003e (54 of 63 detector types have some form of verification). This page maps every detector to its verification status so you know what to expect in your output.\u003c/p\u003e\n\u003ch2 id=\"live-verified-49-detector-types\"\u003eLive-verified (49 detector types)\u003c/h2\u003e\n\u003cp\u003eFor these types, Leakwatch makes a controlled, read-only API call to the provider and returns \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e. No data is created or modified; the call uses the minimum endpoint needed to confirm identity.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector type\u003c/th\u003e\n\u003cth\u003eProvider\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"format-validated-only-5-detector-types\"\u003eFormat-validated only (5 detector types)\u003c/h2\u003e\n\u003cp\u003eThese verifiers run entirely offline. No network request is made. 
Because a valid format does not prove a credential is active, all five always return \u003ccode\u003eunverified\u003c/code\u003e regardless of whether the format check passes or fails.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003cth\u003eWhy no live check\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eLive check requires a GCP OAuth2 token exchange, which has side effects\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003ctd\u003eNo public unauthenticated health endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePassword length and host substring check\u003c/td\u003e\n\u003ctd\u003eLive check requires a JDBC/ODBC database connection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eRequires per-account HMAC signing; no generic identity endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eClient credential flow would create sessions\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"not-verifiable-9-detector-types\"\u003eNot 
verifiable (9 detector types)\u003c/h2\u003e\n\u003cp\u003eThese detector types have no verifier at all. Findings from them are always \u003ccode\u003eunverified\u003c/code\u003e. This is \u003cstrong\u003enot\u003c/strong\u003e because they are unimportant — they are detected and reported in full — but because no public verification API exists, or because any verification attempt would have side effects.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eReason\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eA JWT can be issued by any party; there is no universal validation endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo provider to call; active use cannot be detected remotely\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnknown provider by definition\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would create sessions on the target database\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would open a live connection to the Redis instance\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo safe read-only FTP probe\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind would create an authenticated 
session\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConfirming a webhook is active requires sending a message\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token validation requires knowing the Vault endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Not verifiable\u0026quot; does not mean \u0026quot;not found\u0026quot;. All 9 of these types are still detected and appear in your output. They require manual triage to determine whether the credential is live and whether it needs rotation.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"coverage-summary\"\u003eCoverage summary\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCategory\u003c/th\u003e\n\u003cth\u003eCount\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eLive-verified\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eFormat-validated only\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eNot verifiable\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eTotal detectors\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eVerifiers (any coverage)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (85.7%)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee 
also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — the two verification modes, statuses, and the verification engine.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the full list of built-in detectors with severities.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; +window.LW_MANUAL["en"] = {"ci-cd/docker-usage":{"title":"Docker Usage","description":"Run Leakwatch scans inside a container using the official Docker image.","html":"\u003ch1 id=\"docker-usage\"\u003eDocker Usage\u003c/h1\u003e\n\u003cp\u003eThe official Leakwatch container image lets you run scans without installing anything on the host machine. Because the image is statically compiled with \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e and runs as a non-root user, it is safe to use in locked-down CI environments and on shared machines where you do not want to modify the host system.\u003c/p\u003e\n\u003ch2 id=\"image-reference\"\u003eImage reference\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe image is based on Alpine, runs as the non-root user 
\u003ccode\u003eleakwatch\u003c/code\u003e, uses \u003ccode\u003e/scan\u003c/code\u003e as the working directory, and has \u003ccode\u003eleakwatch\u003c/code\u003e as its entrypoint.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause the entrypoint is \u003ccode\u003eleakwatch\u003c/code\u003e, you append the subcommand and flags directly after the image name — for example, \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. There is no need to repeat the binary name.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"scanning-a-local-directory\"\u003eScanning a local directory\u003c/h2\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo write results to a file on the host, write the output file into the mounted volume:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe file \u003ccode\u003eleakwatch.sarif\u003c/code\u003e appears in the current directory on your host after the container exits.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-remote-git-repository\"\u003eScanning a remote Git repository\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo volume mount is required for remote Git 
repositories — Leakwatch clones them into a temporary directory inside the container.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-container-image\"\u003eScanning a container image\u003c/h2\u003e\n\u003cp\u003eLeakwatch is daemonless: it pulls image layers directly from the registry without a Docker daemon. This means you can scan a remote image from within the Leakwatch container without mounting the host Docker socket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor private registries, pass the credentials as environment variables consumed by the registry client (for example, \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e pointing to a mounted credentials file, or the standard registry environment variables your registry supports).\u003c/p\u003e\n\u003ch2 id=\"passing-a-configuration-file\"\u003ePassing a configuration file\u003c/h2\u003e\n\u003cp\u003eMount \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e into \u003ccode\u003e/scan\u003c/code\u003e so Leakwatch picks it up automatically:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAs long as \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is in the mounted directory, Leakwatch finds it because \u003ccode\u003e/scan\u003c/code\u003e is both the working directory and the path passed to the scan. 
If your config file lives elsewhere, mount it explicitly and use \u003ccode\u003e--config\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-environment-variables\"\u003ePassing environment variables\u003c/h2\u003e\n\u003cp\u003eEnvironment variables for cloud scanning and token-based authentication can be injected with \u003ccode\u003e-e\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# S3 scan with AWS credentials\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor CI environments, prefer injecting secrets as masked CI variables rather than embedding them in the command line.\u003c/p\u003e\n\u003ch2 id=\"output-file-pattern\"\u003eOutput file pattern\u003c/h2\u003e\n\u003cp\u003eA common Docker pattern in CI is to write results into the mounted volume and then upload or archive the file as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install the native binary instead of using Docker.\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e flags and behavior.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eContainer Images\u003c/a\u003e — scanning OCI/Docker image layers for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — using the Docker image in GitLab CI and other pipelines.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — complete flag reference for all subcommands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"Use the official Leakwatch GitHub Action to scan for secrets in your GitHub workflows.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eEvery push to your repository is an opportunity for a secret to slip through. The official \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e — published on the GitHub Marketplace and used as \u003ccode\u003eHodeTech/Leakwatch@v1\u003c/code\u003e — integrates Leakwatch directly into your GitHub workflow. It downloads the prebuilt Leakwatch binary for the runner (no Go toolchain or compilation step), runs a scan, maps exit codes, writes a job summary, and optionally uploads SARIF results to GitHub Code Scanning — all without any external service dependency.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003cstrong\u003eSupported runners:\u003c/strong\u003e the action runs on Linux (\u003ccode\u003eubuntu-*\u003c/code\u003e) and macOS (\u003ccode\u003emacos-*\u003c/code\u003e) runners. 
Windows runners are not supported yet; run the scan on a Linux/macOS runner or use the container image \u003ccode\u003eghcr.io/hodetech/leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"quick-start\"\u003eQuick start\u003c/h2\u003e\n\u003cp\u003eThe minimal configuration blocks the workflow when secrets are found:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Secret scan (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/Leakwatch@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith only the defaults, the action scans the filesystem (\u003ccode\u003escan-type: fs\u003c/code\u003e), produces SARIF output, skips live verification (\u003ccode\u003eno-verify: true\u003c/code\u003e), and fails the job if any finding is reported.\u003c/p\u003e\n\u003ch2 id=\"full-example-with-sarif-upload\"\u003eFull example with SARIF upload\u003c/h2\u003e\n\u003cp\u003eThe following workflow enables SARIF upload to GitHub Code Scanning, which surfaces findings as security alerts inside the repository:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Secret scan\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # required for SARIF upload\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Scan for secrets\n uses: HodeTech/Leakwatch@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv 
class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF upload requires the job to declare \u003ccode\u003epermissions: security-events: write\u003c/code\u003e. Without it, the upload step fails with a 403 error. The \u003ccode\u003econtents: read\u003c/code\u003e permission is also needed for \u003ccode\u003eactions/checkout@v4\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inputs\"\u003eInputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eInput\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan type to run: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e, or \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to scan (for \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e) or image reference (for \u003ccode\u003eimage\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e, or \u003ccode\u003egithub\u003c/code\u003e (inline pull-request 
annotations).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e``\u003c/td\u003e\n\u003ctd\u003eWrite formatted output to this file (relative to \u003ccode\u003eworking-directory\u003c/code\u003e). Ignored for \u003ccode\u003eformat: github\u003c/code\u003e. When empty and \u003ccode\u003eformat: sarif\u003c/code\u003e, defaults to \u003ccode\u003eresults.sarif\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification (no outbound calls to providers).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eremediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude remediation guidance in the output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econfig\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e``\u003c/td\u003e\n\u003ctd\u003ePath to a \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration 
file.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-diff\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eauto\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFor \u003ccode\u003egit\u003c/code\u003e scans, scan only commits new to the event. \u003ccode\u003eauto\u003c/code\u003e enables this on \u003ccode\u003epull_request\u003c/code\u003e/\u003ccode\u003epush\u003c/code\u003e, \u003ccode\u003etrue\u003c/code\u003e forces it, \u003ccode\u003efalse\u003c/code\u003e always scans full history. Requires \u003ccode\u003eactions/checkout\u003c/code\u003e with \u003ccode\u003efetch-depth: 0\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eextra-args\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e``\u003c/td\u003e\n\u003ctd\u003eAdditional raw arguments appended to the \u003ccode\u003eleakwatch scan\u003c/code\u003e command (space-separated). Flags the action manages itself (\u003ccode\u003e--format\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e, \u003ccode\u003e--config\u003c/code\u003e, \u003ccode\u003e--show-raw\u003c/code\u003e) are rejected — use the dedicated inputs instead.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eworking-directory\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDirectory to run the scan from.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUpload SARIF results to GitHub Code Scanning after the scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFail the workflow step when findings are reported (exit code 1). 
When \u003ccode\u003efalse\u003c/code\u003e, a \u003ccode\u003e::warning::\u003c/code\u003e annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code ≥ 2) always fail the step regardless of this setting.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLeakwatch version to install: \u003ccode\u003elatest\u003c/code\u003e, or a release tag such as \u003ccode\u003ev1.5.0\u003c/code\u003e to pin a specific release.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erelease-repo\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eHodeTech/Leakwatch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRepository (\u003ccode\u003eowner/name\u003c/code\u003e) to download the release binary from. Override only for forks or self-hosted mirrors.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"outputs\"\u003eOutputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eOutput\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e if no findings were reported; \u003ccode\u003e1\u003c/code\u003e if findings were reported. 
Mirrors the Leakwatch exit code.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the SARIF output file on the runner (set when \u003ccode\u003eformat: sarif\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"verification-in-ci\"\u003eVerification in CI\u003c/h2\u003e\n\u003cp\u003eBy default, \u003ccode\u003eno-verify\u003c/code\u003e is \u003ccode\u003etrue\u003c/code\u003e — live verification is \u003cstrong\u003eoff\u003c/strong\u003e in CI. This keeps the scan fast and avoids making outbound network calls to provider APIs from CI runners, which may be behind a firewall or have rate-limited credentials.\u003c/p\u003e\n\u003cp\u003eTo enable verification in CI, set \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/Leakwatch@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnabling verification in CI causes Leakwatch to make authenticated API calls to providers (AWS, GitHub, Stripe, etc.) for each candidate finding. 
Be aware of provider rate limits and ensure the runner has outbound internet access.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"how-sarif-upload-works\"\u003eHow SARIF upload works\u003c/h2\u003e\n\u003cp\u003eWhen \u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e and \u003ccode\u003eformat: sarif\u003c/code\u003e, the action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTells Leakwatch to write output to \u003ccode\u003eresults.sarif\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter the scan, calls \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e with \u003ccode\u003ecategory: leakwatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGitHub processes the file and surfaces findings as \u003cstrong\u003eCode Scanning alerts\u003c/strong\u003e under the repository's \u003cstrong\u003eSecurity\u003c/strong\u003e tab.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe upload step runs with \u003ccode\u003eif: always()\u003c/code\u003e, so results are uploaded even when \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e causes the scan step to set a failure.\u003c/p\u003e\n\u003ch2 id=\"using-action-outputs\"\u003eUsing action outputs\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Scan for secrets\n id: scan\n uses: HodeTech/Leakwatch@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # let the workflow continue\n\n- name: Print result\n run: echo \u0026quot;Findings reported: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"pinning-a-specific-version\"\u003ePinning a specific version\u003c/h2\u003e\n\u003cp\u003eFor reproducible builds, pin \u003ccode\u003eversion\u003c/code\u003e to a specific tag:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/Leakwatch@v1\n with:\n version: 
\u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis downloads the prebuilt \u003ccode\u003ev1.5.0\u003c/code\u003e binary from the \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eLeakwatch releases\u003c/a\u003e and verifies its SHA-256 checksum before running. For maximum supply-chain safety you can also pin the action itself to a commit SHA, e.g. \u003ccode\u003euses: HodeTech/Leakwatch@\u0026lt;sha\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"scanning-only-changed-code-pull-request-diff\"\u003eScanning only changed code (pull-request diff)\u003c/h2\u003e\n\u003cp\u003eFor \u003ccode\u003egit\u003c/code\u003e scans the action can limit the scan to the commits a pull request or push actually introduces, instead of the full history. This is faster and surfaces only newly added secrets. It is controlled by \u003ccode\u003escan-diff\u003c/code\u003e (default \u003ccode\u003eauto\u003c/code\u003e) and requires a full checkout so the base commit is available locally:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ejobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n fetch-depth: 0 # required so the PR base commit is present\n - uses: HodeTech/Leakwatch@v1\n with:\n scan-type: git\n path: .\n # scan-diff: auto (default) — on pull_request/push, scans base..HEAD only\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOn a \u003ccode\u003epull_request\u003c/code\u003e event the action scans from \u003ccode\u003egithub.event.pull_request.base.sha\u003c/code\u003e; on a \u003ccode\u003epush\u003c/code\u003e event from \u003ccode\u003egithub.event.before\u003c/code\u003e. Set \u003ccode\u003escan-diff: \u0026quot;false\u0026quot;\u003c/code\u003e to always scan the full history, or \u003ccode\u003escan-diff: \u0026quot;true\u0026quot;\u003c/code\u003e to force diff mode. 
\u003ccode\u003escan-diff\u003c/code\u003e has no effect on \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003eimage\u003c/code\u003e scans.\u003c/p\u003e\n\u003ch2 id=\"inline-pull-request-annotations\"\u003eInline pull-request annotations\u003c/h2\u003e\n\u003cp\u003eSet \u003ccode\u003eformat: github\u003c/code\u003e to emit the findings as GitHub Actions workflow commands, which appear as inline annotations on the pull request's \u003cstrong\u003eFiles changed\u003c/strong\u003e view and in the run log:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/Leakwatch@v1\n with:\n format: github\n fail-on-findings: \u0026quot;false\u0026quot; # annotate without blocking, if you prefer\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAnnotations always show the \u003cstrong\u003eredacted\u003c/strong\u003e value only — the raw secret is never written to the (often public) PR UI or logs. Use \u003ccode\u003eformat: github\u003c/code\u003e for fast, visible PR feedback, or \u003ccode\u003eformat: sarif\u003c/code\u003e with \u003ccode\u003esarif-upload: true\u003c/code\u003e to record findings as Code Scanning alerts under the \u003cstrong\u003eSecurity\u003c/strong\u003e tab.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — understanding JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — when and how Leakwatch calls provider APIs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Hook\u003c/a\u003e — catch secrets before they are committed.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI 
Systems\u003c/a\u003e — GitLab CI, Jenkins, and generic shell integration.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Other CI Systems","description":"Integrate Leakwatch into GitLab CI, Jenkins, Bitbucket Pipelines, and any other CI system.","html":"\u003ch1 id=\"other-ci-systems\"\u003eOther CI Systems\u003c/h1\u003e\n\u003cp\u003eBecause Leakwatch is a single static binary with no runtime dependencies, it runs in any CI environment that can execute a shell command — GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps, and others. There is no built-in integration for these systems beyond what is described on this page; the pattern is always: install the binary, run the scan, act on the exit code.\u003c/p\u003e\n\u003ch2 id=\"installing-leakwatch-in-ci\"\u003eInstalling Leakwatch in CI\u003c/h2\u003e\n\u003cp\u003eChoose the method that best suits your runner environment:\u003c/p\u003e\n\u003ch3 id=\"via-go-install-requires-go-on-the-runner\"\u003evia \u003ccode\u003ego install\u003c/code\u003e (requires Go on the runner)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePin to a specific version for reproducible builds:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"via-the-docker-image-no-go-required\"\u003evia the Docker image (no Go required)\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e as a job image or run it with \u003ccode\u003edocker run\u003c/code\u003e. 
See \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e for the full pattern.\u003c/p\u003e\n\u003ch3 id=\"via-a-prebuilt-release-binary\"\u003evia a prebuilt release binary\u003c/h3\u003e\n\u003cp\u003eDownload the appropriate tarball from \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e, extract, and place on \u003ccode\u003ePATH\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch exits with one of three codes, which is the primary mechanism for failing a CI build:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended CI action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo findings\u003c/td\u003e\n\u003ctd\u003ePass the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSecrets found\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHard error (bad config, unreadable path, etc.)\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA generic shell snippet that branches on the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . 
--format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;No secrets found.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Secrets found — failing build.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Scan error (exit $EXIT_CODE) — failing build.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-example\"\u003eGitLab CI example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e job installs Leakwatch, runs a filesystem scan, and stores the JSON report as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 days\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (the default) means exit code \u003ccode\u003e1\u003c/code\u003e fails the pipeline stage. Set \u003ccode\u003eallow_failure: true\u003c/code\u003e if you want the scan to report without blocking the merge.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab supports SAST report artifacts. 
Leakwatch produces SARIF (\u003ccode\u003e--format sarif\u003c/code\u003e), not GitLab's native SAST JSON schema, so use the \u003ccode\u003epaths:\u003c/code\u003e artifact approach rather than the \u003ccode\u003ereports: sast:\u003c/code\u003e key.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"recommendations-for-ci-runners\"\u003eRecommendations for CI runners\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eUse \u003ccode\u003e--no-verify\u003c/code\u003e on runners without outbound internet access.\u003c/strong\u003e Verification makes live API calls to providers (AWS, GitHub, Stripe, etc.). On air-gapped or firewall-restricted runners, these calls time out and slow the scan. Pass \u003ccode\u003e--no-verify\u003c/code\u003e to skip verification entirely:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSave output as an artifact.\u003c/strong\u003e Use \u003ccode\u003e--format sarif\u003c/code\u003e or \u003ccode\u003e--format json\u003c/code\u003e with \u003ccode\u003e--output\u003c/code\u003e to write a file that can be stored, uploaded to a vulnerability management platform, or reviewed after the job completes.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSet \u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e to focus on the secrets that matter most. In a noisy codebase, start with \u003ccode\u003e--min-severity high\u003c/code\u003e and lower the threshold once you have cleared the backlog.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-example\"\u003eAzure DevOps example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . 
--format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch secret scan\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-results\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-example\"\u003eJenkins example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Secret scan') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — full reference for all exit code meanings.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e — use the container image instead of installing the binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — the official action for GitHub workflows.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Hook","description":"Use the Leakwatch pre-commit hook to scan for secrets before every commit.","html":"\u003ch1 id=\"pre-commit-hook\"\u003ePre-commit Hook\u003c/h1\u003e\n\u003cp\u003eThe cheapest time to catch a secret is before it enters the repository at all. 
Leakwatch ships a native \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e hook that runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e automatically on every \u003ccode\u003egit commit\u003c/code\u003e, so a leaked API key or password fails the commit rather than appearing in history.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eYou need:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit is a Python tool).\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e installed globally (\u003ccode\u003epip install pre-commit\u003c/code\u003e or \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGo 1.25+ on \u003ccode\u003ePATH\u003c/code\u003e — the hook language is \u003ccode\u003egolang\u003c/code\u003e, so pre-commit compiles Leakwatch from source on first run.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"configuration\"\u003eConfiguration\u003c/h2\u003e\n\u003cp\u003eAdd a \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e file to the root of your repository (or extend an existing one):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInstall the hooks into the local Git repo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThat is all. From this point on, every \u003ccode\u003egit commit\u003c/code\u003e triggers a filesystem scan. 
If Leakwatch finds any secrets, the commit is blocked and the findings are printed to the terminal.\u003c/p\u003e\n\u003ch2 id=\"running-manually\"\u003eRunning manually\u003c/h2\u003e\n\u003cp\u003eTo scan the entire repository (not just staged files) at any time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo run only the Leakwatch hook without triggering others:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-extra-arguments\"\u003ePassing extra arguments\u003c/h2\u003e\n\u003cp\u003eThe hook's default behavior matches \u003ccode\u003eleakwatch scan fs\u003c/code\u003e with no additional flags. You can pass extra arguments via the \u003ccode\u003eargs:\u003c/code\u003e key:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis example reports only high-severity secrets that Leakwatch has confirmed are still active — a strict policy suitable for teams that want to avoid false-positive noise without sacrificing coverage.\u003c/p\u003e\n\u003cp\u003eOther useful arguments:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # skip live verification for faster commits\n - --min-severity\n - medium # suppress low-severity noise\n - --format\n - table # human-readable output in the terminal\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003epass_filenames: false\u003c/code\u003e is set in the hook definition, which means the hook always scans 
the full working tree rather than only the files staged for the current commit. This guarantees that secrets already present in unstaged files are also detected.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-the-hook-scans\"\u003eWhat the hook scans\u003c/h2\u003e\n\u003cp\u003eThe hook runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e against the repository working directory. It uses the same detection pipeline as the CLI: Aho-Corasick pre-filtering, regex validation, entropy calculation, and (unless \u003ccode\u003e--no-verify\u003c/code\u003e is set) live verification.\u003c/p\u003e\n\u003cp\u003eConfiguration in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is respected automatically — exclusion patterns, entropy thresholds, and verification settings all apply without any extra hook configuration.\u003c/p\u003e\n\u003ch2 id=\"skipping-the-hook-temporarily\"\u003eSkipping the hook temporarily\u003c/h2\u003e\n\u003cp\u003eTo commit without running the hook (for example, when committing a controlled test fixture that contains a redacted secret):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: add test fixture\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUsing \u003ccode\u003eSKIP=leakwatch\u003c/code\u003e bypasses all secret scanning for that commit. 
Use it only when you have confirmed the content is safe, and prefer \u003ccode\u003e.leakwatchignore\u003c/code\u003e or inline \u003ccode\u003eleakwatch:ignore\u003c/code\u003e comments for permanent suppressions instead.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"keeping-the-hook-version-pinned\"\u003eKeeping the hook version pinned\u003c/h2\u003e\n\u003cp\u003ePin \u003ccode\u003erev:\u003c/code\u003e to a specific tag rather than a branch name. This ensures all developers on the team use the same detector set and the hook does not silently upgrade mid-sprint:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # pin; do not use 'main' or 'HEAD'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUpdate by running:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ewhich bumps \u003ccode\u003erev\u003c/code\u003e to the latest tag and lets you review the change before committing it.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — the underlying scan command the hook runs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — control exclusions, entropy, and verification in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — scan on every push and pull request in GitHub CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Configuration File","description":"How to configure Leakwatch with .leakwatch.yaml — full schema, defaults, validation rules, environment overrides, and the 
leakwatch init command.","html":"\u003ch1 id=\"configuration-file\"\u003eConfiguration File\u003c/h1\u003e\n\u003cp\u003eLeakwatch's behaviour across every scan command is driven by a single YAML file named \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e. Understanding this file lets you tune concurrency, verification, output format, and path filtering once — and have every scan pick it up automatically.\u003c/p\u003e\n\u003ch2 id=\"file-discovery\"\u003eFile discovery\u003c/h2\u003e\n\u003cp\u003eLeakwatch resolves the config file in the following order:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e flag\u003c/strong\u003e — use an explicit path regardless of the working directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCurrent directory\u003c/strong\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the directory where the command is run.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHome directory\u003c/strong\u003e — \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e as a fallback.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf no file is found, built-in defaults are used for every setting.\u003c/p\u003e\n\u003ch2 id=\"generating-a-starter-file\"\u003eGenerating a starter file\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003eleakwatch init\u003c/code\u003e command writes a ready-to-edit file with recommended defaults:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default the file is written to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory. 
Use \u003ccode\u003e--output\u003c/code\u003e to choose a different path:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the target file already exists, \u003ccode\u003eleakwatch init\u003c/code\u003e will refuse to overwrite it and exit with an error. Pass \u003ccode\u003e--force\u003c/code\u003e to overwrite:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"environment-variable-overrides\"\u003eEnvironment variable overrides\u003c/h2\u003e\n\u003cp\u003eEvery config key can be overridden with an environment variable. The naming rule is:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrefix: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eUppercase\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExamples:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003cth\u003eEnvironment 
variable\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence\"\u003ePrecedence\u003c/h2\u003e\n\u003cp\u003eWhen the same setting is specified in multiple places, the highest-priority source wins:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCommand-line flag (highest)\u003c/li\u003e\n\u003cli\u003eEnvironment variable\u003c/li\u003e\n\u003cli\u003eConfig file value\u003c/li\u003e\n\u003cli\u003eBuilt-in default (lowest)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"full-schema\"\u003eFull schema\u003c/h2\u003e\n\u003cp\u003eThe annotated schema below shows every supported key, its default value, and valid range.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Scan engine ──────────────────────────────────────────────────────────────\n\nscan:\n # Number of concurrent file-processing workers.\n # Defaults to the number of logical CPU cores on the host.\n # Must be \u0026gt;= 1.\n concurrency: 8\n\n # Maximum file size to scan, in bytes. Files larger than this limit are\n # skipped entirely. Default is 10 MB (10485760). 
Must be \u0026gt;= 1.\n max-file-size: 10485760\n\n# ── Detection ─────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Enable Shannon entropy calculation for each candidate match.\n enabled: true\n\n # Entropy threshold used for display and custom-rule gating.\n # Range: 0–8. Default: 4.0.\n # See note below about built-in findings.\n threshold: 4.0\n\n# ── Verification ─────────────────────────────────────────────────────────────\n\nverification:\n # Enable live verification against provider APIs.\n enabled: true\n\n # Per-request HTTP timeout. Must be \u0026gt;= 1ms when verification is enabled.\n # Use a duration string (e.g. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — a bare integer is\n # treated as nanoseconds and will fail validation.\n timeout: 10s\n\n # Number of concurrent verification workers. Must be \u0026gt;= 1.\n concurrency: 4\n\n # Maximum verification requests per second (token-bucket rate limiter).\n # Must be \u0026gt; 0.\n rate-limit: 10.0\n\n# ── Filtering ─────────────────────────────────────────────────────────────────\n\nfilter:\n # Glob patterns for paths to exclude from scanning.\n # Supported glob styles: filepath.Match patterns, ** double-star spanning\n # zero or more path segments, and trailing-slash dir/ patterns that match\n # the named directory at any depth. Each pattern is tested against both the\n # full path and the base filename, so simple patterns like \u0026quot;*.min.js\u0026quot; match\n # nested files without a leading path prefix.\n # Applies to all scan sources. 
(On `scan fs` the --exclude flag also sets this.)\n # Default: [] (no exclusions beyond the built-in binary/lock-file skips).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Detector IDs to disable entirely. Findings from listed detectors are never\n # produced regardless of other settings. Default: [].\n exclude-detectors: []\n\n# ── Output ────────────────────────────────────────────────────────────────────\n\noutput:\n # Output format. One of: json, sarif, csv, table. Default: json.\n # The --format / -f flag overrides this at run time.\n format: json\n\n # Write output to this file path instead of stdout. Default: \u0026quot;\u0026quot; (stdout).\n # The --output / -o flag overrides this at run time.\n file: \u0026quot;\u0026quot;\n\n # Drop findings below this severity level.\n # One of: low, medium, high, critical. Default: \u0026quot;\u0026quot; (show all).\n # The --min-severity flag overrides this at run time.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Include the unredacted secret value in output.\n # Default: false. The --show-raw flag overrides this at run time.\n show-raw: false\n\n# ── Custom rules ──────────────────────────────────────────────────────────────\n\n# Define your own detectors as YAML rules. 
See the custom rules page for the\n# full rule schema.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e controls which entropy value is displayed alongside a finding and acts as a gate for custom rules (a custom rule match whose entropy falls below the threshold is suppressed). It does \u003cstrong\u003enot\u003c/strong\u003e suppress findings from built-in detectors — built-in detectors have their own match criteria and are never dropped by this setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"validation\"\u003eValidation\u003c/h2\u003e\n\u003cp\u003eLeakwatch validates the loaded configuration before starting a scan and exits with an error for any of the following:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCondition\u003c/th\u003e\n\u003cth\u003eError\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid concurrency value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid max-file-size value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e not in \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnsupported output 
format\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e outside 0–8\u003c/td\u003e\n\u003ctd\u003eInvalid entropy threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e not a valid level (when non-empty)\u003c/td\u003e\n\u003ctd\u003eInvalid severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification timeout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification concurrency\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Ignoring Findings","description":"Suppress false positives with .leakwatchignore files, inline ignore markers, and built-in binary and lock-file skips.","html":"\u003ch1 id=\"ignoring-findings\"\u003eIgnoring 
Findings\u003c/h1\u003e\n\u003cp\u003eNo scanner has zero false positives. Leakwatch gives you three layered mechanisms to suppress the noise: a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file for path-based exclusions, inline markers for line-level suppression, and a set of always-on built-in skips for binary files and common lock files.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-file\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e file\u003c/h2\u003e\n\u003cp\u003eCreate a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your repository root (or in the current directory) to exclude paths from the scan results. It uses a gitignore-style syntax:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLines starting with \u003ccode\u003e#\u003c/code\u003e are comments.\u003c/li\u003e\n\u003cli\u003eBlank lines are skipped.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003e!\u003c/code\u003e prefix \u003cstrong\u003enegates\u003c/strong\u003e a pattern, re-including a path that a previous pattern would have excluded.\u003c/li\u003e\n\u003cli\u003eThe \u003cstrong\u003elast matching pattern wins\u003c/strong\u003e — order matters.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"loading-order\"\u003eLoading order\u003c/h3\u003e\n\u003cp\u003eLeakwatch loads \u003ccode\u003e.leakwatchignore\u003c/code\u003e from the scan root first, then from the current working directory. 
If both exist and contain patterns for the same path, the current-directory file's patterns take precedence because they are evaluated last.\u003c/p\u003e\n\u003ch3 id=\"glob-syntax\"\u003eGlob syntax\u003c/h3\u003e\n\u003cp\u003eThree pattern styles are supported:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStyle\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003cth\u003eExample\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandard glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e-style, matched against both the full path and the base filename\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDouble-star \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpans zero or more path segments\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTrailing slash \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMatches every file inside the named directory at any depth\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-leakwatchignore\"\u003eExample \u003ccode\u003e.leakwatchignore\u003c/code\u003e\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Ignore all test fixture files\ntest/fixtures/**\n\n# Ignore known placeholder keys in documentation\ndocs/examples/\n\n# Ignore files with a specific extension anywhere in the tree\n*.pem.example\n\n# Re-include a specific file excluded by the rule above\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv 
class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtering is applied \u003cstrong\u003eafter\u003c/strong\u003e the scan completes, based on the file path of each finding. It does not prevent files from being read — it suppresses the findings they produce. Unlike inline ignore markers (below), it is therefore not a way to avoid verification network calls: a finding under an ignored path may still be verified before it is dropped. To skip files before they are read at all, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file or \u003ccode\u003e--exclude\u003c/code\u003e on \u003ccode\u003escan fs\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inline-ignore-markers\"\u003eInline ignore markers\u003c/h2\u003e\n\u003cp\u003ePlace a marker directly on any source line to suppress detectors for that specific line. The marker can appear anywhere on the line — typically inside a comment — and is applied by the engine \u003cstrong\u003ebefore\u003c/strong\u003e verification, so an ignored line never triggers a network call.\u003c/p\u003e\n\u003cp\u003eBecause the marker is honoured wherever it appears, it hides a real secret just as effectively as a placeholder. Review added \u003ccode\u003eleakwatch:ignore\u003c/code\u003e markers as part of the change that introduces them and confirm that the suppressed line really holds a placeholder, not a credential.\u003c/p\u003e\n\u003ch3 id=\"suppress-all-detectors-on-a-line\"\u003eSuppress all detectors on a line\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Payment processing configuration\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"suppress-a-specific-detector-on-a-line\"\u003eSuppress a specific detector on a line\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e to suppress only one detector while leaving others active:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// This token is intentionally a placeholder for documentation\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# CI environment variable set by the platform — not a real secret\napi_key:
\u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePrefer the detector-specific form (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) over the generic one whenever possible. It documents which detector you are suppressing and keeps all other detectors active on that line.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"built-in-skips-always-applied\"\u003eBuilt-in skips (always applied)\u003c/h2\u003e\n\u003cp\u003eLeakwatch unconditionally skips the following before running any detector:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary file extensions\u003c/strong\u003e — files with extensions such as \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e, and others are never scanned.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary content detection\u003c/strong\u003e — any file whose first 8 KB contains a null byte is treated as binary and skipped, regardless of extension.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCommon lock files\u003c/strong\u003e — the following filenames are always skipped because they contain hashes and checksums that produce high rates of false 
positives:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFile\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThese built-in skips cannot be disabled. 
They are separate from the \u003ccode\u003efilter.exclude-paths\u003c/code\u003e setting and run before any config-based filtering.\u003c/p\u003e\n\u003cp\u003eThe trade-off is a coverage gap: nothing inside a skipped file is ever inspected, so a credential that does end up in one of them (for example a registry URL with an embedded token in a lock file) will not be reported by Leakwatch. Keep this in mind when deciding what other controls protect those files.\u003c/p\u003e\n\u003ch2 id=\"path-based-exclusion-before-scanning\"\u003ePath-based exclusion before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before they are even read by the scan engine, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in your config file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis setting applies to \u003cstrong\u003eall scan sources\u003c/strong\u003e (filesystem, Git history, container images, cloud storage, Slack). On the \u003ccode\u003escan fs\u003c/code\u003e command you can also pass \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e on the command line, which is the flag-equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full config schema and \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e for detector-level and severity-level filtering.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Severity \u0026 Filtering","description":"Control which findings reach your output using severity thresholds, verified-only mode, detector exclusions, and path
exclusions.","html":"\u003ch1 id=\"severity--filtering\"\u003eSeverity \u0026amp; Filtering\u003c/h1\u003e\n\u003cp\u003eA busy codebase can produce many findings. Leakwatch provides several independent filters you can combine to focus on the signals that matter most: severity thresholds drop low-priority noise, verified-only mode surfaces only confirmed live secrets, detector exclusions silence known false-positive sources, and path exclusions remove entire directory trees from scope.\u003c/p\u003e\n\u003ch2 id=\"severity-levels\"\u003eSeverity levels\u003c/h2\u003e\n\u003cp\u003eEvery built-in detector ships with a default severity. The four levels, from lowest to highest priority, are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eLevel\u003c/th\u003e\n\u003cth\u003eTypical use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric patterns with a higher false-positive rate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRecognizable credential formats, unconfirmed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWell-structured secrets where exposure is likely significant\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLive secrets confirmed or formats with near-zero false-positive rates\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe severity assigned to each detector is listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-drop-findings-below-a-threshold\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: drop findings 
below a threshold\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e to discard findings whose severity is below the specified level. Only findings at or above the threshold reach the output.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Show only high and critical findings\nleakwatch scan fs . --min-severity high\n\n# Show medium, high, and critical findings\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou can set a persistent default in the config file under \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e. The \u003ccode\u003e--min-severity\u003c/code\u003e flag overrides the config value at run time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-confirmed-active-secrets-only\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: confirmed active secrets only\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--only-verified\u003c/code\u003e to keep only findings whose verification status is \u003ccode\u003everified_active\u003c/code\u003e — secrets that Leakwatch confirmed are still valid by making a controlled read-only call to the provider API. All other findings (unverified, verified-inactive, or verify-error) are dropped.\u003c/p\u003e\n\u003cp\u003eBecause \u003ccode\u003everify-error\u003c/code\u003e findings are dropped as well, the flag fails open: if the provider is unreachable or rate-limits the check, a live secret is silently omitted instead of being reported. It also never surfaces findings from detectors that have no paired verifier. Where missing a secret costs more than extra noise, keep a run without \u003ccode\u003e--only-verified\u003c/code\u003e or check the \u003ccode\u003everification_status\u003c/code\u003e of each finding in the output instead.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .
--only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis flag is most useful in CI pipelines where you want to fail the build \u003cstrong\u003eonly\u003c/strong\u003e on confirmed incidents, not on suspicious patterns that may be placeholders or already-rotated credentials.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for which detectors support live verification.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-disable-specific-detectors\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: disable specific detectors\u003c/h2\u003e\n\u003cp\u003eTo permanently disable one or more detectors, list their IDs under \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in the config file. Findings from listed detectors are never produced, regardless of any other setting:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDetector IDs are listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e. Use this setting when a detector consistently produces false positives for your codebase and other suppression mechanisms (inline ignores or \u003ccode\u003e.leakwatchignore\u003c/code\u003e) are not granular enough.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-skip-paths-before-scanning\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: skip paths before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before the scan engine reads them, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file. 
The patterns use the same glob syntax as \u003ccode\u003e.leakwatchignore\u003c/code\u003e (standard globs, \u003ccode\u003e**\u003c/code\u003e double-star, and trailing-slash directory patterns), and apply to \u003cstrong\u003eall scan sources\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOn the \u003ccode\u003escan fs\u003c/code\u003e command, the \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e flag is the command-line equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. The \u003ccode\u003e--exclude\u003c/code\u003e flag exists \u003cstrong\u003eonly\u003c/strong\u003e on \u003ccode\u003escan fs\u003c/code\u003e — for all other sources, use the config file setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"combining-filters-in-ci\"\u003eCombining filters in CI\u003c/h2\u003e\n\u003cp\u003eIn a CI pipeline you typically want a low-noise, high-signal run that fails only on real incidents. A recommended combination:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
\\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis combination is deliberately strict. \u003ccode\u003e--only-verified\u003c/code\u003e drops every finding that is not \u003ccode\u003everified_active\u003c/code\u003e, which includes all custom-rule findings (custom rules have no verifier and are always \u003ccode\u003eunverified\u003c/code\u003e), findings from built-in detectors without a paired verifier, and findings whose verification call failed. Use it where a low false-positive rate matters more than complete coverage, and add a separate run without it if you rely on custom rules.\u003c/p\u003e\n\u003cp\u003eWith a config file handling the persistent path exclusions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThen override just the format and destination at the command line for CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for verification details, \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for inline and file-based suppression, and \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full schema.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Custom Rules","description":"How to define your own secret detection patterns in YAML and add them to a Leakwatch scan alongside the 63 built-in detectors.","html":"\u003ch1 id=\"custom-rules\"\u003eCustom
Rules\u003c/h1\u003e\n\u003cp\u003eThe 63 built-in detectors cover widely used credential formats, but every organisation has internal tokens, proprietary service keys, or environment-specific patterns that no generic tool can anticipate. Custom rules let you extend Leakwatch with your own patterns — defined in plain YAML, loaded at runtime — without modifying source code or rebuilding the binary.\u003c/p\u003e\n\u003ch2 id=\"where-custom-rules-live\"\u003eWhere custom rules live\u003c/h2\u003e\n\u003cp\u003eCustom rules are defined under a top-level \u003ccode\u003ecustom-rules:\u003c/code\u003e list in your \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe rules are registered at runtime when Leakwatch starts. They run alongside the built-in detectors using the same Aho-Corasick pre-filter pipeline.\u003c/p\u003e\n\u003ch2 id=\"rule-fields\"\u003eRule fields\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eRequired\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eUnique detector ID. Used in output and in \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e. 
Must not collide with a built-in detector ID or another custom rule ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eHuman-readable description shown in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2-compatible regular expression. Maximum 4096 characters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003elist of strings\u003c/td\u003e\n\u003ctd\u003eAho-Corasick pre-filter keywords. The regex only runs on chunks that contain at least one of these strings. Omitting this field causes the regex to run on every chunk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, or \u003ccode\u003elow\u003c/code\u003e. Defaults to \u003ccode\u003emedium\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropy threshold (0–8). Matches whose entropy is \u003cstrong\u003ebelow\u003c/strong\u003e this value are discarded. 
Useful for filtering low-randomness false positives.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eAlways supply \u003ccode\u003ekeywords\u003c/code\u003e. Even a single short keyword (like a token prefix) dramatically reduces the number of chunks the regex engine processes, keeping scans fast on large repositories. For example, if all your internal tokens begin with \u003ccode\u003eacme_\u003c/code\u003e, set \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003eentropy\u003c/code\u003e to suppress matches on placeholder values like \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e that satisfy the pattern but are clearly not real secrets. A threshold around 3.0–3.5 is a good starting point.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"collision-handling\"\u003eCollision handling\u003c/h2\u003e\n\u003cp\u003eIf a custom rule's \u003ccode\u003eid\u003c/code\u003e matches an already-registered detector — either a built-in detector or a previously loaded custom rule — the duplicate is \u003cstrong\u003eskipped\u003c/strong\u003e and an error is logged. Leakwatch does not crash; the rest of the rules load normally. Check the log output if a custom rule appears to have no effect.\u003c/p\u003e\n\u003ch2 id=\"verification\"\u003eVerification\u003c/h2\u003e\n\u003cp\u003eCustom rules have no paired verifier. 
Findings from custom rules are always reported with status \u003ccode\u003eunverified\u003c/code\u003e — they never become \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"complete-example\"\u003eComplete example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e defines two custom rules: one for an internal service token and one for a signing secret used in webhooks.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook signing secret (format: whsec_ + 40 base64url chars)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRun a scan with this config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSample JSON output for a custom-rule finding (secret value redacted):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe \u003ccode\u003eraw_redacted\u003c/code\u003e field always masks the actual secret. The raw value is never written to output unless you explicitly pass \u003ccode\u003e--show-raw\u003c/code\u003e (not recommended outside controlled environments, and never in CI, where the output is captured in job logs and artifacts that other people can read).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"excluding-a-custom-rule\"\u003eExcluding a custom rule\u003c/h2\u003e\n\u003cp\u003eCustom rules participate in the same filtering as built-in detectors. 
To disable a custom rule without removing it from config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, including where \u003ccode\u003ecustom-rules:\u003c/code\u003e sits in the document structure.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the 63 built-in detectors, to check for ID conflicts before naming your custom rule.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the Aho-Corasick pre-filter pipeline that \u003ccode\u003ekeywords\u003c/code\u003e plugs into.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Detector Catalog","description":"All 63 built-in detectors grouped by category, with their IDs, what they detect, and their default severity.","html":"\u003ch1 id=\"detector-catalog\"\u003eDetector Catalog\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e that cover a wide range of credential types — from cloud provider access keys and AI API tokens to database connection strings and private cryptographic keys. Each detector has a stable ID, a default severity, and (for most) a paired verifier that can confirm whether a found secret is still live.\u003c/p\u003e\n\u003cp\u003eThis page lists every built-in detector. For verification coverage details see \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e. 
To add your own patterns, see \u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"how-to-read-this-catalog\"\u003eHow to read this catalog\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — the stable string identifier used in config and output. Pass it to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e to skip a detector, or use it with \u003ccode\u003e--min-severity\u003c/code\u003e filtering (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetects\u003c/strong\u003e — what the detector is looking for.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSeverity\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e, \u003ccode\u003eHigh\u003c/code\u003e, or \u003ccode\u003eMedium\u003c/code\u003e. This is the default; it feeds the \u003ccode\u003e--min-severity\u003c/code\u003e flag and the \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e config key.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"cloud-and-infrastructure\"\u003eCloud and Infrastructure\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Service Account Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Connection 
String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID Client Secret\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Service Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ai--ml\"\u003eAI / 
ML\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"payments-and-commerce\"\u003ePayments and Commerce\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Live API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API 
Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dev-tools-ci-and-packages\"\u003eDev Tools, CI, and Packages\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket App Password\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Personal API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API 
Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"communication-and-collaboration\"\u003eCommunication and Collaboration\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/User Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook 
URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Incoming Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Internal Integration Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"email-and-messaging-delivery\"\u003eEmail and Messaging Delivery\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API 
Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Server API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"monitoring-and-observability\"\u003eMonitoring and Observability\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Auth Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API 
Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"databases-and-connection-strings\"\u003eDatabases and Connection Strings\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabase Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Connection Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Service Role Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"identity-and-access\"\u003eIdentity and Access\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API 
Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bind Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"generic-and-cryptographic\"\u003eGeneric and Cryptographic\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric API Key\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePrivate Key (RSA, SSH, DSA, EC, 
PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eTotal: 63 built-in detectors.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"filtering-by-severity\"\u003eFiltering by severity\u003c/h2\u003e\n\u003cp\u003eFindings are filterable by severity using \u003ccode\u003e--min-severity\u003c/code\u003e at the command line or \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e in config. Only findings at or above the specified level are included in the output. See \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"excluding-specific-detectors\"\u003eExcluding specific detectors\u003c/h2\u003e\n\u003cp\u003eTo skip one or more detectors entirely, add their IDs to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for the full filtering reference.\u003c/p\u003e\n\u003ch2 id=\"verification-coverage\"\u003eVerification coverage\u003c/h2\u003e\n\u003cp\u003eSome detectors have a live verifier; others are format-validated only; nine have no verifier at all. 
See \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e for the complete breakdown.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e — define your own detection patterns in YAML.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detectors can be live-verified.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e — filtering findings by severity or detector.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"How It Works","description":"Architecture of the Leakwatch scan pipeline: sources, detection, verification, and output.","html":"\u003ch1 id=\"how-it-works\"\u003eHow It Works\u003c/h1\u003e\n\u003cp\u003eUnderstanding the Leakwatch pipeline helps you tune performance, interpret results, and decide which flags to reach for. This page explains what happens from the moment you run a scan command to the moment a finding appears in your output.\u003c/p\u003e\n\u003ch2 id=\"the-pipeline-at-a-glance\"\u003eThe pipeline at a glance\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Source\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[Worker Pool\\n—concurrency workers]\n B --\u0026gt; C[Aho-Corasick\\nPre-filter]\n C --\u0026gt; D[Regex\\nDetectors]\n D --\u0026gt; E[Inline-ignore\\nCheck]\n E --\u0026gt; F[Verification\\nPool\\n4 workers / 10 rps]\n F --\u0026gt; G[Post-scan\\nFilters]\n G --\u0026gt; H([Output\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach stage is described in detail below.\u003c/p\u003e\n\u003ch2 id=\"1-source\"\u003e1. 
Source\u003c/h2\u003e\n\u003cp\u003eEvery scan starts with a \u003cstrong\u003eSource\u003c/strong\u003e — an abstraction that emits chunks of data for the engine to process. Leakwatch ships six sources:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it emits\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFile contents from a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLayer contents of an OCI/Docker image, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text from channels and DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack scanning covers \u003cstrong\u003emessage text 
only\u003c/strong\u003e. The contents of files uploaded to Slack are not scanned.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eChunks flow into a buffered channel consumed by the worker pool.\u003c/p\u003e\n\u003ch2 id=\"2-worker-pool\"\u003e2. Worker pool\u003c/h2\u003e\n\u003cp\u003eThe engine maintains a fixed pool of \u003cstrong\u003egoroutines\u003c/strong\u003e — one per \u003ccode\u003e--concurrency\u003c/code\u003e value (default: number of CPUs). Each worker pulls a chunk from the channel and runs the detection pipeline independently. Because workers share no mutable state, the pool scales linearly with concurrency up to the limits of I/O and memory.\u003c/p\u003e\n\u003cp\u003eScans respond to \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e: when a cancellation signal arrives, the context is cancelled, workers drain their current chunk and stop, and partial results are collected before output is written.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-keyword-pre-filter\"\u003e3. Aho-Corasick keyword pre-filter\u003c/h2\u003e\n\u003cp\u003eRunning 63 regex patterns on every chunk would be slow. Instead, the engine builds a single \u003cstrong\u003eAho-Corasick multi-pattern automaton\u003c/strong\u003e at startup from the keyword lists declared by each detector. For each chunk, this automaton does a single linear pass and returns only the detectors whose keywords appeared in the chunk's bytes.\u003c/p\u003e\n\u003cp\u003eThis means most detectors never run their regex on most chunks. Detectors that declare no keywords always run (they skip the pre-filter and proceed directly to regex).\u003c/p\u003e\n\u003cp\u003eThe Aho-Corasick implementation comes from \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"4-regex-detectors\"\u003e4. 
Regex detectors\u003c/h2\u003e\n\u003cp\u003eEach shortlisted detector runs its compiled \u003cstrong\u003eregular expression\u003c/strong\u003e against the chunk bytes. When a pattern matches, the detector returns a \u003ccode\u003eRawFinding\u003c/code\u003e containing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe raw secret bytes (held in memory only for verification; never logged or written to disk).\u003c/li\u003e\n\u003cli\u003eA \u003cstrong\u003eredacted\u003c/strong\u003e representation safe for output.\u003c/li\u003e\n\u003cli\u003eOptional extra metadata (e.g. account ID for an AWS key).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via \u003ca href=\"#/detectors/custom-rules\"\u003ecustom YAML rules\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAll detectors are registered at compile time using Go's \u003ccode\u003einit()\u003c/code\u003e function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime.\u003c/p\u003e\n\u003ch2 id=\"5-inline-ignore-check\"\u003e5. Inline-ignore check\u003c/h2\u003e\n\u003cp\u003eBefore a finding is sent to verification, the engine checks whether the source line contains an \u003cstrong\u003einline ignore marker\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eor a detector-scoped variant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the marker is present, the finding is silently dropped \u003cstrong\u003ebefore any network call is made\u003c/strong\u003e. 
This is intentional: ignored secrets should never trigger a live API request. Because the marker lives in the scanned content itself, anyone who can edit a file can silence a finding on that line — treat newly added \u003ccode\u003eleakwatch:ignore\u003c/code\u003e markers as something to review explicitly in pull requests.\u003c/p\u003e\n\u003ch2 id=\"6-verification\"\u003e6. Verification\u003c/h2\u003e\n\u003cp\u003eAfter detection completes for all chunks, the engine passes findings to a separate \u003cstrong\u003everification worker pool\u003c/strong\u003e (default 4 workers). Verification:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs guarded by a global \u003cstrong\u003erate limiter\u003c/strong\u003e (default 10 requests per second) shared across all workers.\u003c/li\u003e\n\u003cli\u003eApplies a \u003cstrong\u003eper-request timeout\u003c/strong\u003e (default 10 seconds) to every API call.\u003c/li\u003e\n\u003cli\u003eMakes only \u003cstrong\u003eread-only, non-destructive\u003c/strong\u003e calls to the provider (e.g. \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys). Note that verification still transmits the discovered credential to the provider over the network, and the call may show up in that provider's audit logs.\u003c/li\u003e\n\u003cli\u003eMarks each finding with one of four statuses: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e54 verifiers\u003c/strong\u003e, covering 85.7% of the 63 built-in detector types. The remaining 9 types (such as JWTs and generic API keys) cannot be safely verified and are always reported as \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003ePass \u003ccode\u003e--no-verify\u003c/code\u003e to skip this stage entirely — useful for fast, offline scans, or when sending discovered credentials to third-party APIs is not acceptable in your environment.\u003c/p\u003e\n\u003cp\u003eFor a deep dive into verification behavior and status meanings, see \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"7-finding-id-and-entropy\"\u003e7. 
Finding ID and entropy\u003c/h2\u003e\n\u003cp\u003eEach finding receives a \u003cstrong\u003edeterministic ID\u003c/strong\u003e computed as:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(detectorID + redacted + filePath + line) → truncated to 16 hex characters\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe same secret at the same location always produces the same ID, making it safe to deduplicate findings across runs or track them in issue trackers. Because the hash is taken over the \u003cem\u003eredacted\u003c/em\u003e form rather than the raw bytes, the ID does not leak the secret — but it also means a rotated secret that redacts to the same string at the same path and line keeps the old ID, while the ID changes whenever the file is moved or the line shifts.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropy\u003c/strong\u003e (range 0–8) is computed for each finding and exposed in output for informational purposes. At the engine level, entropy does \u003cstrong\u003enot\u003c/strong\u003e gate or drop built-in findings — a low-entropy match still appears in results. Entropy thresholds only apply inside custom rules, where each rule can declare its own minimum.\u003c/p\u003e\n\u003ch2 id=\"8-post-scan-filters\"\u003e8. Post-scan filters\u003c/h2\u003e\n\u003cp\u003eAfter verification, two filters apply:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — drops all findings that are not \u003ccode\u003everified:active\u003c/code\u003e. This includes every finding from custom rules and from the nine detector types that have no verifier, since those are always \u003ccode\u003eunverified\u003c/code\u003e; it also drops \u003ccode\u003everify:error\u003c/code\u003e findings, so a provider outage during verification can hide real leaks.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — drops findings below the specified severity level (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; default \u003ccode\u003elow\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth filters run after verification so that verification status is available when \u003ccode\u003e--only-verified\u003c/code\u003e is evaluated.\u003c/p\u003e\n\u003ch2 id=\"9-output\"\u003e9. 
Output\u003c/h2\u003e\n\u003cp\u003eSurviving findings are passed to one of four \u003cstrong\u003eformatters\u003c/strong\u003e:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFormat\u003c/th\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eCommon use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (default)\u003c/td\u003e\n\u003ctd\u003eMachine-readable, pipeline-friendly\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, security dashboards\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpreadsheets, data analysis\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTable\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal review, color-coded by severity\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eOutput goes to stdout by default; use \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e to write to a file.\u003c/p\u003e\n\u003cp\u003eA \u003cstrong\u003escan summary\u003c/strong\u003e (date, source type, target, files scanned, duration, findings count, interrupted status) is always printed to \u003cstrong\u003estderr\u003c/strong\u003e after every scan, regardless of format or output destination.\u003c/p\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eLeakwatch is designed so that discovered secrets never leave the process boundary except for verification calls:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRaw secret bytes live only in memory 
during detection and verification.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e--show-raw\u003c/code\u003e flag is \u003ccode\u003efalse\u003c/code\u003e by default; without it, only the redacted representation appears in output.\u003c/li\u003e\n\u003cli\u003eSecrets are never written to disk, logged via \u003ccode\u003eslog\u003c/code\u003e, or cached between runs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"design-decisions\"\u003eDesign decisions\u003c/h2\u003e\n\u003cp\u003eThe architecture reflects several deliberate choices documented as ADRs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO disabled\u003c/strong\u003e (ADR-0001) — single static binary, no runtime dependencies, cross-compiles to all platforms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — hierarchical CLI with \u003ccode\u003eflag \u0026gt; env \u0026gt; config \u0026gt; default\u003c/code\u003e precedence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — pure Go Git library; no external \u003ccode\u003egit\u003c/code\u003e binary required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompile-time detector registration\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + blank imports; type-safe, no runtime plugin loader.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hybrid matching\u003c/strong\u003e (ADR-0005) — pre-filter eliminates most regex work on irrelevant chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonless layer analysis; no Docker daemon required to scan images.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWorker pool\u003c/strong\u003e (ADR-0008) — fixed goroutine count, channel-based fan-out; predictable memory and CPU usage.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca 
href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Installation","description":"Install Leakwatch via Homebrew, go install, Docker, or a prebuilt binary.","html":"\u003ch1 id=\"installation\"\u003eInstallation\u003c/h1\u003e\n\u003cp\u003eGetting Leakwatch onto your machine takes less than a minute. Choose the method that best fits your workflow: Homebrew is the simplest option on macOS and Linux, \u003ccode\u003ego install\u003c/code\u003e is ideal if you already have a Go toolchain, Docker keeps your host system clean, and prebuilt binaries work everywhere without any toolchain at all.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-and-linux\"\u003eHomebrew (macOS and Linux)\u003c/h2\u003e\n\u003cp\u003eThe official tap supports macOS and Linux on both amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe tap is hosted at \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e. 
Homebrew handles upgrades with \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003eGo install\u003c/h2\u003e\n\u003cp\u003eIf you have Go 1.25 or later installed, you can build and install the latest release directly from source:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe binary is placed in \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e. Make sure that directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e always fetches the latest tagged release. To pin a specific version, replace \u003ccode\u003e@latest\u003c/code\u003e with a tag such as \u003ccode\u003e@v1.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eA minimal, multi-stage Alpine image is published to the GitHub Container Registry. 
The image runs as a non-root user (\u003ccode\u003eleakwatch\u003c/code\u003e), has CGO disabled, and uses \u003ccode\u003e/scan\u003c/code\u003e as its working directory.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAvailable tags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container. 
Flags and options work identically to the native binary — see \u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e for the full list.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFor Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see \u003ca href=\"#/ci-cd/docker-usage\"\u003eUsing Docker\u003c/a\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"prebuilt-binary\"\u003ePrebuilt binary\u003c/h2\u003e\n\u003cp\u003eEvery release publishes tarballs for all supported platforms on the \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e page. Download the archive for your platform, extract it, and place the binary on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSupported platforms:\u003c/strong\u003e Linux, macOS, and Windows on amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Example for Linux amd64 — replace OS and ARCH to match your platform\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform naming follows the pattern \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e where \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e is \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e, or \u003ccode\u003eWindows\u003c/code\u003e and \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e is \u003ccode\u003eamd64\u003c/code\u003e or \u003ccode\u003earm64\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"verifying-your-installation\"\u003eVerifying your 
installation\u003c/h2\u003e\n\u003cp\u003eAfter any installation method, confirm the binary is reachable and check the version:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExpected output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the command is not found, check that the install directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind a Leakwatch scan.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — customize scan behavior with \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eUsing Docker\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Introduction","description":"What Leakwatch is, what it scans, and how it detects and verifies leaked secrets.","html":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e is a 
high-performance, open-source (MIT) security tool that \u003cstrong\u003edetects, verifies, and reports leaked secrets\u003c/strong\u003e — API keys, tokens, passwords, connection strings, and private keys — across your codebases, Git history, container images, cloud storage, and Slack workspaces.\u003c/p\u003e\n\u003cp\u003eIt is written in Go, ships as a single static binary with no runtime dependencies (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e), and is built to run anywhere: a developer laptop, a pre-commit hook, or a CI/CD pipeline.\u003c/p\u003e\n\u003ch2 id=\"why-leakwatch\"\u003eWhy Leakwatch\u003c/h2\u003e\n\u003cp\u003eA leaked credential in a single commit — even one later deleted — can stay reachable in Git history forever and be exploited within minutes of being pushed. Leakwatch is designed to catch those secrets early and tell you which ones are \u003cem\u003eactually dangerous\u003c/em\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBroad detection\u003c/strong\u003e — 63 built-in detectors covering cloud providers, AI APIs, payment platforms, databases, messaging tools, and more, plus your own YAML custom rules.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification, not just detection\u003c/strong\u003e — for 54 detector types Leakwatch can confirm whether a found secret is \u003cem\u003estill live\u003c/em\u003e by making a controlled, read-only call to the provider. 
A verified-active key is an incident; an inactive one is noise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMany sources\u003c/strong\u003e — scan a local filesystem, a full Git history, an OCI/Docker image, AWS S3, Google Cloud Storage, and Slack messages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-native output\u003c/strong\u003e — JSON, SARIF (for GitHub Code Scanning), CSV, and a colorized terminal table.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecret-safe by design\u003c/strong\u003e — discovered secrets are redacted by default and are never logged, cached, or written to disk.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"what-it-scans\"\u003eWhat it scans\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it covers\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFiles in a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history (local or remote)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker image layers, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan 
gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text in channels and (optionally) DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eMultiple repos\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSeveral Git repositories at once\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-detection-works-briefly\"\u003eHow detection works, briefly\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses a layered pipeline so it stays fast even on large inputs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick keyword pre-filter\u003c/strong\u003e — a single multi-pattern automaton quickly decides which detectors \u003cem\u003ecould\u003c/em\u003e match a chunk, so most detectors never run their regex.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex validation\u003c/strong\u003e — only the shortlisted detectors run their precise patterns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropy\u003c/strong\u003e — Shannon entropy is computed for display (and used by custom rules to drop low-randomness matches).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification\u003c/strong\u003e — eligible findings are checked against the live provider API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYou don't have to understand the pipeline to use Leakwatch — but it explains why scans are fast and why some findings show a verification status while others don't. 
See \u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e for the full picture.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-leakwatch-is-not\"\u003eWhat Leakwatch is \u003cem\u003enot\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eTo set expectations accurately:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIt does \u003cstrong\u003enot\u003c/strong\u003e rewrite Git history or remove secrets for you — it finds and reports them, and (with \u003ccode\u003e--remediation\u003c/code\u003e) tells you how to rotate them.\u003c/li\u003e\n\u003cli\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e; scanning the \u003cem\u003econtents\u003c/em\u003e of uploaded files is not implemented.\u003c/li\u003e\n\u003cli\u003eVerification is available for many but not all secret types — 9 detector types (such as JWTs and generic API keys) cannot be safely verified and are always reported as unverified.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install via Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker, or a prebuilt binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind the scan.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Quick Start","description":"Run your first Leakwatch scan in under a minute.","html":"\u003ch1 id=\"quick-start\"\u003eQuick Start\u003c/h1\u003e\n\u003cp\u003eThe fastest way to understand what Leakwatch can do is to point it at a real directory. 
This page walks you through your first scan, explains what the output means, and shows the flags you will reach for most often.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eLeakwatch must be installed and accessible on your \u003ccode\u003ePATH\u003c/code\u003e. If you have not done that yet, see \u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"your-first-scan\"\u003eYour first scan\u003c/h2\u003e\n\u003cp\u003eScan the current directory with one command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default, output is JSON written to stdout. To get a human-readable, colorized table instead, add \u003ccode\u003e--format table\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHere is what a result looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe scan summary is always printed to \u003cstrong\u003estderr\u003c/strong\u003e, so it never interferes with piped or redirected output.\u003c/p\u003e\n\u003ch2 
id=\"understanding-a-finding\"\u003eUnderstanding a finding\u003c/h2\u003e\n\u003cp\u003eEach row in the table (or object in JSON) represents one finding. The key fields are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHow critical the secret type is: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eThe detector that matched — identifies the secret type (e.g. \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the file where the secret was found, relative to the scan root\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eLine number of the match\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eA masked representation of the secret — never the raw value unless \u003ccode\u003e--show-raw\u003c/code\u003e is set\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eVerification outcome: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA 
\u003ccode\u003everified:active\u003c/code\u003e status means Leakwatch confirmed the secret is still live by making a read-only API call to the provider. \u003cstrong\u003eTreat every \u003ccode\u003everified:active\u003c/code\u003e finding as an open incident.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"common-scan-options\"\u003eCommon scan options\u003c/h2\u003e\n\u003ch3 id=\"focus-on-confirmed-secrets-only\"\u003eFocus on confirmed secrets only\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis hides unverified and inactive findings, leaving only those confirmed live. Useful for triage when you have many results.\u003c/p\u003e\n\u003ch3 id=\"skip-network-verification-for-a-fast-offline-scan\"\u003eSkip network verification for a fast offline scan\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVerification is skipped entirely — no outbound network calls are made. Results appear faster and work without internet access, but all findings are marked \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"add-remediation-guidance\"\u003eAdd remediation guidance\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach finding gains a \u003cstrong\u003eREMEDIATION\u003c/strong\u003e column explaining how to rotate or revoke the specific secret type. The same data is included in JSON, SARIF, and CSV output when the flag is set.\u003c/p\u003e\n\u003ch3 id=\"filter-by-minimum-severity\"\u003eFilter by minimum severity\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnly findings at \u003ccode\u003ehigh\u003c/code\u003e or \u003ccode\u003ecritical\u003c/code\u003e severity are reported.\u003c/p\u003e\n\u003ch3 id=\"save-results-to-a-file\"\u003eSave results to a file\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe \u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e flag writes to a file instead of stdout. SARIF output is compatible with \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"generate-a-configuration-file\"\u003eGenerate a configuration file\u003c/h2\u003e\n\u003cp\u003eRunning Leakwatch with defaults is fine for a first try, but for repeated use you will want a project-level configuration:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis writes \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory with recommended defaults for concurrency, entropy, verification, output format, and common path exclusions. 
Use \u003ccode\u003e--force\u003c/code\u003e to overwrite an existing file, or \u003ccode\u003e--output\u003c/code\u003e to write to a different path.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for a full explanation of every option.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses distinct exit codes so CI scripts can act on results without parsing output:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — no findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — one or more secrets found\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed due to an error\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA typical CI gate looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Active secrets found — failing build\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is returned whenever \u003cem\u003eany\u003c/em\u003e finding passes the active filters (including \u003ccode\u003e--min-severity\u003c/code\u003e and \u003ccode\u003e--only-verified\u003c/code\u003e). 
A clean exit code \u003ccode\u003e0\u003c/code\u003e means no findings matched — not that no secrets exist in the codebase.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cancelling-a-scan\"\u003eCancelling a scan\u003c/h2\u003e\n\u003cp\u003ePress \u003ccode\u003eCtrl+C\u003c/code\u003e (or send \u003ccode\u003eSIGTERM\u003c/code\u003e) to cancel a running scan. Leakwatch stops gracefully: in-flight chunks finish, partial results are written, and the summary indicates \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Output Formats","description":"The five output formats Leakwatch supports — JSON, SARIF, CSV, table, and GitHub annotations — with examples and guidance on when to use each.","html":"\u003ch1 id=\"output-formats\"\u003eOutput Formats\u003c/h1\u003e\n\u003cp\u003eLeakwatch supports five output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, human-readable terminal review, and GitHub Actions annotations. 
Select a format with \u003ccode\u003e--format\u003c/code\u003e (or \u003ccode\u003e-f\u003c/code\u003e); write to a file instead of stdout with \u003ccode\u003e--output\u003c/code\u003e (or \u003ccode\u003e-o\u003c/code\u003e).\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\nleakwatch scan fs . --format github # GitHub Actions annotations (CI use)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe default format is \u003ccode\u003ejson\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON is the default format and the most complete representation. Leakwatch writes a JSON \u003cstrong\u003earray\u003c/strong\u003e of finding objects to stdout (or to the file given by \u003ccode\u003e--output\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003eThe raw secret value is \u003cstrong\u003enever\u003c/strong\u003e serialized unless \u003ccode\u003e--show-raw\u003c/code\u003e is explicitly set. 
With \u003ccode\u003e--show-raw\u003c/code\u003e, a \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e field is added to each object.\u003c/p\u003e\n\u003ch3 id=\"example-invocation\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-finding-object\"\u003eExample finding object\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--remediation\u003c/code\u003e is also set, a \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e object is nested inside each finding. See \u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esarif\u003c/code\u003e format produces a SARIF v2.1.0 document, designed for upload to \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e. 
The tool name is \u003ccode\u003eLeakwatch\u003c/code\u003e and \u003ccode\u003einformationUri\u003c/code\u003e points to \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eEach detector that appears in the findings becomes a \u003cstrong\u003erule\u003c/strong\u003e in the SARIF driver, complete with \u003ccode\u003ehelp\u003c/code\u003e text (populated from remediation steps when \u003ccode\u003e--remediation\u003c/code\u003e is set) and a \u003ccode\u003ehelpUri\u003c/code\u003e pointing to the provider documentation. Results carry a \u003ccode\u003eleakwatch/v1\u003c/code\u003e partial fingerprint computed from the detector ID, redacted value, and file path — this lets GitHub Code Scanning track the same alert even when surrounding code shifts.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-1\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"uploading-to-github-code-scanning\"\u003eUploading to GitHub Code Scanning\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# In a GitHub Actions workflow step:\n- name: Upload SARIF results\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e for the full CI setup.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003ecsv\u003c/code\u003e format writes a header row followed by one row per finding, using standard comma-separated values. 
Every cell is sanitized against spreadsheet formula injection before writing.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns (default):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eraw\u003c/code\u003e column is appended.\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003eremediation\u003c/code\u003e column contains the remediation title (e.g. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) when \u003ccode\u003e--remediation\u003c/code\u003e is set, and is empty otherwise.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-2\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"table\"\u003eTable\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003etable\u003c/code\u003e format writes a human-readable tab-aligned table, best suited for interactive terminal sessions where you want a quick visual scan of the results.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen 
\u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eRAW\u003c/code\u003e column is appended. A summary line is printed at the bottom of the table (e.g. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI color\u003c/strong\u003e is applied to the \u003ccode\u003eSEVERITY\u003c/code\u003e column automatically, but only when all four conditions are met:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e is selected\u003c/li\u003e\n\u003cli\u003eOutput goes to stdout (no \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003estdout is a TTY (not a pipe or redirect)\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNO_COLOR\u003c/code\u003e environment variable is unset\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003cth\u003eColor\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBold red\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYellow\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBlue\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-invocation-3\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output-1\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"github-annotations\"\u003eGitHub annotations\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003egithub\u003c/code\u003e format emits \u003ca href=\"https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions\"\u003eGitHub Actions workflow commands\u003c/a\u003e (\u003ccode\u003e::error\u003c/code\u003e / \u003ccode\u003e::warning\u003c/code\u003e / \u003ccode\u003e::notice\u003c/code\u003e) so findings appear as \u003cstrong\u003einline annotations\u003c/strong\u003e on a pull request's \u003cem\u003eFiles changed\u003c/em\u003e view and in the run log. It is intended to be streamed to the runner's stdout — writing it to a file has no effect.\u003c/p\u003e\n\u003cp\u003eSeverity maps to the annotation level: \u003ccode\u003ecritical\u003c/code\u003e → \u003ccode\u003eerror\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e → \u003ccode\u003ewarning\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e/\u003ccode\u003elow\u003c/code\u003e → \u003ccode\u003enotice\u003c/code\u003e. 
A finding with a file path is anchored to that file and line; a finding without one becomes a run-level annotation.\u003c/p\u003e\n\u003cp\u003eFor safety, this format \u003cstrong\u003enever\u003c/strong\u003e prints the raw secret — only the redacted value is shown, even with \u003ccode\u003e--show-raw\u003c/code\u003e, because annotations render in the (often public) PR UI and logs.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-4\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format github\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output-2\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e::error file=config/prod.env,line=12,title=Leakwatch%3A aws-access-key-id::Potential secret detected by aws-access-key-id (critical): AKIA****K7NP\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis format is normally driven by the \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e (\u003ccode\u003eformat: github\u003c/code\u003e) rather than invoked by hand.\u003c/p\u003e\n\u003ch2 id=\"common-output-flags\"\u003eCommon output flags\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003egithub\u003c/code\u003e (default 
\u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite to file instead of stdout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eInclude unredacted secret value in output\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eDrop findings below this severity level\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eKeep only \u003ccode\u003everified_active\u003c/code\u003e findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eEnrich findings with provider remediation guidance\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Remediation Guidance","description":"Use --remediation to enrich findings with provider-specific rotation and revocation steps, urgency ratings, and official documentation links.","html":"\u003ch1 id=\"remediation-guidance\"\u003eRemediation Guidance\u003c/h1\u003e\n\u003cp\u003eKnowing a secret is leaked is 
only half the work — you also need to know what to do about it. Passing \u003ccode\u003e--remediation\u003c/code\u003e to any scan command enriches each finding with structured, provider-specific guidance: the steps to rotate or revoke the credential, a link to the provider's documentation, a link to the management console, an urgency rating, and a verification checklist.\u003c/p\u003e\n\u003ch2 id=\"how-to-enable-it\"\u003eHow to enable it\u003c/h2\u003e\n\u003cp\u003eAdd \u003ccode\u003e--remediation\u003c/code\u003e to any scan command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRemediation enrichment is disabled by default. When the flag is absent, the \u003ccode\u003eremediation\u003c/code\u003e field in each finding is \u003ccode\u003enull\u003c/code\u003e and no extra data is fetched or computed.\u003c/p\u003e\n\u003ch2 id=\"what-it-contains\"\u003eWhat it contains\u003c/h2\u003e\n\u003cp\u003eEach remediation entry includes the following fields:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShort name of the remediation action (e.g. 
\u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOrdered list of steps to rotate or revoke the secret\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLink to the provider's official credential-management documentation\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDirect link to the provider's management console page\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHow quickly to act: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e, or \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePost-rotation verification steps (e.g. review audit logs, notify the security team)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch ships 63 remediation entries — one for every built-in detector. All 63 entries are included in the binary; no network calls are made to fetch guidance.\u003c/p\u003e\n\u003ch2 id=\"how-it-appears-in-each-format\"\u003eHow it appears in each format\u003c/h2\u003e\n\u003cp\u003eEnrichment adds the guidance to the finding object in memory. How it surfaces depends on the output format:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — the full structured \u003ccode\u003eremediation\u003c/code\u003e object is nested inside each finding:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n 
},\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — the \u003ccode\u003esteps\u003c/code\u003e are embedded in the rule's \u003ccode\u003ehelp.text\u003c/code\u003e field, and \u003ccode\u003edoc_url\u003c/code\u003e is set as the rule's \u003ccode\u003ehelpUri\u003c/code\u003e. This surfaces directly in GitHub Code Scanning's alert details panel.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is written to the \u003ccode\u003eremediation\u003c/code\u003e column. The full structured guidance is not included in the CSV output.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTable\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is shown in the \u003ccode\u003eREMEDIATION\u003c/code\u003e column.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--remediation --format json\u003c/code\u003e when you need the full structured guidance for automated incident-response workflows. 
Use \u003ccode\u003e--remediation --format table\u003c/code\u003e for a quick human-readable triage session in the terminal.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnrichment runs only when \u003ccode\u003e--remediation\u003c/code\u003e is set. Without the flag, the \u003ccode\u003eremediation\u003c/code\u003e field is absent from JSON and SARIF output, and the CSV and table \u003ccode\u003eremediation\u003c/code\u003e columns are empty. The flag does not modify the original scan results — it adds a layer on top.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Reference","description":"Complete reference for every Leakwatch command, subcommand, and flag.","html":"\u003ch1 id=\"cli-reference\"\u003eCLI Reference\u003c/h1\u003e\n\u003cp\u003eThis page is the authoritative reference for all Leakwatch commands and flags. 
For conceptual explanations and worked examples, follow the cross-links to the relevant scanning or configuration pages.\u003c/p\u003e\n\u003ch2 id=\"global-flags\"\u003eGlobal flags\u003c/h2\u003e\n\u003cp\u003eThese flags are available on every command and subcommand.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eauto-discovered \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a configuration file. When omitted, Leakwatch searches the current directory and its parents for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLogging verbosity: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e, or \u003ccode\u003eerror\u003c/code\u003e. 
Log output goes to stderr and does not affect scan results.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003ePrints the binary version, commit hash, and build timestamp, then exits.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGenerates a \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file in the current directory with recommended defaults.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite the config file to this path instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOverwrite an existing config file. 
Without this flag, \u003ccode\u003einit\u003c/code\u003e exits with an error if the output file already exists.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Generate the default config\nleakwatch init\n\n# Overwrite an existing config\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eParent command for all scan subcommands. Has no behavior on its own; run a subcommand.\u003c/p\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003cp\u003eThe following flags are available on \u003cstrong\u003eall\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e subcommands.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file path instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU 
count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files or blobs larger than this number of bytes.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw (unredacted) secret value in output. Use with caution.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable live secret verification. No outbound API calls are made.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings that Leakwatch has confirmed are active via live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to include in output: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or 
\u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance (rotation/revocation steps) to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans a local directory tree.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e defaults to \u003ccode\u003e.\u003c/code\u003e. Accepts at most one positional argument.\u003c/p\u003e\n\u003ch4 id=\"filesystem-specific-flags\"\u003eFilesystem-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob pattern for paths to exclude. Repeatable.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory, print a colorized table\nleakwatch scan fs . --format table\n\n# Save SARIF output, exclude test files and vendor\nleakwatch scan fs . 
\\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the full commit history of a local or remote Git repository.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required: a local path or an HTTP/HTTPS/SSH URL.\u003c/p\u003e\n\u003ch4 id=\"git-specific-flags\"\u003eGit-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default branch.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eShallow clone depth for remote repositories. 
\u003ccode\u003e0\u003c/code\u003e fetches the full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-1\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan full local history\nleakwatch scan git . --format table\n\n# Scan only commits added by a pull request\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the layers of an OCI/Docker image for secrets. Leakwatch is daemonless and pulls directly from the registry — no Docker socket is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"examples-2\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a public image\nleakwatch scan image nginx:latest --format table\n\n# Scan a private registry image and save JSON output\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in an AWS S3 bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"s3-specific-flags\"\u003eS3-specific 
flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket. Falls back to \u003ccode\u003eAWS_REGION\u003c/code\u003e environment variable or the AWS SDK default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-3\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire bucket\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Scan only a specific prefix\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in a Google Cloud Storage bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix 
\u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID. Required when the bucket's project cannot be inferred from the default credentials.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-4\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire GCS bucket\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Scan a prefix\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans message text in a Slack workspace.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo positional arguments.\u003c/p\u003e\n\u003ch4 id=\"slack-specific-flags\"\u003eSlack-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token. 
Can also be set via \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to scan. Scans all accessible channels when omitted.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only messages posted after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude direct messages (requires additional OAuth scopes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-5\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan all accessible channels\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Scan specific channels since a date\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 
id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans multiple Git repositories in parallel.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRequires at least two positional arguments (repository URLs or local paths).\u003c/p\u003e\n\u003ch4 id=\"repos-specific-flags\"\u003eRepos-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan concurrently.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eWorker concurrency within each repository scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-6\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan two repositories in parallel\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Increase parallelism for a large set of repos\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"see-also\"\u003eSee 
also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e — configure Leakwatch without flags.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — detailed \u003ccode\u003escan fs\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — detailed \u003ccode\u003escan git\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Environment Variables","description":"Environment variables that configure Leakwatch behavior without flags.","html":"\u003ch1 id=\"environment-variables\"\u003eEnvironment Variables\u003c/h1\u003e\n\u003cp\u003eLeakwatch reads configuration from three sources in priority order: \u003cstrong\u003ecommand-line flags\u003c/strong\u003e override \u003cstrong\u003eenvironment variables\u003c/strong\u003e, which override the \u003cstrong\u003econfig file\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e), which falls back to built-in \u003cstrong\u003edefaults\u003c/strong\u003e. 
Environment variables are useful in CI environments where you cannot modify a config file or pass flags to every invocation.\u003c/p\u003e\n\u003ch2 id=\"configuration-variable-pattern\"\u003eConfiguration variable pattern\u003c/h2\u003e\n\u003cp\u003eAny key from \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e can be set as an environment variable by:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eUppercasing the key name.\u003c/li\u003e\n\u003cli\u003eReplacing \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrepending \u003ccode\u003eLEAKWATCH_\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor example, the config key \u003ccode\u003escan.concurrency\u003c/code\u003e becomes \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"variable-reference\"\u003eVariable reference\u003c/h2\u003e\n\u003ch3 id=\"leakwatch-specific-variables\"\u003eLeakwatch-specific variables\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack bot token for \u003ccode\u003escan slack\u003c/code\u003e. Equivalent to \u003ccode\u003e--token\u003c/code\u003e. Set this instead of passing the token as a flag to avoid it appearing in shell history or CI logs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers. 
Equivalent to \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSet to \u003ccode\u003efalse\u003c/code\u003e to disable live verification globally. Equivalent to \u003ccode\u003e--no-verify\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum verification requests per second across all verifiers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault output format (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e). Equivalent to \u003ccode\u003e--format\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum Shannon entropy for a match to be reported. Float value, e.g. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"display-variable\"\u003eDisplay variable\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWhen set to any non-empty value, disables ANSI color codes in the \u003ccode\u003etable\u003c/code\u003e output formatter. 
Follows the \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e convention.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-variables-for-scan-s3-and-aws-secret-verification\"\u003eAWS variables (for \u003ccode\u003escan s3\u003c/code\u003e and AWS secret verification)\u003c/h3\u003e\n\u003cp\u003eThese are standard AWS SDK environment variables. Leakwatch passes them through to the AWS SDK v2 default credential chain.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS access key ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS secret access key.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS session token (for temporary credentials).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault AWS region.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNamed profile from \u003ccode\u003e~/.aws/credentials\u003c/code\u003e to use.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-variable-for-scan-gcs\"\u003eGCS variable (for \u003ccode\u003escan 
gcs\u003c/code\u003e)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a Google service-account JSON key file. Used by Application Default Credentials when scanning a GCS bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence-example\"\u003ePrecedence example\u003c/h2\u003e\n\u003cp\u003eGiven this setup:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e sets \u003ccode\u003eoutput.format: table\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e is set in the environment\u003c/li\u003e\n\u003cli\u003eThe command is run as \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e (no \u003ccode\u003e--format\u003c/code\u003e flag)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe effective format is \u003ccode\u003ejson\u003c/code\u003e because the environment variable overrides the config file.\u003c/p\u003e\n\u003cp\u003eIf the command is run as \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e, the effective format is \u003ccode\u003esarif\u003c/code\u003e because the flag overrides everything.\u003c/p\u003e\n\u003ch2 id=\"credentials-for-verification-vs-credentials-for-scanning\"\u003eCredentials for verification vs. credentials for scanning\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe AWS and GCP variables above are consumed to \u003cstrong\u003eauthenticate Leakwatch itself\u003c/strong\u003e when it connects to S3 or GCS to retrieve objects for scanning. 
They are not used to verify found secrets. Verification of a discovered AWS key, for example, uses that discovered key itself to call AWS STS — not the runner's credentials.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"passing-secrets-safely-in-ci\"\u003ePassing secrets safely in CI\u003c/h2\u003e\n\u003cp\u003eIn GitHub Actions, use encrypted secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn GitLab CI, use masked CI/CD variables:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # defined as a masked variable in project settings\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNever hard-code token values in workflow files or Dockerfiles.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — full \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e key reference.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eCloud Storage Scanning\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e and \u003ccode\u003escan gcs\u003c/code\u003e credentials.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Scanning\u003c/a\u003e — Slack token scopes and permissions.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — equivalent command-line flags.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Exit Codes","description":"Leakwatch exit code reference and how to use them in scripts and CI pipelines.","html":"\u003ch1 id=\"exit-codes\"\u003eExit Codes\u003c/h1\u003e\n\u003cp\u003eLeakwatch uses a small, well-defined set of exit codes so that CI pipelines and shell scripts can act on scan results 
without parsing output. Every scan subcommand exits with one of three codes.\u003c/p\u003e\n\u003ch2 id=\"code-reference\"\u003eCode reference\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eName\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eClean\u003c/td\u003e\n\u003ctd\u003eThe scan completed successfully and no findings passed the active filters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFindings\u003c/td\u003e\n\u003ctd\u003eThe scan completed and one or more secrets were found (and passed the active filters).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eError\u003c/td\u003e\n\u003ctd\u003eA hard error occurred — for example, an invalid flag, an unreadable path, or an authentication failure. An \u003ccode\u003eError: ...\u003c/code\u003e message and a usage hint are printed to stderr.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-filters-affect-exit-code-1\"\u003eHow filters affect exit code 1\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is only emitted when at least one finding survives all active output filters. The two most relevant filters are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — findings below the threshold are suppressed. 
If all findings are \u003ccode\u003elow\u003c/code\u003e severity and you run with \u003ccode\u003e--min-severity high\u003c/code\u003e, exit code \u003ccode\u003e0\u003c/code\u003e is returned even though secrets exist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — only findings confirmed active by live verification are reported. If no active secrets are found, exit code \u003ccode\u003e0\u003c/code\u003e is returned.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis means exit code \u003ccode\u003e0\u003c/code\u003e means \u0026quot;no findings matched your current filter settings\u0026quot; — not necessarily that the codebase contains no secrets at all.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eA clean \u003ccode\u003e0\u003c/code\u003e exit under \u003ccode\u003e--only-verified\u003c/code\u003e does not guarantee the codebase is secret-free. Secrets for which verification is unavailable (9 detector types) are always reported as unverified and are suppressed by \u003ccode\u003e--only-verified\u003c/code\u003e. Pair \u003ccode\u003e--only-verified\u003c/code\u003e with a separate unfiltered scan if you need full coverage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"using-exit-codes-in-shell-scripts\"\u003eUsing exit codes in shell scripts\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;No secrets found. 
Build continues.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Secrets found — review leakwatch.json and remediate before merging.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch encountered an error (exit $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eset +e\u003c/code\u003e before the scan prevents the shell from exiting on non-zero codes, giving you the chance to capture and handle the code yourself.\u003c/p\u003e\n\u003ch2 id=\"using-exit-codes-in-ci-pipelines\"\u003eUsing exit codes in CI pipelines\u003c/h2\u003e\n\u003cp\u003eMost CI systems treat any non-zero exit code as a step failure. Since Leakwatch exits \u003ccode\u003e1\u003c/code\u003e when secrets are found, the pipeline fails automatically without any extra configuration — simply run the scan command.\u003c/p\u003e\n\u003cp\u003eTo allow the pipeline to continue even when secrets are found (for example, to collect the report without blocking the build), explicitly ignore the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in GitLab CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in the GitHub Action, set \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"exit-code-2-in-practice\"\u003eExit code 2 in practice\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e2\u003c/code\u003e indicates a configuration or runtime error that prevented the scan from running at all. 
Common causes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn invalid flag value (for example, \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA path that does not exist or is not readable.\u003c/li\u003e\n\u003cli\u003eA missing required argument (for example, \u003ccode\u003escan git\u003c/code\u003e with no URL).\u003c/li\u003e\n\u003cli\u003eAn authentication error when connecting to a cloud source.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe error message is printed to stderr and includes context to help diagnose the problem:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — how to wire exit codes into GitLab CI, Jenkins, and others.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — how the official action maps exit codes to step outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Cloud Storage (S3 \u0026 GCS)","description":"Scan AWS S3 and Google Cloud Storage buckets for leaked secrets.","html":"\u003ch1 id=\"cloud-storage-s3--gcs\"\u003eCloud Storage (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSecrets regularly end up in cloud storage — exported database dumps, environment files, CI artefacts, and log archives all flow into buckets that may be readable by more people than intended. 
Leakwatch can scan AWS S3 and Google Cloud Storage buckets object-by-object and flag any secrets it finds before they become an incident.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"usage\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003es3://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses the standard \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS default credential chain\u003c/a\u003e:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnvironment variables (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared credentials file (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared configuration file (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIAM role attached to the instance or task (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNo additional configuration is required if you are already authenticated with the AWS CLI (\u003ccode\u003eaws configure\u003c/code\u003e or an assumed role).\u003c/p\u003e\n\u003ch3 id=\"s3-specific-flags\"\u003eS3-specific 
flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eFrom AWS config\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-examples\"\u003eS3 examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific key prefix in a given region:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--prefix\u003c/code\u003e to limit the scan to a relevant sub-path. Scanning a large bucket with millions of objects can be slow and may incur S3 GET request costs. 
Narrow the prefix to what actually matters — for example \u003ccode\u003econfigs/\u003c/code\u003e or \u003ccode\u003eexports/\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"usage-1\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003egs://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication-1\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e. 
The credential search order is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e environment variable pointing to a service-account key file.\u003c/li\u003e\n\u003cli\u003eUser credentials set up by \u003ccode\u003egcloud auth application-default login\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eService account attached to a Google Compute Engine instance, Cloud Run service, or GKE workload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID (required by some ADC configurations).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-examples\"\u003eGCS examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket with a specific GCP project:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific prefix:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOutput as CSV:\u003c/p\u003e\n\u003cpre\u003e\u003ccode 
class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h2\u003e\n\u003cp\u003eBoth \u003ccode\u003es3\u003c/code\u003e and \u003ccode\u003egcs\u003c/code\u003e support the same common scan flags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip objects larger than this value 
(bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions (applied to object keys) are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. 
Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (authentication error, bucket not found, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. 
Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Container Images","description":"Scan OCI and Docker image layers for leaked secrets without a Docker daemon.","html":"\u003ch1 id=\"container-images\"\u003eContainer Images\u003c/h1\u003e\n\u003cp\u003eContainer images are a common hiding place for secrets: API keys baked into environment variables, credentials embedded in build layers, and configuration files copied into image layers and then forgotten. \u003ccode\u003eleakwatch scan image\u003c/code\u003e inspects every layer of an OCI or Docker image and surfaces those secrets before the image is deployed.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: an image reference in standard \u003ccode\u003ename:tag\u003c/code\u003e notation. 
Leakwatch uses \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e to pull and inspect images \u003cstrong\u003edaemonlessly\u003c/strong\u003e — no running Docker daemon is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a Docker Hub image\nleakwatch scan image nginx:latest\n\n# Scan a private GitHub Container Registry image\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Scan an Amazon ECR image\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"supported-registries\"\u003eSupported registries\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eRegistry\u003c/th\u003e\n\u003cth\u003eExample reference\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAny OCI-compatible registry\u003c/td\u003e\n\u003ctd\u003eStandard \u003ccode\u003eregistry/name:tag\u003c/code\u003e form\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses the standard 
credential keychain used by Docker and other OCI tools. If you are already authenticated via \u003ccode\u003edocker login\u003c/code\u003e (or an equivalent tool such as \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, or cloud-provider credential helpers), Leakwatch will use those credentials automatically.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Log in to GHCR first\ndocker login ghcr.io\n\n# Then scan — credentials are picked up automatically\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor Amazon ECR, configure the ECR credential helper or set \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e and related environment variables before scanning.\u003c/p\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch pulls the image manifest, iterates over each layer in order, and extracts the files within each layer. Each file's content is run through the same detection pipeline as a filesystem scan. Path exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply here, limiting which file paths inside layers are examined.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003cp\u003eThere are no image-specific flags. 
All common scan flags apply:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in 
output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. 
See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e for details.\u003c/p\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan a Docker Hub image and print results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a private registry image and save SARIF output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan and show only verified active secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInclude remediation guidance in JSON output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from an image scan includes layer metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe image reference that was scanned.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe layer digest where the finding was 
detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe path of the file within the layer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIntegrate container image scanning into your CI/CD pipeline's build stage to catch secrets before the image is pushed to a registry. Use \u003ccode\u003e--format sarif\u003c/code\u003e to upload results directly to GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (image not found, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. 
Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Filesystem","description":"Scan a local directory tree for leaked secrets with leakwatch scan fs.","html":"\u003ch1 id=\"filesystem\"\u003eFilesystem\u003c/h1\u003e\n\u003cp\u003eLocal source code is where secrets most often appear first. The \u003ccode\u003eleakwatch scan fs\u003c/code\u003e command walks every file in a directory tree, runs the full detection pipeline on each one, and reports any findings before they can be committed — or after the fact on an existing codebase.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e is optional. When omitted, Leakwatch scans the current working directory (\u003ccode\u003e.\u003c/code\u003e). 
Only one path argument is accepted.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory\nleakwatch scan fs\n\n# Scan a specific project folder\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"what-the-filesystem-source-skips-automatically\"\u003eWhat the filesystem source skips automatically\u003c/h2\u003e\n\u003cp\u003eTo keep scans fast and noise-free, the filesystem source skips the following without any configuration:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBinary files\u003c/strong\u003e — detected by the presence of a null byte in the first 8 KB of the file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKnown binary extensions\u003c/strong\u003e — common compiled, image, audio, video, and archive formats.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLock files\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e, and similar.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"filesystem-specific\"\u003eFilesystem-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (repeatable)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob patterns for paths to exclude. 
Can be repeated or comma-separated.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in 
output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the current directory and print a colorized table to the terminal:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude test files and vendor directories, then save SARIF output for GitHub Code Scanning:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eLimit file size to 5 MB and increase worker count for a large monorepo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eShow only high-severity findings and include rotation instructions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"excluding-paths\"\u003eExcluding paths\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003e--exclude\u003c/code\u003e flag accepts glob patterns and can be specified multiple times or as a comma-separated list:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Two separate flags\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Comma-separated\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor permanent exclusion rules shared across your team, add them to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Those rules apply to every source, not just filesystem scans. You can also create a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your project root. 
See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e and \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (configuration error, unreadable path, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary (source type, target, file count, duration, and finding count) is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eRun \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e during development to get a quick visual overview. 
Switch to \u003ccode\u003e--format sarif\u003c/code\u003e in CI pipelines to integrate with GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure default format, exclusions, and more.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e and inline suppression.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history, not just the working tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git History","description":"Scan the full commit history of a local or remote Git repository for leaked secrets.","html":"\u003ch1 id=\"git-history\"\u003eGit History\u003c/h1\u003e\n\u003cp\u003eA secret that was committed and then deleted is still present in every earlier commit, reachable to anyone with repository access. 
\u003ccode\u003eleakwatch scan git\u003c/code\u003e walks the \u003cem\u003eentire\u003c/em\u003e commit history of a repository — local or remote — and surfaces those secrets before they can be exploited.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: either a \u003cstrong\u003elocal filesystem path\u003c/strong\u003e to a repository (\u003ccode\u003e.\u003c/code\u003e for the current directory) or a \u003cstrong\u003eremote HTTP/HTTPS or SSH URL\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e for all Git operations — a pure Go implementation with no dependency on a system \u003ccode\u003egit\u003c/code\u003e binary.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the local repository in the current directory\nleakwatch scan git .\n\n# Scan a remote repository over HTTPS\nleakwatch scan git https://github.com/org/repo.git\n\n# Scan over SSH\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch walks every commit in the history and examines the blobs introduced by each commit. \u003cstrong\u003eBlob-hash deduplication\u003c/strong\u003e ensures that identical file content is scanned only once, no matter how many commits reference it. 
This keeps scan time proportional to the \u003cem\u003eunique content\u003c/em\u003e in the repository rather than to the raw commit count.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause Leakwatch examines commit-by-commit diffs, it finds secrets that were introduced and later deleted — content that is invisible in the current working tree.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"git-specific\"\u003eGit-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD (diff-based).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eClone depth for \u003cstrong\u003eremote repositories only\u003c/strong\u003e. 
\u003ccode\u003e0\u003c/code\u003e means full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in 
output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the full history of the local repository and print a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only commits made after a specific date on the \u003ccode\u003edevelop\u003c/code\u003e branch:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan changes introduced since a specific commit (useful in CI to check only new commits):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDo a shallow clone of a large remote repository to speed up the initial scan:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a remote repository and save verified findings only as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Git scan includes commit metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eURL or path of the scanned repository (credentials stripped).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit hash where the secret was introduced.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit author name and 
email.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit timestamp.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBranch context (when available).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--since-commit\u003c/code\u003e in pull-request CI jobs to scan only the commits added by the PR. Use \u003ccode\u003e--since \u0026lt;date\u0026gt;\u003c/code\u003e for scheduled nightly scans covering recent activity.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eWhen a repository URL contains embedded credentials (for example \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch strips those credentials before writing anything to logs or output, so the token never appears in scan results or CI traces.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (invalid URL, authentication error, 
etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eMultiple Repositories\u003c/a\u003e — scan several repositories in one command.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan the working tree instead of history.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Multiple Repositories","description":"Scan several Git repositories concurrently and combine results into a single report.","html":"\u003ch1 id=\"multiple-repositories\"\u003eMultiple Repositories\u003c/h1\u003e\n\u003cp\u003eWhen an organization grows, secrets can land in any of dozens or hundreds of repositories. Checking them one by one is impractical. 
\u003ccode\u003eleakwatch scan repos\u003c/code\u003e accepts multiple repository URLs and scans them concurrently, merging all findings into a single output — one command, one report.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command requires \u003cstrong\u003eat least two\u003c/strong\u003e repository URLs. All repositories are cloned, scanned, and cleaned up automatically. The combined finding count and a single scan summary are reported at the end.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-works\"\u003eHow it works\u003c/h2\u003e\n\u003cp\u003eLeakwatch spawns up to \u003ccode\u003e--parallel\u003c/code\u003e repository scans at once. Each repository is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCloned from the provided URL (credentials are stripped from logs and output for safety).\u003c/li\u003e\n\u003cli\u003eScanned with the full detection pipeline, using \u003ccode\u003e--concurrency\u003c/code\u003e workers for that repository.\u003c/li\u003e\n\u003cli\u003eCleaned up (the temporary clone is deleted) once the scan completes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAll findings from all repositories are collected and written as a single output, as if the scan had been a single-source run. 
The displayed target is \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"multi-repo-specific\"\u003eMulti-repo-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan in parallel.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of 
stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers \u003cstrong\u003eper repository\u003c/strong\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, 
\u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply to all repositories. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan two repositories and display results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan five repositories with higher parallelism and save the combined results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan with more workers per repository and show only verified findings:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 
id=\"tuning-parallelism\"\u003eTuning parallelism\u003c/h2\u003e\n\u003cp\u003eTwo knobs control throughput:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e controls how many repository clones and scans run simultaneously. The default of \u003ccode\u003e3\u003c/code\u003e is appropriate for most workloads. Raise it when network bandwidth and CPU headroom allow; lower it on constrained machines.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e) controls how many worker goroutines process file blobs \u003cem\u003ewithin\u003c/em\u003e each individual repository. This is the same flag available on all scan commands.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTotal concurrent operations at peak = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf one or more repository scans fail (for example, due to a network error or authentication failure), Leakwatch logs the error and continues scanning the remaining repositories. The exit code will be \u003ccode\u003e2\u003c/code\u003e if any individual repo scan failed, even if other repos produced findings.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eAny embedded credentials in repository URLs (e.g. 
\u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e) are stripped before the URL is written to logs, output, or the scan summary.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOne or more repository scans failed, or a configuration error occurred.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. 
Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan a single repository in depth.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure shared defaults for all sources.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Workspace","description":"Scan Slack channel and DM message text for leaked secrets.","html":"\u003ch1 id=\"slack-workspace\"\u003eSlack Workspace\u003c/h1\u003e\n\u003cp\u003eDevelopers frequently share credentials in chat — a token pasted into a channel for a quick test, a password sent in a DM, or an API key mentioned in an incident thread. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e reads message text across your Slack workspace and flags any secrets it finds.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch scans \u003cstrong\u003emessage text only\u003c/strong\u003e. Scanning the contents of uploaded files (attachments, snippets) is not implemented. 
Only the text body of messages is analysed.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis command takes \u003cstrong\u003eno positional arguments\u003c/strong\u003e. All configuration is provided through flags or environment variables.\u003c/p\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eA Slack Bot Token is required. Provide it via the \u003ccode\u003e--token\u003c/code\u003e flag or the \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e environment variable. Using an environment variable is recommended so the token never appears in shell history or process listings.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"required-bot-token-scopes\"\u003eRequired bot token scopes\u003c/h3\u003e\n\u003cp\u003eThe bot token must be associated with a Slack app that has the following OAuth scopes:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eScope\u003c/th\u003e\n\u003cth\u003ePurpose\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in public channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in private channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead direct messages (required only with 
\u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead group direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"slack-specific\"\u003eSlack-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. Prefer \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e env var.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eall channels\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan messages posted on or after this 
date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAlso scan direct messages and group DMs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent 
workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eInternal chunk size limit (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags 
\u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan all channels the bot has access to, using an environment variable for the token:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan specific channels and limit to messages since the start of the year:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude noisy channels and include direct messages:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eReduce the API request rate to avoid Slack rate-limit errors on large workspaces:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave only verified active findings to a JSON file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Slack scan includes message and channel 
metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe channel name where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack message timestamp (unique message ID).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack user ID of the message author.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performance-considerations\"\u003ePerformance considerations\u003c/h2\u003e\n\u003cp\u003eSlack API requests are subject to rate limits enforced by Slack. The \u003ccode\u003e--rate-limit\u003c/code\u003e flag (default \u003ccode\u003e20\u003c/code\u003e requests/second) controls how aggressively Leakwatch makes requests. Lower this value if you see \u003ccode\u003e429 Too Many Requests\u003c/code\u003e errors, especially on large workspaces.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003e--channels\u003c/code\u003e to target specific channels rather than scanning the entire workspace on every run. 
Combine with \u003ccode\u003e--since\u003c/code\u003e to scan only recent messages incrementally.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (missing token, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure defaults in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all 
commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"How Verification Works","description":"How Leakwatch confirms whether a detected secret is still active, which verification modes it uses, and how to configure or disable verification.","html":"\u003ch1 id=\"how-verification-works\"\u003eHow Verification Works\u003c/h1\u003e\n\u003cp\u003eFinding a secret in a codebase is only half the story. A key that was rotated six months ago is noise; a key that is still live is an active incident. Verification is the step that draws that line — it takes each detected finding and, where possible, confirms whether the secret is currently valid at the provider.\u003c/p\u003e\n\u003ch2 id=\"from-detection-to-verification\"\u003eFrom detection to verification\u003c/h2\u003e\n\u003cp\u003eAfter the scan engine collects findings, the verifier pool picks them up. Each finding carries a \u003ccode\u003edetector_id\u003c/code\u003e; Leakwatch looks up whether a verifier is registered for that ID:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf a verifier exists, it runs and returns a status.\u003c/li\u003e\n\u003cli\u003eIf no verifier is registered for that detector type, the finding passes through unchanged with status \u003ccode\u003eunverified\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"two-verification-modes\"\u003eTwo verification modes\u003c/h2\u003e\n\u003cp\u003eNot all secrets can be verified the same way. Leakwatch uses two distinct approaches depending on what is safe for each credential type.\u003c/p\u003e\n\u003ch3 id=\"live-api-verification\"\u003eLive API verification\u003c/h3\u003e\n\u003cp\u003eFor approximately 49 detector types, Leakwatch makes a \u003cstrong\u003econtrolled, read-only API call\u003c/strong\u003e to the provider — for example, calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys or \u003ccode\u003eGET /user\u003c/code\u003e for GitHub tokens. 
The call uses only the minimum endpoint required to confirm identity; it never modifies data, creates resources, or triggers billing events.\u003c/p\u003e\n\u003cp\u003eIf the provider returns a success response, the finding is marked \u003ccode\u003everified_active\u003c/code\u003e. If the provider rejects the credential (for example with HTTP 401 or 403), the finding is marked \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"format-validation-only\"\u003eFormat validation only\u003c/h3\u003e\n\u003cp\u003eFor five credential types, no safe live check exists — the provider has no anonymous identity endpoint, or a real call would have side effects. For these, Leakwatch validates the structure of the credential without making any network request:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e fields present\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check only — a valid format proves nothing, result is always \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat 
check\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEven when the format check passes, the result remains \u003ccode\u003eunverified\u003c/code\u003e. A structurally valid credential may be expired or revoked. These findings always require manual triage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"verification-statuses\"\u003eVerification statuses\u003c/h2\u003e\n\u003cp\u003eEvery finding in Leakwatch output carries one of four statuses:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStatus\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe secret was confirmed live by the provider.\u003c/td\u003e\n\u003ctd\u003eTreat as an active incident. Rotate immediately.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe provider rejected the credential.\u003c/td\u003e\n\u003ctd\u003eLikely already rotated. 
Review context and close.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo verifier exists for this type, or format validation returned no result, or verification was disabled.\u003c/td\u003e\n\u003ctd\u003eTriage manually; context determines risk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe verifier ran but encountered a network error, timeout, or unexpected response.\u003c/td\u003e\n\u003ctd\u003eTreat as potentially active. Retry or triage manually.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"the-verification-engine\"\u003eThe verification engine\u003c/h2\u003e\n\u003cp\u003eVerification runs in a dedicated concurrent worker pool, isolated from the scan worker pool. The defaults are conservative to avoid triggering provider rate limits:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSetting\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eWorker count\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal rate limit\u003c/td\u003e\n\u003ctd\u003e10 requests/second\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003ePer-request timeout\u003c/td\u003e\n\u003ctd\u003e10 s\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eAll three values are tunable under the \u003ccode\u003everification:\u003c/code\u003e block in 
\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # requests per second (global)\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf you are scanning a repository that triggers hundreds of findings, consider lowering \u003ccode\u003erate-limit\u003c/code\u003e to 5 or enabling \u003ccode\u003e--only-verified\u003c/code\u003e to keep the verified-active set small and actionable.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"controlling-verification-at-the-command-line\"\u003eControlling verification at the command line\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eDisable verification entirely\u003c/strong\u003e with \u003ccode\u003e--no-verify\u003c/code\u003e (or set \u003ccode\u003everification.enabled: false\u003c/code\u003e in config). Every finding passes through as \u003ccode\u003eunverified\u003c/code\u003e. Use this for offline or air-gapped environments, or when you want the fastest possible scan without touching any provider API.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eShow only confirmed-live secrets\u003c/strong\u003e with \u003ccode\u003e--only-verified\u003c/code\u003e. Everything that is not \u003ccode\u003everified_active\u003c/code\u003e is dropped from the output. This is the fastest way to triage a large result set — you see only the keys you must act on now.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e silently drops \u003ccode\u003eunverified\u003c/code\u003e and \u003ccode\u003everify_error\u003c/code\u003e findings. Do not use it as your sole filter in a compliance context — some credential types (JWTs, generic API keys, private keys) can never be verified and would always be excluded.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eVerification is designed so that the raw secret value never leaves the process boundary in an unsafe way:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerifiers pass the secret directly to the provider's HTTP endpoint over TLS — it is never written to disk, emitted to a log, or cached between runs.\u003c/li\u003e\n\u003cli\u003eA verifier that fails to initialise or encounters a panic is caught by the engine, which marks the finding \u003ccode\u003everify_error\u003c/code\u003e and continues rather than crashing the scan.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detector types are live-verified, format-validated, or not verifiable at all.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for the \u003ccode\u003everification:\u003c/code\u003e block.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — how the verification status appears in JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Verification 
Coverage","description":"Which of the 63 built-in detectors are live-verified, format-validated only, or not verifiable — and what that means for triage.","html":"\u003ch1 id=\"verification-coverage\"\u003eVerification Coverage\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships 63 built-in detectors and 54 verifiers, giving a coverage rate of \u003cstrong\u003e85.7%\u003c/strong\u003e (54 of 63 detector types have some form of verification). This page maps every detector to its verification status so you know what to expect in your output.\u003c/p\u003e\n\u003ch2 id=\"live-verified-49-detector-types\"\u003eLive-verified (49 detector types)\u003c/h2\u003e\n\u003cp\u003eFor these types, Leakwatch makes a controlled, read-only API call to the provider and returns \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e. No data is created or modified; the call uses the minimum endpoint needed to confirm identity.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector type\u003c/th\u003e\n\u003cth\u003eProvider\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"format-validated-only-5-detector-types\"\u003eFormat-validated only (5 detector types)\u003c/h2\u003e\n\u003cp\u003eThese verifiers run entirely offline. No network request is made. 
Because a valid format does not prove a credential is active, all five always return \u003ccode\u003eunverified\u003c/code\u003e regardless of whether the format check passes or fails.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003cth\u003eWhy no live check\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eLive check requires a GCP OAuth2 token exchange, which has side effects\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003ctd\u003eNo public unauthenticated health endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePassword length and host substring check\u003c/td\u003e\n\u003ctd\u003eLive check requires a JDBC/ODBC database connection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eRequires per-account HMAC signing; no generic identity endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eClient credential flow would create sessions\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"not-verifiable-9-detector-types\"\u003eNot 
verifiable (9 detector types)\u003c/h2\u003e\n\u003cp\u003eThese detector types have no verifier at all. Findings from them are always \u003ccode\u003eunverified\u003c/code\u003e. This is \u003cstrong\u003enot\u003c/strong\u003e because they are unimportant — they are detected and reported in full — but because no public verification API exists, or because any verification attempt would have side effects.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eReason\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eA JWT can be issued by any party; there is no universal validation endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo provider to call; active use cannot be detected remotely\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnknown provider by definition\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would create sessions on the target database\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would open a live connection to the Redis instance\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo safe read-only FTP probe\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind would create an authenticated 
session\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConfirming a webhook is active requires sending a message\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token validation requires knowing the Vault endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Not verifiable\u0026quot; does not mean \u0026quot;not found\u0026quot;. All 9 of these types are still detected and appear in your output. They require manual triage to determine whether the credential is live and whether it needs rotation.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"coverage-summary\"\u003eCoverage summary\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCategory\u003c/th\u003e\n\u003cth\u003eCount\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eLive-verified\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eFormat-validated only\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eNot verifiable\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eTotal detectors\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eVerifiers (any coverage)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (85.7%)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee 
also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — the two verification modes, statuses, and the verification engine.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the full list of built-in detectors with severities.\u003c/li\u003e\n\u003c/ul\u003e\n"}};
diff --git a/site/js/manuals/tr.js b/site/js/manuals/tr.js
index 93148ce..15049ed 100644
--- a/site/js/manuals/tr.js
+++ b/site/js/manuals/tr.js
@@ -1,3 +1,3 @@
 // Generated by tools/site-build. Do not edit by hand.
 window.LW_MANUAL = window.LW_MANUAL || {};
-window.LW_MANUAL["tr"] = {"ci-cd/docker-usage":{"title":"Docker Kullanımı","description":"Resmi Docker imajını kullanarak Leakwatch taramalarını bir konteyner içinde çalıştırın.","html":"\u003ch1 id=\"docker-kullanm\"\u003eDocker Kullanımı\u003c/h1\u003e\n\u003cp\u003eResmi Leakwatch konteyner imajı, ana makineye herhangi bir şey kurmadan tarama yapmanızı sağlar. İmaj \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e ile statik olarak derlenmiş ve root olmayan bir kullanıcı olarak çalışır; bu nedenle kilitli CI ortamlarında ve ana sistemi değiştirmek istemediğiniz paylaşımlı makinelerde güvenle kullanılabilir.\u003c/p\u003e\n\u003ch2 id=\"maj-referans\"\u003eİmaj referansı\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eİmaj Alpine tabanlıdır, root olmayan \u003ccode\u003eleakwatch\u003c/code\u003e kullanıcısı olarak çalışır, çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır ve giriş noktası olarak \u003ccode\u003eleakwatch\u003c/code\u003e'ı ayarlar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv 
class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGiriş noktası \u003ccode\u003eleakwatch\u003c/code\u003e olduğundan alt komutu ve bayrakları doğrudan imaj adının ardına eklersiniz — örneğin \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. İkili dosya adını tekrar yazmanıza gerek yoktur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerel-dizin-tarama\"\u003eYerel dizin tarama\u003c/h2\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAna makinedeki bir dosyaya sonuç yazmak için çıktı dosyasını bağlı birime yazın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch.sarif\u003c/code\u003e dosyası, konteyner çıktıktan sonra ana makinedeki geçerli dizinde görünür.\u003c/p\u003e\n\u003ch2 id=\"uzak-git-deposu-tarama\"\u003eUzak Git deposu tarama\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak Git depoları için birim bağlaması gerekli değildir — Leakwatch bunları konteyner içindeki geçici bir dizine klonlar.\u003c/p\u003e\n\u003ch2 id=\"konteyner-imaj-tarama\"\u003eKonteyner imajı tarama\u003c/h2\u003e\n\u003cp\u003eLeakwatch daemonsuz çalışır: imaj katmanlarını Docker daemon'ına ihtiyaç duymadan doğrudan kayıt defterinden çeker. 
Bu, Leakwatch konteynerinden, ana makine Docker soketini bağlamadan uzak bir imajı tarayabileceğiniz anlamına gelir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt defterleri için kimlik bilgilerini, kayıt defterinizin desteklediği standart ortam değişkenleri aracılığıyla geçirin (örneğin, bağlı bir kimlik bilgisi dosyasına işaret eden \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e).\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-geirme\"\u003eYapılandırma dosyası geçirme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasını \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın; Leakwatch onu otomatik olarak bulur:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e bağlanan dizinde olduğu sürece Leakwatch onu bulur çünkü \u003ccode\u003e/scan\u003c/code\u003e hem çalışma dizini hem de taramaya geçirilen yoldur. 
Yapılandırma dosyanız başka bir yerdeyse onu ayrıca bağlayın ve \u003ccode\u003e--config\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikenleri-geirme\"\u003eOrtam değişkenleri geçirme\u003c/h2\u003e\n\u003cp\u003eBulut taraması ve token tabanlı kimlik doğrulama için ortam değişkenleri \u003ccode\u003e-e\u003c/code\u003e ile enjekte edilebilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# AWS kimlik bilgileriyle S3 taraması\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCI ortamlarında, kimlik bilgilerini komut satırına gömmek yerine maskelenmiş CI değişkenleri olarak enjekte etmeyi tercih edin.\u003c/p\u003e\n\u003ch2 id=\"kt-dosyas-kalb\"\u003eÇıktı dosyası kalıbı\u003c/h2\u003e\n\u003cp\u003eCI'da yaygın bir Docker kalıbı, sonuçları bağlı birime yazmak ve ardından dosyayı bir pipeline artifact'i olarak yüklemek veya arşivlemektir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Docker kullanmak yerine yerel ikili dosyayı 
kurma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e bayrakları ve davranışı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eKonteyner İmajları\u003c/a\u003e — OCI/Docker imaj katmanlarını sır açısından tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI ve diğer pipeline'larda Docker imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm alt komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"GitHub iş akışlarında sır taraması yapmak için resmi Leakwatch GitHub Action'ını kullanın.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eDeponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. 
Resmi \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e), Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder — aracı kurar, taramayı çalıştırır, çıkış kodlarını işler ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler; bunların hepsini harici bir servis bağımlılığı olmadan yapar.\u003c/p\u003e\n\u003ch2 id=\"hzl-balang\"\u003eHızlı başlangıç\u003c/h2\u003e\n\u003cp\u003eSır bulunduğunda iş akışını engelleyen minimal yapılandırma:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Sır taraması (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (\u003ccode\u003escan-type: fs\u003c/code\u003e), SARIF çıktısı üretir, canlı doğrulamayı atlar (\u003ccode\u003eno-verify: true\u003c/code\u003e) ve herhangi bir bulgu raporlandığında işi başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"sarif-ykleme-ile-tam-rnek\"\u003eSARIF yükleme ile tam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki iş akışı, GitHub Code Scanning'e SARIF yüklemeyi etkinleştirir ve bulguları depo içinde güvenlik uyarıları olarak gösterir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Sır taraması\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # SARIF yüklemesi için gerekli\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Sırları tara\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: 
\u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF yüklemesi, işin \u003ccode\u003epermissions: security-events: write\u003c/code\u003e bildirmesini gerektirir. Bu olmadan yükleme adımı 403 hatasıyla başarısız olur. \u003ccode\u003eactions/checkout@v4\u003c/code\u003e için \u003ccode\u003econtents: read\u003c/code\u003e izni de gereklidir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"girdiler\"\u003eGirdiler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eGirdi\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇalıştırılacak tarama türü: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e veya \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranacak yol (\u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e için) veya imaj referansı (\u003ccode\u003eimage\u003c/code\u003e için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya 
\u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. \u003ccode\u003efalse\u003c/code\u003e olarak ayarlandığında adım başarısız olmak yerine \u003ccode\u003e::warning::\u003c/code\u003e ek açıklaması yayar. 
Ciddi hatalar (çıkış kodu 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKurulacak Leakwatch sürümü. Belirli bir sürümü sabitlemek için \u003ccode\u003ev1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ktlar\"\u003eÇıktılar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÇıktı\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu raporlanmadıysa \u003ccode\u003e0\u003c/code\u003e; bulgu raporlandıysa \u003ccode\u003e1\u003c/code\u003e. Leakwatch çıkış kodunu yansıtır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRunner üzerindeki SARIF çıktı dosyasının yolu (\u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda ayarlanır).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"cida-dorulama\"\u003eCI'da doğrulama\u003c/h2\u003e\n\u003cp\u003eVarsayılan olarak \u003ccode\u003eno-verify\u003c/code\u003e değeri \u003ccode\u003etrue\u003c/code\u003e'dur — CI'da canlı doğrulama \u003cstrong\u003ekapalıdır\u003c/strong\u003e. 
Bu, taramayı hızlı tutar ve CI runner'larından sağlayıcı API'lerine giden ağ çağrılarını önler; runner'lar güvenlik duvarı arkasında olabilir veya hız sınırlı kimlik bilgilerine sahip olabilir.\u003c/p\u003e\n\u003cp\u003eCI'da doğrulamayı etkinleştirmek için \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eCI'da doğrulamayı etkinleştirmek, Leakwatch'ın her aday bulgu için sağlayıcılara (AWS, GitHub, Stripe vb.) kimlik doğrulamalı API çağrıları yapmasına neden olur. Sağlayıcı hız limitlerinden haberdar olun ve runner'ın giden internet erişimine sahip olduğundan emin olun.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sarif-yklemesi-nasl-alr\"\u003eSARIF yüklemesi nasıl çalışır\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e ve \u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLeakwatch'a çıktıyı \u003ccode\u003eresults.sarif\u003c/code\u003e dosyasına yazmasını söyler.\u003c/li\u003e\n\u003cli\u003eTaramanın ardından \u003ccode\u003ecategory: leakwatch\u003c/code\u003e ile \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e'ü çağırır.\u003c/li\u003e\n\u003cli\u003eGitHub dosyayı işler ve bulguları deponun \u003cstrong\u003eSecurity\u003c/strong\u003e sekmesinde \u003cstrong\u003eCode Scanning uyarıları\u003c/strong\u003e olarak gösterir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eYükleme adımı \u003ccode\u003eif: always()\u003c/code\u003e ile çalışır; dolayısıyla \u003ccode\u003efail-on-findings: 
\u0026quot;true\u0026quot;\u003c/code\u003e tarama adımını başarısız kılsa bile sonuçlar yüklenir.\u003c/p\u003e\n\u003ch2 id=\"action-ktlarn-kullanmak\"\u003eAction çıktılarını kullanmak\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Sırları tara\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # iş akışının devam etmesine izin ver\n\n- name: Sonucu yazdır\n run: echo \u0026quot;Raporlanan bulgular: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"belirli-bir-srm-sabitleme\"\u003eBelirli bir sürümü sabitleme\u003c/h2\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için \u003ccode\u003eversion\u003c/code\u003e değerini belirli bir etikete sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu, \u003ccode\u003ego install\u003c/code\u003e aracılığıyla tam olarak \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e'ı kurar.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısını anlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — Leakwatch'ın sağlayıcı API'lerini ne zaman ve nasıl çağırdığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Kancası\u003c/a\u003e — commit edilmeden önce sırları yakalama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI, 
Jenkins ve genel kabuk entegrasyonu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Diğer CI Sistemleri","description":"Leakwatch'ı GitLab CI, Jenkins, Bitbucket Pipelines ve diğer CI sistemlerine entegre edin.","html":"\u003ch1 id=\"dier-ci-sistemleri\"\u003eDiğer CI Sistemleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olduğundan, kabuk komutu çalıştırabilen herhangi bir CI ortamında çalışır: GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps ve diğerleri. Bu sayfada açıklananların ötesinde bu sistemler için yerleşik bir entegrasyon yoktur; kalıp her zaman aynıdır: ikili dosyayı kur, taramayı çalıştır, çıkış koduna göre hareket et.\u003c/p\u003e\n\u003ch2 id=\"cida-leakwatch-kurma\"\u003eCI'da Leakwatch kurma\u003c/h2\u003e\n\u003cp\u003eRunner ortamınıza en uygun yöntemi seçin:\u003c/p\u003e\n\u003ch3 id=\"go-install-araclyla-runnerda-go-gerektirir\"\u003e\u003ccode\u003ego install\u003c/code\u003e aracılığıyla (runner'da Go gerektirir)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için belirli bir sürüme sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"docker-imaj-araclyla-go-gerekmez\"\u003eDocker imajı aracılığıyla (Go gerekmez)\u003c/h3\u003e\n\u003cp\u003e\u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e'i iş imajı olarak kullanın veya \u003ccode\u003edocker run\u003c/code\u003e ile çalıştırın. 
Tam kalıp için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch3 id=\"hazr-bir-srm-ikili-dosyas-araclyla\"\u003eHazır bir sürüm ikili dosyası aracılığıyla\u003c/h3\u003e\n\u003cp\u003eUygun tar arşivini \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasından indirin, çıkarın ve \u003ccode\u003ePATH\u003c/code\u003e'e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için iyi tanımlanmış üç çıkış kodu kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen CI eylemi\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu yok\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını geç\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırlar bulundu\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCiddi hata (hatalı yapılandırma, okunamaz yol vb.)\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıkış koduna göre dallanma yapan genel bir kabuk 
parçacığı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;Sır bulunamadı.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Sırlar bulundu — derlemeyi başarısız kılıyorum.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Tarama hatası (çıkış $EXIT_CODE) — derlemeyi başarısız kılıyorum.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-rnei\"\u003eGitLab CI örneği\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e işi Leakwatch'ı kurar, dosya sistemi taraması çalıştırır ve JSON raporunu pipeline artifact'i olarak saklar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 gün\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (varsayılan) değeri, çıkış kodu \u003ccode\u003e1\u003c/code\u003e'in pipeline aşamasını başarısız kılması anlamına gelir. Taramanın merge işlemini engellemeden raporlamasını istiyorsanız \u003ccode\u003eallow_failure: true\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab, SAST raporu artifact'larını destekler. 
Leakwatch SARIF üretir (\u003ccode\u003e--format sarif\u003c/code\u003e) ancak GitLab'ın yerel SAST JSON şemasını değil; bu nedenle \u003ccode\u003ereports: sast:\u003c/code\u003e anahtarı yerine \u003ccode\u003epaths:\u003c/code\u003e artifact yaklaşımını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ci-runnerlar-iin-neriler\"\u003eCI runner'ları için öneriler\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eGiden internet erişimi olmayan runner'larda \u003ccode\u003e--no-verify\u003c/code\u003e kullanın.\u003c/strong\u003e Doğrulama, sağlayıcılara (AWS, GitHub, Stripe vb.) canlı API çağrıları yapar. Hava boşluklu veya güvenlik duvarıyla kısıtlanmış runner'larda bu çağrılar zaman aşımına uğrar ve taramayı yavaşlatır. Doğrulamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eÇıktıyı artifact olarak kaydedin.\u003c/strong\u003e İşi tamamlandıktan sonra saklanabilecek, bir güvenlik açığı yönetim platformuna yüklenebilecek veya incelenebilecek bir dosya yazmak için \u003ccode\u003e--format sarif\u003c/code\u003e ya da \u003ccode\u003e--format json\u003c/code\u003e ile birlikte \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e değerini en çok önem taşıyan sırlara odaklanmak için ayarlayın. Gürültülü bir kod tabanında \u003ccode\u003e--min-severity high\u003c/code\u003e ile başlayın ve birikmiş öğeleri temizledikten sonra eşiği düşürün.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-rnei\"\u003eAzure DevOps örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . 
--format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch sır taraması\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-sonuclari\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-rnei\"\u003eJenkins örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Sır taraması') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — tüm çıkış kodlarının tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e — ikili dosyayı kurmak yerine konteyner imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub iş akışları için resmi action.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Kancası","description":"Her commit'ten önce sır taraması yapmak için Leakwatch pre-commit kancasını kullanın.","html":"\u003ch1 id=\"pre-commit-kancas\"\u003ePre-commit Kancası\u003c/h1\u003e\n\u003cp\u003eBir sırrı yakalamak için en ucuz an, onu depoya girmeden önce durdurmaktır. 
Leakwatch, her \u003ccode\u003egit commit\u003c/code\u003e işleminde \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutunu otomatik olarak çalıştıran yerel bir \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e kancası sunar; böylece sızan bir API anahtarı veya parola, geçmişte yer almak yerine commit işlemini başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eŞunlara ihtiyacınız var:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit bir Python aracıdır).\u003c/li\u003e\n\u003cli\u003eGenel olarak kurulmuş \u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e (\u003ccode\u003epip install pre-commit\u003c/code\u003e veya \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePATH\u003c/code\u003e üzerinde Go 1.25+ — kanca dili \u003ccode\u003egolang\u003c/code\u003e olduğundan pre-commit, ilk çalıştırmada Leakwatch'ı kaynaktan derler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"yaplandrma\"\u003eYapılandırma\u003c/h2\u003e\n\u003cp\u003eDeponuzun köküne bir \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e dosyası ekleyin (veya mevcut olanı genişletin):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKancaları yerel Git deposuna kurun:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHepsi bu kadar. Bundan itibaren her \u003ccode\u003egit commit\u003c/code\u003e işlemi bir dosya sistemi taraması tetikler. 
Leakwatch herhangi bir sır bulursa commit engellenir ve bulgular terminale yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"elle-altrma\"\u003eElle çalıştırma\u003c/h2\u003e\n\u003cp\u003eTüm depoyu (yalnızca staged dosyaları değil) istediğiniz zaman taramak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDiğerlerini tetiklemeden yalnızca Leakwatch kancasını çalıştırmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ek-argmanlar-geirme\"\u003eEk argümanlar geçirme\u003c/h2\u003e\n\u003cp\u003eKancanın varsayılan davranışı, ek bayrak olmadan \u003ccode\u003eleakwatch scan fs\u003c/code\u003e'e karşılık gelir. \u003ccode\u003eargs:\u003c/code\u003e anahtarı aracılığıyla ek argümanlar geçirebilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu örnek, yalnızca Leakwatch'ın hâlâ etkin olduğunu doğruladığı yüksek önem dereceli sırları raporlar — yanlış pozitif gürültüsünden kaçınmak isteyen ancak kapsam kaybetmek istemeyen ekipler için uygun katı bir politika.\u003c/p\u003e\n\u003cp\u003eDiğer kullanışlı argümanlar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # daha hızlı commit'ler için canlı doğrulamayı atla\n - --min-severity\n - medium # düşük önem dereceli gürültüyü bastır\n - --format\n - table # terminalde insan tarafından okunabilir çıktı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eKanca tanımında \u003ccode\u003epass_filenames: 
false\u003c/code\u003e ayarlandığından kanca, yalnızca mevcut commit için staged dosyaları değil her zaman tam çalışma ağacını tarar. Bu, staged olmayan dosyalarda halihazırda bulunan sırların da tespit edileceğini garanti eder.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kancann-taradklar\"\u003eKancanın taradıkları\u003c/h2\u003e\n\u003cp\u003eKanca, depo çalışma dizinine karşı \u003ccode\u003eleakwatch scan fs\u003c/code\u003e çalıştırır. CLI ile aynı tespit hattını kullanır: Aho-Corasick ön filtreleme, regex doğrulama, entropi hesaplama ve (\u003ccode\u003e--no-verify\u003c/code\u003e ayarlanmadıkça) canlı doğrulama.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki yapılandırma otomatik olarak uygulanır — dışlama kalıpları, entropi eşikleri ve doğrulama ayarları, herhangi bir ek kanca yapılandırması olmadan geçerli olur.\u003c/p\u003e\n\u003ch2 id=\"kancay-geici-olarak-atlama\"\u003eKancayı geçici olarak atlama\u003c/h2\u003e\n\u003cp\u003eKancayı çalıştırmadan commit yapmak için (örneğin, maskelenmiş sır içeren bir test sabiti commit edilirken):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: test sabiti ekle\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eSKIP=leakwatch\u003c/code\u003e kullanmak, o commit için tüm sır taramasını devre dışı bırakır. 
Yalnızca içeriğin güvenli olduğunu teyit ettiğinizde kullanın; kalıcı bastırmalar için bunun yerine \u003ccode\u003e.leakwatchignore\u003c/code\u003e veya satır içi \u003ccode\u003eleakwatch:ignore\u003c/code\u003e yorumlarını tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kanca-srmn-sabitli-tutma\"\u003eKanca sürümünü sabitli tutma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003erev:\u003c/code\u003e değerini dal adı yerine belirli bir etikete sabitleyin. Bu, ekipteki tüm geliştiricilerin aynı dedektör setini kullandığını ve kancanın sprint ortasında sessizce yükseltilmediğini garantiler:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # sabitle; 'main' veya 'HEAD' kullanmayın\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGüncellemek için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003ccode\u003erev\u003c/code\u003e değerini en son etikete yükseltir ve siz onu commit etmeden önce değişikliği inceleme fırsatı tanır.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — kancanın çalıştırdığı temel tarama komutu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'da dışlamaları, entropiyi ve doğrulamayı kontrol etme.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub CI'da her push ve pull request'te tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Yapılandırma Dosyası","description":"Leakwatch'ı 
.leakwatch.yaml ile yapılandırma — tam şema, varsayılanlar, doğrulama kuralları, ortam değişkeni geçersiz kılmaları ve leakwatch init komutu.","html":"\u003ch1 id=\"yaplandrma-dosyas\"\u003eYapılandırma Dosyası\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın her tarama komutundaki davranışı, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e adlı tek bir YAML dosyasıyla yönetilir. Bu dosyayı anlamak; eşzamanlılık, doğrulama, çıktı biçimi ve yol filtrelemeyi bir kez ayarlamanızı ve her taramanın bu ayarları otomatik olarak almasını sağlar.\u003c/p\u003e\n\u003ch2 id=\"dosya-kefi\"\u003eDosya keşfi\u003c/h2\u003e\n\u003cp\u003eLeakwatch, yapılandırma dosyasını aşağıdaki sırayla çözer:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e bayrağı\u003c/strong\u003e — çalışma dizininden bağımsız olarak açık bir yol kullanır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGeçerli dizin\u003c/strong\u003e — komutun çalıştırıldığı dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAna dizin\u003c/strong\u003e — yedek olarak \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eHiçbir dosya bulunamazsa, her ayar için yerleşik varsayılanlar kullanılır.\u003c/p\u003e\n\u003ch2 id=\"balang-dosyas-oluturma\"\u003eBaşlangıç dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e komutu, önerilen varsayılanlarla düzenlemeye hazır bir dosya yazar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak dosya, geçerli dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e konumuna yazılır. 
Farklı bir yol seçmek için \u003ccode\u003e--output\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHedef dosya zaten mevcutsa, \u003ccode\u003eleakwatch init\u003c/code\u003e üzerine yazmayı reddeder ve hata vererek çıkar. Üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikeni-geersiz-klmalar\"\u003eOrtam değişkeni geçersiz kılmaları\u003c/h2\u003e\n\u003cp\u003eHer yapılandırma anahtarı bir ortam değişkeniyle geçersiz kılınabilir. İsimlendirme kuralı şudur:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eÖnek: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştirin\u003c/li\u003e\n\u003cli\u003eBüyük harfe çevirin\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eÖrnekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003cth\u003eOrtam 
değişkeni\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-sras\"\u003eÖncelik sırası\u003c/h2\u003e\n\u003cp\u003eAynı ayar birden fazla yerde belirtildiğinde, en yüksek öncelikli kaynak kazanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eKomut satırı bayrağı (en yüksek)\u003c/li\u003e\n\u003cli\u003eOrtam değişkeni\u003c/li\u003e\n\u003cli\u003eYapılandırma dosyası değeri\u003c/li\u003e\n\u003cli\u003eYerleşik varsayılan (en düşük)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"tam-ema\"\u003eTam şema\u003c/h2\u003e\n\u003cp\u003eAşağıdaki açıklamalı şema, desteklenen her anahtarı, varsayılan değerini ve geçerli aralığını göstermektedir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Tarama motoru ─────────────────────────────────────────────────────────────\n\nscan:\n # Eşzamanlı dosya işleme worker sayısı.\n # Varsayılan olarak ana makinedeki mantıksal CPU çekirdeği sayısı kullanılır.\n # \u0026gt;= 1 olmalıdır.\n concurrency: 8\n\n # Taranacak maksimum dosya boyutu (bayt cinsinden). 
Bu sınırı aşan dosyalar\n # tamamen atlanır. Varsayılan: 10 MB (10485760). \u0026gt;= 1 olmalıdır.\n max-file-size: 10485760\n\n# ── Tespit ────────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Her aday eşleşme için Shannon entropi hesaplamasını etkinleştirir.\n enabled: true\n\n # Gösterim ve özel kural kapısı için kullanılan entropi eşiği.\n # Aralık: 0–8. Varsayılan: 4.0.\n # Yerleşik bulgular hakkındaki nota bakın.\n threshold: 4.0\n\n# ── Doğrulama ─────────────────────────────────────────────────────────────────\n\nverification:\n # Sağlayıcı API'lerine karşı canlı doğrulamayı etkinleştirir.\n enabled: true\n\n # İstek başına HTTP zaman aşımı. Doğrulama etkinleştirildiğinde \u0026gt;= 1ms olmalıdır.\n # Süre dizesi kullanın (örn. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — tam sayı nanosaniye olarak\n # yorumlanır ve doğrulama başarısız olur.\n timeout: 10s\n\n # Eşzamanlı doğrulama worker sayısı. \u0026gt;= 1 olmalıdır.\n concurrency: 4\n\n # Saniyedeki maksimum doğrulama isteği (token-bucket hız sınırlayıcı).\n # \u0026gt; 0 olmalıdır.\n rate-limit: 10.0\n\n# ── Filtreleme ────────────────────────────────────────────────────────────────\n\nfilter:\n # Taramadan hariç tutulacak yollar için glob desenleri.\n # Desteklenen glob stilleri: filepath.Match desenleri, sıfır veya daha fazla\n # yol segmentini kapsayan ** çift yıldız ve herhangi bir derinlikte adlandırılmış\n # dizini eşleştiren sondaki eğik çizgili dir/ desenleri. Her desen hem tam yol\n # hem de temel dosya adına karşı test edilir.\n # Tüm tarama kaynaklarına uygulanır. 
(`scan fs` komutunda --exclude bayrağı da bunu ayarlar.)\n # Varsayılan: [] (yerleşik ikili/kilit dosya atlamalarının ötesinde hariç tutma yok).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Tamamen devre dışı bırakılacak dedektör ID'leri. Listelenen dedektörlerden\n # gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez.\n # Varsayılan: [].\n exclude-detectors: []\n\n# ── Çıktı ─────────────────────────────────────────────────────────────────────\n\noutput:\n # Çıktı biçimi. Şunlardan biri: json, sarif, csv, table. Varsayılan: json.\n # --format / -f bayrağı bunu çalışma zamanında geçersiz kılar.\n format: json\n\n # Çıktıyı stdout yerine bu dosya yoluna yaz. Varsayılan: \u0026quot;\u0026quot; (stdout).\n # --output / -o bayrağı bunu çalışma zamanında geçersiz kılar.\n file: \u0026quot;\u0026quot;\n\n # Bu önem seviyesinin altındaki bulguları bırak.\n # Şunlardan biri: low, medium, high, critical. Varsayılan: \u0026quot;\u0026quot; (tümünü göster).\n # --min-severity bayrağı bunu çalışma zamanında geçersiz kılar.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Çıktıda maskelenmemiş sır değerini dahil et.\n # Varsayılan: false. --show-raw bayrağı bunu çalışma zamanında geçersiz kılar.\n show-raw: false\n\n# ── Özel kurallar ─────────────────────────────────────────────────────────────\n\n# Kendi dedektörlerinizi YAML kuralları olarak tanımlayın. 
Tam kural şeması\n# için özel kurallar sayfasına bakın.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e, bir bulgunun yanında gösterilen entropi değerini kontrol eder ve özel kurallar için bir kapı görevi görür (entropisi eşiğin altına düşen özel kural eşleşmeleri bastırılır). Yerleşik dedektörlerin bulgularını \u003cstrong\u003ebastırmaz\u003c/strong\u003e — yerleşik dedektörlerin kendi eşleşme kriterleri vardır ve bu ayar tarafından hiçbir zaman bırakılmazlar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, taramaya başlamadan önce yüklenen yapılandırmayı doğrular ve aşağıdaki durumların herhangi birinde hata vererek çıkar:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKoşul\u003c/th\u003e\n\u003cth\u003eHata\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz eşzamanlılık değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz max-file-size değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e içinde değil\u003c/td\u003e\n\u003ctd\u003eDesteklenmeyen çıktı 
biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e 0–8 dışında\u003c/td\u003e\n\u003ctd\u003eGeçersiz entropi eşiği\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e geçerli bir seviye değil (boş değilse)\u003c/td\u003e\n\u003ctd\u003eGeçersiz severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama zaman aşımı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama eşzamanlılığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Bulguları Yok Sayma","description":".leakwatchignore dosyaları, satır içi yok sayma işaretçileri ve yerleşik ikili dosya ve kilit dosyası atlamaları ile yanlış pozitifleri bastırın.","html":"\u003ch1 
id=\"bulgular-yok-sayma\"\u003eBulguları Yok Sayma\u003c/h1\u003e\n\u003cp\u003eHiçbir tarayıcının yanlış pozitif oranı sıfır değildir. Leakwatch, gürültüyü bastırmak için size üç katmanlı mekanizma sunar: yol tabanlı dışlamalar için bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası, satır düzeyinde bastırma için satır içi işaretçiler ve ikili dosyalar ile yaygın kilit dosyaları için her zaman etkin olan yerleşik atlamalar.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-dosyas\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası\u003c/h2\u003e\n\u003cp\u003eTarama sonuçlarından yolları hariç tutmak için depo kökünüze (veya geçerli dizine) bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası oluşturun. Gitignore stilinde söz dizimi kullanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e#\u003c/code\u003e ile başlayan satırlar yorum satırlarıdır.\u003c/li\u003e\n\u003cli\u003eBoş satırlar atlanır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!\u003c/code\u003e öneki bir deseni \u003cstrong\u003egeçersiz kılar\u003c/strong\u003e; önceki bir desen tarafından dışlanmış olacak bir yolu yeniden dahil eder.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSon eşleşen desen kazanır\u003c/strong\u003e — sıra önemlidir.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"ykleme-sras\"\u003eYükleme sırası\u003c/h3\u003e\n\u003cp\u003eLeakwatch, \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyasını önce tarama kökünden, ardından geçerli çalışma dizininden yükler. 
Her ikisi de aynı yol için desen içeriyorsa, geçerli dizin dosyasının desenleri öncelik kazanır çünkü son değerlendirilenler bunlardır.\u003c/p\u003e\n\u003ch3 id=\"glob-sz-dizimi\"\u003eGlob söz dizimi\u003c/h3\u003e\n\u003cp\u003eÜç desen stili desteklenir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStil\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003cth\u003eÖrnek\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandart glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e stili, hem tam yola hem de temel dosya adına karşı eşleştirilen\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇift yıldız \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSıfır veya daha fazla yol segmentini kapsar\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSondaki eğik çizgi \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAdlandırılmış dizinin herhangi bir derinliğindeki her dosyayla eşleşir\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"leakwatchignore-rnei\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e örneği\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Tüm test fixture dosyalarını yok say\ntest/fixtures/**\n\n# Dokümantasyondaki bilinen yer tutucu anahtarları yok say\ndocs/examples/\n\n# Ağaçtaki herhangi bir yerdeki belirli uzantılı dosyaları yok say\n*.pem.example\n\n# Yukarıdaki kural tarafından dışlanan belirli bir dosyayı yeniden dahil et\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv 
class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtrelemesi, her bulgunun dosya yoluna göre tarama tamamlandıktan \u003cstrong\u003esonra\u003c/strong\u003e uygulanır. Dosyaların okunmasını engellemez — ürettikleri bulguları bastırır. Dosyaları okunmadan önce atlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e veya \u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"satr-ii-yok-sayma-iaretileri\"\u003eSatır içi yok sayma işaretçileri\u003c/h2\u003e\n\u003cp\u003eSöz konusu satırdaki dedektörleri bastırmak için herhangi bir kaynak satırına doğrudan bir işaretçi koyun. İşaretçi satırın herhangi bir yerine yerleştirilebilir — genellikle bir yorum içinde — ve motor tarafından doğrulamadan \u003cstrong\u003eönce\u003c/strong\u003e uygulanır; böylece yok sayılan bir satır hiçbir zaman ağ çağrısını tetiklemez.\u003c/p\u003e\n\u003ch3 id=\"bir-satrdaki-tm-dedektrleri-bastr\"\u003eBir satırdaki tüm dedektörleri bastır\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Ödeme işleme yapılandırması\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"bir-satrdaki-belirli-bir-dedektr-bastr\"\u003eBir satırdaki belirli bir dedektörü bastır\u003c/h3\u003e\n\u003cp\u003eYalnızca bir dedektörü bastırırken diğerlerini etkin bırakmak için \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// Bu token dokümantasyon için kasıtlı olarak bir yer tutucudur\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode 
class=\"language-yaml\"\u003e# Platform tarafından ayarlanan CI ortam değişkeni — gerçek bir sır değil\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eMümkün olduğunda genel form yerine dedektöre özgü formu (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) tercih edin. Hangi dedektörü bastırdığınızı belgeler ve diğer tüm dedektörleri o satırda etkin bırakır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerleik-atlamalar-her-zaman-uygulanr\"\u003eYerleşik atlamalar (her zaman uygulanır)\u003c/h2\u003e\n\u003cp\u003eLeakwatch, herhangi bir dedektörü çalıştırmadan önce aşağıdakileri koşulsuz olarak atlar:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili dosya uzantıları\u003c/strong\u003e — \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e ve diğerleri gibi uzantılara sahip dosyalar hiçbir zaman taranmaz.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili içerik tespiti\u003c/strong\u003e — ilk 8 KB'ı null bayt içeren herhangi bir dosya, uzantısından bağımsız olarak ikili olarak kabul edilir ve atlanır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eYaygın kilit dosyaları\u003c/strong\u003e — aşağıdaki dosya adları, yüksek oranda yanlış pozitif üreten hash ve 
sağlama toplamları içerdikleri için her zaman atlanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDosya\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eBu yerleşik atlamalar devre dışı bırakılamaz. 
\u003ccode\u003efilter.exclude-paths\u003c/code\u003e ayarından ayrıdır ve yapılandırma tabanlı filtrelemeden önce çalışır.\u003c/p\u003e\n\u003ch2 id=\"tarama-ncesi-yol-tabanl-dlama\"\u003eTarama öncesi yol tabanlı dışlama\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru tarafından okunmadan önce dışlamak için yapılandırma dosyanızda \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu ayar \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır (dosya sistemi, Git geçmişi, konteyner imajları, bulut depolama, Slack). \u003ccode\u003escan fs\u003c/code\u003e komutunda ayrıca komut satırında \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e parametresi de geçirebilirsiniz; bu, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile eşdeğer bir bayraktır.\u003c/p\u003e\n\u003cp\u003eTam yapılandırma şeması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e, dedektör düzeyinde ve önem derecesi düzeyinde filtreleme için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Önem Derecesi \u0026 Filtreleme","description":"Önem eşikleri, yalnızca doğrulanmış mod, dedektör dışlamaları ve yol dışlamaları 
kullanarak hangi bulguların çıktınıza ulaşacağını kontrol edin.","html":"\u003ch1 id=\"nem-derecesi--filtreleme\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/h1\u003e\n\u003cp\u003eYoğun bir kod tabanı çok sayıda bulgu üretebilir. Leakwatch, en önemli sinyallere odaklanmak için birleştirebileceğiniz birkaç bağımsız filtre sunar: önem eşikleri düşük öncelikli gürültüyü eler, yalnızca doğrulanmış mod yalnızca onaylanmış canlı sırları ortaya çıkarır, dedektör dışlamaları bilinen yanlış pozitif kaynakları susturur ve yol dışlamaları tüm dizin ağaçlarını kapsamın dışında bırakır.\u003c/p\u003e\n\u003ch2 id=\"nem-seviyeleri\"\u003eÖnem seviyeleri\u003c/h2\u003e\n\u003cp\u003eHer yerleşik dedektör, varsayılan bir önem derecesiyle birlikte gelir. En düşükten en yüksek önceliğe doğru dört seviye şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeviye\u003c/th\u003e\n\u003cth\u003eTipik kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDaha yüksek yanlış pozitif oranına sahip genel desenler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanınabilir kimlik bilgisi biçimleri, doğrulanmamış\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaruziyetin büyük olasılıkla önemli olduğu iyi yapılandırılmış sırlar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOnaylanmış canlı sırlar veya neredeyse sıfır yanlış pozitif oranlı biçimler\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer dedektöre atanan önem derecesi \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda 
listelenmiştir.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-eiin-altndaki-bulgular-brak\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: eşiğin altındaki bulguları bırak\u003c/h2\u003e\n\u003cp\u003eBelirtilen seviyenin altındaki önem derecesine sahip bulguları atmak için \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e parametresini kullanın. Yalnızca eşik değerinde veya üzerindeki bulgular çıktıya ulaşır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Yalnızca high ve critical bulguları göster\nleakwatch scan fs . --min-severity high\n\n# medium, high ve critical bulguları göster\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e altında yapılandırma dosyasında kalıcı bir varsayılan ayarlayabilirsiniz. \u003ccode\u003e--min-severity\u003c/code\u003e bayrağı, çalışma zamanında yapılandırma değerini geçersiz kılar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-yalnzca-onaylanm-aktif-srlar\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: yalnızca onaylanmış aktif sırlar\u003c/h2\u003e\n\u003cp\u003eYalnızca doğrulama durumu \u003ccode\u003everified_active\u003c/code\u003e olan bulguları, yani Leakwatch'ın sağlayıcı API'sine kontrollü bir salt-okunur çağrı yaparak hâlâ geçerli olduğunu doğruladığı sırları tutmak için \u003ccode\u003e--only-verified\u003c/code\u003e parametresini kullanın. Diğer tüm bulgular (doğrulanmamış, doğrulanmış-etkin değil veya doğrulama hatası) bırakılır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu bayrak, derlemeyi yalnızca onaylanmış olaylar üzerinde, yer tutucu veya zaten döndürülmüş kimlik bilgileri olabilecek şüpheli desenler üzerinde değil, başarısız kılmak istediğiniz CI hatlarında en kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eHangi dedektörlerin canlı doğrulamayı desteklediği için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-belirli-dedektrleri-devre-d-brak\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: belirli dedektörleri devre dışı bırak\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü kalıcı olarak devre dışı bırakmak için ID'lerini yapılandırma dosyasındaki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e altında listeleyin. Listelenen dedektörlerden gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDedektör ID'leri \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir. Bir dedektör sürekli olarak kod tabanınız için yanlış pozitifler ürettiğinde ve diğer bastırma mekanizmaları (satır içi yok saymalar veya \u003ccode\u003e.leakwatchignore\u003c/code\u003e) yeterince ayrıntılı olmadığında bu ayarı kullanın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-tarama-ncesi-yollar-atla\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: tarama öncesi yolları atla\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru okumadan önce dışlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın. 
Desenler, \u003ccode\u003e.leakwatchignore\u003c/code\u003e ile aynı glob söz dizimini kullanır (standart globlar, \u003ccode\u003e**\u003c/code\u003e çift yıldız ve sondaki eğik çizgili dizin desenleri) ve \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e bayrağı, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile komut satırı eşdeğeridir. \u003ccode\u003e--exclude\u003c/code\u003e bayrağı \u003cstrong\u003eyalnızca\u003c/strong\u003e \u003ccode\u003escan fs\u003c/code\u003e komutunda mevcuttur — diğer tüm kaynaklar için yapılandırma dosyası ayarını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-filtreleri-birletirme\"\u003eCI'da filtreleri birleştirme\u003c/h2\u003e\n\u003cp\u003eBir CI hattında genellikle yalnızca gerçek olaylarda başarısız olan, düşük gürültülü ve yüksek sinyalli bir çalışma istersiniz. Önerilen bir kombinasyon:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
\\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYapılandırma dosyasının kalıcı yol dışlamalarını yönetmesiyle:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eArdından CI için yalnızca biçimi ve hedefi komut satırında geçersiz kılın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama ayrıntıları için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e, satır içi ve dosya tabanlı bastırma için \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e ve tam şema için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Özel Kurallar","description":"YAML ile kendi sır tespit kalıplarınızı nasıl tanımlayacağınız ve 63 yerleşik dedektörün yanında bir Leakwatch taramasına nasıl 
ekleyeceğiniz.","html":"\u003ch1 id=\"zel-kurallar\"\u003eÖzel Kurallar\u003c/h1\u003e\n\u003cp\u003e63 yerleşik dedektör yaygın kullanılan kimlik bilgisi formatlarını kapsar; ancak her kuruluşun dahili token'ları, özel servis anahtarları veya hiçbir genel aracın önceden tahmin edemeyeceği ortama özgü kalıpları vardır. Özel kurallar, kaynak kodu değiştirmeden veya ikili dosyayı yeniden derlemeden kendi kalıplarınızı düz YAML ile tanımlamanıza ve çalışma zamanında yüklemenize olanak tanıyarak Leakwatch'ı genişletmenizi sağlar.\u003c/p\u003e\n\u003ch2 id=\"zel-kurallar-nerede-tanmlanr\"\u003eÖzel kurallar nerede tanımlanır\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyanızda en üst düzey bir \u003ccode\u003ecustom-rules:\u003c/code\u003e listesi altında tanımlanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKurallar, Leakwatch başladığında çalışma zamanında kaydedilir. Aynı Aho-Corasick ön-filtre hattını kullanarak yerleşik dedektörlerle birlikte çalışırlar.\u003c/p\u003e\n\u003ch2 id=\"kural-alanlar\"\u003eKural alanları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eZorunlu\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eBenzersiz dedektör ID'si. Çıktıda ve \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e içinde kullanılır. 
Yerleşik dedektör ID'si veya başka bir özel kural ID'si ile çakışmamalıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eÇıktıda gösterilen insan tarafından okunabilir açıklama.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2 uyumlu düzenli ifade. Maksimum 4096 karakter.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring listesi\u003c/td\u003e\n\u003ctd\u003eAho-Corasick ön-filtre anahtar kelimeleri. Regex yalnızca bu dizelerden en az birini içeren parçalar üzerinde çalışır. Bu alanın atlanması regex'in her parça üzerinde çalışmasına neden olur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e veya \u003ccode\u003elow\u003c/code\u003e. Varsayılan \u003ccode\u003emedium\u003c/code\u003e'dur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropi eşiği (0–8). Entropisi bu değerin \u003cstrong\u003ealtında\u003c/strong\u003e olan eşleşmeler atılır. 
Düşük rastgelelikli yanlış pozitifleri filtrelemek için kullanışlıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eHer zaman \u003ccode\u003ekeywords\u003c/code\u003e belirtin. Tek kısa bir anahtar kelime bile (token ön eki gibi) regex motorunun işlediği parça sayısını önemli ölçüde azaltır ve büyük depolarda taramaların hızlı kalmasını sağlar. Örneğin tüm dahili token'larınız \u003ccode\u003eacme_\u003c/code\u003e ile başlıyorsa \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e ayarlayın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eentropy\u003c/code\u003e kullanarak \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e gibi kalıbı karşılayan ancak açıkça gerçek sır olmayan yer tutucu değerlerdeki eşleşmeleri bastırın. 3,0–3,5 civarı bir eşik iyi bir başlangıç noktasıdır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"akma-ynetimi\"\u003eÇakışma yönetimi\u003c/h2\u003e\n\u003cp\u003eBir özel kuralın \u003ccode\u003eid\u003c/code\u003e'si zaten kayıtlı bir dedektörle eşleşirse — yerleşik dedektör veya daha önce yüklenen özel kural olsun fark etmez — yinelenen kural \u003cstrong\u003eatlanır\u003c/strong\u003e ve bir hata loglanır. Leakwatch çökmez; geri kalan kurallar normal şekilde yüklenir. Bir özel kuralın etkisiz göründüğü durumlarda log çıktısını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eÖzel kuralların eşleştirilmiş doğrulayıcısı yoktur. 
Özel kurallardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e durumuyla raporlanır — hiçbir zaman \u003ccode\u003everified_active\u003c/code\u003e veya \u003ccode\u003everified_inactive\u003c/code\u003e olmaz.\u003c/p\u003e\n\u003ch2 id=\"tam-rnek\"\u003eTam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, iki özel kural tanımlar: biri dahili servis token'ı, diğeri webhook'larda kullanılan imzalama sırrı için.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook imzalama sırrı (format: whsec_ + 40 base64url karakter)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu yapılandırmayla bir tarama çalıştırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kural bulgusu için örnek JSON çıktısı (sır değeri maskelenmiştir):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eraw_redacted\u003c/code\u003e alanı gerçek sırrı her zaman maskeler. Ham değer, açıkça \u003ccode\u003e--show-raw\u003c/code\u003e geçilmedikçe çıktıya asla yazılmaz (kontrollü ortamlar dışında önerilmez).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kural-hari-tutma\"\u003eÖzel kuralı hariç tutma\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, yerleşik dedektörlerle aynı filtrelemeye katılır. 
Bir özel kuralı yapılandırmadan kaldırmadan devre dışı bırakmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003ecustom-rules:\u003c/code\u003e öğesinin belge yapısındaki yeri dahil \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e için tam referans.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — özel kuralınızı adlandırmadan önce ID çakışmalarını kontrol etmek için 63 yerleşik dedektör.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — \u003ccode\u003ekeywords\u003c/code\u003e öğesinin bağlandığı Aho-Corasick ön-filtre hattı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Dedektör Kataloğu","description":"Kategorilere göre gruplanmış tüm 63 yerleşik dedektör; ID'leri, ne tespit ettikleri ve varsayılan şiddet seviyeleri ile.","html":"\u003ch1 id=\"dedektr-katalou\"\u003eDedektör Kataloğu\u003c/h1\u003e\n\u003cp\u003eLeakwatch, bulut sağlayıcısı erişim anahtarlarından ve yapay zekâ API token'larından veritabanı bağlantı dizelerine ve özel kriptografik anahtarlara kadar geniş bir kimlik bilgisi türü yelpazesini kapsayan \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile gelir. Her dedektörün kararlı bir ID'si, varsayılan bir şiddet seviyesi ve (çoğu için) bulunan sırrın hâlâ canlı olup olmadığını teyit edebilen eşleştirilmiş bir doğrulayıcısı vardır.\u003c/p\u003e\n\u003cp\u003eBu sayfa her yerleşik dedektörü listeler. Doğrulama kapsamı ayrıntıları için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın. 
Kendi kalıplarınızı eklemek için \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"bu-katalogu-nasl-okuyacaksnz\"\u003eBu katalogu nasıl okuyacaksınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — yapılandırma ve çıktıda kullanılan kararlı dize tanımlayıcısı. Bir dedektörü atlamak için \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin veya \u003ccode\u003e--min-severity\u003c/code\u003e filtrelemesiyle birlikte kullanın (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTespit eder\u003c/strong\u003e — dedektörün ne aradığı.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eŞiddet\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e (Kritik), \u003ccode\u003eHigh\u003c/code\u003e (Yüksek) veya \u003ccode\u003eMedium\u003c/code\u003e (Orta). Bu varsayılandır; \u003ccode\u003e--min-severity\u003c/code\u003e bayrağını ve \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e yapılandırma anahtarını besler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"bulut-ve-altyap\"\u003eBulut ve Altyapı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Servis Hesabı 
Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID İstemci Sırrı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Servis 
Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yapay-zek--makine-renimi\"\u003eYapay Zekâ / Makine Öğrenimi\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"demeler-ve-ticaret\"\u003eÖdemeler ve Ticaret\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Canlı API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API 
Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"gelitirme-aralar-ci-ve-paketler\"\u003eGeliştirme Araçları, CI ve Paketler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket Uygulama Parolası\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Kişisel API 
Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"letiim-ve-birlii\"\u003eİletişim ve İşbirliği\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit 
eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/Kullanıcı Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Gelen Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Dahili Entegrasyon Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 
id=\"e-posta-ve-mesajlama-teslimat\"\u003eE-posta ve Mesajlaşma Teslimatı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Sunucu API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"zleme-ve-gzlemlenebilirlik\"\u003eİzleme ve Gözlemlenebilirlik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API 
Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Kimlik Doğrulama Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"veritabanlar-ve-balant-dizeleri\"\u003eVeritabanları ve Bağlantı Dizeleri\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVeritabanı Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Bağlantı Kimlik 
Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Servis Rolü Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-ve-eriim\"\u003eKimlik ve Erişim\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Yönetim API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bağlama Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"genel-ve-kriptografik\"\u003eGenel ve Kriptografik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit 
eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGenel API Anahtarı\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÖzel Anahtar (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eToplam: 63 yerleşik dedektör.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"iddete-gre-filtreleme\"\u003eŞiddete göre filtreleme\u003c/h2\u003e\n\u003cp\u003eBulgular, komut satırında \u003ccode\u003e--min-severity\u003c/code\u003e veya yapılandırmada \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e kullanılarak şiddet seviyesine göre filtrelenebilir. Yalnızca belirtilen seviyede veya üzerindeki bulgular çıktıya dahil edilir. 
Ayrıntılar için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"belirli-dedektrleri-hari-tutma\"\u003eBelirli dedektörleri hariç tutma\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü tamamen atlamak için ID'lerini \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam filtreleme referansı için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kapsam\"\u003eDoğrulama kapsamı\u003c/h2\u003e\n\u003cp\u003eBazı dedektörlerin canlı doğrulayıcısı vardır; bazıları yalnızca format doğrulamasına tabi tutulur; dokuzu ise hiç doğrulayıcıya sahip değildir. 
Tam döküm için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e — YAML ile kendi tespit kalıplarınızı tanımlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektörlerin canlı doğrulanabileceği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e — bulguları şiddet seviyesine veya dedektöre göre filtreleme.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"Nasıl Çalışır","description":"Leakwatch tarama hattının mimarisi: kaynaklar, tespit, doğrulama ve çıktı.","html":"\u003ch1 id=\"nasl-alr\"\u003eNasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eLeakwatch hattını anlamak, performansı ayarlamanıza, sonuçları yorumlamanıza ve hangi bayrakları kullanacağınıza karar vermenize yardımcı olur. Bu sayfa, bir tarama komutunu çalıştırdığınız andan bir bulgunun çıktınızda göründüğü ana kadar neler olduğunu açıklar.\u003c/p\u003e\n\u003ch2 id=\"hatta-genel-bak\"\u003eHatta genel bakış\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Kaynak\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[İşçi Havuzu\\n—concurrency işçi]\n B --\u0026gt; C[Aho-Corasick\\nÖn-Filtre]\n C --\u0026gt; D[Regex\\nDedektörler]\n D --\u0026gt; E[Satır İçi İgnore\\nKontrolü]\n E --\u0026gt; F[Doğrulama\\nHavuzu\\n4 işçi / 10 rps]\n F --\u0026gt; G[Tarama Sonrası\\nFiltreler]\n G --\u0026gt; H([Çıktı\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer aşama aşağıda ayrıntılı olarak açıklanmaktadır.\u003c/p\u003e\n\u003ch2 id=\"1-kaynak\"\u003e1. 
Kaynak\u003c/h2\u003e\n\u003cp\u003eHer tarama, motorun işlemesi için veri parçaları yayan bir soyutlama olan \u003cstrong\u003eKaynak\u003c/strong\u003e ile başlar. Leakwatch altı kaynak ile birlikte gelir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNe yayar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosya içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir OCI/Docker imajının katman içerikleri, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanal ve DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack taraması yalnızca \u003cstrong\u003emesaj 
metnini\u003c/strong\u003e kapsar. Slack'e yüklenen dosyaların içerikleri taranmaz.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eParçalar, işçi havuzu tarafından tüketilen tamponlu bir kanala akar.\u003c/p\u003e\n\u003ch2 id=\"2-i-havuzu\"\u003e2. İşçi havuzu\u003c/h2\u003e\n\u003cp\u003eMotor, sabit sayıda \u003cstrong\u003egoroutine\u003c/strong\u003e içeren bir havuz yönetir — her biri \u003ccode\u003e--concurrency\u003c/code\u003e değerine karşılık gelir (varsayılan: CPU sayısı). Her işçi kanaldan bir parça alır ve tespit hattını bağımsız olarak çalıştırır. İşçiler değişebilir durum paylaşmadığından havuz, I/O ve bellek sınırlarına kadar eşzamanlılıkla doğrusal ölçeklenir.\u003c/p\u003e\n\u003cp\u003eTaramalar \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e'e yanıt verir: iptal sinyali geldiğinde bağlam iptal edilir, işçiler mevcut parçalarını tamamlayıp durur ve kısmi sonuçlar çıktı yazılmadan önce toplanır.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-anahtar-kelime-n-filtresi\"\u003e3. Aho-Corasick anahtar kelime ön-filtresi\u003c/h2\u003e\n\u003cp\u003eHer parça üzerinde 63 regex desenini çalıştırmak yavaş olur. Bunun yerine motor, başlangıçta her dedektörün bildirdiği anahtar kelime listelerinden tek bir \u003cstrong\u003eAho-Corasick çok-desenli otomat\u003c/strong\u003e oluşturur. Her parça için bu otomat tek bir doğrusal geçiş yapar ve yalnızca anahtar kelimeleri parçanın baytlarında görünen dedektörleri döndürür.\u003c/p\u003e\n\u003cp\u003eBu, çoğu dedektörün çoğu parça üzerinde regex'ini hiç çalıştırmadığı anlamına gelir. Anahtar kelime bildirmeyen dedektörler her zaman çalışır (ön filtreyi atlayarak doğrudan regex'e geçerler).\u003c/p\u003e\n\u003cp\u003eAho-Corasick uygulaması \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e kütüphanesinden gelmektedir.\u003c/p\u003e\n\u003ch2 id=\"4-regex-dedektrler\"\u003e4. 
Regex dedektörler\u003c/h2\u003e\n\u003cp\u003eKısa listeye alınan her dedektör, derlenmiş \u003cstrong\u003edüzenli ifadesini\u003c/strong\u003e parça baytları üzerinde çalıştırır. Bir desen eşleştiğinde dedektör şunları içeren bir \u003ccode\u003eRawFinding\u003c/code\u003e döndürür:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları (yalnızca doğrulama için bellekte tutulur; asla loglanmaz veya diske yazılmaz).\u003c/li\u003e\n\u003cli\u003eÇıktı için güvenli olan \u003cstrong\u003emaskelenmiş\u003c/strong\u003e bir gösterim.\u003c/li\u003e\n\u003cli\u003eİsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch, 60 paket genelinde \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel YAML kuralları\u003c/a\u003e aracılığıyla kendi desenlerinizi ekleyebilirsiniz.\u003c/p\u003e\n\u003cp\u003eTüm dedektörler, Go'nun \u003ccode\u003einit()\u003c/code\u003e işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur.\u003c/p\u003e\n\u003ch2 id=\"5-satr-ii-ignore-kontrol\"\u003e5. 
Satır içi ignore kontrolü\u003c/h2\u003e\n\u003cp\u003eBir bulgu doğrulamaya gönderilmeden önce motor, kaynak satırın bir \u003cstrong\u003esatır içi ignore işareti\u003c/strong\u003e içerip içermediğini kontrol eder:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eveya dedektöre özgü bir varyant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİşaret mevcutsa bulgu, \u003cstrong\u003eherhangi bir ağ çağrısı yapılmadan önce\u003c/strong\u003e sessizce bırakılır. Bu kasıtlıdır: yoksayılan sırlar asla canlı bir API isteğini tetiklememeli.\u003c/p\u003e\n\u003ch2 id=\"6-dorulama\"\u003e6. Doğrulama\u003c/h2\u003e\n\u003cp\u003eTüm parçalar için tespit tamamlandıktan sonra motor, bulguları ayrı bir \u003cstrong\u003edoğrulama işçi havuzuna\u003c/strong\u003e geçirir (varsayılan 4 işçi). Doğrulama:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTüm işçiler arasında paylaşılan global bir \u003cstrong\u003ehız sınırlayıcı\u003c/strong\u003e (varsayılan saniyede 10 istek) ile korunur.\u003c/li\u003e\n\u003cli\u003eHer API çağrısına \u003cstrong\u003eistek başına zaman aşımı\u003c/strong\u003e (varsayılan 10 saniye) uygular.\u003c/li\u003e\n\u003cli\u003eSağlayıcıya yalnızca \u003cstrong\u003esalt-okunur, yıkıcı olmayan\u003c/strong\u003e çağrılar yapar (örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHer bulguyu dört durumdan biriyle işaretler: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch \u003cstrong\u003e54 doğrulayıcı\u003c/strong\u003e ile birlikte gelir; 63 yerleşik dedektör türünün %85,7'sini kapsar. 
Kalan 9 tür (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman \u003ccode\u003eunverified\u003c/code\u003e olarak raporlanır.\u003c/p\u003e\n\u003cp\u003eBu aşamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin — hızlı, çevrimdışı taramalar için kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eDoğrulama davranışı ve durum anlamları hakkında derinlemesine bilgi için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"7-bulgu-kimlii-ve-entropi\"\u003e7. Bulgu kimliği ve entropi\u003c/h2\u003e\n\u003cp\u003eHer bulgu, şu şekilde hesaplanan \u003cstrong\u003edeterministik bir kimlik\u003c/strong\u003e alır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(dedektörID + maskelendi + dosyaYolu + satır) → 16 hex karaktere kısaltıldı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAynı konumdaki aynı sır her zaman aynı kimliği üretir; bu da bulguları çalıştırmalar arasında yinelenenleri kaldırmayı veya sorun izleyicilerde takip etmeyi güvenli kılar.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropisi\u003c/strong\u003e (aralık 0–8) her bulgu için hesaplanır ve bilgilendirme amacıyla çıktıda gösterilir. Motor düzeyinde entropi, yerleşik bulguları \u003cstrong\u003eengellemez veya düşürmez\u003c/strong\u003e — düşük entropili bir eşleşme yine de sonuçlarda görünür. Entropi eşikleri yalnızca özel kuralların içinde geçerlidir; her kural kendi minimumunu bildirebilir.\u003c/p\u003e\n\u003ch2 id=\"8-tarama-sonras-filtreler\"\u003e8. 
Tarama sonrası filtreler\u003c/h2\u003e\n\u003cp\u003eDoğrulamadan sonra iki filtre uygulanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — \u003ccode\u003everified:active\u003c/code\u003e olmayan tüm bulguları bırakır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — belirtilen önem düzeyinin (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; varsayılan \u003ccode\u003elow\u003c/code\u003e) altındaki bulguları bırakır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHer iki filtre de doğrulama sonrasında çalışır; böylece \u003ccode\u003e--only-verified\u003c/code\u003e değerlendirildiğinde doğrulama durumu kullanılabilir olur.\u003c/p\u003e\n\u003ch2 id=\"9-kt\"\u003e9. Çıktı\u003c/h2\u003e\n\u003cp\u003eHayatta kalan bulgular dört \u003cstrong\u003ebiçimleyiciden\u003c/strong\u003e birine iletilir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBiçim\u003c/th\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eYaygın kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (varsayılan)\u003c/td\u003e\n\u003ctd\u003eMakine tarafından okunabilir, hat dostu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, güvenlik panoları\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eElektronik tablolar, veri analizi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTablo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format 
table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal incelemesi, önem derecesine göre renklendirilmiş\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıktı varsayılan olarak stdout'a gider; bir dosyaya yazmak için \u003ccode\u003e--output \u0026lt;dosya\u0026gt;\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eBiçim veya çıktı hedefi ne olursa olsun, her taramadan sonra bir \u003cstrong\u003etarama özeti\u003c/strong\u003e (tarih, kaynak türü, hedef, taranan dosyalar, süre, bulgu sayısı, kesme durumu) her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eLeakwatch, bulunan sırların doğrulama çağrıları dışında süreç sınırını asla terk etmemesi için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları yalnızca tespit ve doğrulama sırasında bellekte yaşar.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--show-raw\u003c/code\u003e bayrağı varsayılan olarak \u003ccode\u003efalse\u003c/code\u003e'tur; bu olmadan çıktıda yalnızca maskelenmiş gösterim görünür.\u003c/li\u003e\n\u003cli\u003eSırlar asla diske yazılmaz, \u003ccode\u003eslog\u003c/code\u003e aracılığıyla loglanmaz veya çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tasarm-kararlar\"\u003eTasarım kararları\u003c/h2\u003e\n\u003cp\u003eMimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO devre dışı\u003c/strong\u003e (ADR-0001) — tek statik ikili dosya, çalışma zamanı bağımlılığı yok, tüm platformlara çapraz derlenir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — \u003ccode\u003ebayrak \u0026gt; env \u0026gt; yapılandırma \u0026gt; varsayılan\u003c/code\u003e önceliğiyle hiyerarşik 
CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — saf Go Git kütüphanesi; harici \u003ccode\u003egit\u003c/code\u003e ikili dosyası gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDerleme zamanı dedektör kaydı\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + boş importlar; tür güvenli, çalışma zamanı eklenti yükleyicisi yok.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hibrit eşleştirme\u003c/strong\u003e (ADR-0005) — ön filtre, alakasız parçalardaki regex çalışmasının çoğunu ortadan kaldırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonsuz katman analizi; imajları taramak için Docker daemon gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eİşçi havuzu\u003c/strong\u003e (ADR-0008) — sabit goroutine sayısı, kanal tabanlı fan-out; öngörülebilir bellek ve CPU kullanımı.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Kurulum","description":"Leakwatch'ı Homebrew, go install, Docker veya hazır bir ikili dosya ile kurun.","html":"\u003ch1 id=\"kurulum\"\u003eKurulum\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ı makinenize kurmak bir dakikadan az sürer. 
İş akışınıza en uygun yöntemi seçin: Homebrew macOS ve Linux'ta en basit seçenektir, \u003ccode\u003ego install\u003c/code\u003e halihazırda bir Go araç zinciriniz varsa idealdir, Docker ana sisteminizi temiz tutar ve hazır ikili dosyalar herhangi bir araç zinciri gerektirmeden her yerde çalışır.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-ve-linux\"\u003eHomebrew (macOS ve Linux)\u003c/h2\u003e\n\u003cp\u003eResmi tap, amd64 ve arm64 mimarilerinde macOS ve Linux'u destekler.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTap, \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e adresinde barındırılmaktadır. Homebrew ile yükseltmek için \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e komutunu kullanın.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003ego install\u003c/h2\u003e\n\u003cp\u003eGo 1.25 veya daha yeni bir sürümü yüklüyse, en son sürümü doğrudan kaynaktan derleyip kurabilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİkili dosya \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e dizinine yerleştirilir. Bu dizinin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olduğundan emin olun.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e her zaman en son etiketli sürümü getirir. 
Belirli bir sürüme sabitlemek için \u003ccode\u003e@latest\u003c/code\u003e yerine \u003ccode\u003e@v1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eMinimal, çok aşamalı bir Alpine imajı GitHub Container Registry'de yayımlanmaktadır. İmaj, root olmayan bir kullanıcı (\u003ccode\u003eleakwatch\u003c/code\u003e) olarak çalışır, CGO devre dışıdır ve çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKullanılabilir etiketler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın. 
Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için \u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"hazr-ikili-dosya\"\u003eHazır ikili dosya\u003c/h2\u003e\n\u003cp\u003eHer sürüm, desteklenen tüm platformlar için \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasında tar arşivleri yayımlar. Platformunuza ait arşivi indirin, açın ve ikili dosyayı \u003ccode\u003ePATH\u003c/code\u003e değişkeninizdeki bir dizine taşıyın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDesteklenen platformlar:\u003c/strong\u003e amd64 ve arm64 mimarilerinde Linux, macOS ve Windows.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Linux amd64 örneği — OS ve ARCH değerlerini platformunuza göre değiştirin\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform adlandırması \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e kalıbını izler; \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e değeri \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e veya \u003ccode\u003eWindows\u003c/code\u003e, \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e değeri ise \u003ccode\u003eamd64\u003c/code\u003e veya \u003ccode\u003earm64\u003c/code\u003e 
olabilir.\u003c/p\u003e\n\u003ch2 id=\"kurulumu-dorulama\"\u003eKurulumu doğrulama\u003c/h2\u003e\n\u003cp\u003eHerhangi bir kurulum yönteminin ardından ikili dosyanın erişilebilir olduğunu doğrulayın ve sürümü kontrol edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeklenen çıktı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut bulunamazsa kurulum dizininin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olup olmadığını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — Leakwatch taramasının arkasındaki mimari.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile tarama davranışını özelleştirin.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Tanıtım","description":"Leakwatch nedir, neyi tarar ve sızan sırları nasıl tespit edip 
doğrular.","html":"\u003ch1 id=\"tantm\"\u003eTanıtım\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e, sızan sırları — API anahtarları, token'lar, parolalar, bağlantı dizeleri ve özel anahtarlar — kod tabanlarınızda, Git geçmişinizde, konteyner imajlarınızda, bulut depolamanızda ve Slack çalışma alanlarınızda \u003cstrong\u003etespit eden, doğrulayan ve raporlayan\u003c/strong\u003e yüksek performanslı, açık kaynaklı (MIT) bir güvenlik aracıdır.\u003c/p\u003e\n\u003cp\u003eGo ile yazılmıştır, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olarak dağıtılır (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e) ve her yerde çalışacak şekilde tasarlanmıştır: bir geliştirici dizüstü bilgisayarı, bir pre-commit kancası veya bir CI/CD hattı.\u003c/p\u003e\n\u003ch2 id=\"neden-leakwatch\"\u003eNeden Leakwatch\u003c/h2\u003e\n\u003cp\u003eTek bir commit'te sızan bir kimlik bilgisi — sonradan silinse bile — Git geçmişinde sonsuza dek erişilebilir kalabilir ve push edildikten dakikalar sonra istismar edilebilir. Leakwatch, bu sırları erken yakalamak ve hangilerinin \u003cem\u003egerçekten tehlikeli\u003c/em\u003e olduğunu söylemek için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGeniş tespit\u003c/strong\u003e — bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını ve daha fazlasını kapsayan 63 yerleşik dedektör; ayrıca kendi YAML özel kurallarınız.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eYalnızca tespit değil, doğrulama\u003c/strong\u003e — 54 dedektör türü için Leakwatch, bulunan bir sırrın \u003cem\u003ehâlâ etkin\u003c/em\u003e olup olmadığını sağlayıcıya kontrollü, salt-okunur bir çağrı yaparak teyit edebilir. 
Etkin olduğu doğrulanmış bir anahtar bir olaydır; etkin olmayan bir anahtar ise gürültüdür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eÇok sayıda kaynak\u003c/strong\u003e — yerel dosya sistemi, eksiksiz bir Git geçmişi, bir OCI/Docker imajı, AWS S3, Google Cloud Storage ve Slack mesajları.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-uyumlu çıktı\u003c/strong\u003e — JSON, SARIF (GitHub Code Scanning için), CSV ve renklendirilmiş terminal tablosu.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTasarımı gereği sır-güvenli\u003c/strong\u003e — bulunan sırlar varsayılan olarak maskelenir ve asla loglanmaz, önbelleğe alınmaz veya diske yazılmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"neleri-tarar\"\u003eNeleri tarar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNeyi kapsar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosyalar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob (yerel veya uzak)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker imaj katmanları, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan 
gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanallardaki ve (isteğe bağlı) DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇoklu depo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAynı anda birden fazla Git deposu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"tespit-ksaca-nasl-alr\"\u003eTespit kısaca nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch, büyük girdilerde bile hızlı kalmak için katmanlı bir hat kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick anahtar kelime ön-filtresi\u003c/strong\u003e — tek bir çok-desenli otomat, bir parçayı hangi dedektörlerin eşleştirebileceğine hızla karar verir; böylece dedektörlerin çoğu regex'ini hiç çalıştırmaz.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex doğrulaması\u003c/strong\u003e — yalnızca kısa listeye alınan dedektörler kesin desenlerini çalıştırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropi\u003c/strong\u003e — Shannon entropisi gösterim için hesaplanır (ve özel kurallar tarafından düşük rastgelelikteki eşleşmeleri elemek için kullanılır).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDoğrulama\u003c/strong\u003e — uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch'ı kullanmak için bu hattı anlamanız gerekmez — ancak taramaların neden hızlı olduğunu ve bazı bulguların neden bir doğrulama durumu gösterirken bazılarının göstermediğini açıklar. 
Tam tablo için \u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"leakwatch-ne-deildir\"\u003eLeakwatch \u003cem\u003ene değildir\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eBeklentileri doğru belirlemek için:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGit geçmişini yeniden yazmaz veya sırları sizin için \u003cstrong\u003ekaldırmaz\u003c/strong\u003e — onları bulup raporlar ve (\u003ccode\u003e--remediation\u003c/code\u003e ile) nasıl döndüreceğinizi söyler.\u003c/li\u003e\n\u003cli\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar; yüklenen dosyaların \u003cem\u003eiçeriğini\u003c/em\u003e taramak uygulanmamıştır.\u003c/li\u003e\n\u003cli\u003eDoğrulama, birçok sır türü için mevcuttur ancak hepsi için değil — 9 dedektör türü (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman doğrulanmamış olarak raporlanır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker veya hazır bir ikili dosya ile kurun.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — taramanın arkasındaki mimari.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Hızlı Başlangıç","description":"İlk Leakwatch taramanızı bir dakikadan kısa sürede çalıştırın.","html":"\u003ch1 id=\"hzl-balang\"\u003eHızlı Başlangıç\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın neler yapabileceğini anlamanın en hızlı yolu, onu gerçek bir dizine yönlendirmektir. 
Bu sayfa ilk taramanızda size rehberlik eder, çıktının ne anlama geldiğini açıklar ve en sık kullanacağınız bayrakları gösterir.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eLeakwatch kurulu ve \u003ccode\u003ePATH\u003c/code\u003e değişkeninizde erişilebilir olmalıdır. Henüz yapmadıysanız \u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"lk-taramanz\"\u003eİlk taramanız\u003c/h2\u003e\n\u003cp\u003eMevcut dizini tek bir komutla tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak çıktı JSON biçiminde stdout'a yazılır. Bunun yerine okunabilir, renklendirilmiş bir tablo almak için \u003ccode\u003e--format table\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBir sonucun nasıl göründüğü aşağıdadır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTarama özeti her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır; bu nedenle pipe veya yeniden yönlendirilen çıktıyla hiçbir zaman çakışmaz.\u003c/p\u003e\n\u003ch2 
id=\"bulguyu-anlamak\"\u003eBulguyu anlamak\u003c/h2\u003e\n\u003cp\u003eTablodaki her satır (veya JSON'daki her nesne) bir bulguyu temsil eder. Temel alanlar şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSır türünün ne kadar kritik olduğu: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşen dedektör — sır türünü tanımlar (örneğin \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın bulunduğu dosyanın tarama köküne göreli yolu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşmenin satır numarası\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın maskelenmiş gösterimi — \u003ccode\u003e--show-raw\u003c/code\u003e ayarlanmadıkça ham değer hiçbir zaman gösterilmez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulama sonucu: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya 
\u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003everified:active\u003c/code\u003e durumu, Leakwatch'ın sağlayıcıya salt-okunur bir API çağrısı yaparak sırrın hâlâ etkin olduğunu doğruladığı anlamına gelir. \u003cstrong\u003eHer \u003ccode\u003everified:active\u003c/code\u003e bulgusunu açık bir olay olarak değerlendirin.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"yaygn-tarama-seenekleri\"\u003eYaygın tarama seçenekleri\u003c/h2\u003e\n\u003ch3 id=\"yalnzca-onaylanm-srlara-odaklann\"\u003eYalnızca onaylanmış sırlara odaklanın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu seçenek doğrulanmamış ve etkin olmayan bulguları gizler; yalnızca etkin olduğu onaylananları bırakır. Çok sayıda sonucunuz olduğunda önceliklendirme için kullanışlıdır.\u003c/p\u003e\n\u003ch3 id=\"hzl-evrimd-tarama-iin-a-dorulamasn-atlayn\"\u003eHızlı çevrimdışı tarama için ağ doğrulamasını atlayın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama tamamen atlanır — hiçbir giden ağ çağrısı yapılmaz. Sonuçlar daha hızlı görünür ve internet bağlantısı olmadan çalışır, ancak tüm bulgular \u003ccode\u003eunverified\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"dzeltme-klavuzu-ekleyin\"\u003eDüzeltme kılavuzu ekleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer bulgu, söz konusu sır türünü nasıl döndüreceğinizi veya iptal edeceğinizi açıklayan bir \u003cstrong\u003eREMEDIATION\u003c/strong\u003e sütunu kazanır. 
Bayrak ayarlandığında aynı veriler JSON, SARIF ve CSV çıktısına da dahil edilir.\u003c/p\u003e\n\u003ch3 id=\"minimum-nem-derecesine-gre-filtreleyin\"\u003eMinimum önem derecesine göre filtreleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e önem derecesindeki bulgular raporlanır.\u003c/p\u003e\n\u003ch3 id=\"sonular-dosyaya-kaydedin\"\u003eSonuçları dosyaya kaydedin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e bayrağı stdout yerine bir dosyaya yazar. SARIF çıktısı \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e ile uyumludur.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-oluturma\"\u003eYapılandırma dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003eİlk denemede varsayılanlarla çalıştırmak uygundur; ancak tekrarlayan kullanım için proje düzeyinde bir yapılandırma isteyeceksiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut, eşzamanlılık, entropi, doğrulama, çıktı biçimi ve yaygın yol dışlamaları için önerilen varsayılanlarla mevcut dizine \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yazar. 
Mevcut bir dosyanın üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e, farklı bir yola yazmak için \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eHer seçeneğin tam açıklaması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI betiklerinin çıktıyı ayrıştırmadan sonuçlara göre hareket edebilmesi için farklı çıkış kodları kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bulgu yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bir veya daha fazla sır bulundu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama bir hata nedeniyle başarısız oldu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTipik bir CI kapısı şöyle görünür:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? 
-eq 1 ]; then\n echo \u0026quot;Etkin sırlar bulundu — derleme başarısız\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, etkin filtreleri geçen (\u003ccode\u003e--min-severity\u003c/code\u003e ve \u003ccode\u003e--only-verified\u003c/code\u003e dahil) \u003cem\u003eherhangi bir\u003c/em\u003e bulgu olduğunda döndürülür. Temiz çıkış kodu \u003ccode\u003e0\u003c/code\u003e, hiçbir bulgunun eşleşmediği anlamına gelir — kod tabanında sır olmadığı anlamına gelmez.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"taramay-iptal-etme\"\u003eTaramayı iptal etme\u003c/h2\u003e\n\u003cp\u003eÇalışan bir taramayı iptal etmek için \u003ccode\u003eCtrl+C\u003c/code\u003e tuşuna basın (veya \u003ccode\u003eSIGTERM\u003c/code\u003e gönderin). Leakwatch düzgün biçimde durur: işlemdeki parçalar tamamlanır, kısmi sonuçlar yazılır ve özet \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Çıktı Formatları","description":"Leakwatch'ın desteklediği dört çıktı formatı — JSON, SARIF, CSV ve tablo — örnekler ve her birini ne 
zaman kullanacağınıza dair rehberlik.","html":"\u003ch1 id=\"kt-formatlar\"\u003eÇıktı Formatları\u003c/h1\u003e\n\u003cp\u003eLeakwatch dört çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları ve insan tarafından okunabilir terminal incelemesi. \u003ccode\u003e--format\u003c/code\u003e (veya \u003ccode\u003e-f\u003c/code\u003e) ile bir format seçin; stdout yerine bir dosyaya yazmak için \u003ccode\u003e--output\u003c/code\u003e (veya \u003ccode\u003e-o\u003c/code\u003e) kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan format \u003ccode\u003ejson\u003c/code\u003e'dur.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON varsayılan format ve en eksiksiz temsil biçimidir. Leakwatch, stdout'a (veya \u003ccode\u003e--output\u003c/code\u003e ile verilen dosyaya) bulgu nesnelerinden oluşan bir JSON \u003cstrong\u003edizisi\u003c/strong\u003e yazar.\u003c/p\u003e\n\u003cp\u003eHam sır değeri, \u003ccode\u003e--show-raw\u003c/code\u003e açıkça ayarlanmadıkça \u003cstrong\u003ehiçbir zaman\u003c/strong\u003e serileştirilmez. 
\u003ccode\u003e--show-raw\u003c/code\u003e ile her nesneye bir \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e alanı eklenir.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-bulgu-nesnesi\"\u003eÖrnek bulgu nesnesi\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--remediation\u003c/code\u003e de ayarlandığında her bulgunun içine iç içe bir \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e nesnesi yerleştirilir. Bkz. \u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif\u003c/code\u003e formatı, \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e'e yüklenmek üzere tasarlanmış bir SARIF v2.1.0 belgesi üretir. 
Araç adı \u003ccode\u003eLeakwatch\u003c/code\u003e'tır ve \u003ccode\u003einformationUri\u003c/code\u003e \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e adresine işaret eder.\u003c/p\u003e\n\u003cp\u003eBulgularda görünen her dedektör, SARIF sürücüsünde bir \u003cstrong\u003ekural\u003c/strong\u003e haline gelir; \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme adımlarından doldurulan \u003ccode\u003ehelp\u003c/code\u003e metni ve sağlayıcı belgelerine işaret eden bir \u003ccode\u003ehelpUri\u003c/code\u003e ile birlikte. Sonuçlar, dedektör ID'si, maskelenmiş değer ve dosya yolundan hesaplanan bir \u003ccode\u003eleakwatch/v1\u003c/code\u003e kısmi parmak izi taşır — bu, çevresindeki kod kaydığında bile GitHub Code Scanning'in aynı uyarıyı takip etmesini sağlar.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-1\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"github-code-scanninge-ykleme\"\u003eGitHub Code Scanning'e yükleme\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Bir GitHub Actions iş akışı adımında:\n- name: SARIF sonuçlarını yükle\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam CI kurulumu için \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003ecsv\u003c/code\u003e formatı, bir başlık satırı ve ardından bulgu başına bir satır yazar; standart virgülle ayrılmış değerler kullanır. 
Her hücre yazılmadan önce elektronik tablo formül enjeksiyonuna karşı sterilize edilir.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar (varsayılan):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eraw\u003c/code\u003e sütunu eklenir.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eremediation\u003c/code\u003e sütunu, \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme başlığını (örn. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) içerir, aksi hâlde boş kalır.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-2\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tablo\"\u003eTablo\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003etable\u003c/code\u003e formatı, insan tarafından okunabilir sekme hizalı bir tablo yazar; sonuçların hızlı görsel taramasını istediğiniz etkileşimli terminal oturumları için en uygun formattır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | 
REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eRAW\u003c/code\u003e sütunu eklenir. Tablonun altına bir özet satırı yazdırılır (örn. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI rengi\u003c/strong\u003e, \u003ccode\u003eSEVERITY\u003c/code\u003e sütununa otomatik olarak uygulanır, ancak yalnızca dört koşulun tamamı sağlandığında:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e seçilmiş\u003c/li\u003e\n\u003cli\u003eÇıktı stdout'a gidiyor (\u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e yok)\u003c/li\u003e\n\u003cli\u003estdout bir TTY (pipe veya yönlendirme değil)\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e ortam değişkeni ayarlanmamış\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÖnem derecesi\u003c/th\u003e\n\u003cth\u003eRenk\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKalın kırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSarı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMavi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"rnek-ar-3\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt-1\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yaygn-kt-bayraklar\"\u003eYaygın çıktı bayrakları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı formatı: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (varsayılan \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout yerine dosyaya yaz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya maskelenmemiş sır değerini dahil et\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBu önem seviyesinin altındaki bulguları 
bırak\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca \u003ccode\u003everified_active\u003c/code\u003e bulgularını tut\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBulguları sağlayıcı düzeltme rehberiyle zenginleştir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Düzeltme Rehberi","description":"Bulguları sağlayıcıya özgü döndürme ve iptal adımları, aciliyet dereceleri ve resmi dokümantasyon bağlantılarıyla zenginleştirmek için --remediation kullanın.","html":"\u003ch1 id=\"dzeltme-rehberi\"\u003eDüzeltme Rehberi\u003c/h1\u003e\n\u003cp\u003eBir sırrın sızdığını bilmek işin yalnızca yarısıdır — ayrıca ne yapacağınızı da bilmeniz gerekir. 
Herhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e eklemek, her bulguyu yapılandırılmış, sağlayıcıya özgü rehberlikle zenginleştirir: kimlik bilgisini döndürme veya iptal etme adımları, sağlayıcının belgelerine bağlantı, yönetim konsoluna bağlantı, aciliyet derecelendirmesi ve bir doğrulama kontrol listesi.\u003c/p\u003e\n\u003ch2 id=\"nasl-etkinletirilir\"\u003eNasıl etkinleştirilir\u003c/h2\u003e\n\u003cp\u003eHerhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDüzeltme zenginleştirmesi varsayılan olarak devre dışıdır. Bayrak yoksa, her bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı \u003ccode\u003enull\u003c/code\u003e olur ve fazladan veri alınmaz veya hesaplanmaz.\u003c/p\u003e\n\u003ch2 id=\"ne-ierir\"\u003eNe içerir\u003c/h2\u003e\n\u003cp\u003eHer düzeltme girişi aşağıdaki alanları içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDüzeltme eyleminin kısa adı (örn. 
\u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrı döndürmek veya iptal etmek için sıralı adımlar listesi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının resmi kimlik bilgisi yönetimi belgelerine bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının yönetim konsolu sayfasına doğrudan bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNe kadar hızlı harekete geçileceği: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e veya \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDöndürme sonrası doğrulama adımları (örn. denetim günlüklerini inceleyin, güvenlik ekibini bilgilendirin)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch, her yerleşik dedektör için bir tane olmak üzere 63 düzeltme girişiyle birlikte gelir. 63 girişin tamamı ikili dosyaya dahildir; rehberliği almak için herhangi bir ağ çağrısı yapılmaz. Bu, çevrimdışı ortamlarda veya hava boşluklu ağlarda bile düzeltme rehberliğinin sorunsuz çalışması anlamına gelir.\u003c/p\u003e\n\u003ch2 id=\"her-formatta-nasl-grnr\"\u003eHer formatta nasıl görünür\u003c/h2\u003e\n\u003cp\u003eZenginleştirme, rehberliği bellekteki bulgu nesnesine ekler. 
Nasıl göründüğü çıktı formatına bağlıdır:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — tam yapılandırılmış \u003ccode\u003eremediation\u003c/code\u003e nesnesi her bulgunun içine yerleştirilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for 
unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — \u003ccode\u003esteps\u003c/code\u003e alanları, kuralın \u003ccode\u003ehelp.text\u003c/code\u003e alanına yerleştirilir ve \u003ccode\u003edoc_url\u003c/code\u003e, kuralın \u003ccode\u003ehelpUri\u003c/code\u003e'si olarak ayarlanır. Bu, GitHub Code Scanning'in uyarı ayrıntıları panelinde doğrudan görünür.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı \u003ccode\u003eremediation\u003c/code\u003e sütununa yazılır. Tam yapılandırılmış rehberlik CSV çıktısına dahil edilmez.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTablo\u003c/strong\u003e — \u003ccode\u003eREMEDIATION\u003c/code\u003e sütununda yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı gösterilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOtomatik olay müdahale iş akışları için tam yapılandırılmış rehberliğe ihtiyaç duyduğunuzda \u003ccode\u003e--remediation --format json\u003c/code\u003e kullanın. Terminalde hızlı, insan tarafından okunabilir bir önceliklendirme oturumu için \u003ccode\u003e--remediation --format table\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eZenginleştirme yalnızca \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında çalışır. Bayrak olmadan, \u003ccode\u003eremediation\u003c/code\u003e alanı JSON ve SARIF çıktısında yoktur ve CSV ile tablo \u003ccode\u003eremediation\u003c/code\u003e sütunları boştur. Bayrak, orijinal tarama sonuçlarını değiştirmez — bunların üzerine bir katman ekler.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kurallar-ve-dzeltme\"\u003eÖzel kurallar ve düzeltme\u003c/h2\u003e\n\u003cp\u003eÖzel kural tanımları bir \u003ccode\u003eremediation\u003c/code\u003e bloğunu desteklemez — düzeltme rehberliği yalnızca yerleşik dedektörler için mevcuttur. 
Özel bir kural tarafından tetiklenen bulgu için \u003ccode\u003e--remediation\u003c/code\u003e bayrağı geçildiğinde, o bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı boş kalır; diğer alanlar etkilenmez.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Başvurusu","description":"Her Leakwatch komutu, alt komutu ve bayrağı için tam başvuru kaynağı.","html":"\u003ch1 id=\"cli-bavurusu\"\u003eCLI Başvurusu\u003c/h1\u003e\n\u003cp\u003eBu sayfa, tüm Leakwatch komutları ve bayrakları için yetkili başvuru kaynağıdır. Kavramsal açıklamalar ve çalışma örnekleri için ilgili tarama veya yapılandırma sayfalarındaki çapraz bağlantıları takip edin.\u003c/p\u003e\n\u003ch2 id=\"global-bayraklar\"\u003eGlobal bayraklar\u003c/h2\u003e\n\u003cp\u003eBu bayraklar her komut ve alt komut üzerinde kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOtomatik olarak bulunan \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasının yolu. 
Atlandığında Leakwatch, geçerli dizinde ve üst dizinlerinde \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e arar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGünlük ayrıntı düzeyi: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e veya \u003ccode\u003eerror\u003c/code\u003e. Günlük çıktısı stderr'e gider ve tarama sonuçlarını etkilemez.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eİkili dosya sürümünü, commit karmasını ve derleme zaman damgasını yazdırır, ardından çıkar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGeçerli dizinde önerilen varsayılanlarla bir \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyası oluşturur.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasını varsayılan yerine 
bu yola yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMevcut bir yapılandırma dosyasının üzerine yaz. Bu bayrak olmadan, çıktı dosyası zaten mevcutsa \u003ccode\u003einit\u003c/code\u003e hatayla çıkar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Varsayılan yapılandırmayı oluştur\nleakwatch init\n\n# Mevcut yapılandırmanın üzerine yaz\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eTüm tarama alt komutları için üst komut. Kendi başına davranışı yoktur; bir alt komut çalıştırın.\u003c/p\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003cp\u003eAşağıdaki bayraklar \u003cstrong\u003etüm\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e alt komutlarında kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya 
\u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosya yoluna yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu bayt sayısından büyük dosyaları veya blob'ları atla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya ham (maskelenmemiş) sır değerini dahil et. Dikkatli kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı sır doğrulamasını devre dışı bırak. 
Giden API çağrısı yapılmaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya dahil edilecek minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi (dönüşüm/iptal adımları) ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel bir dizin ağacını tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e varsayılan olarak \u003ccode\u003e.\u003c/code\u003e'dır. 
En fazla bir konumsal argüman kabul eder.\u003c/p\u003e\n\u003ch4 id=\"dosya-sistemine-zg-bayraklar\"\u003eDosya sistemine özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;kalıp\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob kalıbı. Tekrarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara, renklendirilmiş tablo yazdır\nleakwatch scan fs . --format table\n\n# SARIF çıktısını kaydet, test dosyalarını ve vendor'ı dışla\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel veya uzak bir Git deposunun tam commit geçmişini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir: yerel bir yol veya HTTP/HTTPS/SSH URL'si.\u003c/p\u003e\n\u003ch4 id=\"gite-zg-bayraklar\"\u003eGit'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since 
\u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit karmasından HEAD'e kadar olan değişiklikleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;ad\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan dal yerine belirli bir dalı hedefle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003eUzak depolar için sığ klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi getirir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-1\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tam yerel geçmişi tara\nleakwatch scan git . --format table\n\n# Bir pull request tarafından eklenen commit'leri tara\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir OCI/Docker imajının katmanlarını sırlar açısından tarar. 
Leakwatch daemonsuz çalışır ve kayıt defterinden doğrudan çeker — Docker soketi gerekmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"rnekler-2\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Genel bir imajı tara\nleakwatch scan image nginx:latest --format table\n\n# Özel kayıt defteri imajını tara, JSON çıktısını kaydet\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir AWS S3 kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, anahtarı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi. 
\u003ccode\u003eAWS_REGION\u003c/code\u003e ortam değişkenine veya AWS SDK varsayılanına geri döner.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-3\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm kovayı tara\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Belirli bir ön eki tara\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Google Cloud Storage kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"gcsye-zg-bayraklar\"\u003eGCS'ye özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, adı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği. 
Varsayılan kimlik bilgilerinden proje çıkarılamadığında gereklidir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-4\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm GCS kovasını tara\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Ön ek tara\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Slack çalışma alanındaki mesaj metnini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKonumsal argüman yoktur.\u003c/p\u003e\n\u003ch4 id=\"slacke-zg-bayraklar\"\u003eSlack'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token'ı. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni ile de ayarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. 
Atlandığında erişilebilir tüm kanalları tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adları veya kimliklerinin virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonra gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları dahil et (ek OAuth kapsamları gerektirir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-5\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Erişilebilir tüm kanalları tara\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Belirli kanalları belirli bir tarihten itibaren tara\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBirden fazla Git deposunu paralel olarak tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; 
[bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEn az iki konumsal argüman (depo URL'leri veya yerel yollar) gereklidir.\u003c/p\u003e\n\u003ch4 id=\"reposa-zg-bayraklar\"\u003eRepos'a özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eHer depo taramasındaki çalışan eşzamanlılığı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-6\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki depoyu paralel olarak tara\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Büyük bir depo seti için paralellizmi artır\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam 
Değişkenleri\u003c/a\u003e — Leakwatch'ı bayrak kullanmadan yapılandırma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — ayrıntılı \u003ccode\u003escan fs\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — ayrıntılı \u003ccode\u003escan git\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Ortam Değişkenleri","description":"Leakwatch davranışını bayrak kullanmadan yapılandıran ortam değişkenleri.","html":"\u003ch1 id=\"ortam-deikenleri\"\u003eOrtam Değişkenleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, yapılandırmayı öncelik sırasına göre üç kaynaktan okur: \u003cstrong\u003ekomut satırı bayrakları\u003c/strong\u003e, \u003cstrong\u003eortam değişkenlerini\u003c/strong\u003e geçersiz kılar; ortam değişkenleri \u003cstrong\u003eyapılandırma dosyasını\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e) geçersiz kılar; yapılandırma dosyası yerleşik \u003cstrong\u003evarsayılanlara\u003c/strong\u003e geri döner. 
Ortam değişkenleri, bir yapılandırma dosyasını değiştiremeyeceğiniz veya her çağrıya bayrak geçiremeyeceğiniz CI ortamlarında kullanışlıdır.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-deikeni-kalb\"\u003eYapılandırma değişkeni kalıbı\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki herhangi bir anahtar, ortam değişkeni olarak şu şekilde ayarlanabilir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAnahtar adını büyük harfe çevir.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştir.\u003c/li\u003e\n\u003cli\u003eBaşına \u003ccode\u003eLEAKWATCH_\u003c/code\u003e ekle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eÖrneğin, \u003ccode\u003escan.concurrency\u003c/code\u003e yapılandırma anahtarı \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"deiken-bavurusu\"\u003eDeğişken başvurusu\u003c/h2\u003e\n\u003ch3 id=\"leakwatcha-zg-deikenler\"\u003eLeakwatch'a özgü değişkenler\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e için Slack bot token'ı. \u003ccode\u003e--token\u003c/code\u003e'a eşdeğer. Token'ın kabuk geçmişinde veya CI günlüklerinde görünmesini önlemek için bayrak olarak geçirmek yerine bunu ayarlayın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı. 
\u003ccode\u003e--concurrency\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı doğrulamayı genel olarak devre dışı bırakmak için \u003ccode\u003efalse\u003c/code\u003e olarak ayarlayın. \u003ccode\u003e--no-verify\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm doğrulayıcılar genelinde saniye başına maksimum doğrulama isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan çıktı biçimi (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e). \u003ccode\u003e--format\u003c/code\u003e'a eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir eşleşmenin raporlanması için gereken minimum Shannon entropisi. Float değer, örn. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"grntleme-deikeni\"\u003eGörüntüleme değişkeni\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBoş olmayan herhangi bir değere ayarlandığında, \u003ccode\u003etable\u003c/code\u003e çıktı biçimlendiricisindeki ANSI renk kodlarını devre dışı bırakır. 
\u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e kuralını izler.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-deikenleri-scan-s3-ve-aws-sr-dorulamas-iin\"\u003eAWS değişkenleri (\u003ccode\u003escan s3\u003c/code\u003e ve AWS sır doğrulaması için)\u003c/h3\u003e\n\u003cp\u003eBunlar standart AWS SDK ortam değişkenleridir. Leakwatch bunları AWS SDK v2 varsayılan kimlik bilgisi zincirine aktarır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS erişim anahtarı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS gizli erişim anahtarı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS oturum token'ı (geçici kimlik bilgileri için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKullanılacak \u003ccode\u003e~/.aws/credentials\u003c/code\u003e dosyasından adlandırılmış profil.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-deikeni-scan-gcs-iin\"\u003eGCS değişkeni (\u003ccode\u003escan gcs\u003c/code\u003e 
için)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGoogle hizmet hesabı JSON anahtar dosyasının yolu. Bir GCS kovasını tararken Uygulama Varsayılan Kimlik Bilgileri tarafından kullanılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-rnei\"\u003eÖncelik örneği\u003c/h2\u003e\n\u003cp\u003eŞu kurulumu varsayın:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, \u003ccode\u003eoutput.format: table\u003c/code\u003e olarak ayarlıyor\u003c/li\u003e\n\u003cli\u003eOrtamda \u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e ayarlanmış\u003c/li\u003e\n\u003cli\u003eKomut \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e olarak çalıştırılıyor (\u003ccode\u003e--format\u003c/code\u003e bayrağı yok)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOrtam değişkeni yapılandırma dosyasını geçersiz kıldığından geçerli biçim \u003ccode\u003ejson\u003c/code\u003e'dır.\u003c/p\u003e\n\u003cp\u003eKomut \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e olarak çalıştırılırsa, bayrak her şeyi geçersiz kıldığından geçerli biçim \u003ccode\u003esarif\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kimlik-bilgileri-ve-tarama-kimlik-bilgileri\"\u003eDoğrulama kimlik bilgileri ve tarama kimlik bilgileri\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYukarıdaki AWS ve GCP değişkenleri, Leakwatch'ın \u003cstrong\u003ekendisinin\u003c/strong\u003e nesneleri taramak için S3 veya GCS'ye bağlanırken kimliğini doğrulaması için kullanılır. 
Bulunan sırları doğrulamak için kullanılmazlar. Keşfedilen bir AWS anahtarının doğrulanması, örneğin, runner'ın kimlik bilgilerini değil, keşfedilen anahtarın kendisini kullanarak AWS STS'yi çağırır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-srlar-gvenli-biimde-geirme\"\u003eCI'da sırları güvenli biçimde geçirme\u003c/h2\u003e\n\u003cp\u003eGitHub Actions'ta şifrelenmiş sırları kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGitLab CI'da maskelenmiş CI/CD değişkenlerini kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # proje ayarlarında maskelenmiş değişken olarak tanımlanmış\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eToken değerlerini hiçbir zaman iş akışı dosyalarına veya Dockerfile'lara sabit olarak kodlamayın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tam \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e anahtar başvurusu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eBulut Depolama Taraması\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e ve \u003ccode\u003escan gcs\u003c/code\u003e kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Taraması\u003c/a\u003e — Slack token kapsamları ve izinleri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — eşdeğer komut satırı bayrakları.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Çıkış Kodları","description":"Leakwatch çıkış kodu başvurusu ve bunların betiklerde ve CI pipeline'larında nasıl kullanılacağı.","html":"\u003ch1 id=\"k-kodlar\"\u003eÇıkış 
Kodları\u003c/h1\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için küçük, iyi tanımlanmış bir çıkış kodu seti kullanır. Her tarama alt komutu üç koddan biriyle çıkar.\u003c/p\u003e\n\u003ch2 id=\"kod-bavurusu\"\u003eKod başvurusu\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAd\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTemiz\u003c/td\u003e\n\u003ctd\u003eTarama başarıyla tamamlandı ve etkin filtrelerden hiçbir bulgu geçmedi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular var\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı ve etkin filtrelerden geçen bir veya daha fazla sır bulundu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHata\u003c/td\u003e\n\u003ctd\u003eTaramanın hiç çalışamamasına neden olan ciddi bir hata oluştu — örneğin geçersiz bir bayrak, okunamaz bir yol veya kimlik doğrulama hatası. Stderr'e bir \u003ccode\u003eError: ...\u003c/code\u003e mesajı ve kullanım ipucu yazdırılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"filtrelerin-k-kodu-1i-nasl-etkiledii\"\u003eFiltrelerin çıkış kodu 1'i nasıl etkilediği\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, yalnızca en az bir bulgu etkin çıktı filtrelerinin tümünden geçtiğinde yayılır. En ilgili iki filtre şunlardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — eşiğin altındaki bulgular bastırılır. 
Tüm bulgular \u003ccode\u003elow\u003c/code\u003e önem derecesindeyse ve \u003ccode\u003e--min-severity high\u003c/code\u003e ile çalışıyorsanız, sırlar mevcut olmasına rağmen çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulgular raporlanır. Etkin sır bulunamazsa çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBu, çıkış kodu \u003ccode\u003e0\u003c/code\u003e'ın \u0026quot;mevcut filtre ayarlarınızla eşleşen bulgu yok\u0026quot; anlamına geldiği anlamına gelir — kod tabanının hiçbir sır içermediği değil.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e altında temiz \u003ccode\u003e0\u003c/code\u003e çıkışı, kod tabanının sırdan arındırılmış olduğunu garanti etmez. Doğrulamanın mevcut olmadığı sır türleri (9 dedektör türü) her zaman doğrulanmamış olarak raporlanır ve \u003ccode\u003e--only-verified\u003c/code\u003e tarafından bastırılır. Tam kapsam için \u003ccode\u003e--only-verified\u003c/code\u003e ile birlikte ayrı bir filtresiz tarama yapın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kabuk-betiklerinde-k-kodlarn-kullanma\"\u003eKabuk betiklerinde çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;Sır bulunamadı. 
Derleme devam ediyor.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Sırlar bulundu — birleştirmeden önce leakwatch.json'u inceleyin ve düzeltin.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch bir hatayla karşılaştı (çıkış $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTaramadan önce \u003ccode\u003eset +e\u003c/code\u003e kullanmak, kabuğun sıfır dışı kodlarda çıkmasını engeller ve kodu kendiniz yakalayıp işlemenize olanak tanır.\u003c/p\u003e\n\u003ch2 id=\"ci-pipelinelarnda-k-kodlarn-kullanma\"\u003eCI pipeline'larında çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cp\u003eÇoğu CI sistemi, sıfır dışı herhangi bir çıkış kodunu adım başarısızlığı olarak değerlendirir. Leakwatch sırlar bulunduğunda \u003ccode\u003e1\u003c/code\u003e ile çıktığından, ek yapılandırma olmadan pipeline otomatik olarak başarısız olur — yalnızca tarama komutunu çalıştırın.\u003c/p\u003e\n\u003cp\u003eSırlar bulunsa bile pipeline'ın devam etmesine izin vermek için (örneğin, derlemeyi engellemeden raporu toplamak amacıyla) çıkış kodunu açıkça yoksayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitLab CI'da:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitHub Action'da \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"uygulamada-k-kodu-2\"\u003eUygulamada çıkış kodu 2\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e2\u003c/code\u003e, taramanın hiç çalışamamasına neden olan bir yapılandırma veya çalışma zamanı hatasını gösterir. 
Yaygın nedenler:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGeçersiz bir bayrak değeri (örneğin \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMevcut olmayan veya okunamaz bir yol.\u003c/li\u003e\n\u003cli\u003eEksik gerekli argüman (örneğin, URL olmadan \u003ccode\u003escan git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBir bulut kaynağına bağlanırken kimlik doğrulama hatası.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHata mesajı stderr'e yazdırılır ve sorunu teşhis etmeye yardımcı olacak bağlam içerir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — çıkış kodlarını GitLab CI, Jenkins ve diğerlerine bağlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — resmi action'ın çıkış kodlarını adım sonuçlarıyla nasıl eşlediği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — tam bayrak başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Bulut Depolama (S3 \u0026 GCS)","description":"AWS S3 ve Google Cloud Storage kovalarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"bulut-depolama-s3--gcs\"\u003eBulut Depolama (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSırlar sıklıkla bulut depolamaya taşınır — dışa aktarılan veritabanı dökümleri, ortam dosyaları, CI artefaktları ve günlük arşivleri, düşünüldüğünden çok daha fazla kişinin erişebildiği kovalara akar. 
Leakwatch, AWS S3 ve Google Cloud Storage kovalarını nesne nesne tarayabilir ve bulduğu sırları bir olaya dönüşmeden işaretler.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"kullanm\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003es3://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch standart \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS varsayılan kimlik bilgisi zincirini\u003c/a\u003e kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOrtam değişkenleri (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan kimlik bilgileri dosyası (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan yapılandırma dosyası (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eÖrneğe veya göreve atanmış IAM rolü (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAWS CLI ile zaten kimlik doğrulaması yaptıysanız (\u003ccode\u003eaws configure\u003c/code\u003e veya üstlenilmiş bir rol) ek yapılandırma gerekmez.\u003c/p\u003e\n\u003ch3 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü 
bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca anahtarı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eAWS yapılandırmasından\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-rnekleri\"\u003eS3 örnekleri\u003c/h3\u003e\n\u003cp\u003eTüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir bölgede belirli bir anahtar öneki altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eTaramayı ilgili bir alt yola sınırlamak için \u003ccode\u003e--prefix\u003c/code\u003e kullanın. Milyonlarca nesne içeren büyük bir kovayı taramak yavaş olabilir ve S3 GET istek maliyeti doğurabilir. 
Öneki gerçekten önemli olana — örneğin \u003ccode\u003econfigs/\u003c/code\u003e veya \u003ccode\u003eexports/\u003c/code\u003e — daraltın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"kullanm-1\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003egs://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama-1\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e kullanır. Kimlik bilgisi arama sırası şu şekildedir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eHizmet hesabı anahtar dosyasına işaret eden \u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e ortam değişkeni.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egcloud auth application-default login\u003c/code\u003e ile yapılandırılmış kullanıcı kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003eGoogle Compute Engine örneğine, Cloud Run hizmetine veya GKE iş yüküne atanmış hizmet hesabı.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcse-zg-bayraklar\"\u003eGCS'e özgü 
bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca adı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği (bazı ADC yapılandırmalarında gereklidir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-rnekleri\"\u003eGCS örnekleri\u003c/h3\u003e\n\u003cp\u003eBelirli bir GCP projesiyle tüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca belirli bir önek altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCSV olarak çıktı alın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h2\u003e\n\u003cp\u003eHem \u003ccode\u003es3\u003c/code\u003e hem de \u003ccode\u003egcs\u003c/code\u003e aynı ortak tarama bayraklarını 
destekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan nesneleri atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini 
göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eNesne anahtarlarına uygulanan yol dışlamaları \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. 
\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (kimlik doğrulama hatası, kova bulunamadı, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Konteyner İmajları","description":"Docker daemon gerektirmeksizin OCI ve Docker imaj katmanlarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"konteyner-majlar\"\u003eKonteyner İmajları\u003c/h1\u003e\n\u003cp\u003eKonteyner imajları sırların sıklıkla gizlendiği yerlerden biridir: ortam değişkenlerine gömülen API anahtarları, derleme katmanlarına yerleştirilmiş kimlik bilgileri ve imaj katmanlarına kopyalanıp unutulan yapılandırma dosyaları. 
\u003ccode\u003eleakwatch scan image\u003c/code\u003e, bir OCI veya Docker imajının her katmanını inceler ve bu sırları dağıtım öncesinde gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: standart \u003ccode\u003ename:tag\u003c/code\u003e gösteriminde bir imaj referansı. Leakwatch imajları çekmek ve incelemek için \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e kullanır — herhangi bir Docker daemon \u003cstrong\u003egerekmez\u003c/strong\u003e.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Docker Hub imajını tara\nleakwatch scan image nginx:latest\n\n# Özel GitHub Container Registry imajını tara\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Amazon ECR imajını tara\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"desteklenen-kayt-sunucular\"\u003eDesteklenen kayıt sunucuları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKayıt Sunucusu\u003c/th\u003e\n\u003cth\u003eÖrnek referans\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon 
ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eOCI uyumlu herhangi bir kayıt sunucusu\u003c/td\u003e\n\u003ctd\u003eStandart \u003ccode\u003eregistry/name:tag\u003c/code\u003e biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, Docker ve diğer OCI araçları tarafından kullanılan standart kimlik bilgisi anahtarlığını kullanır. \u003ccode\u003edocker login\u003c/code\u003e (veya \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, bulut sağlayıcısı kimlik bilgisi yardımcıları gibi eşdeğer araçlar) ile oturum açtıysanız, Leakwatch bu kimlik bilgilerini otomatik olarak kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Önce GHCR'a giriş yapın\ndocker login ghcr.io\n\n# Ardından tarayın — kimlik bilgileri otomatik olarak alınır\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAmazon ECR için, taramadan önce ECR kimlik bilgisi yardımcısını yapılandırın ya da \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e ve ilgili ortam değişkenlerini ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch imaj manifestini çeker, her katmanı sırayla işler ve her katmandaki dosyaları çıkarır. Her dosyanın içeriği, dosya sistemi taramasıyla aynı tespit hattından geçirilir. 
\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları burada da geçerlidir ve katmanlar içinde hangi dosya yollarının inceleneceğini sınırlar.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003cp\u003eİmaja özgü bayrak yoktur. Tüm ortak tarama bayrakları geçerlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla 
(bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eYol tabanlı dışlamalar \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. 
Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eDocker Hub imajını tarayın ve sonuçları tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt sunucusu imajını tarayın ve SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif sırları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eJSON çıktısına düzeltme rehberi dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eİmaj taramasından elde edilen her bulgu katman meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan imaj referansı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği katman 
özeti.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKatman içindeki dosyanın yolu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGizli bilgilerin bir kayıt sunucusuna push edilmeden önce yakalanması için konteyner imaj taramasını CI/CD hattınızın derleme aşamasına entegre edin. Sonuçları doğrudan GitHub Code Scanning'e yüklemek için \u003ccode\u003e--format sarif\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (imaj bulunamadı, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Dosya Sistemi","description":"leakwatch scan fs komutuyla yerel bir dizin ağacını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"dosya-sistemi\"\u003eDosya Sistemi\u003c/h1\u003e\n\u003cp\u003eSırlar çoğu zaman önce yerel kaynak kodda ortaya çıkar. \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutu, bir dizin ağacındaki tüm dosyaları dolaşır, her biri üzerinde tam tespit hattını çalıştırır ve bulguları raporlar — henüz commit edilmeden önce yakalamak ya da mevcut bir kod tabanını sonradan taramak için kullanabilirsiniz.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e isteğe bağlıdır. 
Belirtilmediğinde Leakwatch geçerli çalışma dizinini (\u003ccode\u003e.\u003c/code\u003e) tarar. Yalnızca tek bir path argümanı kabul edilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara\nleakwatch scan fs\n\n# Belirli bir proje klasörünü tara\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"dosya-sistemi-kaynann-otomatik-olarak-atladklar\"\u003eDosya sistemi kaynağının otomatik olarak atladıkları\u003c/h2\u003e\n\u003cp\u003eTaramaları hızlı ve gürültüsüz tutmak için dosya sistemi kaynağı herhangi bir yapılandırma gerekmeksizin şunları atlar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eİkili dosyalar\u003c/strong\u003e — dosyanın ilk 8 KB'ında null byte bulunmasıyla tespit edilir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBilinen ikili uzantılar\u003c/strong\u003e — yaygın derlenmiş, görsel, ses, video ve arşiv biçimleri.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKilit dosyaları\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e ve benzerleri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"dosya-sistemine-zg\"\u003eDosya sistemine özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (tekrarlanabilir)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob desenleri. 
Birden fazla kez belirtilebilir veya virgülle ayrılabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini 
göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eGeçerli dizini tarayın ve terminalde renklendirilmiş bir tablo yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTest dosyalarını ve vendor dizinlerini dışlayıp GitHub Code Scanning için SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir monorepo için dosya boyutunu sınırlayın ve çalışan sayısını artırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca yüksek önem dereceli bulguları gösterip rotasyon talimatlarını dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yollar-dlama\"\u003eYolları dışlama\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--exclude\u003c/code\u003e bayrağı glob desenlerini kabul eder ve birden fazla kez belirtilebilir ya da virgülle ayrılmış liste olarak kullanılabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki ayrı bayrak\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Virgülle ayrılmış\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTakımınızla paylaşılan kalıcı dışlama kuralları için \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasına \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında ekleyin. Bu kurallar yalnızca dosya sistemi taramalarına değil, tüm kaynaklara uygulanır. Proje kök dizininizde bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası da oluşturabilirsiniz. 
Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e ve \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e sayfalarına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (yapılandırma hatası, okunamayan yol, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti (kaynak türü, hedef, dosya sayısı, süre ve bulgu sayısı) yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGeliştirme sırasında \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e komutunu çalıştırarak hızlı bir görsel genel bakış elde edin. 
CI hatlarında GitHub Code Scanning ile entegrasyon için \u003ccode\u003e--format sarif\u003c/code\u003e seçeneğine geçin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — varsayılan biçimi, dışlamaları ve daha fazlasını yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e ve satır içi baskılama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — çalışma ağacı yerine commit edilmiş geçmişi tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git Geçmişi","description":"Yerel veya uzak bir Git deposunun tüm commit geçmişini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"git-gemii\"\u003eGit Geçmişi\u003c/h1\u003e\n\u003cp\u003eCommit edilip sonradan silinen bir sır, önceki her commit'te hâlâ mevcuttur ve depoya erişimi olan herkes tarafından ulaşılabilir durumdadır. 
\u003ccode\u003eleakwatch scan git\u003c/code\u003e, bir deponun — yerel veya uzak — \u003cem\u003etüm\u003c/em\u003e commit geçmişini dolaşarak bu sırları, istismar edilmeden önce gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: depoya giden \u003cstrong\u003eyerel dosya sistemi yolu\u003c/strong\u003e (geçerli dizin için \u003ccode\u003e.\u003c/code\u003e) ya da \u003cstrong\u003euzak HTTP/HTTPS veya SSH URL'si\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch tüm Git işlemleri için \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e kullanır; bu, sistem \u003ccode\u003egit\u003c/code\u003e ikili dosyasına bağımlılığı olmayan saf bir Go uygulamasıdır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizindeki yerel depoyu tara\nleakwatch scan git .\n\n# HTTPS üzerinden uzak bir depoyu tara\nleakwatch scan git https://github.com/org/repo.git\n\n# SSH üzerinden tara\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch geçmişteki her commit'i dolaşır ve her commit tarafından eklenen blob'ları inceler. \u003cstrong\u003eBlob-hash tekilleştirmesi\u003c/strong\u003e, aynı dosya içeriğinin kaç commit tarafından referans alındığından bağımsız olarak yalnızca bir kez taranmasını sağlar. 
Bu, tarama süresini ham commit sayısı yerine depodaki \u003cem\u003ebenzersiz içerik\u003c/em\u003e miktarıyla orantılı tutar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch commit-bazlı diff'leri incelediğinden, sonradan silinen — yani mevcut çalışma ağacında görünmeyen — sırları da bulur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"gite-zg\"\u003eGit'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit hash'inden HEAD'e kadar olan değişiklikleri tara (diff tabanlı).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan yerine belirli bir dalı hedef al.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eYalnızca uzak depolar\u003c/strong\u003e için klonlama derinliği. 
\u003ccode\u003e0\u003c/code\u003e tam geçmişi tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini 
göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eYerel deponun tam geçmişini tarayın ve tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003edevelop\u003c/code\u003e dalında belirli bir tarihten sonraki commit'leri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir commit'ten bu yana tanıtılan değişiklikleri tarayın (CI'da yeni commit'leri kontrol etmek için kullanışlıdır):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir uzak depoyu hızlandırmak için sığ klonlama yapın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak depoyu tarayıp yalnızca doğrulanmış bulguları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eGit taramasından elde edilen her bulgu commit meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan deponun URL'si veya yolu (kimlik bilgileri ayıklanmış).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın tanıtıldığı commit hash'i.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit 
yazarının adı ve e-postası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit zaman damgası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDal bağlamı (kullanılabilir olduğunda).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePull request CI işlerinde yalnızca PR tarafından eklenen commit'leri taramak için \u003ccode\u003e--since-commit\u003c/code\u003e kullanın. Son aktiviteyi kapsayan zamanlanmış gece taramaları için \u003ccode\u003e--since \u0026lt;tarih\u0026gt;\u003c/code\u003e tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'leri gömülü kimlik bilgileri içeriyorsa (örn. 
\u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch bu bilgileri günlüklere veya çıktıya yazmadan önce URL'den ayırır; bu sayede token tarama sonuçlarında veya CI izlerinde hiçbir zaman görünmez.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (geçersiz URL, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eÇoklu Depo\u003c/a\u003e — tek komutla birden fazla depoyu tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — geçmiş yerine çalışma ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Çoklu Depo","description":"Birden fazla Git deposunu eşzamanlı olarak tarayın ve sonuçları tek bir raporda birleştirin.","html":"\u003ch1 id=\"oklu-depo\"\u003eÇoklu Depo\u003c/h1\u003e\n\u003cp\u003eBir kuruluş büyüdükçe sırlar düzinelerce hatta yüzlerce deponun herhangi birine yerleşebilir. Bunları tek tek kontrol etmek pratik değildir. 
\u003ccode\u003eleakwatch scan repos\u003c/code\u003e, birden fazla depo URL'sini alır, bunları eşzamanlı olarak tarar ve tüm bulguları tek bir çıktıda birleştirir — tek komut, tek rapor.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut \u003cstrong\u003een az iki\u003c/strong\u003e depo URL'si gerektirir. Tüm depolar otomatik olarak klonlanır, taranır ve temizlenir. Sonunda birleşik bulgu sayısı ve tek bir tarama özeti raporlanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"nasl-alr\"\u003eNasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch aynı anda en fazla \u003ccode\u003e--parallel\u003c/code\u003e sayıda depo taraması başlatır. Her depo:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eSağlanan URL'den klonlanır (güvenlik açısından kimlik bilgileri günlüklerden ve çıktıdan ayıklanır).\u003c/li\u003e\n\u003cli\u003eTam tespit hattıyla taranır; bu depo için \u003ccode\u003e--concurrency\u003c/code\u003e sayıda çalışan kullanılır.\u003c/li\u003e\n\u003cli\u003eTarama tamamlandığında temizlenir (geçici klon silinir).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eTüm depolardan elde edilen bulgular toplanır ve tek bir kaynaktan yapılmış tarama gibi tek bir çıktı olarak yazılır. 
Görüntülenen hedef \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e (N depo) şeklindedir.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"oklu-depoya-zg\"\u003eÇoklu depoya özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya 
yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eDepo başına\u003c/strong\u003e eşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, 
\u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasındaki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları tüm depolara uygulanır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eİki depoyu tarayın ve sonuçları tablo olarak görüntüleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeş depoyu daha yüksek paralellik ile tarayın ve birleşik sonuçları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDepo başına daha fazla çalışan kullanarak yalnızca doğrulanmış bulguları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 
id=\"paralellii-ayarlama\"\u003eParalelliği ayarlama\u003c/h2\u003e\n\u003cp\u003eVerimi kontrol eden iki parametre vardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e, kaç depo klonlama ve taramasının aynı anda çalışacağını kontrol eder. Varsayılan \u003ccode\u003e3\u003c/code\u003e, çoğu iş yükü için uygundur. Ağ bant genişliği ve CPU kapasitesi izin verdiğinde artırın; kısıtlı makinelerde düşürün.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e), her bir depodaki dosya blob'larını işleyen çalışan goroutine sayısını kontrol eder. Bu, tüm tarama komutlarında bulunan aynı bayraktır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTepe noktasındaki toplam eşzamanlı işlem = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBir veya daha fazla depo taraması başarısız olursa (örneğin ağ hatası veya kimlik doğrulama sorunu nedeniyle), Leakwatch hatayı günlüğe kaydeder ve kalan depoları taramaya devam eder. Diğer depolar bulgu üretmiş olsa bile herhangi bir depo taraması başarısız olursa çıkış kodu \u003ccode\u003e2\u003c/code\u003e olur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'lerindeki gömülü kimlik bilgileri (örn. 
\u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), URL günlüklere, çıktıya veya tarama özetine yazılmadan önce ayıklanır.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir veya daha fazla depo taraması başarısız oldu ya da yapılandırma hatası oluştu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — tek bir depoyu derinlemesine tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tüm kaynaklar için paylaşılan varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Çalışma Alanı","description":"Slack kanal ve DM mesaj metinlerini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"slack-alma-alan\"\u003eSlack Çalışma Alanı\u003c/h1\u003e\n\u003cp\u003eGeliştiriciler çoğu zaman kimlik bilgilerini sohbet üzerinden paylaşır — hızlı bir test için bir kanala yapıştırılan token, DM ile gönderilen parola ya da bir olay başlığında söz edilen API anahtarı. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e, Slack çalışma alanınızdaki mesaj metinlerini okur ve bulduğu sırları işaretler.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e tarar. 
Yüklenen dosyaların (ekler, snippet'ler) içeriğini taramak uygulanmamıştır. Yalnızca mesajların metin gövdesi analiz edilir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003cstrong\u003ekonumsal argüman almaz\u003c/strong\u003e. Tüm yapılandırma bayraklar veya ortam değişkenleri aracılığıyla sağlanır.\u003c/p\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eBir Slack Bot Token gereklidir. \u003ccode\u003e--token\u003c/code\u003e bayrağı veya \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni aracılığıyla sağlayın. Ortam değişkeni kullanmak önerilir; böylece token kabuk geçmişinde veya süreç listelerinde asla görünmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"gerekli-bot-token-kapsamlar\"\u003eGerekli bot token kapsamları\u003c/h3\u003e\n\u003cp\u003eBot token'ı, aşağıdaki OAuth kapsamlarına sahip bir Slack uygulamasıyla ilişkilendirilmiş olmalıdır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKapsam\u003c/th\u003e\n\u003cth\u003eAmaç\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı genel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı özel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları oku (yalnızca 
\u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrup doğrudan mesajlarını oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"slacke-zg\"\u003eSlack'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni tercih edilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003etüm kanallar\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eBu tarihte veya sonrasında gönderilen mesajları 
tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları ve grup DM'lerini de tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API istek sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan 
sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eDahili parça boyutu sınırı (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve 
\u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eToken için ortam değişkeni kullanarak botun erişebildiği tüm kanalları tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli kanalları tarayın ve yılın başından bu yana gönderilen mesajlarla sınırlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGürültülü kanalları dışlayın ve doğrudan mesajları dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük çalışma alanlarında Slack hız sınırı hatalarını önlemek için API istek hızını düşürün:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif bulguları bir JSON dosyasına kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eSlack taramasından elde edilen her bulgu mesaj ve kanal meta verisi 
içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği kanal adı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack mesaj zaman damgası (benzersiz mesaj kimliği).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMesaj yazarının Slack kullanıcı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performans-deerlendirmeleri\"\u003ePerformans değerlendirmeleri\u003c/h2\u003e\n\u003cp\u003eSlack API istekleri, Slack tarafından uygulanan hız sınırlarına tabidir. \u003ccode\u003e--rate-limit\u003c/code\u003e bayrağı (varsayılan saniyede \u003ccode\u003e20\u003c/code\u003e istek), Leakwatch'ın istekleri ne kadar agresif yapacağını kontrol eder. Özellikle büyük çalışma alanlarında \u003ccode\u003e429 Too Many Requests\u003c/code\u003e hatası alıyorsanız bu değeri düşürün.\u003c/p\u003e\n\u003cp\u003eHer çalıştırmada tüm çalışma alanını taramak yerine belirli kanalları hedeflemek için \u003ccode\u003e--channels\u003c/code\u003e kullanın. 
Mesajları artımlı biçimde taramak için \u003ccode\u003e--since\u003c/code\u003e ile birleştirin.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (eksik token, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — commit edilmiş geçmişi sırlara karşı 
tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"Doğrulama Nasıl Çalışır","description":"Leakwatch'ın tespit edilen bir sırrın hâlâ aktif olup olmadığını nasıl teyit ettiği, hangi doğrulama modlarını kullandığı ve doğrulamanın nasıl yapılandırılacağı veya devre dışı bırakılacağı.","html":"\u003ch1 id=\"dorulama-nasl-alr\"\u003eDoğrulama Nasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eBir kod tabanında sır bulmak hikayenin yalnızca yarısıdır. Altı ay önce döndürülen bir anahtar gürültüdür; hâlâ canlı olan bir anahtar ise aktif bir olayı temsil eder. Doğrulama, bu çizgiyi çizen adımdır — tespit edilen her bulguyu alır ve mümkün olan durumlarda sırrın sağlayıcıda hâlâ geçerli olup olmadığını teyit eder.\u003c/p\u003e\n\u003ch2 id=\"tespiten-dorulamaya\"\u003eTespiten doğrulamaya\u003c/h2\u003e\n\u003cp\u003eTarama motoru bulguları topladıktan sonra doğrulayıcı havuzu onları işlemeye alır. Her bulgu bir \u003ccode\u003edetector_id\u003c/code\u003e taşır; Leakwatch bu ID için kayıtlı bir doğrulayıcı olup olmadığını arar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBir doğrulayıcı mevcutsa çalışır ve bir durum döndürür.\u003c/li\u003e\n\u003cli\u003eO dedektör türü için kayıtlı bir doğrulayıcı yoksa bulgu değiştirilmeden \u003ccode\u003eunverified\u003c/code\u003e durumuyla geçer.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ki-dorulama-modu\"\u003eİki doğrulama modu\u003c/h2\u003e\n\u003cp\u003eTüm sırlar aynı şekilde doğrulanamaz. 
Leakwatch, her kimlik bilgisi türü için güvenli olan yaklaşıma göre iki farklı yöntem kullanır.\u003c/p\u003e\n\u003ch3 id=\"canl-api-dorulamas\"\u003eCanlı API doğrulaması\u003c/h3\u003e\n\u003cp\u003eYaklaşık 49 dedektör türü için Leakwatch, sağlayıcıya \u003cstrong\u003ekontrollü, salt-okunur bir API çağrısı\u003c/strong\u003e yapar — örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, GitHub token'ları için \u003ccode\u003eGET /user\u003c/code\u003e. Çağrı yalnızca kimliği doğrulamak için gereken minimum uç noktayı kullanır; hiçbir zaman veri değiştirmez, kaynak oluşturmaz veya faturalandırma olayı tetiklemez.\u003c/p\u003e\n\u003cp\u003eSağlayıcı başarılı bir yanıt döndürürse bulgu \u003ccode\u003everified_active\u003c/code\u003e olarak işaretlenir. Sağlayıcı kimlik bilgisini reddederse (örneğin HTTP 401 veya 403 ile) bulgu \u003ccode\u003everified_inactive\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"yalnzca-format-dorulamas\"\u003eYalnızca format doğrulaması\u003c/h3\u003e\n\u003cp\u003eBeş kimlik bilgisi türü için güvenli bir canlı kontrol mevcut değildir — sağlayıcının anonim bir kimlik uç noktası yoktur ya da gerçek bir çağrı yan etkiye yol açar. 
Bu durumlar için Leakwatch, herhangi bir ağ isteği yapmadan kimlik bilgisinin yapısını doğrular:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e alanlarının varlığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca format kontrolü — geçerli bir format hiçbir şeyi kanıtlamaz, sonuç her zaman \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFormat kontrolü geçse bile sonuç \u003ccode\u003eunverified\u003c/code\u003e olarak kalır. Yapısal olarak geçerli bir kimlik bilgisi süresi dolmuş veya iptal edilmiş olabilir. 
Bu bulgular her zaman manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama-durumlar\"\u003eDoğrulama durumları\u003c/h2\u003e\n\u003cp\u003eLeakwatch çıktısındaki her bulgu dört durumdan birini taşır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDurum\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen eylem\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın sağlayıcı tarafından canlı olduğu teyit edildi.\u003c/td\u003e\n\u003ctd\u003eAktif bir olay olarak ele alın. Hemen döndürün.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcı kimlik bilgisini reddetti.\u003c/td\u003e\n\u003ctd\u003eMuhtemelen zaten döndürülmüş. Bağlamı gözden geçirin ve kapatın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBu tür için doğrulayıcı yok, format doğrulaması sonuç vermedi veya doğrulama devre dışı bırakıldı.\u003c/td\u003e\n\u003ctd\u003eManuel olarak inceleyin; risk bağlama göre belirlenir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulayıcı çalıştı ancak ağ hatası, zaman aşımı veya beklenmedik yanıtla karşılaştı.\u003c/td\u003e\n\u003ctd\u003ePotansiyel olarak aktif kabul edin. Yeniden deneyin veya manuel olarak inceleyin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulama-motoru\"\u003eDoğrulama motoru\u003c/h2\u003e\n\u003cp\u003eDoğrulama, tarama çalışan havuzundan yalıtılmış ayrı bir eşzamanlı çalışan havuzunda çalışır. 
Sağlayıcı hız sınırlarını tetiklememek için varsayılanlar temkinlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAyar\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇalışan sayısı\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal hız sınırı\u003c/td\u003e\n\u003ctd\u003e10 istek/saniye\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eİstek başına zaman aşımı\u003c/td\u003e\n\u003ctd\u003e10 sn\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer üç değer de \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003everification:\u003c/code\u003e bloğu altında ayarlanabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # global, saniye başına istek sayısı\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYüzlerce bulgu tetikleyen bir depoyu tarıyorsanız \u003ccode\u003erate-limit\u003c/code\u003e değerini 5'e düşürmeyi veya \u003ccode\u003e--only-verified\u003c/code\u003e etkinleştirmeyi düşünün; bu, doğrulanmış-aktif kümesini küçük ve uygulanabilir tutar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"komut-satrndan-dorulamay-kontrol-etme\"\u003eKomut satırından doğrulamayı kontrol 
etme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--no-verify\u003c/code\u003e ile \u003cstrong\u003edoğrulamayı tamamen devre dışı bırakın\u003c/strong\u003e (ya da yapılandırmada \u003ccode\u003everification.enabled: false\u003c/code\u003e ayarlayın). Her bulgu \u003ccode\u003eunverified\u003c/code\u003e olarak geçer. Bunu çevrimdışı veya hava boşluklu ortamlar için ya da herhangi bir sağlayıcı API'sine dokunmadan mümkün olan en hızlı taramayı istediğinizde kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eYalnızca canlı olduğu doğrulanan sırları görmek\u003c/strong\u003e için \u003ccode\u003e--only-verified\u003c/code\u003e kullanın. \u003ccode\u003everified_active\u003c/code\u003e olmayan her şey çıktıdan düşürülür. Bu, büyük bir sonuç kümesini önceliklendirmenin en hızlı yoludur — yalnızca hemen harekete geçmeniz gereken anahtarları görürsünüz.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e ve \u003ccode\u003everify_error\u003c/code\u003e bulgularını sessizce düşürür. 
Bunu uyumluluk bağlamında tek filtreniz olarak kullanmayın — bazı kimlik bilgisi türleri (JWT'ler, genel API anahtarları, özel anahtarlar) hiçbir zaman doğrulanamaz ve her zaman dışarıda kalır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eDoğrulama, ham sır değerinin süreç sınırını güvensiz biçimde asla terk etmeyecek şekilde tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDoğrulayıcılar sırrı TLS üzerinden doğrudan sağlayıcının HTTP uç noktasına iletir — diske yazılmaz, bir loga gönderilmez ve çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003cli\u003eBaşlatılamayan veya panikle karşılaşan bir doğrulayıcı motor tarafından yakalanır; motor, bulguyu \u003ccode\u003everify_error\u003c/code\u003e olarak işaretler ve taramayı çökertmeden devam eder.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektör türlerinin canlı doğrulandığı, format doğrulandığı veya hiç doğrulanamadığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003everification:\u003c/code\u003e bloğunun tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e — doğrulama durumunun JSON, SARIF, CSV ve tablo çıktısında nasıl göründüğü.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Doğrulama Kapsamı","description":"63 yerleşik dedektörün hangilerinin canlı doğrulandığı, yalnızca format doğrulandığı veya doğrulanamaz olduğu ve bunun önceliklendirme açısından ne anlama geldiği.","html":"\u003ch1 id=\"dorulama-kapsam\"\u003eDoğrulama Kapsamı\u003c/h1\u003e\n\u003cp\u003eLeakwatch 63 yerleşik dedektör ve 54 doğrulayıcı ile gelir; bu, 
\u003cstrong\u003e%85,7\u003c/strong\u003e kapsama oranı sağlar (63 dedektör türünün 54'ünün bir tür doğrulaması mevcuttur). Bu sayfa, çıktınızda ne beklemeniz gerektiğini bilmeniz için her dedektörü doğrulama durumuna göre eşler.\u003c/p\u003e\n\u003ch2 id=\"canl-dorulanan-49-dedektr-tr\"\u003eCanlı doğrulanan (49 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu türler için Leakwatch, sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar ve \u003ccode\u003everified_active\u003c/code\u003e ya da \u003ccode\u003everified_inactive\u003c/code\u003e döndürür. Hiçbir veri oluşturulmaz veya değiştirilmez; çağrı, kimliği doğrulamak için gereken minimum uç noktayı kullanır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör türü\u003c/th\u003e\n\u003cth\u003eSağlayıcı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yalnzca-format-dorulamas-5-dedektr-tr\"\u003eYalnızca format doğrulaması (5 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu doğrulayıcılar tamamen çevrimdışı çalışır. Hiçbir ağ isteği yapılmaz. 
Geçerli bir format kimlik bilgisinin aktif olduğunu kanıtlamadığından, beşi de format kontrolünün geçip geçmediğinden bağımsız olarak her zaman \u003ccode\u003eunverified\u003c/code\u003e döndürür.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003cth\u003eNeden canlı kontrol yok\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol, yan etkileri olan GCP OAuth2 token değişimi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003ctd\u003eHerkese açık kimlik doğrulamasız sağlık uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eParola uzunluğu ve host alt dize kontrolü\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol bir JDBC/ODBC veritabanı bağlantısı gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eHesap başına HMAC imzalama gerektirir; genel kimlik uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eİstemci kimlik bilgisi akışı oturum 
oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulanamaz-9-dedektr-tr\"\u003eDoğrulanamaz (9 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu dedektör türlerinin hiç doğrulayıcısı yoktur. Bunlardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e olur. Bu durum önemsiz oldukları anlamına \u003cstrong\u003egelmez\u003c/strong\u003e — tam olarak tespit edilip raporlanırlar — ancak herkese açık bir doğrulama API'si bulunmamakta ya da herhangi bir doğrulama girişimi yan etkiye yol açmaktadır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eNeden\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJWT herhangi bir tarafça yayınlanabilir; evrensel bir doğrulama uç noktası yoktur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇağrılacak sağlayıcı yok; aktif kullanım uzaktan tespit edilemez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanım gereği bilinmeyen sağlayıcı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak hedef veritabanında oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak Redis örneğinde canlı bağlantı açar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGüvenli, salt-okunur FTP yoklama yöntemi 
yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind kimliği doğrulanmış bir oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWebhook'un aktif olduğunu doğrulamak mesaj göndermeyi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token doğrulaması, Vault uç noktasının bilinmesini gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Doğrulanamaz\u0026quot; \u0026quot;bulunamaz\u0026quot; anlamına gelmez. Bu 9 türün tamamı yine de tespit edilir ve çıktınızda görünür. Kimlik bilgisinin canlı olup olmadığını ve döndürülmesi gerekip gerekmediğini belirlemek için manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kapsam-zeti\"\u003eKapsam özeti\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKategori\u003c/th\u003e\n\u003cth\u003eSayı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eCanlı doğrulanan\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eYalnızca format doğrulaması\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDoğrulanamaz\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eToplam 
dedektör\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDoğrulayıcı (herhangi bir kapsam)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (%85,7)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — iki doğrulama modu, durumlar ve doğrulama motoru.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — yerleşik dedektörlerin tam listesi ve şiddet seviyeleri.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; +window.LW_MANUAL["tr"] = {"ci-cd/docker-usage":{"title":"Docker Kullanımı","description":"Resmi Docker imajını kullanarak Leakwatch taramalarını bir konteyner içinde çalıştırın.","html":"\u003ch1 id=\"docker-kullanm\"\u003eDocker Kullanımı\u003c/h1\u003e\n\u003cp\u003eResmi Leakwatch konteyner imajı, ana makineye herhangi bir şey kurmadan tarama yapmanızı sağlar. 
İmaj \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e ile statik olarak derlenmiş ve root olmayan bir kullanıcı olarak çalışır; bu nedenle kilitli CI ortamlarında ve ana sistemi değiştirmek istemediğiniz paylaşımlı makinelerde güvenle kullanılabilir.\u003c/p\u003e\n\u003ch2 id=\"maj-referans\"\u003eİmaj referansı\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eİmaj Alpine tabanlıdır, root olmayan \u003ccode\u003eleakwatch\u003c/code\u003e kullanıcısı olarak çalışır, çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır ve giriş noktası olarak \u003ccode\u003eleakwatch\u003c/code\u003e'ı ayarlar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGiriş noktası \u003ccode\u003eleakwatch\u003c/code\u003e olduğundan alt komutu ve bayrakları doğrudan imaj adının ardına eklersiniz — örneğin \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. 
İkili dosya adını tekrar yazmanıza gerek yoktur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerel-dizin-tarama\"\u003eYerel dizin tarama\u003c/h2\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAna makinedeki bir dosyaya sonuç yazmak için çıktı dosyasını bağlı birime yazın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch.sarif\u003c/code\u003e dosyası, konteyner çıktıktan sonra ana makinedeki geçerli dizinde görünür.\u003c/p\u003e\n\u003ch2 id=\"uzak-git-deposu-tarama\"\u003eUzak Git deposu tarama\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak Git depoları için birim bağlaması gerekli değildir — Leakwatch bunları konteyner içindeki geçici bir dizine klonlar.\u003c/p\u003e\n\u003ch2 id=\"konteyner-imaj-tarama\"\u003eKonteyner imajı tarama\u003c/h2\u003e\n\u003cp\u003eLeakwatch daemonsuz çalışır: imaj katmanlarını Docker daemon'ına ihtiyaç duymadan doğrudan kayıt defterinden çeker. 
Bu, Leakwatch konteynerinden, ana makine Docker soketini bağlamadan uzak bir imajı tarayabileceğiniz anlamına gelir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt defterleri için kimlik bilgilerini, kayıt defterinizin desteklediği standart ortam değişkenleri aracılığıyla geçirin (örneğin, bağlı bir kimlik bilgisi dosyasına işaret eden \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e).\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-geirme\"\u003eYapılandırma dosyası geçirme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasını \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın; Leakwatch onu otomatik olarak bulur:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e bağlanan dizinde olduğu sürece Leakwatch onu bulur çünkü \u003ccode\u003e/scan\u003c/code\u003e hem çalışma dizini hem de taramaya geçirilen yoldur. 
Yapılandırma dosyanız başka bir yerdeyse onu ayrıca bağlayın ve \u003ccode\u003e--config\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikenleri-geirme\"\u003eOrtam değişkenleri geçirme\u003c/h2\u003e\n\u003cp\u003eBulut taraması ve token tabanlı kimlik doğrulama için ortam değişkenleri \u003ccode\u003e-e\u003c/code\u003e ile enjekte edilebilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# AWS kimlik bilgileriyle S3 taraması\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCI ortamlarında, kimlik bilgilerini komut satırına gömmek yerine maskelenmiş CI değişkenleri olarak enjekte etmeyi tercih edin.\u003c/p\u003e\n\u003ch2 id=\"kt-dosyas-kalb\"\u003eÇıktı dosyası kalıbı\u003c/h2\u003e\n\u003cp\u003eCI'da yaygın bir Docker kalıbı, sonuçları bağlı birime yazmak ve ardından dosyayı bir pipeline artifact'i olarak yüklemek veya arşivlemektir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Docker kullanmak yerine yerel ikili dosyayı 
kurma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e bayrakları ve davranışı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eKonteyner İmajları\u003c/a\u003e — OCI/Docker imaj katmanlarını sır açısından tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI ve diğer pipeline'larda Docker imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm alt komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"GitHub iş akışlarında sır taraması yapmak için resmi Leakwatch GitHub Action'ını kullanın.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eDeponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. GitHub Marketplace'te yayımlanan ve \u003ccode\u003eHodeTech/Leakwatch@v1\u003c/code\u003e olarak kullanılan resmi \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e, Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder. Runner için önceden derlenmiş Leakwatch ikilisini indirir (Go araç zinciri veya derleme adımı gerekmez), taramayı çalıştırır, çıkış kodlarını işler, bir iş özeti (job summary) yazar ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler — bunların hepsini harici bir servis bağımlılığı olmadan yapar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003cstrong\u003eDesteklenen runner'lar:\u003c/strong\u003e action, Linux (\u003ccode\u003eubuntu-*\u003c/code\u003e) ve macOS (\u003ccode\u003emacos-*\u003c/code\u003e) runner'larında çalışır. 
Windows runner'ları henüz desteklenmemektedir; taramayı bir Linux/macOS runner'ında çalıştırın veya \u003ccode\u003eghcr.io/hodetech/leakwatch\u003c/code\u003e konteyner imajını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"hzl-balang\"\u003eHızlı başlangıç\u003c/h2\u003e\n\u003cp\u003eSır bulunduğunda iş akışını engelleyen minimal yapılandırma:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Sır taraması (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/Leakwatch@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (\u003ccode\u003escan-type: fs\u003c/code\u003e), SARIF çıktısı üretir, canlı doğrulamayı atlar (\u003ccode\u003eno-verify: true\u003c/code\u003e) ve herhangi bir bulgu raporlandığında işi başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"sarif-ykleme-ile-tam-rnek\"\u003eSARIF yükleme ile tam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki iş akışı, GitHub Code Scanning'e SARIF yüklemeyi etkinleştirir ve bulguları depo içinde güvenlik uyarıları olarak gösterir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Sır taraması\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # SARIF yüklemesi için gerekli\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Sırları tara\n uses: HodeTech/Leakwatch@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv 
class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF yüklemesi, işin \u003ccode\u003epermissions: security-events: write\u003c/code\u003e bildirmesini gerektirir. Bu olmadan yükleme adımı 403 hatasıyla başarısız olur. \u003ccode\u003eactions/checkout@v4\u003c/code\u003e için \u003ccode\u003econtents: read\u003c/code\u003e izni de gereklidir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"girdiler\"\u003eGirdiler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eGirdi\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇalıştırılacak tarama türü: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e veya \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranacak yol (\u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e için) veya imaj referansı (\u003ccode\u003eimage\u003c/code\u003e için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e veya \u003ccode\u003egithub\u003c/code\u003e (satır içi pull-request ek 
açıklamaları).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e``\u003c/td\u003e\n\u003ctd\u003eBiçimlendirilmiş çıktıyı bu dosyaya yaz (\u003ccode\u003eworking-directory\u003c/code\u003e'ye göreli). \u003ccode\u003eformat: github\u003c/code\u003e için yok sayılır. Boş ve \u003ccode\u003eformat: sarif\u003c/code\u003e ise varsayılan \u003ccode\u003eresults.sarif\u003c/code\u003e'tir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eremediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya giderme (remediation) rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econfig\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e``\u003c/td\u003e\n\u003ctd\u003eBir \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyasının 
yolu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-diff\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eauto\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egit\u003c/code\u003e taramalarında yalnızca olaya yeni gelen commit'leri tara. \u003ccode\u003eauto\u003c/code\u003e, bunu \u003ccode\u003epull_request\u003c/code\u003e/\u003ccode\u003epush\u003c/code\u003e olaylarında etkinleştirir; \u003ccode\u003etrue\u003c/code\u003e zorlar; \u003ccode\u003efalse\u003c/code\u003e her zaman tüm geçmişi tarar. \u003ccode\u003eactions/checkout\u003c/code\u003e ile \u003ccode\u003efetch-depth: 0\u003c/code\u003e gerektirir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eextra-args\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e``\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e komutuna eklenen ek ham argümanlar (boşlukla ayrılmış). Action'ın kendi yönettiği bayraklar (\u003ccode\u003e--format\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e, \u003ccode\u003e--config\u003c/code\u003e, \u003ccode\u003e--show-raw\u003c/code\u003e) reddedilir — bunun yerine ilgili input'ları kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eworking-directory\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaramanın çalıştırılacağı dizin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular raporlandığında (çıkış kodu 1) iş 
akışı adımını başarısız kıl. \u003ccode\u003efalse\u003c/code\u003e olarak ayarlandığında adım başarısız olmak yerine \u003ccode\u003e::warning::\u003c/code\u003e ek açıklaması yayar. Ciddi hatalar (çıkış kodu ≥ 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKurulacak Leakwatch sürümü: \u003ccode\u003elatest\u003c/code\u003e veya belirli bir sürümü sabitlemek için \u003ccode\u003ev1.5.0\u003c/code\u003e gibi bir etiket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erelease-repo\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eHodeTech/Leakwatch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSürüm ikilisinin indirileceği depo (\u003ccode\u003eowner/name\u003c/code\u003e). Yalnızca fork veya kendi sunucunuzdaki aynalar için değiştirin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ktlar\"\u003eÇıktılar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÇıktı\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu raporlanmadıysa \u003ccode\u003e0\u003c/code\u003e; bulgu raporlandıysa \u003ccode\u003e1\u003c/code\u003e. 
Leakwatch çıkış kodunu yansıtır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRunner üzerindeki SARIF çıktı dosyasının yolu (\u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda ayarlanır).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"cida-dorulama\"\u003eCI'da doğrulama\u003c/h2\u003e\n\u003cp\u003eVarsayılan olarak \u003ccode\u003eno-verify\u003c/code\u003e değeri \u003ccode\u003etrue\u003c/code\u003e'dur — CI'da canlı doğrulama \u003cstrong\u003ekapalıdır\u003c/strong\u003e. Bu, taramayı hızlı tutar ve CI runner'larından sağlayıcı API'lerine giden ağ çağrılarını önler; runner'lar güvenlik duvarı arkasında olabilir veya hız sınırlı kimlik bilgilerine sahip olabilir.\u003c/p\u003e\n\u003cp\u003eCI'da doğrulamayı etkinleştirmek için \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/Leakwatch@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eCI'da doğrulamayı etkinleştirmek, Leakwatch'ın her aday bulgu için sağlayıcılara (AWS, GitHub, Stripe vb.) kimlik doğrulamalı API çağrıları yapmasına neden olur. 
Sağlayıcı hız limitlerinden haberdar olun ve runner'ın giden internet erişimine sahip olduğundan emin olun.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sarif-yklemesi-nasl-alr\"\u003eSARIF yüklemesi nasıl çalışır\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e ve \u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLeakwatch'a çıktıyı \u003ccode\u003eresults.sarif\u003c/code\u003e dosyasına yazmasını söyler.\u003c/li\u003e\n\u003cli\u003eTaramanın ardından \u003ccode\u003ecategory: leakwatch\u003c/code\u003e ile \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e'ü çağırır.\u003c/li\u003e\n\u003cli\u003eGitHub dosyayı işler ve bulguları deponun \u003cstrong\u003eSecurity\u003c/strong\u003e sekmesinde \u003cstrong\u003eCode Scanning uyarıları\u003c/strong\u003e olarak gösterir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eYükleme adımı \u003ccode\u003eif: always()\u003c/code\u003e ile çalışır; dolayısıyla \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e tarama adımını başarısız kılsa bile sonuçlar yüklenir.\u003c/p\u003e\n\u003ch2 id=\"action-ktlarn-kullanmak\"\u003eAction çıktılarını kullanmak\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Sırları tara\n id: scan\n uses: HodeTech/Leakwatch@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # iş akışının devam etmesine izin ver\n\n- name: Sonucu yazdır\n run: echo \u0026quot;Raporlanan bulgular: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"belirli-bir-srm-sabitleme\"\u003eBelirli bir sürümü sabitleme\u003c/h2\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için \u003ccode\u003eversion\u003c/code\u003e değerini belirli bir etikete sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/Leakwatch@v1\n 
with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu, önceden derlenmiş \u003ccode\u003ev1.5.0\u003c/code\u003e ikilisini \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eLeakwatch sürümlerinden\u003c/a\u003e indirir ve çalıştırmadan önce SHA-256 sağlama toplamını doğrular. En yüksek tedarik zinciri güvenliği için action'ın kendisini de bir commit SHA'sına sabitleyebilirsiniz: \u003ccode\u003euses: HodeTech/Leakwatch@\u0026lt;sha\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"yalnzca-deien-kodu-tarama-pull-request-diff\"\u003eYalnızca değişen kodu tarama (pull-request diff)\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003egit\u003c/code\u003e taramalarında action, taramayı bir pull request veya push'un gerçekten getirdiği commit'lerle sınırlayabilir; bu daha hızlıdır ve yalnızca yeni eklenen sırları yüzeye çıkarır. \u003ccode\u003escan-diff\u003c/code\u003e (varsayılan \u003ccode\u003eauto\u003c/code\u003e) ile kontrol edilir ve base commit'in yerel olarak bulunması için tam bir checkout gerektirir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ejobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n fetch-depth: 0 # PR base commit'inin mevcut olması için gerekli\n - uses: HodeTech/Leakwatch@v1\n with:\n scan-type: git\n path: .\n # scan-diff: auto (varsayılan) — pull_request/push'ta yalnızca base..HEAD taranır\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epull_request\u003c/code\u003e olayında action \u003ccode\u003egithub.event.pull_request.base.sha\u003c/code\u003e'dan; \u003ccode\u003epush\u003c/code\u003e olayında \u003ccode\u003egithub.event.before\u003c/code\u003e'dan itibaren tarar. Her zaman tüm geçmişi taramak için \u003ccode\u003escan-diff: \u0026quot;false\u0026quot;\u003c/code\u003e, diff modunu zorlamak için \u003ccode\u003escan-diff: \u0026quot;true\u0026quot;\u003c/code\u003e kullanın. 
\u003ccode\u003escan-diff\u003c/code\u003e'in \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003eimage\u003c/code\u003e taramalarında etkisi yoktur.\u003c/p\u003e\n\u003ch2 id=\"satr-ii-pull-request-ek-aklamalar\"\u003eSatır içi pull-request ek açıklamaları\u003c/h2\u003e\n\u003cp\u003eBulguları GitHub Actions iş akışı komutları olarak yaymak için \u003ccode\u003eformat: github\u003c/code\u003e ayarlayın; bunlar pull request'in \u003cstrong\u003eFiles changed\u003c/strong\u003e görünümünde ve çalışma günlüğünde satır içi ek açıklamalar olarak görünür:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/Leakwatch@v1\n with:\n format: github\n fail-on-findings: \u0026quot;false\u0026quot; # isterseniz engellemeden yalnızca ek açıklama yapın\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEk açıklamalar her zaman yalnızca \u003cstrong\u003eredakte edilmiş\u003c/strong\u003e değeri gösterir — ham sır, (çoğu zaman herkese açık olan) PR arayüzüne veya günlüklere asla yazılmaz. 
Hızlı ve görünür PR geri bildirimi için \u003ccode\u003eformat: github\u003c/code\u003e, bulguları \u003cstrong\u003eSecurity\u003c/strong\u003e sekmesinde Code Scanning uyarıları olarak kaydetmek için \u003ccode\u003esarif-upload: true\u003c/code\u003e ile \u003ccode\u003eformat: sarif\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısını anlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — Leakwatch'ın sağlayıcı API'lerini ne zaman ve nasıl çağırdığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Kancası\u003c/a\u003e — commit edilmeden önce sırları yakalama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI, Jenkins ve genel kabuk entegrasyonu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Diğer CI Sistemleri","description":"Leakwatch'ı GitLab CI, Jenkins, Bitbucket Pipelines ve diğer CI sistemlerine entegre edin.","html":"\u003ch1 id=\"dier-ci-sistemleri\"\u003eDiğer CI Sistemleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olduğundan, kabuk komutu çalıştırabilen herhangi bir CI ortamında çalışır: GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps ve diğerleri. 
Bu sayfada açıklananların ötesinde bu sistemler için yerleşik bir entegrasyon yoktur; kalıp her zaman aynıdır: ikili dosyayı kur, taramayı çalıştır, çıkış koduna göre hareket et.\u003c/p\u003e\n\u003ch2 id=\"cida-leakwatch-kurma\"\u003eCI'da Leakwatch kurma\u003c/h2\u003e\n\u003cp\u003eRunner ortamınıza en uygun yöntemi seçin:\u003c/p\u003e\n\u003ch3 id=\"go-install-araclyla-runnerda-go-gerektirir\"\u003e\u003ccode\u003ego install\u003c/code\u003e aracılığıyla (runner'da Go gerektirir)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için belirli bir sürüme sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"docker-imaj-araclyla-go-gerekmez\"\u003eDocker imajı aracılığıyla (Go gerekmez)\u003c/h3\u003e\n\u003cp\u003e\u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e'i iş imajı olarak kullanın veya \u003ccode\u003edocker run\u003c/code\u003e ile çalıştırın. 
Tam kalıp için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch3 id=\"hazr-bir-srm-ikili-dosyas-araclyla\"\u003eHazır bir sürüm ikili dosyası aracılığıyla\u003c/h3\u003e\n\u003cp\u003eUygun tar arşivini \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasından indirin, çıkarın ve \u003ccode\u003ePATH\u003c/code\u003e'e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için iyi tanımlanmış üç çıkış kodu kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen CI eylemi\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu yok\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını geç\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırlar bulundu\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCiddi hata (hatalı yapılandırma, okunamaz yol vb.)\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıkış koduna göre dallanma yapan genel bir kabuk 
parçacığı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;Sır bulunamadı.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Sırlar bulundu — derlemeyi başarısız kılıyorum.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Tarama hatası (çıkış $EXIT_CODE) — derlemeyi başarısız kılıyorum.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-rnei\"\u003eGitLab CI örneği\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e işi Leakwatch'ı kurar, dosya sistemi taraması çalıştırır ve JSON raporunu pipeline artifact'i olarak saklar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 gün\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (varsayılan) değeri, çıkış kodu \u003ccode\u003e1\u003c/code\u003e'in pipeline aşamasını başarısız kılması anlamına gelir. Taramanın merge işlemini engellemeden raporlamasını istiyorsanız \u003ccode\u003eallow_failure: true\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab, SAST raporu artifact'larını destekler. 
Leakwatch SARIF üretir (\u003ccode\u003e--format sarif\u003c/code\u003e) ancak GitLab'ın yerel SAST JSON şemasını değil; bu nedenle \u003ccode\u003ereports: sast:\u003c/code\u003e anahtarı yerine \u003ccode\u003epaths:\u003c/code\u003e artifact yaklaşımını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ci-runnerlar-iin-neriler\"\u003eCI runner'ları için öneriler\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eGiden internet erişimi olmayan runner'larda \u003ccode\u003e--no-verify\u003c/code\u003e kullanın.\u003c/strong\u003e Doğrulama, sağlayıcılara (AWS, GitHub, Stripe vb.) canlı API çağrıları yapar. Hava boşluklu veya güvenlik duvarıyla kısıtlanmış runner'larda bu çağrılar zaman aşımına uğrar ve taramayı yavaşlatır. Doğrulamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eÇıktıyı artifact olarak kaydedin.\u003c/strong\u003e İşi tamamlandıktan sonra saklanabilecek, bir güvenlik açığı yönetim platformuna yüklenebilecek veya incelenebilecek bir dosya yazmak için \u003ccode\u003e--format sarif\u003c/code\u003e ya da \u003ccode\u003e--format json\u003c/code\u003e ile birlikte \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e değerini en çok önem taşıyan sırlara odaklanmak için ayarlayın. Gürültülü bir kod tabanında \u003ccode\u003e--min-severity high\u003c/code\u003e ile başlayın ve birikmiş öğeleri temizledikten sonra eşiği düşürün.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-rnei\"\u003eAzure DevOps örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . 
--format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch sır taraması\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-sonuclari\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-rnei\"\u003eJenkins örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Sır taraması') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — tüm çıkış kodlarının tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e — ikili dosyayı kurmak yerine konteyner imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub iş akışları için resmi action.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Kancası","description":"Her commit'ten önce sır taraması yapmak için Leakwatch pre-commit kancasını kullanın.","html":"\u003ch1 id=\"pre-commit-kancas\"\u003ePre-commit Kancası\u003c/h1\u003e\n\u003cp\u003eBir sırrı yakalamak için en ucuz an, onu depoya girmeden önce durdurmaktır. 
Leakwatch, her \u003ccode\u003egit commit\u003c/code\u003e işleminde \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutunu otomatik olarak çalıştıran yerel bir \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e kancası sunar; böylece sızan bir API anahtarı veya parola, geçmişte yer almak yerine commit işlemini başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eŞunlara ihtiyacınız var:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit bir Python aracıdır).\u003c/li\u003e\n\u003cli\u003eGenel olarak kurulmuş \u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e (\u003ccode\u003epip install pre-commit\u003c/code\u003e veya \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePATH\u003c/code\u003e üzerinde Go 1.25+ — kanca dili \u003ccode\u003egolang\u003c/code\u003e olduğundan pre-commit, ilk çalıştırmada Leakwatch'ı kaynaktan derler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"yaplandrma\"\u003eYapılandırma\u003c/h2\u003e\n\u003cp\u003eDeponuzun köküne bir \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e dosyası ekleyin (veya mevcut olanı genişletin):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKancaları yerel Git deposuna kurun:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHepsi bu kadar. Bundan itibaren her \u003ccode\u003egit commit\u003c/code\u003e işlemi bir dosya sistemi taraması tetikler. 
Leakwatch herhangi bir sır bulursa commit engellenir ve bulgular terminale yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"elle-altrma\"\u003eElle çalıştırma\u003c/h2\u003e\n\u003cp\u003eTüm depoyu (yalnızca staged dosyaları değil) istediğiniz zaman taramak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDiğerlerini tetiklemeden yalnızca Leakwatch kancasını çalıştırmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ek-argmanlar-geirme\"\u003eEk argümanlar geçirme\u003c/h2\u003e\n\u003cp\u003eKancanın varsayılan davranışı, ek bayrak olmadan \u003ccode\u003eleakwatch scan fs\u003c/code\u003e'e karşılık gelir. \u003ccode\u003eargs:\u003c/code\u003e anahtarı aracılığıyla ek argümanlar geçirebilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu örnek, yalnızca Leakwatch'ın hâlâ etkin olduğunu doğruladığı yüksek önem dereceli sırları raporlar — yanlış pozitif gürültüsünden kaçınmak isteyen ancak kapsam kaybetmek istemeyen ekipler için uygun katı bir politika.\u003c/p\u003e\n\u003cp\u003eDiğer kullanışlı argümanlar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # daha hızlı commit'ler için canlı doğrulamayı atla\n - --min-severity\n - medium # düşük önem dereceli gürültüyü bastır\n - --format\n - table # terminalde insan tarafından okunabilir çıktı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eKanca tanımında \u003ccode\u003epass_filenames: 
false\u003c/code\u003e ayarlandığından kanca, yalnızca mevcut commit için staged dosyaları değil her zaman tam çalışma ağacını tarar. Bu, staged olmayan dosyalarda halihazırda bulunan sırların da tespit edileceğini garanti eder.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kancann-taradklar\"\u003eKancanın taradıkları\u003c/h2\u003e\n\u003cp\u003eKanca, depo çalışma dizinine karşı \u003ccode\u003eleakwatch scan fs\u003c/code\u003e çalıştırır. CLI ile aynı tespit hattını kullanır: Aho-Corasick ön filtreleme, regex doğrulama, entropi hesaplama ve (\u003ccode\u003e--no-verify\u003c/code\u003e ayarlanmadıkça) canlı doğrulama.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki yapılandırma otomatik olarak uygulanır — dışlama kalıpları, entropi eşikleri ve doğrulama ayarları, herhangi bir ek kanca yapılandırması olmadan geçerli olur.\u003c/p\u003e\n\u003ch2 id=\"kancay-geici-olarak-atlama\"\u003eKancayı geçici olarak atlama\u003c/h2\u003e\n\u003cp\u003eKancayı çalıştırmadan commit yapmak için (örneğin, maskelenmiş sır içeren bir test sabiti commit edilirken):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: test sabiti ekle\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eSKIP=leakwatch\u003c/code\u003e kullanmak, o commit için tüm sır taramasını devre dışı bırakır. 
Yalnızca içeriğin güvenli olduğunu teyit ettiğinizde kullanın; kalıcı bastırmalar için bunun yerine \u003ccode\u003e.leakwatchignore\u003c/code\u003e veya satır içi \u003ccode\u003eleakwatch:ignore\u003c/code\u003e yorumlarını tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kanca-srmn-sabitli-tutma\"\u003eKanca sürümünü sabitli tutma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003erev:\u003c/code\u003e değerini dal adı yerine belirli bir etikete sabitleyin. Bu, ekipteki tüm geliştiricilerin aynı dedektör setini kullandığını ve kancanın sprint ortasında sessizce yükseltilmediğini garantiler:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # sabitle; 'main' veya 'HEAD' kullanmayın\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGüncellemek için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003ccode\u003erev\u003c/code\u003e değerini en son etikete yükseltir ve siz onu commit etmeden önce değişikliği inceleme fırsatı tanır.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — kancanın çalıştırdığı temel tarama komutu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'da dışlamaları, entropiyi ve doğrulamayı kontrol etme.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub CI'da her push ve pull request'te tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Yapılandırma Dosyası","description":"Leakwatch'ı 
.leakwatch.yaml ile yapılandırma — tam şema, varsayılanlar, doğrulama kuralları, ortam değişkeni geçersiz kılmaları ve leakwatch init komutu.","html":"\u003ch1 id=\"yaplandrma-dosyas\"\u003eYapılandırma Dosyası\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın her tarama komutundaki davranışı, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e adlı tek bir YAML dosyasıyla yönetilir. Bu dosyayı anlamak; eşzamanlılık, doğrulama, çıktı biçimi ve yol filtrelemeyi bir kez ayarlamanızı ve her taramanın bu ayarları otomatik olarak almasını sağlar.\u003c/p\u003e\n\u003ch2 id=\"dosya-kefi\"\u003eDosya keşfi\u003c/h2\u003e\n\u003cp\u003eLeakwatch, yapılandırma dosyasını aşağıdaki sırayla çözer:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e bayrağı\u003c/strong\u003e — çalışma dizininden bağımsız olarak açık bir yol kullanır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGeçerli dizin\u003c/strong\u003e — komutun çalıştırıldığı dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAna dizin\u003c/strong\u003e — yedek olarak \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eHiçbir dosya bulunamazsa, her ayar için yerleşik varsayılanlar kullanılır.\u003c/p\u003e\n\u003ch2 id=\"balang-dosyas-oluturma\"\u003eBaşlangıç dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e komutu, önerilen varsayılanlarla düzenlemeye hazır bir dosya yazar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak dosya, geçerli dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e konumuna yazılır. 
Farklı bir yol seçmek için \u003ccode\u003e--output\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHedef dosya zaten mevcutsa, \u003ccode\u003eleakwatch init\u003c/code\u003e üzerine yazmayı reddeder ve hata vererek çıkar. Üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikeni-geersiz-klmalar\"\u003eOrtam değişkeni geçersiz kılmaları\u003c/h2\u003e\n\u003cp\u003eHer yapılandırma anahtarı bir ortam değişkeniyle geçersiz kılınabilir. İsimlendirme kuralı şudur:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eÖnek: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştirin\u003c/li\u003e\n\u003cli\u003eBüyük harfe çevirin\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eÖrnekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003cth\u003eOrtam 
değişkeni\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-sras\"\u003eÖncelik sırası\u003c/h2\u003e\n\u003cp\u003eAynı ayar birden fazla yerde belirtildiğinde, en yüksek öncelikli kaynak kazanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eKomut satırı bayrağı (en yüksek)\u003c/li\u003e\n\u003cli\u003eOrtam değişkeni\u003c/li\u003e\n\u003cli\u003eYapılandırma dosyası değeri\u003c/li\u003e\n\u003cli\u003eYerleşik varsayılan (en düşük)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"tam-ema\"\u003eTam şema\u003c/h2\u003e\n\u003cp\u003eAşağıdaki açıklamalı şema, desteklenen her anahtarı, varsayılan değerini ve geçerli aralığını göstermektedir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Tarama motoru ─────────────────────────────────────────────────────────────\n\nscan:\n # Eşzamanlı dosya işleme worker sayısı.\n # Varsayılan olarak ana makinedeki mantıksal CPU çekirdeği sayısı kullanılır.\n # \u0026gt;= 1 olmalıdır.\n concurrency: 8\n\n # Taranacak maksimum dosya boyutu (bayt cinsinden). 
Bu sınırı aşan dosyalar\n # tamamen atlanır. Varsayılan: 10 MB (10485760). \u0026gt;= 1 olmalıdır.\n max-file-size: 10485760\n\n# ── Tespit ────────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Her aday eşleşme için Shannon entropi hesaplamasını etkinleştirir.\n enabled: true\n\n # Gösterim ve özel kural kapısı için kullanılan entropi eşiği.\n # Aralık: 0–8. Varsayılan: 4.0.\n # Yerleşik bulgular hakkındaki nota bakın.\n threshold: 4.0\n\n# ── Doğrulama ─────────────────────────────────────────────────────────────────\n\nverification:\n # Sağlayıcı API'lerine karşı canlı doğrulamayı etkinleştirir.\n enabled: true\n\n # İstek başına HTTP zaman aşımı. Doğrulama etkinleştirildiğinde \u0026gt;= 1ms olmalıdır.\n # Süre dizesi kullanın (örn. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — tam sayı nanosaniye olarak\n # yorumlanır ve doğrulama başarısız olur.\n timeout: 10s\n\n # Eşzamanlı doğrulama worker sayısı. \u0026gt;= 1 olmalıdır.\n concurrency: 4\n\n # Saniyedeki maksimum doğrulama isteği (token-bucket hız sınırlayıcı).\n # \u0026gt; 0 olmalıdır.\n rate-limit: 10.0\n\n# ── Filtreleme ────────────────────────────────────────────────────────────────\n\nfilter:\n # Taramadan hariç tutulacak yollar için glob desenleri.\n # Desteklenen glob stilleri: filepath.Match desenleri, sıfır veya daha fazla\n # yol segmentini kapsayan ** çift yıldız ve herhangi bir derinlikte adlandırılmış\n # dizini eşleştiren sondaki eğik çizgili dir/ desenleri. Her desen hem tam yol\n # hem de temel dosya adına karşı test edilir.\n # Tüm tarama kaynaklarına uygulanır. 
(`scan fs` komutunda --exclude bayrağı da bunu ayarlar.)\n # Varsayılan: [] (yerleşik ikili/kilit dosya atlamalarının ötesinde hariç tutma yok).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Tamamen devre dışı bırakılacak dedektör ID'leri. Listelenen dedektörlerden\n # gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez.\n # Varsayılan: [].\n exclude-detectors: []\n\n# ── Çıktı ─────────────────────────────────────────────────────────────────────\n\noutput:\n # Çıktı biçimi. Şunlardan biri: json, sarif, csv, table. Varsayılan: json.\n # --format / -f bayrağı bunu çalışma zamanında geçersiz kılar.\n format: json\n\n # Çıktıyı stdout yerine bu dosya yoluna yaz. Varsayılan: \u0026quot;\u0026quot; (stdout).\n # --output / -o bayrağı bunu çalışma zamanında geçersiz kılar.\n file: \u0026quot;\u0026quot;\n\n # Bu önem seviyesinin altındaki bulguları bırak.\n # Şunlardan biri: low, medium, high, critical. Varsayılan: \u0026quot;\u0026quot; (tümünü göster).\n # --min-severity bayrağı bunu çalışma zamanında geçersiz kılar.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Çıktıda maskelenmemiş sır değerini dahil et.\n # Varsayılan: false. --show-raw bayrağı bunu çalışma zamanında geçersiz kılar.\n show-raw: false\n\n# ── Özel kurallar ─────────────────────────────────────────────────────────────\n\n# Kendi dedektörlerinizi YAML kuralları olarak tanımlayın. 
Tam kural şeması\n# için özel kurallar sayfasına bakın.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e, bir bulgunun yanında gösterilen entropi değerini kontrol eder ve özel kurallar için bir kapı görevi görür (entropisi eşiğin altına düşen özel kural eşleşmeleri bastırılır). Yerleşik dedektörlerin bulgularını \u003cstrong\u003ebastırmaz\u003c/strong\u003e — yerleşik dedektörlerin kendi eşleşme kriterleri vardır ve bu ayar tarafından hiçbir zaman bırakılmazlar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, taramaya başlamadan önce yüklenen yapılandırmayı doğrular ve aşağıdaki durumların herhangi birinde hata vererek çıkar:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKoşul\u003c/th\u003e\n\u003cth\u003eHata\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz eşzamanlılık değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz max-file-size değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e içinde değil\u003c/td\u003e\n\u003ctd\u003eDesteklenmeyen çıktı 
biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e 0–8 dışında\u003c/td\u003e\n\u003ctd\u003eGeçersiz entropi eşiği\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e geçerli bir seviye değil (boş değilse)\u003c/td\u003e\n\u003ctd\u003eGeçersiz severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama zaman aşımı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama eşzamanlılığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Bulguları Yok Sayma","description":".leakwatchignore dosyaları, satır içi yok sayma işaretçileri ve yerleşik ikili dosya ve kilit dosyası atlamaları ile yanlış pozitifleri bastırın.","html":"\u003ch1 
id=\"bulgular-yok-sayma\"\u003eBulguları Yok Sayma\u003c/h1\u003e\n\u003cp\u003eHiçbir tarayıcının yanlış pozitif oranı sıfır değildir. Leakwatch, gürültüyü bastırmak için size üç katmanlı mekanizma sunar: yol tabanlı dışlamalar için bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası, satır düzeyinde bastırma için satır içi işaretçiler ve ikili dosyalar ile yaygın kilit dosyaları için her zaman etkin olan yerleşik atlamalar.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-dosyas\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası\u003c/h2\u003e\n\u003cp\u003eTarama sonuçlarından yolları hariç tutmak için depo kökünüze (veya geçerli dizine) bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası oluşturun. Gitignore stilinde söz dizimi kullanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e#\u003c/code\u003e ile başlayan satırlar yorum satırlarıdır.\u003c/li\u003e\n\u003cli\u003eBoş satırlar atlanır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!\u003c/code\u003e öneki bir deseni \u003cstrong\u003egeçersiz kılar\u003c/strong\u003e; önceki bir desen tarafından dışlanmış olacak bir yolu yeniden dahil eder.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSon eşleşen desen kazanır\u003c/strong\u003e — sıra önemlidir.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"ykleme-sras\"\u003eYükleme sırası\u003c/h3\u003e\n\u003cp\u003eLeakwatch, \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyasını önce tarama kökünden, ardından geçerli çalışma dizininden yükler. 
Her ikisi de aynı yol için desen içeriyorsa, geçerli dizin dosyasının desenleri öncelik kazanır çünkü son değerlendirilenler bunlardır.\u003c/p\u003e\n\u003ch3 id=\"glob-sz-dizimi\"\u003eGlob söz dizimi\u003c/h3\u003e\n\u003cp\u003eÜç desen stili desteklenir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStil\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003cth\u003eÖrnek\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandart glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e stili, hem tam yola hem de temel dosya adına karşı eşleştirilen\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇift yıldız \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSıfır veya daha fazla yol segmentini kapsar\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSondaki eğik çizgi \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAdlandırılmış dizinin herhangi bir derinliğindeki her dosyayla eşleşir\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"leakwatchignore-rnei\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e örneği\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Tüm test fixture dosyalarını yok say\ntest/fixtures/**\n\n# Dokümantasyondaki bilinen yer tutucu anahtarları yok say\ndocs/examples/\n\n# Ağaçtaki herhangi bir yerdeki belirli uzantılı dosyaları yok say\n*.pem.example\n\n# Yukarıdaki kural tarafından dışlanan belirli bir dosyayı yeniden dahil et\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv 
class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtrelemesi, her bulgunun dosya yoluna göre tarama tamamlandıktan \u003cstrong\u003esonra\u003c/strong\u003e uygulanır. Dosyaların okunmasını engellemez — ürettikleri bulguları bastırır. Dosyaları okunmadan önce atlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e veya \u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"satr-ii-yok-sayma-iaretileri\"\u003eSatır içi yok sayma işaretçileri\u003c/h2\u003e\n\u003cp\u003eSöz konusu satırdaki dedektörleri bastırmak için herhangi bir kaynak satırına doğrudan bir işaretçi koyun. İşaretçi satırın herhangi bir yerine yerleştirilebilir — genellikle bir yorum içinde — ve motor tarafından doğrulamadan \u003cstrong\u003eönce\u003c/strong\u003e uygulanır; böylece yok sayılan bir satır hiçbir zaman ağ çağrısını tetiklemez.\u003c/p\u003e\n\u003ch3 id=\"bir-satrdaki-tm-dedektrleri-bastr\"\u003eBir satırdaki tüm dedektörleri bastır\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Ödeme işleme yapılandırması\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"bir-satrdaki-belirli-bir-dedektr-bastr\"\u003eBir satırdaki belirli bir dedektörü bastır\u003c/h3\u003e\n\u003cp\u003eYalnızca bir dedektörü bastırırken diğerlerini etkin bırakmak için \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// Bu token dokümantasyon için kasıtlı olarak bir yer tutucudur\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode 
class=\"language-yaml\"\u003e# Platform tarafından ayarlanan CI ortam değişkeni — gerçek bir sır değil\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eMümkün olduğunda genel form yerine dedektöre özgü formu (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) tercih edin. Hangi dedektörü bastırdığınızı belgeler ve diğer tüm dedektörleri o satırda etkin bırakır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerleik-atlamalar-her-zaman-uygulanr\"\u003eYerleşik atlamalar (her zaman uygulanır)\u003c/h2\u003e\n\u003cp\u003eLeakwatch, herhangi bir dedektörü çalıştırmadan önce aşağıdakileri koşulsuz olarak atlar:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili dosya uzantıları\u003c/strong\u003e — \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e ve diğerleri gibi uzantılara sahip dosyalar hiçbir zaman taranmaz.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili içerik tespiti\u003c/strong\u003e — ilk 8 KB'ı null bayt içeren herhangi bir dosya, uzantısından bağımsız olarak ikili olarak kabul edilir ve atlanır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eYaygın kilit dosyaları\u003c/strong\u003e — aşağıdaki dosya adları, yüksek oranda yanlış pozitif üreten hash ve 
sağlama toplamları içerdikleri için her zaman atlanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDosya\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eBu yerleşik atlamalar devre dışı bırakılamaz. 
\u003ccode\u003efilter.exclude-paths\u003c/code\u003e ayarından ayrıdır ve yapılandırma tabanlı filtrelemeden önce çalışır.\u003c/p\u003e\n\u003ch2 id=\"tarama-ncesi-yol-tabanl-dlama\"\u003eTarama öncesi yol tabanlı dışlama\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru tarafından okunmadan önce dışlamak için yapılandırma dosyanızda \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu ayar \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır (dosya sistemi, Git geçmişi, konteyner imajları, bulut depolama, Slack). \u003ccode\u003escan fs\u003c/code\u003e komutunda ayrıca komut satırında \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e parametresi de geçirebilirsiniz; bu, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile eşdeğer bir bayraktır.\u003c/p\u003e\n\u003cp\u003eTam yapılandırma şeması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e, dedektör düzeyinde ve önem derecesi düzeyinde filtreleme için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Önem Derecesi \u0026 Filtreleme","description":"Önem eşikleri, yalnızca doğrulanmış mod, dedektör dışlamaları ve yol dışlamaları 
kullanarak hangi bulguların çıktınıza ulaşacağını kontrol edin.","html":"\u003ch1 id=\"nem-derecesi--filtreleme\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/h1\u003e\n\u003cp\u003eYoğun bir kod tabanı çok sayıda bulgu üretebilir. Leakwatch, en önemli sinyallere odaklanmak için birleştirebileceğiniz birkaç bağımsız filtre sunar: önem eşikleri düşük öncelikli gürültüyü eler, yalnızca doğrulanmış mod yalnızca onaylanmış canlı sırları ortaya çıkarır, dedektör dışlamaları bilinen yanlış pozitif kaynakları susturur ve yol dışlamaları tüm dizin ağaçlarını kapsamın dışında bırakır.\u003c/p\u003e\n\u003ch2 id=\"nem-seviyeleri\"\u003eÖnem seviyeleri\u003c/h2\u003e\n\u003cp\u003eHer yerleşik dedektör, varsayılan bir önem derecesiyle birlikte gelir. En düşükten en yüksek önceliğe doğru dört seviye şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeviye\u003c/th\u003e\n\u003cth\u003eTipik kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDaha yüksek yanlış pozitif oranına sahip genel desenler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanınabilir kimlik bilgisi biçimleri, doğrulanmamış\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaruziyetin büyük olasılıkla önemli olduğu iyi yapılandırılmış sırlar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOnaylanmış canlı sırlar veya neredeyse sıfır yanlış pozitif oranlı biçimler\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer dedektöre atanan önem derecesi \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda 
listelenmiştir.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-eiin-altndaki-bulgular-brak\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: eşiğin altındaki bulguları bırak\u003c/h2\u003e\n\u003cp\u003eBelirtilen seviyenin altındaki önem derecesine sahip bulguları atmak için \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e parametresini kullanın. Yalnızca eşik değerinde veya üzerindeki bulgular çıktıya ulaşır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Yalnızca high ve critical bulguları göster\nleakwatch scan fs . --min-severity high\n\n# medium, high ve critical bulguları göster\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e altında yapılandırma dosyasında kalıcı bir varsayılan ayarlayabilirsiniz. \u003ccode\u003e--min-severity\u003c/code\u003e bayrağı, çalışma zamanında yapılandırma değerini geçersiz kılar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-yalnzca-onaylanm-aktif-srlar\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: yalnızca onaylanmış aktif sırlar\u003c/h2\u003e\n\u003cp\u003eYalnızca doğrulama durumu \u003ccode\u003everified_active\u003c/code\u003e olan bulguları, yani Leakwatch'ın sağlayıcı API'sine kontrollü bir salt-okunur çağrı yaparak hâlâ geçerli olduğunu doğruladığı sırları tutmak için \u003ccode\u003e--only-verified\u003c/code\u003e parametresini kullanın. Diğer tüm bulgular (doğrulanmamış, doğrulanmış-etkin değil veya doğrulama hatası) bırakılır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu bayrak, derlemeyi yalnızca onaylanmış olaylar üzerinde, yer tutucu veya zaten döndürülmüş kimlik bilgileri olabilecek şüpheli desenler üzerinde değil, başarısız kılmak istediğiniz CI hatlarında en kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eHangi dedektörlerin canlı doğrulamayı desteklediği için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-belirli-dedektrleri-devre-d-brak\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: belirli dedektörleri devre dışı bırak\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü kalıcı olarak devre dışı bırakmak için ID'lerini yapılandırma dosyasındaki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e altında listeleyin. Listelenen dedektörlerden gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDedektör ID'leri \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir. Bir dedektör sürekli olarak kod tabanınız için yanlış pozitifler ürettiğinde ve diğer bastırma mekanizmaları (satır içi yok saymalar veya \u003ccode\u003e.leakwatchignore\u003c/code\u003e) yeterince ayrıntılı olmadığında bu ayarı kullanın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-tarama-ncesi-yollar-atla\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: tarama öncesi yolları atla\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru okumadan önce dışlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın. 
Desenler, \u003ccode\u003e.leakwatchignore\u003c/code\u003e ile aynı glob söz dizimini kullanır (standart globlar, \u003ccode\u003e**\u003c/code\u003e çift yıldız ve sondaki eğik çizgili dizin desenleri) ve \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e bayrağı, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile komut satırı eşdeğeridir. \u003ccode\u003e--exclude\u003c/code\u003e bayrağı \u003cstrong\u003eyalnızca\u003c/strong\u003e \u003ccode\u003escan fs\u003c/code\u003e komutunda mevcuttur — diğer tüm kaynaklar için yapılandırma dosyası ayarını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-filtreleri-birletirme\"\u003eCI'da filtreleri birleştirme\u003c/h2\u003e\n\u003cp\u003eBir CI hattında genellikle yalnızca gerçek olaylarda başarısız olan, düşük gürültülü ve yüksek sinyalli bir çalışma istersiniz. Önerilen bir kombinasyon:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
\\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYapılandırma dosyasının kalıcı yol dışlamalarını yönetmesiyle:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eArdından CI için yalnızca biçimi ve hedefi komut satırında geçersiz kılın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama ayrıntıları için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e, satır içi ve dosya tabanlı bastırma için \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e ve tam şema için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Özel Kurallar","description":"YAML ile kendi sır tespit kalıplarınızı nasıl tanımlayacağınız ve 63 yerleşik dedektörün yanında bir Leakwatch taramasına nasıl 
ekleyeceğiniz.","html":"\u003ch1 id=\"zel-kurallar\"\u003eÖzel Kurallar\u003c/h1\u003e\n\u003cp\u003e63 yerleşik dedektör yaygın kullanılan kimlik bilgisi formatlarını kapsar; ancak her kuruluşun dahili token'ları, özel servis anahtarları veya hiçbir genel aracın önceden tahmin edemeyeceği ortama özgü kalıpları vardır. Özel kurallar, kaynak kodu değiştirmeden veya ikili dosyayı yeniden derlemeden kendi kalıplarınızı düz YAML ile tanımlamanıza ve çalışma zamanında yüklemenize olanak tanıyarak Leakwatch'ı genişletmenizi sağlar.\u003c/p\u003e\n\u003ch2 id=\"zel-kurallar-nerede-tanmlanr\"\u003eÖzel kurallar nerede tanımlanır\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyanızda en üst düzey bir \u003ccode\u003ecustom-rules:\u003c/code\u003e listesi altında tanımlanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKurallar, Leakwatch başladığında çalışma zamanında kaydedilir. Aynı Aho-Corasick ön-filtre hattını kullanarak yerleşik dedektörlerle birlikte çalışırlar.\u003c/p\u003e\n\u003ch2 id=\"kural-alanlar\"\u003eKural alanları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eZorunlu\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eBenzersiz dedektör ID'si. Çıktıda ve \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e içinde kullanılır. 
Yerleşik dedektör ID'si veya başka bir özel kural ID'si ile çakışmamalıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eÇıktıda gösterilen insan tarafından okunabilir açıklama.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2 uyumlu düzenli ifade. Maksimum 4096 karakter.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring listesi\u003c/td\u003e\n\u003ctd\u003eAho-Corasick ön-filtre anahtar kelimeleri. Regex yalnızca bu dizelerden en az birini içeren parçalar üzerinde çalışır. Bu alanın atlanması regex'in her parça üzerinde çalışmasına neden olur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e veya \u003ccode\u003elow\u003c/code\u003e. Varsayılan \u003ccode\u003emedium\u003c/code\u003e'dur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropi eşiği (0–8). Entropisi bu değerin \u003cstrong\u003ealtında\u003c/strong\u003e olan eşleşmeler atılır. 
Düşük rastgelelikli yanlış pozitifleri filtrelemek için kullanışlıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eHer zaman \u003ccode\u003ekeywords\u003c/code\u003e belirtin. Tek kısa bir anahtar kelime bile (token ön eki gibi) regex motorunun işlediği parça sayısını önemli ölçüde azaltır ve büyük depolarda taramaların hızlı kalmasını sağlar. Örneğin tüm dahili token'larınız \u003ccode\u003eacme_\u003c/code\u003e ile başlıyorsa \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e ayarlayın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eentropy\u003c/code\u003e kullanarak \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e gibi kalıbı karşılayan ancak açıkça gerçek sır olmayan yer tutucu değerlerdeki eşleşmeleri bastırın. 3,0–3,5 civarı bir eşik iyi bir başlangıç noktasıdır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"akma-ynetimi\"\u003eÇakışma yönetimi\u003c/h2\u003e\n\u003cp\u003eBir özel kuralın \u003ccode\u003eid\u003c/code\u003e'si zaten kayıtlı bir dedektörle eşleşirse — yerleşik dedektör veya daha önce yüklenen özel kural olsun fark etmez — yinelenen kural \u003cstrong\u003eatlanır\u003c/strong\u003e ve bir hata loglanır. Leakwatch çökmez; geri kalan kurallar normal şekilde yüklenir. Bir özel kuralın etkisiz göründüğü durumlarda log çıktısını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eÖzel kuralların eşleştirilmiş doğrulayıcısı yoktur. 
Özel kurallardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e durumuyla raporlanır — hiçbir zaman \u003ccode\u003everified_active\u003c/code\u003e veya \u003ccode\u003everified_inactive\u003c/code\u003e olmaz.\u003c/p\u003e\n\u003ch2 id=\"tam-rnek\"\u003eTam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, iki özel kural tanımlar: biri dahili servis token'ı, diğeri webhook'larda kullanılan imzalama sırrı için.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook imzalama sırrı (format: whsec_ + 40 base64url karakter)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu yapılandırmayla bir tarama çalıştırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kural bulgusu için örnek JSON çıktısı (sır değeri maskelenmiştir):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eraw_redacted\u003c/code\u003e alanı gerçek sırrı her zaman maskeler. Ham değer, açıkça \u003ccode\u003e--show-raw\u003c/code\u003e geçilmedikçe çıktıya asla yazılmaz (kontrollü ortamlar dışında önerilmez).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kural-hari-tutma\"\u003eÖzel kuralı hariç tutma\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, yerleşik dedektörlerle aynı filtrelemeye katılır. 
Bir özel kuralı yapılandırmadan kaldırmadan devre dışı bırakmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003ecustom-rules:\u003c/code\u003e öğesinin belge yapısındaki yeri dahil \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e için tam referans.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — özel kuralınızı adlandırmadan önce ID çakışmalarını kontrol etmek için 63 yerleşik dedektör.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — \u003ccode\u003ekeywords\u003c/code\u003e öğesinin bağlandığı Aho-Corasick ön-filtre hattı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Dedektör Kataloğu","description":"Kategorilere göre gruplanmış tüm 63 yerleşik dedektör; ID'leri, ne tespit ettikleri ve varsayılan şiddet seviyeleri ile.","html":"\u003ch1 id=\"dedektr-katalou\"\u003eDedektör Kataloğu\u003c/h1\u003e\n\u003cp\u003eLeakwatch, bulut sağlayıcısı erişim anahtarlarından ve yapay zekâ API token'larından veritabanı bağlantı dizelerine ve özel kriptografik anahtarlara kadar geniş bir kimlik bilgisi türü yelpazesini kapsayan \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile gelir. Her dedektörün kararlı bir ID'si, varsayılan bir şiddet seviyesi ve (çoğu için) bulunan sırrın hâlâ canlı olup olmadığını teyit edebilen eşleştirilmiş bir doğrulayıcısı vardır.\u003c/p\u003e\n\u003cp\u003eBu sayfa her yerleşik dedektörü listeler. Doğrulama kapsamı ayrıntıları için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın. 
Kendi kalıplarınızı eklemek için \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"bu-katalogu-nasl-okuyacaksnz\"\u003eBu katalogu nasıl okuyacaksınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — yapılandırma ve çıktıda kullanılan kararlı dize tanımlayıcısı. Bir dedektörü atlamak için \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin veya \u003ccode\u003e--min-severity\u003c/code\u003e filtrelemesiyle birlikte kullanın (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTespit eder\u003c/strong\u003e — dedektörün ne aradığı.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eŞiddet\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e (Kritik), \u003ccode\u003eHigh\u003c/code\u003e (Yüksek) veya \u003ccode\u003eMedium\u003c/code\u003e (Orta). Bu varsayılandır; \u003ccode\u003e--min-severity\u003c/code\u003e bayrağını ve \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e yapılandırma anahtarını besler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"bulut-ve-altyap\"\u003eBulut ve Altyapı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Servis Hesabı 
Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID İstemci Sırrı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Servis 
Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yapay-zek--makine-renimi\"\u003eYapay Zekâ / Makine Öğrenimi\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"demeler-ve-ticaret\"\u003eÖdemeler ve Ticaret\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Canlı API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API 
Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"gelitirme-aralar-ci-ve-paketler\"\u003eGeliştirme Araçları, CI ve Paketler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket Uygulama Parolası\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Kişisel API 
Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"letiim-ve-birlii\"\u003eİletişim ve İşbirliği\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit 
eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/Kullanıcı Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Gelen Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Dahili Entegrasyon Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 
id=\"e-posta-ve-mesajlama-teslimat\"\u003eE-posta ve Mesajlaşma Teslimatı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Sunucu API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"zleme-ve-gzlemlenebilirlik\"\u003eİzleme ve Gözlemlenebilirlik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API 
Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Kimlik Doğrulama Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"veritabanlar-ve-balant-dizeleri\"\u003eVeritabanları ve Bağlantı Dizeleri\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVeritabanı Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Bağlantı Kimlik 
Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Servis Rolü Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-ve-eriim\"\u003eKimlik ve Erişim\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Yönetim API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bağlama Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"genel-ve-kriptografik\"\u003eGenel ve Kriptografik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit 
eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGenel API Anahtarı\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÖzel Anahtar (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eToplam: 63 yerleşik dedektör.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"iddete-gre-filtreleme\"\u003eŞiddete göre filtreleme\u003c/h2\u003e\n\u003cp\u003eBulgular, komut satırında \u003ccode\u003e--min-severity\u003c/code\u003e veya yapılandırmada \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e kullanılarak şiddet seviyesine göre filtrelenebilir. Yalnızca belirtilen seviyede veya üzerindeki bulgular çıktıya dahil edilir. 
Ayrıntılar için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"belirli-dedektrleri-hari-tutma\"\u003eBelirli dedektörleri hariç tutma\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü tamamen atlamak için ID'lerini \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam filtreleme referansı için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kapsam\"\u003eDoğrulama kapsamı\u003c/h2\u003e\n\u003cp\u003eBazı dedektörlerin canlı doğrulayıcısı vardır; bazıları yalnızca format doğrulamasına tabi tutulur; dokuzu ise hiç doğrulayıcıya sahip değildir. 
Tam döküm için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e — YAML ile kendi tespit kalıplarınızı tanımlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektörlerin canlı doğrulanabileceği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e — bulguları şiddet seviyesine veya dedektöre göre filtreleme.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"Nasıl Çalışır","description":"Leakwatch tarama hattının mimarisi: kaynaklar, tespit, doğrulama ve çıktı.","html":"\u003ch1 id=\"nasl-alr\"\u003eNasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eLeakwatch hattını anlamak, performansı ayarlamanıza, sonuçları yorumlamanıza ve hangi bayrakları kullanacağınıza karar vermenize yardımcı olur. Bu sayfa, bir tarama komutunu çalıştırdığınız andan bir bulgunun çıktınızda göründüğü ana kadar neler olduğunu açıklar.\u003c/p\u003e\n\u003ch2 id=\"hatta-genel-bak\"\u003eHatta genel bakış\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Kaynak\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[İşçi Havuzu\\n—concurrency işçi]\n B --\u0026gt; C[Aho-Corasick\\nÖn-Filtre]\n C --\u0026gt; D[Regex\\nDedektörler]\n D --\u0026gt; E[Satır İçi İgnore\\nKontrolü]\n E --\u0026gt; F[Doğrulama\\nHavuzu\\n4 işçi / 10 rps]\n F --\u0026gt; G[Tarama Sonrası\\nFiltreler]\n G --\u0026gt; H([Çıktı\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer aşama aşağıda ayrıntılı olarak açıklanmaktadır.\u003c/p\u003e\n\u003ch2 id=\"1-kaynak\"\u003e1. 
Kaynak\u003c/h2\u003e\n\u003cp\u003eHer tarama, motorun işlemesi için veri parçaları yayan bir soyutlama olan \u003cstrong\u003eKaynak\u003c/strong\u003e ile başlar. Leakwatch altı kaynak ile birlikte gelir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNe yayar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosya içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir OCI/Docker imajının katman içerikleri, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanal ve DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack taraması yalnızca \u003cstrong\u003emesaj 
metnini\u003c/strong\u003e kapsar. Slack'e yüklenen dosyaların içerikleri taranmaz.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eParçalar, işçi havuzu tarafından tüketilen tamponlu bir kanala akar.\u003c/p\u003e\n\u003ch2 id=\"2-i-havuzu\"\u003e2. İşçi havuzu\u003c/h2\u003e\n\u003cp\u003eMotor, sabit sayıda \u003cstrong\u003egoroutine\u003c/strong\u003e içeren bir havuz yönetir — her biri \u003ccode\u003e--concurrency\u003c/code\u003e değerine karşılık gelir (varsayılan: CPU sayısı). Her işçi kanaldan bir parça alır ve tespit hattını bağımsız olarak çalıştırır. İşçiler değişebilir durum paylaşmadığından havuz, I/O ve bellek sınırlarına kadar eşzamanlılıkla doğrusal ölçeklenir.\u003c/p\u003e\n\u003cp\u003eTaramalar \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e'e yanıt verir: iptal sinyali geldiğinde bağlam iptal edilir, işçiler mevcut parçalarını tamamlayıp durur ve kısmi sonuçlar çıktı yazılmadan önce toplanır.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-anahtar-kelime-n-filtresi\"\u003e3. Aho-Corasick anahtar kelime ön-filtresi\u003c/h2\u003e\n\u003cp\u003eHer parça üzerinde 63 regex desenini çalıştırmak yavaş olur. Bunun yerine motor, başlangıçta her dedektörün bildirdiği anahtar kelime listelerinden tek bir \u003cstrong\u003eAho-Corasick çok-desenli otomat\u003c/strong\u003e oluşturur. Her parça için bu otomat tek bir doğrusal geçiş yapar ve yalnızca anahtar kelimeleri parçanın baytlarında görünen dedektörleri döndürür.\u003c/p\u003e\n\u003cp\u003eBu, çoğu dedektörün çoğu parça üzerinde regex'ini hiç çalıştırmadığı anlamına gelir. Anahtar kelime bildirmeyen dedektörler her zaman çalışır (ön filtreyi atlayarak doğrudan regex'e geçerler).\u003c/p\u003e\n\u003cp\u003eAho-Corasick uygulaması \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e kütüphanesinden gelmektedir.\u003c/p\u003e\n\u003ch2 id=\"4-regex-dedektrler\"\u003e4. 
Regex dedektörler\u003c/h2\u003e\n\u003cp\u003eKısa listeye alınan her dedektör, derlenmiş \u003cstrong\u003edüzenli ifadesini\u003c/strong\u003e parça baytları üzerinde çalıştırır. Bir desen eşleştiğinde dedektör şunları içeren bir \u003ccode\u003eRawFinding\u003c/code\u003e döndürür:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları (yalnızca doğrulama için bellekte tutulur; asla loglanmaz veya diske yazılmaz).\u003c/li\u003e\n\u003cli\u003eÇıktı için güvenli olan \u003cstrong\u003emaskelenmiş\u003c/strong\u003e bir gösterim.\u003c/li\u003e\n\u003cli\u003eİsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch, 60 paket genelinde \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel YAML kuralları\u003c/a\u003e aracılığıyla kendi desenlerinizi ekleyebilirsiniz.\u003c/p\u003e\n\u003cp\u003eTüm dedektörler, Go'nun \u003ccode\u003einit()\u003c/code\u003e işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur.\u003c/p\u003e\n\u003ch2 id=\"5-satr-ii-ignore-kontrol\"\u003e5. 
Satır içi ignore kontrolü\u003c/h2\u003e\n\u003cp\u003eBir bulgu doğrulamaya gönderilmeden önce motor, kaynak satırın bir \u003cstrong\u003esatır içi ignore işareti\u003c/strong\u003e içerip içermediğini kontrol eder:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eveya dedektöre özgü bir varyant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİşaret mevcutsa bulgu, \u003cstrong\u003eherhangi bir ağ çağrısı yapılmadan önce\u003c/strong\u003e sessizce bırakılır. Bu kasıtlıdır: yoksayılan sırlar asla canlı bir API isteğini tetiklememeli. İşaret taranan kaynak kodun içinde yaşadığından, yoksayma kararını kodu yazan kişi verir; bu nedenle kod incelemesinde yeni eklenen \u003ccode\u003eleakwatch:ignore\u003c/code\u003e işaretlerini ayrıca gözden geçirin.\u003c/p\u003e\n\u003ch2 id=\"6-dorulama\"\u003e6. Doğrulama\u003c/h2\u003e\n\u003cp\u003eTüm parçalar için tespit tamamlandıktan sonra motor, bulguları ayrı bir \u003cstrong\u003edoğrulama işçi havuzuna\u003c/strong\u003e geçirir (varsayılan 4 işçi). Bu adım ham sırrı ilgili sağlayıcının API'sine gönderir; sırrın süreç sınırını terk ettiği tek yer burasıdır ve giden ağ erişimi gerektirir. Doğrulama:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTüm işçiler arasında paylaşılan global bir \u003cstrong\u003ehız sınırlayıcı\u003c/strong\u003e (varsayılan saniyede 10 istek) ile korunur.\u003c/li\u003e\n\u003cli\u003eHer API çağrısına \u003cstrong\u003eistek başına zaman aşımı\u003c/strong\u003e (varsayılan 10 saniye) uygular.\u003c/li\u003e\n\u003cli\u003eSağlayıcıya yalnızca \u003cstrong\u003esalt-okunur, yıkıcı olmayan\u003c/strong\u003e çağrılar yapar (örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHer bulguyu dört durumdan biriyle işaretler: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch \u003cstrong\u003e54 doğrulayıcı\u003c/strong\u003e ile birlikte gelir; 63 yerleşik dedektör türünün %85,7'sini kapsar. 
Kalan 9 tür (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman \u003ccode\u003eunverified\u003c/code\u003e olarak raporlanır.\u003c/p\u003e\n\u003cp\u003eBu aşamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin — hızlı, çevrimdışı taramalar için ve ham sırrın sağlayıcıya gönderilmesini istemediğiniz ortamlar için kullanışlıdır. Bu durumda hiçbir bulgu \u003ccode\u003everified:active\u003c/code\u003e durumu alamayacağından \u003ccode\u003e--only-verified\u003c/code\u003e filtresiyle birlikte kullanmak tüm bulguları eler.\u003c/p\u003e\n\u003cp\u003eDoğrulama davranışı ve durum anlamları hakkında derinlemesine bilgi için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"7-bulgu-kimlii-ve-entropi\"\u003e7. Bulgu kimliği ve entropi\u003c/h2\u003e\n\u003cp\u003eHer bulgu, şu şekilde hesaplanan \u003cstrong\u003edeterministik bir kimlik\u003c/strong\u003e alır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(dedektörID + maskelendi + dosyaYolu + satır) → 16 hex karaktere kısaltıldı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAynı konumdaki aynı sır her zaman aynı kimliği üretir; bu da bulguları çalıştırmalar arasında yinelenenleri kaldırmayı veya sorun izleyicilerde takip etmeyi güvenli kılar. Kimlik dosya yolunu ve satır numarasını içerdiğinden, sır başka bir dosyaya taşındığında veya satırı kaydığında yeni bir kimlik alır; kimlik ham sırdan değil maskelenmiş gösterimden türetildiği için sırrın kendisini açığa çıkarmaz.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropisi\u003c/strong\u003e (aralık 0–8) her bulgu için hesaplanır ve bilgilendirme amacıyla çıktıda gösterilir. Motor düzeyinde entropi, yerleşik bulguları \u003cstrong\u003eengellemez veya düşürmez\u003c/strong\u003e — düşük entropili bir eşleşme yine de sonuçlarda görünür. Entropi eşikleri yalnızca özel kuralların içinde geçerlidir; her kural kendi minimumunu bildirebilir.\u003c/p\u003e\n\u003ch2 id=\"8-tarama-sonras-filtreler\"\u003e8. 
Tarama sonrası filtreler\u003c/h2\u003e\n\u003cp\u003eDoğrulamadan sonra iki filtre uygulanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — \u003ccode\u003everified:active\u003c/code\u003e olmayan tüm bulguları bırakır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — belirtilen önem düzeyinin (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; varsayılan \u003ccode\u003elow\u003c/code\u003e) altındaki bulguları bırakır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHer iki filtre de doğrulama sonrasında çalışır; böylece \u003ccode\u003e--only-verified\u003c/code\u003e değerlendirildiğinde doğrulama durumu kullanılabilir olur.\u003c/p\u003e\n\u003ch2 id=\"9-kt\"\u003e9. Çıktı\u003c/h2\u003e\n\u003cp\u003eHayatta kalan bulgular dört \u003cstrong\u003ebiçimleyiciden\u003c/strong\u003e birine iletilir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBiçim\u003c/th\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eYaygın kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (varsayılan)\u003c/td\u003e\n\u003ctd\u003eMakine tarafından okunabilir, hat dostu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, güvenlik panoları\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eElektronik tablolar, veri analizi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTablo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format 
table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal incelemesi, önem derecesine göre renklendirilmiş\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıktı varsayılan olarak stdout'a gider; bir dosyaya yazmak için \u003ccode\u003e--output \u0026lt;dosya\u0026gt;\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eBiçim veya çıktı hedefi ne olursa olsun, her taramadan sonra bir \u003cstrong\u003etarama özeti\u003c/strong\u003e (tarih, kaynak türü, hedef, taranan dosyalar, süre, bulgu sayısı, kesme durumu) her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eLeakwatch, bulunan sırların doğrulama çağrıları dışında süreç sınırını asla terk etmemesi için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları yalnızca tespit ve doğrulama sırasında bellekte yaşar.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--show-raw\u003c/code\u003e bayrağı varsayılan olarak \u003ccode\u003efalse\u003c/code\u003e'tur; bu olmadan çıktıda yalnızca maskelenmiş gösterim görünür. Bayrak açıkken ham sır çıktının parçası olur ve \u003ccode\u003e--output\u003c/code\u003e ile bir dosyaya ya da stdout üzerinden CI günlüklerine ulaşabilir; bu nedenle yalnızca yerel, bilinçli incelemelerde kullanın.\u003c/li\u003e\n\u003cli\u003eSırlar asla diske yazılmaz, \u003ccode\u003eslog\u003c/code\u003e aracılığıyla loglanmaz veya çalıştırmalar arasında önbelleğe alınmaz; tek istisna, yukarıda açıklanan \u003ccode\u003e--show-raw\u003c/code\u003e çıktısıdır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tasarm-kararlar\"\u003eTasarım kararları\u003c/h2\u003e\n\u003cp\u003eMimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO devre dışı\u003c/strong\u003e (ADR-0001) — tek statik ikili dosya, çalışma zamanı bağımlılığı yok, tüm platformlara çapraz derlenir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — \u003ccode\u003ebayrak \u0026gt; env \u0026gt; yapılandırma \u0026gt; varsayılan\u003c/code\u003e önceliğiyle hiyerarşik 
CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — saf Go Git kütüphanesi; harici \u003ccode\u003egit\u003c/code\u003e ikili dosyası gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDerleme zamanı dedektör kaydı\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + boş importlar; tür güvenli, çalışma zamanı eklenti yükleyicisi yok.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hibrit eşleştirme\u003c/strong\u003e (ADR-0005) — ön filtre, alakasız parçalardaki regex çalışmasının çoğunu ortadan kaldırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonsuz katman analizi; imajları taramak için Docker daemon gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eİşçi havuzu\u003c/strong\u003e (ADR-0008) — sabit goroutine sayısı, kanal tabanlı fan-out; öngörülebilir bellek ve CPU kullanımı.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Kurulum","description":"Leakwatch'ı Homebrew, go install, Docker veya hazır bir ikili dosya ile kurun.","html":"\u003ch1 id=\"kurulum\"\u003eKurulum\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ı makinenize kurmak bir dakikadan az sürer. 
İş akışınıza en uygun yöntemi seçin: Homebrew macOS ve Linux'ta en basit seçenektir, \u003ccode\u003ego install\u003c/code\u003e halihazırda bir Go araç zinciriniz varsa idealdir, Docker ana sisteminizi temiz tutar ve hazır ikili dosyalar herhangi bir araç zinciri gerektirmeden her yerde çalışır.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-ve-linux\"\u003eHomebrew (macOS ve Linux)\u003c/h2\u003e\n\u003cp\u003eResmi tap, amd64 ve arm64 mimarilerinde macOS ve Linux'u destekler.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTap, \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e adresinde barındırılmaktadır. Homebrew ile yükseltmek için \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e komutunu kullanın.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003ego install\u003c/h2\u003e\n\u003cp\u003eGo 1.25 veya daha yeni bir sürümü yüklüyse, en son sürümü doğrudan kaynaktan derleyip kurabilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİkili dosya \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e dizinine yerleştirilir. Bu dizinin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olduğundan emin olun.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e her zaman en son etiketli sürümü getirir. 
Belirli bir sürüme sabitlemek için \u003ccode\u003e@latest\u003c/code\u003e yerine \u003ccode\u003e@v1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eMinimal, çok aşamalı bir Alpine imajı GitHub Container Registry'de yayımlanmaktadır. İmaj, root olmayan bir kullanıcı (\u003ccode\u003eleakwatch\u003c/code\u003e) olarak çalışır, CGO devre dışıdır ve çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKullanılabilir etiketler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın. 
Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için \u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"hazr-ikili-dosya\"\u003eHazır ikili dosya\u003c/h2\u003e\n\u003cp\u003eHer sürüm, desteklenen tüm platformlar için \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasında tar arşivleri yayımlar. Platformunuza ait arşivi indirin, açın ve ikili dosyayı \u003ccode\u003ePATH\u003c/code\u003e değişkeninizdeki bir dizine taşıyın. Kurulumdan önce indirilen arşivi sürümle birlikte yayımlanan SHA-256 sağlama toplamına karşı doğrulayın; aşağıdaki örnekteki \u003ccode\u003elatest\u003c/code\u003e bağlantısı her zaman en son sürüme işaret ettiğinden, CI veya üretim ortamlarında belirli bir sürüm etiketine sabitlemeyi tercih edin.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDesteklenen platformlar:\u003c/strong\u003e amd64 ve arm64 mimarilerinde Linux, macOS ve Windows.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Linux amd64 örneği — OS ve ARCH değerlerini platformunuza göre değiştirin\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform adlandırması \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e kalıbını izler; \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e değeri \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e veya \u003ccode\u003eWindows\u003c/code\u003e, \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e değeri ise \u003ccode\u003eamd64\u003c/code\u003e veya \u003ccode\u003earm64\u003c/code\u003e 
olabilir.\u003c/p\u003e\n\u003ch2 id=\"kurulumu-dorulama\"\u003eKurulumu doğrulama\u003c/h2\u003e\n\u003cp\u003eHerhangi bir kurulum yönteminin ardından ikili dosyanın erişilebilir olduğunu doğrulayın ve sürümü kontrol edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeklenen çıktı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut bulunamazsa kurulum dizininin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olup olmadığını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — Leakwatch taramasının arkasındaki mimari.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile tarama davranışını özelleştirin.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Tanıtım","description":"Leakwatch nedir, neyi tarar ve sızan sırları nasıl tespit edip 
doğrular.","html":"\u003ch1 id=\"tantm\"\u003eTanıtım\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e, sızan sırları — API anahtarları, token'lar, parolalar, bağlantı dizeleri ve özel anahtarlar — kod tabanlarınızda, Git geçmişinizde, konteyner imajlarınızda, bulut depolamanızda ve Slack çalışma alanlarınızda \u003cstrong\u003etespit eden, doğrulayan ve raporlayan\u003c/strong\u003e yüksek performanslı, açık kaynaklı (MIT) bir güvenlik aracıdır.\u003c/p\u003e\n\u003cp\u003eGo ile yazılmıştır, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olarak dağıtılır (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e) ve her yerde çalışacak şekilde tasarlanmıştır: bir geliştirici dizüstü bilgisayarı, bir pre-commit kancası veya bir CI/CD hattı.\u003c/p\u003e\n\u003ch2 id=\"neden-leakwatch\"\u003eNeden Leakwatch\u003c/h2\u003e\n\u003cp\u003eTek bir commit'te sızan bir kimlik bilgisi — sonradan silinse bile — Git geçmişinde sonsuza dek erişilebilir kalabilir ve push edildikten dakikalar sonra istismar edilebilir. Leakwatch, bu sırları erken yakalamak ve hangilerinin \u003cem\u003egerçekten tehlikeli\u003c/em\u003e olduğunu söylemek için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGeniş tespit\u003c/strong\u003e — bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını ve daha fazlasını kapsayan 63 yerleşik dedektör; ayrıca kendi YAML özel kurallarınız.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eYalnızca tespit değil, doğrulama\u003c/strong\u003e — 54 dedektör türü için Leakwatch, bulunan bir sırrın \u003cem\u003ehâlâ etkin\u003c/em\u003e olup olmadığını sağlayıcıya kontrollü, salt-okunur bir çağrı yaparak teyit edebilir. 
Etkin olduğu doğrulanmış bir anahtar bir olaydır; etkin olmayan bir anahtar ise gürültüdür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eÇok sayıda kaynak\u003c/strong\u003e — yerel dosya sistemi, eksiksiz bir Git geçmişi, bir OCI/Docker imajı, AWS S3, Google Cloud Storage ve Slack mesajları.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-uyumlu çıktı\u003c/strong\u003e — JSON, SARIF (GitHub Code Scanning için), CSV ve renklendirilmiş terminal tablosu.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTasarımı gereği sır-güvenli\u003c/strong\u003e — bulunan sırlar varsayılan olarak maskelenir ve asla loglanmaz, önbelleğe alınmaz veya diske yazılmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"neleri-tarar\"\u003eNeleri tarar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNeyi kapsar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosyalar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob (yerel veya uzak)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker imaj katmanları, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan 
gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanallardaki ve (isteğe bağlı) DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇoklu depo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAynı anda birden fazla Git deposu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"tespit-ksaca-nasl-alr\"\u003eTespit kısaca nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch, büyük girdilerde bile hızlı kalmak için katmanlı bir hat kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick anahtar kelime ön-filtresi\u003c/strong\u003e — tek bir çok-desenli otomat, bir parçayı hangi dedektörlerin eşleştirebileceğine hızla karar verir; böylece dedektörlerin çoğu regex'ini hiç çalıştırmaz.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex doğrulaması\u003c/strong\u003e — yalnızca kısa listeye alınan dedektörler kesin desenlerini çalıştırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropi\u003c/strong\u003e — Shannon entropisi gösterim için hesaplanır (ve özel kurallar tarafından düşük rastgelelikteki eşleşmeleri elemek için kullanılır).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDoğrulama\u003c/strong\u003e — uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch'ı kullanmak için bu hattı anlamanız gerekmez — ancak taramaların neden hızlı olduğunu ve bazı bulguların neden bir doğrulama durumu gösterirken bazılarının göstermediğini açıklar. 
Tam tablo için \u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"leakwatch-ne-deildir\"\u003eLeakwatch \u003cem\u003ene değildir\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eBeklentileri doğru belirlemek için:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGit geçmişini yeniden yazmaz veya sırları sizin için \u003cstrong\u003ekaldırmaz\u003c/strong\u003e — onları bulup raporlar ve (\u003ccode\u003e--remediation\u003c/code\u003e ile) nasıl döndüreceğinizi söyler.\u003c/li\u003e\n\u003cli\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar; yüklenen dosyaların \u003cem\u003eiçeriğini\u003c/em\u003e taramak uygulanmamıştır.\u003c/li\u003e\n\u003cli\u003eDoğrulama, birçok sır türü için mevcuttur ancak hepsi için değil — 9 dedektör türü (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman doğrulanmamış olarak raporlanır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker veya hazır bir ikili dosya ile kurun.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — taramanın arkasındaki mimari.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Hızlı Başlangıç","description":"İlk Leakwatch taramanızı bir dakikadan kısa sürede çalıştırın.","html":"\u003ch1 id=\"hzl-balang\"\u003eHızlı Başlangıç\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın neler yapabileceğini anlamanın en hızlı yolu, onu gerçek bir dizine yönlendirmektir. 
Bu sayfa ilk taramanızda size rehberlik eder, çıktının ne anlama geldiğini açıklar ve en sık kullanacağınız bayrakları gösterir.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eLeakwatch kurulu ve \u003ccode\u003ePATH\u003c/code\u003e değişkeninizde erişilebilir olmalıdır. Henüz yapmadıysanız \u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"lk-taramanz\"\u003eİlk taramanız\u003c/h2\u003e\n\u003cp\u003eMevcut dizini tek bir komutla tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak çıktı JSON biçiminde stdout'a yazılır. Bunun yerine okunabilir, renklendirilmiş bir tablo almak için \u003ccode\u003e--format table\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBir sonucun nasıl göründüğü aşağıdadır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTarama özeti her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır; bu nedenle pipe veya yeniden yönlendirilen çıktıyla hiçbir zaman çakışmaz.\u003c/p\u003e\n\u003ch2 
id=\"bulguyu-anlamak\"\u003eBulguyu anlamak\u003c/h2\u003e\n\u003cp\u003eTablodaki her satır (veya JSON'daki her nesne) bir bulguyu temsil eder. Temel alanlar şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSır türünün ne kadar kritik olduğu: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşen dedektör — sır türünü tanımlar (örneğin \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın bulunduğu dosyanın tarama köküne göreli yolu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşmenin satır numarası\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın maskelenmiş gösterimi — \u003ccode\u003e--show-raw\u003c/code\u003e ayarlanmadıkça ham değer hiçbir zaman gösterilmez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulama sonucu: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya 
\u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003everified:active\u003c/code\u003e durumu, Leakwatch'ın sağlayıcıya salt-okunur bir API çağrısı yaparak sırrın hâlâ etkin olduğunu doğruladığı anlamına gelir. \u003cstrong\u003eHer \u003ccode\u003everified:active\u003c/code\u003e bulgusunu açık bir olay olarak değerlendirin.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"yaygn-tarama-seenekleri\"\u003eYaygın tarama seçenekleri\u003c/h2\u003e\n\u003ch3 id=\"yalnzca-onaylanm-srlara-odaklann\"\u003eYalnızca onaylanmış sırlara odaklanın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu seçenek doğrulanmamış ve etkin olmayan bulguları gizler; yalnızca etkin olduğu onaylananları bırakır. Çok sayıda sonucunuz olduğunda önceliklendirme için kullanışlıdır.\u003c/p\u003e\n\u003ch3 id=\"hzl-evrimd-tarama-iin-a-dorulamasn-atlayn\"\u003eHızlı çevrimdışı tarama için ağ doğrulamasını atlayın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama tamamen atlanır — hiçbir giden ağ çağrısı yapılmaz. Sonuçlar daha hızlı görünür ve internet bağlantısı olmadan çalışır, ancak tüm bulgular \u003ccode\u003eunverified\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"dzeltme-klavuzu-ekleyin\"\u003eDüzeltme kılavuzu ekleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer bulgu, söz konusu sır türünü nasıl döndüreceğinizi veya iptal edeceğinizi açıklayan bir \u003cstrong\u003eREMEDIATION\u003c/strong\u003e sütunu kazanır. 
Bayrak ayarlandığında aynı veriler JSON, SARIF ve CSV çıktısına da dahil edilir.\u003c/p\u003e\n\u003ch3 id=\"minimum-nem-derecesine-gre-filtreleyin\"\u003eMinimum önem derecesine göre filtreleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e önem derecesindeki bulgular raporlanır.\u003c/p\u003e\n\u003ch3 id=\"sonular-dosyaya-kaydedin\"\u003eSonuçları dosyaya kaydedin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e bayrağı stdout yerine bir dosyaya yazar. SARIF çıktısı \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e ile uyumludur.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-oluturma\"\u003eYapılandırma dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003eİlk denemede varsayılanlarla çalıştırmak uygundur; ancak tekrarlayan kullanım için proje düzeyinde bir yapılandırma isteyeceksiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut, eşzamanlılık, entropi, doğrulama, çıktı biçimi ve yaygın yol dışlamaları için önerilen varsayılanlarla mevcut dizine \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yazar. 
Mevcut bir dosyanın üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e, farklı bir yola yazmak için \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eHer seçeneğin tam açıklaması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI betiklerinin çıktıyı ayrıştırmadan sonuçlara göre hareket edebilmesi için farklı çıkış kodları kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bulgu yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bir veya daha fazla sır bulundu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama bir hata nedeniyle başarısız oldu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTipik bir CI kapısı şöyle görünür:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? 
-eq 1 ]; then\n echo \u0026quot;Etkin sırlar bulundu — derleme başarısız\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, etkin filtreleri geçen (\u003ccode\u003e--min-severity\u003c/code\u003e ve \u003ccode\u003e--only-verified\u003c/code\u003e dahil) \u003cem\u003eherhangi bir\u003c/em\u003e bulgu olduğunda döndürülür. Temiz çıkış kodu \u003ccode\u003e0\u003c/code\u003e, hiçbir bulgunun eşleşmediği anlamına gelir — kod tabanında sır olmadığı anlamına gelmez.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"taramay-iptal-etme\"\u003eTaramayı iptal etme\u003c/h2\u003e\n\u003cp\u003eÇalışan bir taramayı iptal etmek için \u003ccode\u003eCtrl+C\u003c/code\u003e tuşuna basın (veya \u003ccode\u003eSIGTERM\u003c/code\u003e gönderin). Leakwatch düzgün biçimde durur: işlemdeki parçalar tamamlanır, kısmi sonuçlar yazılır ve özet \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Çıktı Formatları","description":"Leakwatch'ın desteklediği beş çıktı formatı — JSON, SARIF, CSV, tablo ve GitHub ek açıklamaları — 
örnekler ve her birini ne zaman kullanacağınıza dair rehberlik.","html":"\u003ch1 id=\"kt-formatlar\"\u003eÇıktı Formatları\u003c/h1\u003e\n\u003cp\u003eLeakwatch beş çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları, insan tarafından okunabilir terminal incelemesi ve GitHub Actions ek açıklamaları. \u003ccode\u003e--format\u003c/code\u003e (veya \u003ccode\u003e-f\u003c/code\u003e) ile bir format seçin; stdout yerine bir dosyaya yazmak için \u003ccode\u003e--output\u003c/code\u003e (veya \u003ccode\u003e-o\u003c/code\u003e) kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\nleakwatch scan fs . --format github # GitHub Actions ek açıklamaları (CI kullanımı)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan format \u003ccode\u003ejson\u003c/code\u003e'dur.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON varsayılan format ve en eksiksiz temsil biçimidir. Leakwatch, stdout'a (veya \u003ccode\u003e--output\u003c/code\u003e ile verilen dosyaya) bulgu nesnelerinden oluşan bir JSON \u003cstrong\u003edizisi\u003c/strong\u003e yazar.\u003c/p\u003e\n\u003cp\u003eHam sır değeri, \u003ccode\u003e--show-raw\u003c/code\u003e açıkça ayarlanmadıkça \u003cstrong\u003ehiçbir zaman\u003c/strong\u003e serileştirilmez. 
\u003ccode\u003e--show-raw\u003c/code\u003e ile her nesneye bir \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e alanı eklenir.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-bulgu-nesnesi\"\u003eÖrnek bulgu nesnesi\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--remediation\u003c/code\u003e de ayarlandığında her bulgunun içine iç içe bir \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e nesnesi yerleştirilir. Bkz. \u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif\u003c/code\u003e formatı, \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e'e yüklenmek üzere tasarlanmış bir SARIF v2.1.0 belgesi üretir. 
Araç adı \u003ccode\u003eLeakwatch\u003c/code\u003e'tır ve \u003ccode\u003einformationUri\u003c/code\u003e \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e adresine işaret eder.\u003c/p\u003e\n\u003cp\u003eBulgularda görünen her dedektör, SARIF sürücüsünde bir \u003cstrong\u003ekural\u003c/strong\u003e haline gelir; \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme adımlarından doldurulan \u003ccode\u003ehelp\u003c/code\u003e metni ve sağlayıcı belgelerine işaret eden bir \u003ccode\u003ehelpUri\u003c/code\u003e ile birlikte. Sonuçlar, dedektör ID'si, maskelenmiş değer ve dosya yolundan hesaplanan bir \u003ccode\u003eleakwatch/v1\u003c/code\u003e kısmi parmak izi taşır — bu, çevresindeki kod kaydığında bile GitHub Code Scanning'in aynı uyarıyı takip etmesini sağlar.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-1\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"github-code-scanninge-ykleme\"\u003eGitHub Code Scanning'e yükleme\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Bir GitHub Actions iş akışı adımında:\n- name: SARIF sonuçlarını yükle\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam CI kurulumu için \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003ecsv\u003c/code\u003e formatı, bir başlık satırı ve ardından bulgu başına bir satır yazar; standart virgülle ayrılmış değerler kullanır. 
Her hücre yazılmadan önce elektronik tablo formül enjeksiyonuna karşı sterilize edilir.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar (varsayılan):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eraw\u003c/code\u003e sütunu eklenir.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eremediation\u003c/code\u003e sütunu, \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme başlığını (örn. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) içerir, aksi hâlde boş kalır.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-2\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tablo\"\u003eTablo\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003etable\u003c/code\u003e formatı, insan tarafından okunabilir sekme hizalı bir tablo yazar; sonuçların hızlı görsel taramasını istediğiniz etkileşimli terminal oturumları için en uygun formattır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | 
REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eRAW\u003c/code\u003e sütunu eklenir. Tablonun altına bir özet satırı yazdırılır (örn. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI rengi\u003c/strong\u003e, \u003ccode\u003eSEVERITY\u003c/code\u003e sütununa otomatik olarak uygulanır, ancak yalnızca dört koşulun tamamı sağlandığında:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e seçilmiş\u003c/li\u003e\n\u003cli\u003eÇıktı stdout'a gidiyor (\u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e yok)\u003c/li\u003e\n\u003cli\u003estdout bir TTY (pipe veya yönlendirme değil)\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e ortam değişkeni ayarlanmamış\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÖnem derecesi\u003c/th\u003e\n\u003cth\u003eRenk\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKalın kırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSarı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMavi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"rnek-ar-3\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt-1\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"github-ek-aklamalar\"\u003eGitHub ek açıklamaları\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003egithub\u003c/code\u003e formatı, \u003ca href=\"https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions\"\u003eGitHub Actions iş akışı komutlarını\u003c/a\u003e (\u003ccode\u003e::error\u003c/code\u003e / \u003ccode\u003e::warning\u003c/code\u003e / \u003ccode\u003e::notice\u003c/code\u003e) yayar; böylece bulgular bir pull request'in \u003cem\u003eFiles changed\u003c/em\u003e görünümünde ve çalışma günlüğünde \u003cstrong\u003esatır içi ek açıklamalar\u003c/strong\u003e olarak görünür. Runner'ın stdout'una akıtılmak üzere tasarlanmıştır — bir dosyaya yazmanın etkisi yoktur.\u003c/p\u003e\n\u003cp\u003eÖnem derecesi ek açıklama seviyesine eşlenir: \u003ccode\u003ecritical\u003c/code\u003e → \u003ccode\u003eerror\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e → \u003ccode\u003ewarning\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e/\u003ccode\u003elow\u003c/code\u003e → \u003ccode\u003enotice\u003c/code\u003e. 
Dosya yolu olan bir bulgu o dosya ve satıra bağlanır; dosya yolu olmayan bir bulgu çalışma düzeyinde (run-level) bir ek açıklama olur.\u003c/p\u003e\n\u003cp\u003eGüvenlik için bu format ham sırrı \u003cstrong\u003easla\u003c/strong\u003e yazdırmaz — \u003ccode\u003e--show-raw\u003c/code\u003e ile bile yalnızca redakte edilmiş değer gösterilir; çünkü ek açıklamalar (çoğu zaman herkese açık olan) PR arayüzünde ve günlüklerde görüntülenir.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-4\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format github\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt-2\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e::error file=config/prod.env,line=12,title=Leakwatch%3A aws-access-key-id::Potential secret detected by aws-access-key-id (critical): AKIA****K7NP\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu format normalde elle çağrılmak yerine \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e (\u003ccode\u003eformat: github\u003c/code\u003e) tarafından kullanılır.\u003c/p\u003e\n\u003ch2 id=\"yaygn-kt-bayraklar\"\u003eYaygın çıktı bayrakları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı formatı: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003egithub\u003c/code\u003e (varsayılan 
\u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout yerine dosyaya yaz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya maskelenmemiş sır değerini dahil et\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBu önem seviyesinin altındaki bulguları bırak\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca \u003ccode\u003everified_active\u003c/code\u003e bulgularını tut\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBulguları sağlayıcı düzeltme rehberiyle zenginleştir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Düzeltme Rehberi","description":"Bulguları sağlayıcıya özgü döndürme ve iptal adımları, aciliyet dereceleri ve resmi dokümantasyon bağlantılarıyla zenginleştirmek için --remediation kullanın.","html":"\u003ch1 id=\"dzeltme-rehberi\"\u003eDüzeltme Rehberi\u003c/h1\u003e\n\u003cp\u003eBir sırrın 
sızdığını bilmek işin yalnızca yarısıdır — ayrıca ne yapacağınızı da bilmeniz gerekir. Herhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e eklemek, her bulguyu yapılandırılmış, sağlayıcıya özgü rehberlikle zenginleştirir: kimlik bilgisini döndürme veya iptal etme adımları, sağlayıcının belgelerine bağlantı, yönetim konsoluna bağlantı, aciliyet derecelendirmesi ve bir doğrulama kontrol listesi.\u003c/p\u003e\n\u003ch2 id=\"nasl-etkinletirilir\"\u003eNasıl etkinleştirilir\u003c/h2\u003e\n\u003cp\u003eHerhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDüzeltme zenginleştirmesi varsayılan olarak devre dışıdır. Bayrak yoksa, her bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı \u003ccode\u003enull\u003c/code\u003e olur ve fazladan veri alınmaz veya hesaplanmaz.\u003c/p\u003e\n\u003ch2 id=\"ne-ierir\"\u003eNe içerir\u003c/h2\u003e\n\u003cp\u003eHer düzeltme girişi aşağıdaki alanları içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDüzeltme eyleminin kısa adı (örn. 
\u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrı döndürmek veya iptal etmek için sıralı adımlar listesi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının resmi kimlik bilgisi yönetimi belgelerine bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının yönetim konsolu sayfasına doğrudan bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNe kadar hızlı harekete geçileceği: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e veya \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDöndürme sonrası doğrulama adımları (örn. denetim günlüklerini inceleyin, güvenlik ekibini bilgilendirin)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch, her yerleşik dedektör için bir tane olmak üzere 63 düzeltme girişiyle birlikte gelir. 63 girişin tamamı ikili dosyaya dahildir; rehberliği almak için herhangi bir ağ çağrısı yapılmaz. Bu, çevrimdışı ortamlarda veya hava boşluklu ağlarda bile düzeltme rehberliğinin sorunsuz çalışması anlamına gelir.\u003c/p\u003e\n\u003ch2 id=\"her-formatta-nasl-grnr\"\u003eHer formatta nasıl görünür\u003c/h2\u003e\n\u003cp\u003eZenginleştirme, rehberliği bellekteki bulgu nesnesine ekler. 
Nasıl göründüğü çıktı formatına bağlıdır:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — tam yapılandırılmış \u003ccode\u003eremediation\u003c/code\u003e nesnesi her bulgunun içine yerleştirilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for 
unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — \u003ccode\u003esteps\u003c/code\u003e alanları, kuralın \u003ccode\u003ehelp.text\u003c/code\u003e alanına yerleştirilir ve \u003ccode\u003edoc_url\u003c/code\u003e, kuralın \u003ccode\u003ehelpUri\u003c/code\u003e'si olarak ayarlanır. Bu, GitHub Code Scanning'in uyarı ayrıntıları panelinde doğrudan görünür.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı \u003ccode\u003eremediation\u003c/code\u003e sütununa yazılır. Tam yapılandırılmış rehberlik CSV çıktısına dahil edilmez.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTablo\u003c/strong\u003e — \u003ccode\u003eREMEDIATION\u003c/code\u003e sütununda yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı gösterilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOtomatik olay müdahale iş akışları için tam yapılandırılmış rehberliğe ihtiyaç duyduğunuzda \u003ccode\u003e--remediation --format json\u003c/code\u003e kullanın. Terminalde hızlı, insan tarafından okunabilir bir önceliklendirme oturumu için \u003ccode\u003e--remediation --format table\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eZenginleştirme yalnızca \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında çalışır. Bayrak olmadan, \u003ccode\u003eremediation\u003c/code\u003e alanı JSON ve SARIF çıktısında yoktur ve CSV ile tablo \u003ccode\u003eremediation\u003c/code\u003e sütunları boştur. Bayrak, orijinal tarama sonuçlarını değiştirmez — bunların üzerine bir katman ekler.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kurallar-ve-dzeltme\"\u003eÖzel kurallar ve düzeltme\u003c/h2\u003e\n\u003cp\u003eÖzel kural tanımları bir \u003ccode\u003eremediation\u003c/code\u003e bloğunu desteklemez — düzeltme rehberliği yalnızca yerleşik dedektörler için mevcuttur. 
Özel bir kural tarafından tetiklenen bulgu için \u003ccode\u003e--remediation\u003c/code\u003e bayrağı geçildiğinde, o bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı boş kalır; diğer alanlar etkilenmez.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Başvurusu","description":"Her Leakwatch komutu, alt komutu ve bayrağı için tam başvuru kaynağı.","html":"\u003ch1 id=\"cli-bavurusu\"\u003eCLI Başvurusu\u003c/h1\u003e\n\u003cp\u003eBu sayfa, tüm Leakwatch komutları ve bayrakları için yetkili başvuru kaynağıdır. Kavramsal açıklamalar ve çalışma örnekleri için ilgili tarama veya yapılandırma sayfalarındaki çapraz bağlantıları takip edin.\u003c/p\u003e\n\u003ch2 id=\"global-bayraklar\"\u003eGlobal bayraklar\u003c/h2\u003e\n\u003cp\u003eBu bayraklar her komut ve alt komut üzerinde kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOtomatik olarak bulunan \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasının yolu. 
Atlandığında Leakwatch, geçerli dizinde ve üst dizinlerinde \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e arar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGünlük ayrıntı düzeyi: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e veya \u003ccode\u003eerror\u003c/code\u003e. Günlük çıktısı stderr'e gider ve tarama sonuçlarını etkilemez.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eİkili dosya sürümünü, commit karmasını ve derleme zaman damgasını yazdırır, ardından çıkar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGeçerli dizinde önerilen varsayılanlarla bir \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyası oluşturur.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasını varsayılan yerine 
bu yola yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMevcut bir yapılandırma dosyasının üzerine yaz. Bu bayrak olmadan, çıktı dosyası zaten mevcutsa \u003ccode\u003einit\u003c/code\u003e hatayla çıkar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Varsayılan yapılandırmayı oluştur\nleakwatch init\n\n# Mevcut yapılandırmanın üzerine yaz\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eTüm tarama alt komutları için üst komut. Kendi başına davranışı yoktur; bir alt komut çalıştırın.\u003c/p\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003cp\u003eAşağıdaki bayraklar \u003cstrong\u003etüm\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e alt komutlarında kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya 
\u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosya yoluna yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu bayt sayısından büyük dosyaları veya blob'ları atla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya ham (maskelenmemiş) sır değerini dahil et. Dikkatli kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı sır doğrulamasını devre dışı bırak. 
Giden API çağrısı yapılmaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya dahil edilecek minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi (dönüşüm/iptal adımları) ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel bir dizin ağacını tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e varsayılan olarak \u003ccode\u003e.\u003c/code\u003e'dır. 
En fazla bir konumsal argüman kabul eder.\u003c/p\u003e\n\u003ch4 id=\"dosya-sistemine-zg-bayraklar\"\u003eDosya sistemine özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;kalıp\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob kalıbı. Tekrarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara, renklendirilmiş tablo yazdır\nleakwatch scan fs . --format table\n\n# SARIF çıktısını kaydet, test dosyalarını ve vendor'ı dışla\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel veya uzak bir Git deposunun tam commit geçmişini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir: yerel bir yol veya HTTP/HTTPS/SSH URL'si.\u003c/p\u003e\n\u003ch4 id=\"gite-zg-bayraklar\"\u003eGit'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since 
\u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit karmasından HEAD'e kadar olan değişiklikleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;ad\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan dal yerine belirli bir dalı hedefle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003eUzak depolar için sığ klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi getirir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-1\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tam yerel geçmişi tara\nleakwatch scan git . --format table\n\n# Bir pull request tarafından eklenen commit'leri tara\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir OCI/Docker imajının katmanlarını sırlar açısından tarar. 
Leakwatch daemonsuz çalışır ve kayıt defterinden doğrudan çeker — Docker soketi gerekmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"rnekler-2\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Genel bir imajı tara\nleakwatch scan image nginx:latest --format table\n\n# Özel kayıt defteri imajını tara, JSON çıktısını kaydet\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir AWS S3 kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, anahtarı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi. 
\u003ccode\u003eAWS_REGION\u003c/code\u003e ortam değişkenine veya AWS SDK varsayılanına geri döner.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-3\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm kovayı tara\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Belirli bir ön eki tara\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Google Cloud Storage kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"gcsye-zg-bayraklar\"\u003eGCS'ye özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, adı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği. 
Varsayılan kimlik bilgilerinden proje çıkarılamadığında gereklidir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-4\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm GCS kovasını tara\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Ön ek tara\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Slack çalışma alanındaki mesaj metnini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKonumsal argüman yoktur.\u003c/p\u003e\n\u003ch4 id=\"slacke-zg-bayraklar\"\u003eSlack'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token'ı. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni ile de ayarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. 
Atlandığında erişilebilir tüm kanalları tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adları veya kimliklerinin virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonra gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları dahil et (ek OAuth kapsamları gerektirir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-5\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Erişilebilir tüm kanalları tara\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Belirli kanalları belirli bir tarihten itibaren tara\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBirden fazla Git deposunu paralel olarak tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; 
[bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEn az iki konumsal argüman (depo URL'leri veya yerel yollar) gereklidir.\u003c/p\u003e\n\u003ch4 id=\"reposa-zg-bayraklar\"\u003eRepos'a özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eHer depo taramasındaki çalışan eşzamanlılığı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-6\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki depoyu paralel olarak tara\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Büyük bir depo seti için paralellizmi artır\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam 
Değişkenleri\u003c/a\u003e — Leakwatch'ı bayrak kullanmadan yapılandırma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — ayrıntılı \u003ccode\u003escan fs\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — ayrıntılı \u003ccode\u003escan git\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Ortam Değişkenleri","description":"Leakwatch davranışını bayrak kullanmadan yapılandıran ortam değişkenleri.","html":"\u003ch1 id=\"ortam-deikenleri\"\u003eOrtam Değişkenleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, yapılandırmayı öncelik sırasına göre üç kaynaktan okur: \u003cstrong\u003ekomut satırı bayrakları\u003c/strong\u003e, \u003cstrong\u003eortam değişkenlerini\u003c/strong\u003e geçersiz kılar; ortam değişkenleri \u003cstrong\u003eyapılandırma dosyasını\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e) geçersiz kılar; yapılandırma dosyası yerleşik \u003cstrong\u003evarsayılanlara\u003c/strong\u003e geri döner. 
Ortam değişkenleri, bir yapılandırma dosyasını değiştiremeyeceğiniz veya her çağrıya bayrak geçiremeyeceğiniz CI ortamlarında kullanışlıdır.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-deikeni-kalb\"\u003eYapılandırma değişkeni kalıbı\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki herhangi bir anahtar, ortam değişkeni olarak şu şekilde ayarlanabilir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAnahtar adını büyük harfe çevir.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştir.\u003c/li\u003e\n\u003cli\u003eBaşına \u003ccode\u003eLEAKWATCH_\u003c/code\u003e ekle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eÖrneğin, \u003ccode\u003escan.concurrency\u003c/code\u003e yapılandırma anahtarı \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"deiken-bavurusu\"\u003eDeğişken başvurusu\u003c/h2\u003e\n\u003ch3 id=\"leakwatcha-zg-deikenler\"\u003eLeakwatch'a özgü değişkenler\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e için Slack bot token'ı. \u003ccode\u003e--token\u003c/code\u003e'a eşdeğer. Token'ın kabuk geçmişinde veya CI günlüklerinde görünmesini önlemek için bayrak olarak geçirmek yerine bunu ayarlayın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı. 
\u003ccode\u003e--concurrency\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı doğrulamayı genel olarak devre dışı bırakmak için \u003ccode\u003efalse\u003c/code\u003e olarak ayarlayın. \u003ccode\u003e--no-verify\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm doğrulayıcılar genelinde saniye başına maksimum doğrulama isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan çıktı biçimi (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e). \u003ccode\u003e--format\u003c/code\u003e'a eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir eşleşmenin raporlanması için gereken minimum Shannon entropisi. Float değer, örn. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"grntleme-deikeni\"\u003eGörüntüleme değişkeni\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBoş olmayan herhangi bir değere ayarlandığında, \u003ccode\u003etable\u003c/code\u003e çıktı biçimlendiricisindeki ANSI renk kodlarını devre dışı bırakır. 
\u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e kuralını izler.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-deikenleri-scan-s3-ve-aws-sr-dorulamas-iin\"\u003eAWS değişkenleri (\u003ccode\u003escan s3\u003c/code\u003e ve AWS sır doğrulaması için)\u003c/h3\u003e\n\u003cp\u003eBunlar standart AWS SDK ortam değişkenleridir. Leakwatch bunları AWS SDK v2 varsayılan kimlik bilgisi zincirine aktarır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS erişim anahtarı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS gizli erişim anahtarı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS oturum token'ı (geçici kimlik bilgileri için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKullanılacak \u003ccode\u003e~/.aws/credentials\u003c/code\u003e dosyasından adlandırılmış profil.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-deikeni-scan-gcs-iin\"\u003eGCS değişkeni (\u003ccode\u003escan gcs\u003c/code\u003e 
için)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGoogle hizmet hesabı JSON anahtar dosyasının yolu. Bir GCS kovasını tararken Uygulama Varsayılan Kimlik Bilgileri tarafından kullanılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-rnei\"\u003eÖncelik örneği\u003c/h2\u003e\n\u003cp\u003eŞu kurulumu varsayın:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, \u003ccode\u003eoutput.format: table\u003c/code\u003e olarak ayarlıyor\u003c/li\u003e\n\u003cli\u003eOrtamda \u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e ayarlanmış\u003c/li\u003e\n\u003cli\u003eKomut \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e olarak çalıştırılıyor (\u003ccode\u003e--format\u003c/code\u003e bayrağı yok)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOrtam değişkeni yapılandırma dosyasını geçersiz kıldığından geçerli biçim \u003ccode\u003ejson\u003c/code\u003e'dır.\u003c/p\u003e\n\u003cp\u003eKomut \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e olarak çalıştırılırsa, bayrak her şeyi geçersiz kıldığından geçerli biçim \u003ccode\u003esarif\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kimlik-bilgileri-ve-tarama-kimlik-bilgileri\"\u003eDoğrulama kimlik bilgileri ve tarama kimlik bilgileri\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYukarıdaki AWS ve GCP değişkenleri, Leakwatch'ın \u003cstrong\u003ekendisinin\u003c/strong\u003e nesneleri taramak için S3 veya GCS'ye bağlanırken kimliğini doğrulaması için kullanılır. 
Bulunan sırları doğrulamak için kullanılmazlar. Keşfedilen bir AWS anahtarının doğrulanması, örneğin, runner'ın kimlik bilgilerini değil, keşfedilen anahtarın kendisini kullanarak AWS STS'yi çağırır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-srlar-gvenli-biimde-geirme\"\u003eCI'da sırları güvenli biçimde geçirme\u003c/h2\u003e\n\u003cp\u003eGitHub Actions'ta şifrelenmiş sırları kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGitLab CI'da maskelenmiş CI/CD değişkenlerini kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # proje ayarlarında maskelenmiş değişken olarak tanımlanmış\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eToken değerlerini hiçbir zaman iş akışı dosyalarına veya Dockerfile'lara sabit olarak kodlamayın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tam \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e anahtar başvurusu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eBulut Depolama Taraması\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e ve \u003ccode\u003escan gcs\u003c/code\u003e kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Taraması\u003c/a\u003e — Slack token kapsamları ve izinleri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — eşdeğer komut satırı bayrakları.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Çıkış Kodları","description":"Leakwatch çıkış kodu başvurusu ve bunların betiklerde ve CI pipeline'larında nasıl kullanılacağı.","html":"\u003ch1 id=\"k-kodlar\"\u003eÇıkış 
Kodları\u003c/h1\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için küçük, iyi tanımlanmış bir çıkış kodu seti kullanır. Her tarama alt komutu üç koddan biriyle çıkar.\u003c/p\u003e\n\u003ch2 id=\"kod-bavurusu\"\u003eKod başvurusu\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAd\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTemiz\u003c/td\u003e\n\u003ctd\u003eTarama başarıyla tamamlandı ve etkin filtrelerden hiçbir bulgu geçmedi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular var\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı ve etkin filtrelerden geçen bir veya daha fazla sır bulundu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHata\u003c/td\u003e\n\u003ctd\u003eTaramanın hiç çalışamamasına neden olan ciddi bir hata oluştu — örneğin geçersiz bir bayrak, okunamaz bir yol veya kimlik doğrulama hatası. Stderr'e bir \u003ccode\u003eError: ...\u003c/code\u003e mesajı ve kullanım ipucu yazdırılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"filtrelerin-k-kodu-1i-nasl-etkiledii\"\u003eFiltrelerin çıkış kodu 1'i nasıl etkilediği\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, yalnızca en az bir bulgu etkin çıktı filtrelerinin tümünden geçtiğinde yayılır. En ilgili iki filtre şunlardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — eşiğin altındaki bulgular bastırılır. 
Tüm bulgular \u003ccode\u003elow\u003c/code\u003e önem derecesindeyse ve \u003ccode\u003e--min-severity high\u003c/code\u003e ile çalışıyorsanız, sırlar mevcut olmasına rağmen çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulgular raporlanır. Etkin sır bulunamazsa çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBu, çıkış kodu \u003ccode\u003e0\u003c/code\u003e'ın \u0026quot;mevcut filtre ayarlarınızla eşleşen bulgu yok\u0026quot; anlamına geldiği anlamına gelir — kod tabanının hiçbir sır içermediği değil.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e altında temiz \u003ccode\u003e0\u003c/code\u003e çıkışı, kod tabanının sırdan arındırılmış olduğunu garanti etmez. Doğrulamanın mevcut olmadığı sır türleri (9 dedektör türü) her zaman doğrulanmamış olarak raporlanır ve \u003ccode\u003e--only-verified\u003c/code\u003e tarafından bastırılır. Tam kapsam için \u003ccode\u003e--only-verified\u003c/code\u003e ile birlikte ayrı bir filtresiz tarama yapın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kabuk-betiklerinde-k-kodlarn-kullanma\"\u003eKabuk betiklerinde çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;Sır bulunamadı. 
Derleme devam ediyor.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Sırlar bulundu — birleştirmeden önce leakwatch.json'u inceleyin ve düzeltin.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch bir hatayla karşılaştı (çıkış $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTaramadan önce \u003ccode\u003eset +e\u003c/code\u003e kullanmak, kabuğun sıfır dışı kodlarda çıkmasını engeller ve kodu kendiniz yakalayıp işlemenize olanak tanır.\u003c/p\u003e\n\u003ch2 id=\"ci-pipelinelarnda-k-kodlarn-kullanma\"\u003eCI pipeline'larında çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cp\u003eÇoğu CI sistemi, sıfır dışı herhangi bir çıkış kodunu adım başarısızlığı olarak değerlendirir. Leakwatch sırlar bulunduğunda \u003ccode\u003e1\u003c/code\u003e ile çıktığından, ek yapılandırma olmadan pipeline otomatik olarak başarısız olur — yalnızca tarama komutunu çalıştırın.\u003c/p\u003e\n\u003cp\u003eSırlar bulunsa bile pipeline'ın devam etmesine izin vermek için (örneğin, derlemeyi engellemeden raporu toplamak amacıyla) çıkış kodunu açıkça yoksayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitLab CI'da:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitHub Action'da \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"uygulamada-k-kodu-2\"\u003eUygulamada çıkış kodu 2\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e2\u003c/code\u003e, taramanın hiç çalışamamasına neden olan bir yapılandırma veya çalışma zamanı hatasını gösterir. 
Yaygın nedenler:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGeçersiz bir bayrak değeri (örneğin \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMevcut olmayan veya okunamaz bir yol.\u003c/li\u003e\n\u003cli\u003eEksik gerekli argüman (örneğin, URL olmadan \u003ccode\u003escan git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBir bulut kaynağına bağlanırken kimlik doğrulama hatası.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHata mesajı stderr'e yazdırılır ve sorunu teşhis etmeye yardımcı olacak bağlam içerir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — çıkış kodlarını GitLab CI, Jenkins ve diğerlerine bağlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — resmi action'ın çıkış kodlarını adım sonuçlarıyla nasıl eşlediği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — tam bayrak başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Bulut Depolama (S3 \u0026 GCS)","description":"AWS S3 ve Google Cloud Storage kovalarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"bulut-depolama-s3--gcs\"\u003eBulut Depolama (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSırlar sıklıkla bulut depolamaya taşınır — dışa aktarılan veritabanı dökümleri, ortam dosyaları, CI artefaktları ve günlük arşivleri, düşünüldüğünden çok daha fazla kişinin erişebildiği kovalara akar. 
Leakwatch, AWS S3 ve Google Cloud Storage kovalarını nesne nesne tarayabilir ve bulduğu sırları bir olaya dönüşmeden işaretler.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"kullanm\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003es3://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch standart \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS varsayılan kimlik bilgisi zincirini\u003c/a\u003e kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOrtam değişkenleri (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan kimlik bilgileri dosyası (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan yapılandırma dosyası (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eÖrneğe veya göreve atanmış IAM rolü (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAWS CLI ile zaten kimlik doğrulaması yaptıysanız (\u003ccode\u003eaws configure\u003c/code\u003e veya üstlenilmiş bir rol) ek yapılandırma gerekmez.\u003c/p\u003e\n\u003ch3 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü 
bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca anahtarı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eAWS yapılandırmasından\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-rnekleri\"\u003eS3 örnekleri\u003c/h3\u003e\n\u003cp\u003eTüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir bölgede belirli bir anahtar öneki altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eTaramayı ilgili bir alt yola sınırlamak için \u003ccode\u003e--prefix\u003c/code\u003e kullanın. Milyonlarca nesne içeren büyük bir kovayı taramak yavaş olabilir ve S3 GET istek maliyeti doğurabilir. 
Öneki gerçekten önemli olana — örneğin \u003ccode\u003econfigs/\u003c/code\u003e veya \u003ccode\u003eexports/\u003c/code\u003e — daraltın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"kullanm-1\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003egs://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama-1\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e kullanır. Kimlik bilgisi arama sırası şu şekildedir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eHizmet hesabı anahtar dosyasına işaret eden \u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e ortam değişkeni.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egcloud auth application-default login\u003c/code\u003e ile yapılandırılmış kullanıcı kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003eGoogle Compute Engine örneğine, Cloud Run hizmetine veya GKE iş yüküne atanmış hizmet hesabı.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcse-zg-bayraklar\"\u003eGCS'e özgü 
bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca adı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği (bazı ADC yapılandırmalarında gereklidir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-rnekleri\"\u003eGCS örnekleri\u003c/h3\u003e\n\u003cp\u003eBelirli bir GCP projesiyle tüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca belirli bir önek altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCSV olarak çıktı alın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h2\u003e\n\u003cp\u003eHem \u003ccode\u003es3\u003c/code\u003e hem de \u003ccode\u003egcs\u003c/code\u003e aynı ortak tarama bayraklarını 
destekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan nesneleri atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini 
göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eNesne anahtarlarına uygulanan yol dışlamaları \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. 
\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (kimlik doğrulama hatası, kova bulunamadı, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Konteyner İmajları","description":"Docker daemon gerektirmeksizin OCI ve Docker imaj katmanlarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"konteyner-majlar\"\u003eKonteyner İmajları\u003c/h1\u003e\n\u003cp\u003eKonteyner imajları sırların sıklıkla gizlendiği yerlerden biridir: ortam değişkenlerine gömülen API anahtarları, derleme katmanlarına yerleştirilmiş kimlik bilgileri ve imaj katmanlarına kopyalanıp unutulan yapılandırma dosyaları. 
\u003ccode\u003eleakwatch scan image\u003c/code\u003e, bir OCI veya Docker imajının her katmanını inceler ve bu sırları dağıtım öncesinde gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: standart \u003ccode\u003ename:tag\u003c/code\u003e gösteriminde bir imaj referansı. Leakwatch imajları çekmek ve incelemek için \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e kullanır — herhangi bir Docker daemon \u003cstrong\u003egerekmez\u003c/strong\u003e.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Docker Hub imajını tara\nleakwatch scan image nginx:latest\n\n# Özel GitHub Container Registry imajını tara\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Amazon ECR imajını tara\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"desteklenen-kayt-sunucular\"\u003eDesteklenen kayıt sunucuları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKayıt Sunucusu\u003c/th\u003e\n\u003cth\u003eÖrnek referans\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon 
ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eOCI uyumlu herhangi bir kayıt sunucusu\u003c/td\u003e\n\u003ctd\u003eStandart \u003ccode\u003eregistry/name:tag\u003c/code\u003e biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, Docker ve diğer OCI araçları tarafından kullanılan standart kimlik bilgisi anahtarlığını kullanır. \u003ccode\u003edocker login\u003c/code\u003e (veya \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, bulut sağlayıcısı kimlik bilgisi yardımcıları gibi eşdeğer araçlar) ile oturum açtıysanız, Leakwatch bu kimlik bilgilerini otomatik olarak kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Önce GHCR'a giriş yapın\ndocker login ghcr.io\n\n# Ardından tarayın — kimlik bilgileri otomatik olarak alınır\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAmazon ECR için, taramadan önce ECR kimlik bilgisi yardımcısını yapılandırın ya da \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e ve ilgili ortam değişkenlerini ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch imaj manifestini çeker, her katmanı sırayla işler ve her katmandaki dosyaları çıkarır. Her dosyanın içeriği, dosya sistemi taramasıyla aynı tespit hattından geçirilir. 
\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları burada da geçerlidir ve katmanlar içinde hangi dosya yollarının inceleneceğini sınırlar.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003cp\u003eİmaja özgü bayrak yoktur. Tüm ortak tarama bayrakları geçerlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla 
(bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eYol tabanlı dışlamalar \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. 
Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eDocker Hub imajını tarayın ve sonuçları tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt sunucusu imajını tarayın ve SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif sırları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eJSON çıktısına düzeltme rehberi dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eİmaj taramasından elde edilen her bulgu katman meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan imaj referansı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği katman 
özeti.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKatman içindeki dosyanın yolu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGizli bilgilerin bir kayıt sunucusuna push edilmeden önce yakalanması için konteyner imaj taramasını CI/CD hattınızın derleme aşamasına entegre edin. Sonuçları doğrudan GitHub Code Scanning'e yüklemek için \u003ccode\u003e--format sarif\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (imaj bulunamadı, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Dosya Sistemi","description":"leakwatch scan fs komutuyla yerel bir dizin ağacını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"dosya-sistemi\"\u003eDosya Sistemi\u003c/h1\u003e\n\u003cp\u003eSırlar çoğu zaman önce yerel kaynak kodda ortaya çıkar. \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutu, bir dizin ağacındaki tüm dosyaları dolaşır, her biri üzerinde tam tespit hattını çalıştırır ve bulguları raporlar — henüz commit edilmeden önce yakalamak ya da mevcut bir kod tabanını sonradan taramak için kullanabilirsiniz.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e isteğe bağlıdır. 
Belirtilmediğinde Leakwatch geçerli çalışma dizinini (\u003ccode\u003e.\u003c/code\u003e) tarar. Yalnızca tek bir path argümanı kabul edilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara\nleakwatch scan fs\n\n# Belirli bir proje klasörünü tara\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"dosya-sistemi-kaynann-otomatik-olarak-atladklar\"\u003eDosya sistemi kaynağının otomatik olarak atladıkları\u003c/h2\u003e\n\u003cp\u003eTaramaları hızlı ve gürültüsüz tutmak için dosya sistemi kaynağı herhangi bir yapılandırma gerekmeksizin şunları atlar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eİkili dosyalar\u003c/strong\u003e — dosyanın ilk 8 KB'ında null byte bulunmasıyla tespit edilir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBilinen ikili uzantılar\u003c/strong\u003e — yaygın derlenmiş, görsel, ses, video ve arşiv biçimleri.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKilit dosyaları\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e ve benzerleri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"dosya-sistemine-zg\"\u003eDosya sistemine özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (tekrarlanabilir)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob desenleri. 
Birden fazla kez belirtilebilir veya virgülle ayrılabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini 
göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eGeçerli dizini tarayın ve terminalde renklendirilmiş bir tablo yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTest dosyalarını ve vendor dizinlerini dışlayıp GitHub Code Scanning için SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir monorepo için dosya boyutunu sınırlayın ve çalışan sayısını artırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca yüksek önem dereceli bulguları gösterip rotasyon talimatlarını dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yollar-dlama\"\u003eYolları dışlama\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--exclude\u003c/code\u003e bayrağı glob desenlerini kabul eder ve birden fazla kez belirtilebilir ya da virgülle ayrılmış liste olarak kullanılabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki ayrı bayrak\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Virgülle ayrılmış\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTakımınızla paylaşılan kalıcı dışlama kuralları için \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasına \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında ekleyin. Bu kurallar yalnızca dosya sistemi taramalarına değil, tüm kaynaklara uygulanır. Proje kök dizininizde bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası da oluşturabilirsiniz. 
Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e ve \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e sayfalarına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (yapılandırma hatası, okunamayan yol, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti (kaynak türü, hedef, dosya sayısı, süre ve bulgu sayısı) yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGeliştirme sırasında \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e komutunu çalıştırarak hızlı bir görsel genel bakış elde edin. 
CI hatlarında GitHub Code Scanning ile entegrasyon için \u003ccode\u003e--format sarif\u003c/code\u003e seçeneğine geçin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — varsayılan biçimi, dışlamaları ve daha fazlasını yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e ve satır içi baskılama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — çalışma ağacı yerine commit edilmiş geçmişi tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git Geçmişi","description":"Yerel veya uzak bir Git deposunun tüm commit geçmişini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"git-gemii\"\u003eGit Geçmişi\u003c/h1\u003e\n\u003cp\u003eCommit edilip sonradan silinen bir sır, önceki her commit'te hâlâ mevcuttur ve depoya erişimi olan herkes tarafından ulaşılabilir durumdadır. 
\u003ccode\u003eleakwatch scan git\u003c/code\u003e, bir deponun — yerel veya uzak — \u003cem\u003etüm\u003c/em\u003e commit geçmişini dolaşarak bu sırları, istismar edilmeden önce gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: depoya giden \u003cstrong\u003eyerel dosya sistemi yolu\u003c/strong\u003e (geçerli dizin için \u003ccode\u003e.\u003c/code\u003e) ya da \u003cstrong\u003euzak HTTP/HTTPS veya SSH URL'si\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch tüm Git işlemleri için \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e kullanır; bu, sistem \u003ccode\u003egit\u003c/code\u003e ikili dosyasına bağımlılığı olmayan saf bir Go uygulamasıdır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizindeki yerel depoyu tara\nleakwatch scan git .\n\n# HTTPS üzerinden uzak bir depoyu tara\nleakwatch scan git https://github.com/org/repo.git\n\n# SSH üzerinden tara\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch geçmişteki her commit'i dolaşır ve her commit tarafından eklenen blob'ları inceler. \u003cstrong\u003eBlob-hash tekilleştirmesi\u003c/strong\u003e, aynı dosya içeriğinin kaç commit tarafından referans alındığından bağımsız olarak yalnızca bir kez taranmasını sağlar. 
Bu, tarama süresini ham commit sayısı yerine depodaki \u003cem\u003ebenzersiz içerik\u003c/em\u003e miktarıyla orantılı tutar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch commit-bazlı diff'leri incelediğinden, sonradan silinen — yani mevcut çalışma ağacında görünmeyen — sırları da bulur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"gite-zg\"\u003eGit'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit hash'inden HEAD'e kadar olan değişiklikleri tara (diff tabanlı).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan yerine belirli bir dalı hedef al.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eYalnızca uzak depolar\u003c/strong\u003e için klonlama derinliği. 
\u003ccode\u003e0\u003c/code\u003e tam geçmişi tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini 
göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eYerel deponun tam geçmişini tarayın ve tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . 
--format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003edevelop\u003c/code\u003e dalında belirli bir tarihten sonraki commit'leri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir commit'ten bu yana tanıtılan değişiklikleri tarayın (CI'da yeni commit'leri kontrol etmek için kullanışlıdır):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir uzak depoyu hızlandırmak için sığ klonlama yapın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak depoyu tarayıp yalnızca doğrulanmış bulguları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eGit taramasından elde edilen her bulgu commit meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan deponun URL'si veya yolu (kimlik bilgileri ayıklanmış).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın tanıtıldığı commit hash'i.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit 
yazarının adı ve e-postası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit zaman damgası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDal bağlamı (kullanılabilir olduğunda).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePull request CI işlerinde yalnızca PR tarafından eklenen commit'leri taramak için \u003ccode\u003e--since-commit\u003c/code\u003e kullanın. Son aktiviteyi kapsayan zamanlanmış gece taramaları için \u003ccode\u003e--since \u0026lt;tarih\u0026gt;\u003c/code\u003e tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'leri gömülü kimlik bilgileri içeriyorsa (örn. 
\u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch bu bilgileri günlüklere veya çıktıya yazmadan önce URL'den ayırır; bu sayede token tarama sonuçlarında veya CI izlerinde hiçbir zaman görünmez.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (geçersiz URL, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eÇoklu Depo\u003c/a\u003e — tek komutla birden fazla depoyu tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — geçmiş yerine çalışma ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Çoklu Depo","description":"Birden fazla Git deposunu eşzamanlı olarak tarayın ve sonuçları tek bir raporda birleştirin.","html":"\u003ch1 id=\"oklu-depo\"\u003eÇoklu Depo\u003c/h1\u003e\n\u003cp\u003eBir kuruluş büyüdükçe sırlar düzinelerce hatta yüzlerce deponun herhangi birine yerleşebilir. Bunları tek tek kontrol etmek pratik değildir. 
\u003ccode\u003eleakwatch scan repos\u003c/code\u003e, birden fazla depo URL'sini alır, bunları eşzamanlı olarak tarar ve tüm bulguları tek bir çıktıda birleştirir — tek komut, tek rapor.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut \u003cstrong\u003een az iki\u003c/strong\u003e depo URL'si gerektirir. Tüm depolar otomatik olarak klonlanır, taranır ve temizlenir. Sonunda birleşik bulgu sayısı ve tek bir tarama özeti raporlanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"nasl-alr\"\u003eNasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch aynı anda en fazla \u003ccode\u003e--parallel\u003c/code\u003e sayıda depo taraması başlatır. Her depo:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eSağlanan URL'den klonlanır (güvenlik açısından kimlik bilgileri günlüklerden ve çıktıdan ayıklanır).\u003c/li\u003e\n\u003cli\u003eTam tespit hattıyla taranır; bu depo için \u003ccode\u003e--concurrency\u003c/code\u003e sayıda çalışan kullanılır.\u003c/li\u003e\n\u003cli\u003eTarama tamamlandığında temizlenir (geçici klon silinir).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eTüm depolardan elde edilen bulgular toplanır ve tek bir kaynaktan yapılmış tarama gibi tek bir çıktı olarak yazılır. 
Görüntülenen hedef \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e (N depo) şeklindedir.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"oklu-depoya-zg\"\u003eÇoklu depoya özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya 
yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eDepo başına\u003c/strong\u003e eşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, 
\u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasındaki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları tüm depolara uygulanır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eİki depoyu tarayın ve sonuçları tablo olarak görüntüleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeş depoyu daha yüksek paralellik ile tarayın ve birleşik sonuçları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDepo başına daha fazla çalışan kullanarak yalnızca doğrulanmış bulguları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 
id=\"paralellii-ayarlama\"\u003eParalelliği ayarlama\u003c/h2\u003e\n\u003cp\u003eVerimi kontrol eden iki parametre vardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e, kaç depo klonlama ve taramasının aynı anda çalışacağını kontrol eder. Varsayılan \u003ccode\u003e3\u003c/code\u003e, çoğu iş yükü için uygundur. Ağ bant genişliği ve CPU kapasitesi izin verdiğinde artırın; kısıtlı makinelerde düşürün.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e), her bir depodaki dosya blob'larını işleyen çalışan goroutine sayısını kontrol eder. Bu, tüm tarama komutlarında bulunan aynı bayraktır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTepe noktasındaki toplam eşzamanlı işlem = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBir veya daha fazla depo taraması başarısız olursa (örneğin ağ hatası veya kimlik doğrulama sorunu nedeniyle), Leakwatch hatayı günlüğe kaydeder ve kalan depoları taramaya devam eder. Diğer depolar bulgu üretmiş olsa bile herhangi bir depo taraması başarısız olursa çıkış kodu \u003ccode\u003e2\u003c/code\u003e olur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'lerindeki gömülü kimlik bilgileri (örn. 
\u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), URL günlüklere, çıktıya veya tarama özetine yazılmadan önce ayıklanır.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir veya daha fazla depo taraması başarısız oldu ya da yapılandırma hatası oluştu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. 
Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — tek bir depoyu derinlemesine tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tüm kaynaklar için paylaşılan varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Çalışma Alanı","description":"Slack kanal ve DM mesaj metinlerini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"slack-alma-alan\"\u003eSlack Çalışma Alanı\u003c/h1\u003e\n\u003cp\u003eGeliştiriciler çoğu zaman kimlik bilgilerini sohbet üzerinden paylaşır — hızlı bir test için bir kanala yapıştırılan token, DM ile gönderilen parola ya da bir olay başlığında söz edilen API anahtarı. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e, Slack çalışma alanınızdaki mesaj metinlerini okur ve bulduğu sırları işaretler.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e tarar. 
Yüklenen dosyaların (ekler, snippet'ler) içeriğini taramak uygulanmamıştır. Yalnızca mesajların metin gövdesi analiz edilir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003cstrong\u003ekonumsal argüman almaz\u003c/strong\u003e. Tüm yapılandırma bayraklar veya ortam değişkenleri aracılığıyla sağlanır.\u003c/p\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eBir Slack Bot Token gereklidir. \u003ccode\u003e--token\u003c/code\u003e bayrağı veya \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni aracılığıyla sağlayın. Ortam değişkeni kullanmak önerilir; böylece token kabuk geçmişinde veya süreç listelerinde asla görünmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"gerekli-bot-token-kapsamlar\"\u003eGerekli bot token kapsamları\u003c/h3\u003e\n\u003cp\u003eBot token'ı, aşağıdaki OAuth kapsamlarına sahip bir Slack uygulamasıyla ilişkilendirilmiş olmalıdır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKapsam\u003c/th\u003e\n\u003cth\u003eAmaç\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı genel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı özel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları oku (yalnızca 
\u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrup doğrudan mesajlarını oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"slacke-zg\"\u003eSlack'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni tercih edilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003etüm kanallar\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eBu tarihte veya sonrasında gönderilen mesajları 
tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları ve grup DM'lerini de tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API istek sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan 
sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eDahili parça boyutu sınırı (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve 
\u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eToken için ortam değişkeni kullanarak botun erişebildiği tüm kanalları tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli kanalları tarayın ve yılın başından bu yana gönderilen mesajlarla sınırlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGürültülü kanalları dışlayın ve doğrudan mesajları dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük çalışma alanlarında Slack hız sınırı hatalarını önlemek için API istek hızını düşürün:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif bulguları bir JSON dosyasına kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eSlack taramasından elde edilen her bulgu mesaj ve kanal meta verisi 
içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği kanal adı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack mesaj zaman damgası (benzersiz mesaj kimliği).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMesaj yazarının Slack kullanıcı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performans-deerlendirmeleri\"\u003ePerformans değerlendirmeleri\u003c/h2\u003e\n\u003cp\u003eSlack API istekleri, Slack tarafından uygulanan hız sınırlarına tabidir. \u003ccode\u003e--rate-limit\u003c/code\u003e bayrağı (varsayılan saniyede \u003ccode\u003e20\u003c/code\u003e istek), Leakwatch'ın istekleri ne kadar agresif yapacağını kontrol eder. Özellikle büyük çalışma alanlarında \u003ccode\u003e429 Too Many Requests\u003c/code\u003e hatası alıyorsanız bu değeri düşürün.\u003c/p\u003e\n\u003cp\u003eHer çalıştırmada tüm çalışma alanını taramak yerine belirli kanalları hedeflemek için \u003ccode\u003e--channels\u003c/code\u003e kullanın. 
Mesajları artımlı biçimde taramak için \u003ccode\u003e--since\u003c/code\u003e ile birleştirin.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (eksik token, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — commit edilmiş geçmişi sırlara karşı 
tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"Doğrulama Nasıl Çalışır","description":"Leakwatch'ın tespit edilen bir sırrın hâlâ aktif olup olmadığını nasıl teyit ettiği, hangi doğrulama modlarını kullandığı ve doğrulamanın nasıl yapılandırılacağı veya devre dışı bırakılacağı.","html":"\u003ch1 id=\"dorulama-nasl-alr\"\u003eDoğrulama Nasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eBir kod tabanında sır bulmak hikayenin yalnızca yarısıdır. Altı ay önce döndürülen bir anahtar gürültüdür; hâlâ canlı olan bir anahtar ise aktif bir olayı temsil eder. Doğrulama, bu çizgiyi çizen adımdır — tespit edilen her bulguyu alır ve mümkün olan durumlarda sırrın sağlayıcıda hâlâ geçerli olup olmadığını teyit eder.\u003c/p\u003e\n\u003ch2 id=\"tespiten-dorulamaya\"\u003eTespiten doğrulamaya\u003c/h2\u003e\n\u003cp\u003eTarama motoru bulguları topladıktan sonra doğrulayıcı havuzu onları işlemeye alır. Her bulgu bir \u003ccode\u003edetector_id\u003c/code\u003e taşır; Leakwatch bu ID için kayıtlı bir doğrulayıcı olup olmadığını arar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBir doğrulayıcı mevcutsa çalışır ve bir durum döndürür.\u003c/li\u003e\n\u003cli\u003eO dedektör türü için kayıtlı bir doğrulayıcı yoksa bulgu değiştirilmeden \u003ccode\u003eunverified\u003c/code\u003e durumuyla geçer.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ki-dorulama-modu\"\u003eİki doğrulama modu\u003c/h2\u003e\n\u003cp\u003eTüm sırlar aynı şekilde doğrulanamaz. 
Leakwatch, her kimlik bilgisi türü için güvenli olan yaklaşıma göre iki farklı yöntem kullanır.\u003c/p\u003e\n\u003ch3 id=\"canl-api-dorulamas\"\u003eCanlı API doğrulaması\u003c/h3\u003e\n\u003cp\u003eYaklaşık 49 dedektör türü için Leakwatch, sağlayıcıya \u003cstrong\u003ekontrollü, salt-okunur bir API çağrısı\u003c/strong\u003e yapar — örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, GitHub token'ları için \u003ccode\u003eGET /user\u003c/code\u003e. Çağrı yalnızca kimliği doğrulamak için gereken minimum uç noktayı kullanır; hiçbir zaman veri değiştirmez, kaynak oluşturmaz veya faturalandırma olayı tetiklemez.\u003c/p\u003e\n\u003cp\u003eSağlayıcı başarılı bir yanıt döndürürse bulgu \u003ccode\u003everified_active\u003c/code\u003e olarak işaretlenir. Sağlayıcı kimlik bilgisini reddederse (örneğin HTTP 401 veya 403 ile) bulgu \u003ccode\u003everified_inactive\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"yalnzca-format-dorulamas\"\u003eYalnızca format doğrulaması\u003c/h3\u003e\n\u003cp\u003eBeş kimlik bilgisi türü için güvenli bir canlı kontrol mevcut değildir — sağlayıcının anonim bir kimlik uç noktası yoktur ya da gerçek bir çağrı yan etkiye yol açar. 
Bu durumlar için Leakwatch, herhangi bir ağ isteği yapmadan kimlik bilgisinin yapısını doğrular:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e alanlarının varlığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca format kontrolü — geçerli bir format hiçbir şeyi kanıtlamaz, sonuç her zaman \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFormat kontrolü geçse bile sonuç \u003ccode\u003eunverified\u003c/code\u003e olarak kalır. Yapısal olarak geçerli bir kimlik bilgisi süresi dolmuş veya iptal edilmiş olabilir. 
Bu bulgular her zaman manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama-durumlar\"\u003eDoğrulama durumları\u003c/h2\u003e\n\u003cp\u003eLeakwatch çıktısındaki her bulgu dört durumdan birini taşır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDurum\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen eylem\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın sağlayıcı tarafından canlı olduğu teyit edildi.\u003c/td\u003e\n\u003ctd\u003eAktif bir olay olarak ele alın. Hemen döndürün.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcı kimlik bilgisini reddetti.\u003c/td\u003e\n\u003ctd\u003eMuhtemelen zaten döndürülmüş. Bağlamı gözden geçirin ve kapatın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBu tür için doğrulayıcı yok, format doğrulaması sonuç vermedi veya doğrulama devre dışı bırakıldı.\u003c/td\u003e\n\u003ctd\u003eManuel olarak inceleyin; risk bağlama göre belirlenir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulayıcı çalıştı ancak ağ hatası, zaman aşımı veya beklenmedik yanıtla karşılaştı.\u003c/td\u003e\n\u003ctd\u003ePotansiyel olarak aktif kabul edin. Yeniden deneyin veya manuel olarak inceleyin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulama-motoru\"\u003eDoğrulama motoru\u003c/h2\u003e\n\u003cp\u003eDoğrulama, tarama çalışan havuzundan yalıtılmış ayrı bir eşzamanlı çalışan havuzunda çalışır. 
Sağlayıcı hız sınırlarını tetiklememek için varsayılanlar temkinlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAyar\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇalışan sayısı\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal hız sınırı\u003c/td\u003e\n\u003ctd\u003e10 istek/saniye\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eİstek başına zaman aşımı\u003c/td\u003e\n\u003ctd\u003e10 sn\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer üç değer de \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003everification:\u003c/code\u003e bloğu altında ayarlanabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # global, saniye başına istek sayısı\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYüzlerce bulgu tetikleyen bir depoyu tarıyorsanız \u003ccode\u003erate-limit\u003c/code\u003e değerini 5'e düşürmeyi veya \u003ccode\u003e--only-verified\u003c/code\u003e etkinleştirmeyi düşünün; bu, doğrulanmış-aktif kümesini küçük ve uygulanabilir tutar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"komut-satrndan-dorulamay-kontrol-etme\"\u003eKomut satırından doğrulamayı kontrol 
etme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--no-verify\u003c/code\u003e ile \u003cstrong\u003edoğrulamayı tamamen devre dışı bırakın\u003c/strong\u003e (ya da yapılandırmada \u003ccode\u003everification.enabled: false\u003c/code\u003e ayarlayın). Her bulgu \u003ccode\u003eunverified\u003c/code\u003e olarak geçer. Bunu çevrimdışı veya hava boşluklu ortamlar için ya da herhangi bir sağlayıcı API'sine dokunmadan mümkün olan en hızlı taramayı istediğinizde kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eYalnızca canlı olduğu doğrulanan sırları görmek\u003c/strong\u003e için \u003ccode\u003e--only-verified\u003c/code\u003e kullanın. \u003ccode\u003everified_active\u003c/code\u003e olmayan her şey çıktıdan düşürülür. Bu, büyük bir sonuç kümesini önceliklendirmenin en hızlı yoludur — yalnızca hemen harekete geçmeniz gereken anahtarları görürsünüz.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e ve \u003ccode\u003everify_error\u003c/code\u003e bulgularını sessizce düşürür. 
Bunu uyumluluk bağlamında tek filtreniz olarak kullanmayın — bazı kimlik bilgisi türleri (JWT'ler, genel API anahtarları, özel anahtarlar) hiçbir zaman doğrulanamaz ve her zaman dışarıda kalır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eDoğrulama, ham sır değerinin süreç sınırını güvensiz biçimde asla terk etmeyecek şekilde tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDoğrulayıcılar sırrı TLS üzerinden doğrudan sağlayıcının HTTP uç noktasına iletir — diske yazılmaz, bir loga gönderilmez ve çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003cli\u003eBaşlatılamayan veya panikle karşılaşan bir doğrulayıcı motor tarafından yakalanır; motor, bulguyu \u003ccode\u003everify_error\u003c/code\u003e olarak işaretler ve taramayı çökertmeden devam eder.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektör türlerinin canlı doğrulandığı, format doğrulandığı veya hiç doğrulanamadığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003everification:\u003c/code\u003e bloğunun tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e — doğrulama durumunun JSON, SARIF, CSV ve tablo çıktısında nasıl göründüğü.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Doğrulama Kapsamı","description":"63 yerleşik dedektörün hangilerinin canlı doğrulandığı, yalnızca format doğrulandığı veya doğrulanamaz olduğu ve bunun önceliklendirme açısından ne anlama geldiği.","html":"\u003ch1 id=\"dorulama-kapsam\"\u003eDoğrulama Kapsamı\u003c/h1\u003e\n\u003cp\u003eLeakwatch 63 yerleşik dedektör ve 54 doğrulayıcı ile gelir; bu, 
\u003cstrong\u003e%85,7\u003c/strong\u003e kapsama oranı sağlar (63 dedektör türünün 54'ünün bir tür doğrulaması mevcuttur). Bu sayfa, çıktınızda ne beklemeniz gerektiğini bilmeniz için her dedektörü doğrulama durumuna göre eşler.\u003c/p\u003e\n\u003ch2 id=\"canl-dorulanan-49-dedektr-tr\"\u003eCanlı doğrulanan (49 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu türler için Leakwatch, sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar ve \u003ccode\u003everified_active\u003c/code\u003e ya da \u003ccode\u003everified_inactive\u003c/code\u003e döndürür. Hiçbir veri oluşturulmaz veya değiştirilmez; çağrı, kimliği doğrulamak için gereken minimum uç noktayı kullanır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör türü\u003c/th\u003e\n\u003cth\u003eSağlayıcı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management 
API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yalnzca-format-dorulamas-5-dedektr-tr\"\u003eYalnızca format doğrulaması (5 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu doğrulayıcılar tamamen çevrimdışı çalışır. Hiçbir ağ isteği yapılmaz. 
Geçerli bir format kimlik bilgisinin aktif olduğunu kanıtlamadığından, beşi de format kontrolünün geçip geçmediğinden bağımsız olarak her zaman \u003ccode\u003eunverified\u003c/code\u003e döndürür.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003cth\u003eNeden canlı kontrol yok\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol, yan etkileri olan GCP OAuth2 token değişimi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003ctd\u003eHerkese açık kimlik doğrulamasız sağlık uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eParola uzunluğu ve host alt dize kontrolü\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol bir JDBC/ODBC veritabanı bağlantısı gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eHesap başına HMAC imzalama gerektirir; genel kimlik uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eİstemci kimlik bilgisi akışı oturum 
oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulanamaz-9-dedektr-tr\"\u003eDoğrulanamaz (9 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu dedektör türlerinin hiç doğrulayıcısı yoktur. Bunlardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e olur. Bu durum önemsiz oldukları anlamına \u003cstrong\u003egelmez\u003c/strong\u003e — tam olarak tespit edilip raporlanırlar — ancak herkese açık bir doğrulama API'si bulunmamakta ya da herhangi bir doğrulama girişimi yan etkiye yol açmaktadır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eNeden\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJWT herhangi bir tarafça yayınlanabilir; evrensel bir doğrulama uç noktası yoktur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇağrılacak sağlayıcı yok; aktif kullanım uzaktan tespit edilemez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanım gereği bilinmeyen sağlayıcı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak hedef veritabanında oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak Redis örneğinde canlı bağlantı açar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGüvenli, salt-okunur FTP yoklama yöntemi 
yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind kimliği doğrulanmış bir oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWebhook'un aktif olduğunu doğrulamak mesaj göndermeyi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token doğrulaması, Vault uç noktasının bilinmesini gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Doğrulanamaz\u0026quot; \u0026quot;bulunamaz\u0026quot; anlamına gelmez. Bu 9 türün tamamı yine de tespit edilir ve çıktınızda görünür. Kimlik bilgisinin canlı olup olmadığını ve döndürülmesi gerekip gerekmediğini belirlemek için manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kapsam-zeti\"\u003eKapsam özeti\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKategori\u003c/th\u003e\n\u003cth\u003eSayı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eCanlı doğrulanan\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eYalnızca format doğrulaması\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDoğrulanamaz\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eToplam 
dedektör\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDoğrulayıcı (herhangi bir kapsam)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (%85,7)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — iki doğrulama modu, durumlar ve doğrulama motoru.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — yerleşik dedektörlerin tam listesi ve şiddet seviyeleri.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; From 47d2642b9a550aadc2d2be8f56918647c4af62df Mon Sep 17 00:00:00 2001 
From: Cemil ILIK Date: Mon, 25 May 2026 09:48:54 +0300 Subject: [PATCH 5/5] =?UTF-8?q?fix(action):=20review=20round=203=20?= =?UTF-8?q?=E2=80=94=20persist-credentials,=20glob-safe=20extra-args,=20sa?= =?UTF-8?q?rif=20path?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Valid findings fixed: - Add `persist-credentials: false` to every actions/checkout step in action-test.yml and ci.yml (don't persist GITHUB_TOKEN; matches release.yml). - action.yml: `set -f` around the extra-args word-split so a bare glob token (e.g. `--exclude *.go`) isn't pathname-expanded against the work dir before reaching leakwatch. - action.yml: report the correct sarif-file path for a non-"." working-directory (relative or absolute) instead of bare $OUT, so the SARIF upload step finds it. - action-test.yml: convert the finding/SARIF assertions to explicit if blocks (drops the `A && B || C` pattern; identical messages/behavior). - 01-COMPETITIVE-ANALYSIS.md: reconcile the two "requires writing Go code and recompiling" claims with the corrected footnote — TruffleHog supports YAML custom regex detectors; only custom verification logic needs Go. Skipped (not valid against current code): - ADR-0009 lowercase `github`: it's the backticked literal output-format name (`--format github`); capitalizing would misstate the CLI value. - output-formats.md `#/ci-cd/github-action` links: `#/` hash routes are the deliberate docs-portal (SPA) convention used by ~140 sibling manual links; switching one to a .md path would break portal navigation and be inconsistent. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/action-test.yml | 14 ++++++++++++-- .github/workflows/ci.yml | 6 ++++++ action.yml | 19 ++++++++++++------- docs/architecture/01-COMPETITIVE-ANALYSIS.md | 4 ++-- 4 files changed, 32 insertions(+), 11 deletions(-) diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml index a85fd1a..13a1da3 100644 
--- a/.github/workflows/action-test.yml +++ b/.github/workflows/action-test.yml @@ -29,6 +29,8 @@ jobs: contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' @@ -53,6 +55,8 @@ jobs: os: [ubuntu-latest, macos-latest] steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false # Build the fixture at runtime so no secret-shaped literal is ever committed # (which would trip push protection / secret scanning). Reassembled at @@ -87,8 +91,12 @@ jobs: run: | set -euo pipefail echo "findings-count=$COUNT sarif-file=$SARIF" - [ "$COUNT" = "1" ] || { echo "::error::expected findings-count=1, got '$COUNT'"; exit 1; } - [ -n "$SARIF" ] && [ -f "$SARIF" ] || { echo "::error::expected SARIF file at '$SARIF'"; exit 1; } + if [ "$COUNT" != "1" ]; then + echo "::error::expected findings-count=1, got '$COUNT'"; exit 1 + fi + if [ -z "$SARIF" ] || [ ! -f "$SARIF" ]; then + echo "::error::expected SARIF file at '$SARIF'"; exit 1 + fi echo "OK: finding detected and SARIF written" - name: Scan clean fixture (expect no findings) @@ -121,6 +129,8 @@ jobs: contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ab85775..c64f5d9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,6 +17,8 @@ jobs: go-version: ['1.25.10'] steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: ${{ matrix.go-version }} 
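Review bot: The SARIF assertion in the new second `if` block only checks that `$SARIF` names an existing file, so a run that writes an empty or malformed SARIF while still reporting findings-count=1 would pass the self-test. Since jq is preinstalled on GitHub-hosted ubuntu and macos runners, the existence check should be followed by a content check such as `[ "$(jq -r '[.runs[].results[]] | length' "$SARIF")" = "1" ] || { echo "::error::SARIF does not contain exactly one result"; exit 1; }`, which ties the SARIF output to the findings-count output the step already asserts. The step header and the env mapping that populate `$COUNT` and `$SARIF` are above the hunk, so where those values come from is inferred here.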
@@ -36,6 +38,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' @@ -46,6 +50,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.25.10' diff --git a/action.yml b/action.yml index 2828a18..e15dcff 100644 --- a/action.yml +++ b/action.yml @@ -202,13 +202,14 @@ runs: ARGS+=(--output "$OUT") fi if [ "$INPUT_FORMAT" = "sarif" ] && [ -n "$OUT" ]; then - # Report the path relative to the repo root so a later upload step finds it. - case "$WORKDIR" in - .) echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" ;; - /*) echo "::warning::working-directory is absolute; the SARIF upload step may not locate the file. Use a repository-relative working-directory." - echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" ;; - *) echo "sarif-file=${WORKDIR%/}/$OUT" >> "$GITHUB_OUTPUT" ;; - esac + # Report where the upload step should look: $OUT as-is when running from + # the repo root, otherwise prefixed with the working directory. This is + # correct for both relative and absolute working-directory values. + if [ "$WORKDIR" = "." ]; then + echo "sarif-file=$OUT" >> "$GITHUB_OUTPUT" + else + echo "sarif-file=${WORKDIR%/}/$OUT" >> "$GITHUB_OUTPUT" + fi fi [ "$INPUT_ONLY_VERIFIED" = "true" ] && ARGS+=(--only-verified) 
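Review bot: The new `else` branch prefixes `$OUT` with the working directory unconditionally, so an absolute `output` value (e.g. `/tmp/results.sarif`) combined with a non-"." working-directory is reported as `sub//tmp/results.sarif`, and the upload step will not find it, which is the same failure this hunk sets out to fix. An absolute `$OUT` should skip the prefix: `if [ "$WORKDIR" = "." ] || [ "${OUT#/}" != "$OUT" ]; then`. The assignments of `OUT` and `WORKDIR` are outside the hunk, so whether the `output` input can reach here as an absolute path is inferred rather than visible. Separately, `$OUT` is written straight into `$GITHUB_OUTPUT`, so a value containing a newline would inject additional outputs; rejecting newlines where `output` is read would close that.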
@@ -267,8 +268,12 @@ runs: # flags the action manages itself, so its output/summary/upload bookkeeping # can never silently disagree with the actual CLI invocation. if [ -n "$INPUT_EXTRA_ARGS" ]; then + # Disable globbing so an arg like --exclude=*.go is not expanded against + # the working directory; the word-splitting into separate args is intended. + set -f # shellcheck disable=SC2206 extra=($INPUT_EXTRA_ARGS) + set +f for a in "${extra[@]}"; do # Prefix-match so combined shorthand (-fcsv, -o/tmp/x) and =forms are # all caught. -f/-o are format/output here and have no other meaning. diff --git a/docs/architecture/01-COMPETITIVE-ANALYSIS.md b/docs/architecture/01-COMPETITIVE-ANALYSIS.md index 4a5cc13..f576259 100644 --- a/docs/architecture/01-COMPETITIVE-ANALYSIS.md +++ b/docs/architecture/01-COMPETITIVE-ANALYSIS.md @@ -45,7 +45,7 @@ While existing open-source tools (TruffleHog, Gitleaks) are strong in certain ar - High memory consumption with large repositories - Verification can hit API rate limits - Unverified results are still noisy -- Adding custom detectors requires writing Go code and recompiling +- Custom regex detectors can be defined in YAML (`config.yaml` `detectors:`), but adding custom **verification** logic requires writing Go code and recompiling - `.secretsignore` / allowlist mechanism is less mature compared to competitors --- 
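Review bot: With `set -f` around the array assignment the split is now purely IFS-based, which means a single argument containing a space (for example `--exclude "my dir"`) can never reach leakwatch intact: the quote characters are passed through literally and the value is split into two words, and nothing next to the split says so. That is a reasonable trade-off versus `eval`, but it should be stated where the split happens, e.g. `# Quoting is not honored: every whitespace-separated word becomes one argument, so values containing spaces cannot be passed via extra-args.`, and presumably mirrored in the `extra-args` input description in the `inputs:` section above. The `for` loop that filters `-f`/`-o` continues below the hunk.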
@@ -214,7 +214,7 @@ While existing open-source tools (TruffleHog, Gitleaks) are strong in certain ar **Leakwatch Opportunity:** A unique position in the open-source market with an MIT-licensed, modular verification system. #### Opportunity 2: Easy Extensibility -**Situation:** Adding custom detectors in TruffleHog requires writing Go code and recompiling. Gitleaks' TOML rules are simple but do not allow adding verification logic. +**Situation:** TruffleHog supports custom regex detectors in YAML (`config.yaml` `detectors:`), but adding custom verification logic requires writing Go code and recompiling. Gitleaks' TOML rules are simple but do not allow adding verification logic. **Leakwatch Opportunity:** Two-tier extensibility with YAML-based rule definitions + Go plugin interface. YAML is sufficient for simple regex rules; Go interface for advanced verification.