From f75a6a11e14e9077da4c36e9c00889efce0abd23 Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sat, 23 May 2026 20:44:27 +0300 Subject: [PATCH 1/7] chore: migrate module path and references to HodeTech org Move the project to the HodeTech organization: - Go module github.com/cemililik/leakwatch -> github.com/HodeTech/leakwatch (go.mod + all internal imports / blank imports) - Web URLs -> github.com/HodeTech/Leakwatch (README, CLAUDE.md, CONTRIBUTING, CODE_OF_CONDUCT, docs/guides, architecture, ROADMAP) - Container image -> ghcr.io/hodetech/leakwatch (GHCR requires lowercase) - Homebrew tap -> HodeTech/tap (+ HodeTech/homebrew-tap) - GitHub Action -> HodeTech/leakwatch-action; action author -> HodeTech - .goreleaser.yml, Formula/leakwatch.rb, sonar-project.properties (org=hodetech), vscode/package.json (publisher=HodeTech) go build ./... , go vet ./... and detector+cmd tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/ISSUE_TEMPLATE/config.yml | 6 +- .goreleaser.yml | 30 +-- CLAUDE.md | 2 +- CODE_OF_CONDUCT.md | 2 +- CONTRIBUTING.md | 2 +- Formula/leakwatch.rb | 12 +- README.md | 20 +- action/action.yml | 6 +- cmd/imports.go | 220 +++++++++--------- cmd/init.go | 2 +- cmd/scan_common.go | 28 +-- cmd/scan_common_test.go | 10 +- cmd/scan_fs.go | 2 +- cmd/scan_gcs.go | 2 +- cmd/scan_git.go | 2 +- cmd/scan_image.go | 2 +- cmd/scan_repos.go | 6 +- cmd/scan_s3.go | 2 +- cmd/scan_slack.go | 2 +- docs/architecture/03-ARCHITECTURE.md | 34 +-- docs/architecture/05-VERIFIER-ANALYSIS.md | 8 +- docs/guides/ci-cd-integration.md | 44 ++-- docs/guides/container-scanning.md | 4 +- docs/guides/docker-usage.md | 80 +++---- docs/guides/getting-started.md | 12 +- docs/guides/git-scanning.md | 4 +- docs/guides/slack-scanning.md | 2 +- docs/guides/vscode-extension.md | 4 +- docs/standards/02-RELEASE-STANDARDS.md | 8 +- go.mod | 2 +- internal/config/config.go | 2 +- internal/detector/airtable/airtable_token.go | 4 +- .../detector/airtable/airtable_token_test.go | 2 +- internal/detector/anthropic/anthropic_key.go | 4 +- .../detector/anthropic/anthropic_key_test.go | 2 +- internal/detector/auth0/auth0_token.go | 4 +- internal/detector/auth0/auth0_token_test.go | 2 +- internal/detector/aws/aws_access_key.go | 4 +- internal/detector/aws/aws_access_key_test.go | 2 +- internal/detector/azure/azure_entra.go | 4 +- internal/detector/azure/azure_entra_test.go | 2 +- internal/detector/azure/azure_storage.go | 4 +- internal/detector/azure/azure_storage_test.go | 2 +- .../detector/bitbucket/bitbucket_password.go | 4 +- .../bitbucket/bitbucket_password_test.go | 2 +- internal/detector/circleci/circleci_token.go | 4 +- .../detector/circleci/circleci_token_test.go | 2 +- .../detector/cloudflare/cloudflare_token.go | 4 +- .../cloudflare/cloudflare_token_test.go | 2 +- internal/detector/coinbase/coinbase_key.go | 4 +- .../detector/coinbase/coinbase_key_test.go | 2 +- internal/detector/custom/custom_rule.go | 6 +- internal/detector/custom/custom_rule_test.go | 4 +- .../detector/databricks/databricks_token.go | 4 +- .../databricks/databricks_token_test.go | 2 +- internal/detector/datadog/datadog_key.go | 4 +- internal/detector/datadog/datadog_key_test.go | 2 +- internal/detector/dbconn/connection_string.go | 4 +- .../detector/dbconn/connection_string_test.go | 2 +- internal/detector/deepseek/deepseek_key.go | 4 +- .../detector/deepseek/deepseek_key_test.go | 2 +- internal/detector/detector.go | 2 +- .../digitalocean/digitalocean_token.go | 4 +- .../digitalocean/digitalocean_token_test.go | 2 +- internal/detector/discord/discord_token.go | 4 +- .../detector/discord/discord_token_test.go | 2 +- .../detector/dockerhub/dockerhub_token.go | 4 +- .../dockerhub/dockerhub_token_test.go | 2 +- internal/detector/doppler/doppler_token.go | 4 +- .../detector/doppler/doppler_token_test.go | 2 +- internal/detector/figma/figma_token.go | 4 +- internal/detector/figma/figma_token_test.go | 2 +- internal/detector/ftp/ftp_cred.go | 4 +- internal/detector/ftp/ftp_cred_test.go | 2 +- internal/detector/gcp/gcp_service_account.go | 4 +- .../detector/gcp/gcp_service_account_test.go | 2 +- internal/detector/generic/generic_api_key.go | 6 +- .../detector/generic/generic_api_key_test.go | 2 +- internal/detector/github/github_oauth.go | 4 +- internal/detector/github/github_oauth_test.go | 2 +- internal/detector/github/github_token.go | 4 +- internal/detector/github/github_token_test.go | 2 +- internal/detector/gitlab/gitlab_token.go | 4 +- internal/detector/gitlab/gitlab_token_test.go | 2 +- internal/detector/grafana/grafana_key.go | 4 +- internal/detector/grafana/grafana_key_test.go | 2 +- internal/detector/heroku/heroku_key.go | 4 +- internal/detector/heroku/heroku_key_test.go | 2 +- .../detector/huggingface/huggingface_token.go | 4 +- .../huggingface/huggingface_token_test.go | 2 +- internal/detector/infura/infura_key.go | 4 +- internal/detector/infura/infura_key_test.go | 2 +- internal/detector/jwt/jwt.go | 4 +- internal/detector/jwt/jwt_test.go | 2 +- .../detector/launchdarkly/launchdarkly_key.go | 4 +- .../launchdarkly/launchdarkly_key_test.go | 2 +- internal/detector/ldap/ldap_cred.go | 4 +- internal/detector/ldap/ldap_cred_test.go | 2 +- internal/detector/linear/linear_key.go | 4 +- internal/detector/linear/linear_key_test.go | 2 +- internal/detector/mailgun/mailgun_key.go | 4 +- internal/detector/mailgun/mailgun_key_test.go | 2 +- internal/detector/newrelic/newrelic_key.go | 4 +- .../detector/newrelic/newrelic_key_test.go | 2 +- internal/detector/notion/notion_token.go | 4 +- internal/detector/notion/notion_token_test.go | 2 +- internal/detector/npm/npm_token.go | 4 +- internal/detector/npm/npm_token_test.go | 2 +- internal/detector/okta/okta_token.go | 4 +- internal/detector/okta/okta_token_test.go | 2 +- internal/detector/openai/openai_key.go | 4 +- internal/detector/openai/openai_key_test.go | 2 +- internal/detector/pagerduty/pagerduty_key.go | 4 +- .../detector/pagerduty/pagerduty_key_test.go | 2 +- internal/detector/postmark/postmark_token.go | 4 +- .../detector/postmark/postmark_token_test.go | 2 +- internal/detector/privatekey/private_key.go | 4 +- .../detector/privatekey/private_key_test.go | 2 +- internal/detector/pypi/pypi_token.go | 4 +- internal/detector/pypi/pypi_token_test.go | 2 +- internal/detector/rabbitmq/rabbitmq_conn.go | 4 +- .../detector/rabbitmq/rabbitmq_conn_test.go | 2 +- internal/detector/redis/redis_conn.go | 4 +- internal/detector/redis/redis_conn_test.go | 2 +- internal/detector/registry_count_test.go | 120 +++++----- internal/detector/registry_test.go | 2 +- internal/detector/rubygems/rubygems_key.go | 4 +- .../detector/rubygems/rubygems_key_test.go | 2 +- internal/detector/sendgrid/sendgrid_key.go | 4 +- .../detector/sendgrid/sendgrid_key_test.go | 2 +- internal/detector/sentry/sentry_token.go | 4 +- internal/detector/sentry/sentry_token_test.go | 2 +- internal/detector/shopify/shopify_token.go | 4 +- .../detector/shopify/shopify_token_test.go | 2 +- internal/detector/slack/slack_test.go | 2 +- internal/detector/slack/slack_token.go | 4 +- internal/detector/slack/slack_webhook.go | 4 +- internal/detector/snowflake/snowflake_cred.go | 4 +- .../detector/snowflake/snowflake_cred_test.go | 2 +- internal/detector/snyk/snyk_key.go | 4 +- internal/detector/snyk/snyk_key_test.go | 2 +- .../detector/sonarcloud/sonarcloud_token.go | 4 +- .../sonarcloud/sonarcloud_token_test.go | 2 +- internal/detector/stripe/stripe_key.go | 4 +- internal/detector/stripe/stripe_key_test.go | 2 +- internal/detector/supabase/supabase_key.go | 4 +- .../detector/supabase/supabase_key_test.go | 2 +- internal/detector/teams/teams_webhook.go | 4 +- internal/detector/teams/teams_webhook_test.go | 2 +- .../telegram/telegram_matcher_test.go | 2 +- internal/detector/telegram/telegram_token.go | 4 +- .../detector/telegram/telegram_token_test.go | 2 +- .../detector/terraform/terraform_token.go | 4 +- .../terraform/terraform_token_test.go | 2 +- internal/detector/testutil/testutil.go | 4 +- internal/detector/twilio/twilio_key.go | 4 +- internal/detector/twilio/twilio_key_test.go | 2 +- internal/detector/vault/vault_token.go | 4 +- internal/detector/vault/vault_token_test.go | 2 +- internal/detector/vercel/vercel_token.go | 4 +- internal/detector/vercel/vercel_token_test.go | 2 +- internal/engine/engine.go | 14 +- internal/engine/engine_test.go | 6 +- internal/matcher/matcher.go | 2 +- internal/matcher/matcher_test.go | 4 +- internal/output/csv/csv_formatter.go | 2 +- internal/output/csv/csv_formatter_test.go | 2 +- internal/output/formatter.go | 2 +- internal/output/json/json_formatter.go | 2 +- internal/output/json/json_formatter_test.go | 2 +- internal/output/sarif/sarif_formatter.go | 4 +- internal/output/sarif/sarif_formatter_test.go | 2 +- internal/output/table/table_formatter.go | 2 +- internal/output/table/table_formatter_test.go | 2 +- internal/remediation/guidance.go | 2 +- internal/remediation/remediation.go | 2 +- internal/remediation/remediation_test.go | 2 +- internal/source/container/container.go | 6 +- internal/source/container/container_test.go | 2 +- internal/source/filesystem/filesystem.go | 6 +- internal/source/gcs/gcs.go | 6 +- internal/source/gcs/gcs_test.go | 2 +- internal/source/git/git.go | 6 +- internal/source/s3/s3.go | 6 +- internal/source/s3/s3_test.go | 2 +- internal/source/slack/slack.go | 4 +- internal/source/source.go | 2 +- .../verifier/airtable/airtable_verifier.go | 8 +- .../airtable/airtable_verifier_test.go | 4 +- .../anthropic/anthropic_shared_test.go | 6 +- .../verifier/anthropic/anthropic_verifier.go | 8 +- .../anthropic/anthropic_verifier_test.go | 4 +- internal/verifier/auth0/auth0_verifier.go | 8 +- .../verifier/auth0/auth0_verifier_test.go | 4 +- internal/verifier/aws/aws_verifier.go | 6 +- internal/verifier/aws/aws_verifier_test.go | 4 +- .../verifier/azure/azure_entra_verifier.go | 6 +- .../azure/azure_entra_verifier_test.go | 4 +- .../verifier/azure/azure_storage_verifier.go | 6 +- .../azure/azure_storage_verifier_test.go | 4 +- .../verifier/bitbucket/bitbucket_verifier.go | 8 +- .../bitbucket/bitbucket_verifier_test.go | 4 +- .../verifier/circleci/circleci_shared_test.go | 6 +- .../verifier/circleci/circleci_verifier.go | 8 +- .../circleci/circleci_verifier_test.go | 4 +- .../cloudflare/cloudflare_verifier.go | 8 +- .../cloudflare/cloudflare_verifier_test.go | 4 +- .../verifier/coinbase/coinbase_verifier.go | 8 +- .../coinbase/coinbase_verifier_test.go | 4 +- .../databricks/databricks_verifier.go | 8 +- .../databricks/databricks_verifier_test.go | 4 +- .../verifier/datadog/datadog_shared_test.go | 6 +- internal/verifier/datadog/datadog_verifier.go | 8 +- .../verifier/datadog/datadog_verifier_test.go | 4 +- .../verifier/deepseek/deepseek_verifier.go | 8 +- .../deepseek/deepseek_verifier_test.go | 4 +- .../digitalocean/digitalocean_verifier.go | 8 +- .../digitalocean_verifier_test.go | 4 +- internal/verifier/discord/discord_verifier.go | 8 +- .../verifier/discord/discord_verifier_test.go | 4 +- .../verifier/dockerhub/dockerhub_verifier.go | 8 +- .../dockerhub/dockerhub_verifier_test.go | 4 +- internal/verifier/doppler/doppler_verifier.go | 8 +- .../verifier/doppler/doppler_verifier_test.go | 4 +- internal/verifier/engine.go | 2 +- internal/verifier/engine_test.go | 4 +- internal/verifier/figma/figma_verifier.go | 8 +- .../verifier/figma/figma_verifier_test.go | 4 +- internal/verifier/gcp/gcp_verifier.go | 6 +- internal/verifier/gcp/gcp_verifier_test.go | 6 +- .../verifier/github/github_oauth_verifier.go | 8 +- .../github/github_oauth_verifier_test.go | 4 +- .../verifier/github/github_shared_test.go | 6 +- internal/verifier/github/github_verifier.go | 8 +- .../verifier/github/github_verifier_test.go | 4 +- .../verifier/gitlab/gitlab_shared_test.go | 6 +- internal/verifier/gitlab/gitlab_verifier.go | 8 +- .../verifier/gitlab/gitlab_verifier_test.go | 4 +- internal/verifier/grafana/grafana_verifier.go | 8 +- .../verifier/grafana/grafana_verifier_test.go | 4 +- internal/verifier/heroku/heroku_verifier.go | 8 +- .../verifier/heroku/heroku_verifier_test.go | 4 +- .../huggingface/huggingface_verifier.go | 8 +- .../huggingface/huggingface_verifier_test.go | 4 +- internal/verifier/infura/infura_verifier.go | 8 +- .../verifier/infura/infura_verifier_test.go | 4 +- internal/verifier/internal/httpx/verify.go | 2 +- .../verifier/internal/httpx/verify_test.go | 2 +- internal/verifier/internal/vtest/vtest.go | 6 +- .../launchdarkly/launchdarkly_verifier.go | 8 +- .../launchdarkly_verifier_test.go | 4 +- .../verifier/linear/linear_shared_test.go | 6 +- internal/verifier/linear/linear_verifier.go | 8 +- .../verifier/linear/linear_verifier_test.go | 4 +- internal/verifier/mailgun/mailgun_verifier.go | 8 +- .../verifier/mailgun/mailgun_verifier_test.go | 4 +- .../verifier/newrelic/newrelic_verifier.go | 8 +- .../newrelic/newrelic_verifier_test.go | 4 +- internal/verifier/notion/notion_verifier.go | 8 +- .../verifier/notion/notion_verifier_test.go | 4 +- internal/verifier/npm/npm_verifier.go | 8 +- internal/verifier/npm/npm_verifier_test.go | 4 +- internal/verifier/okta/okta_verifier.go | 8 +- internal/verifier/okta/okta_verifier_test.go | 4 +- .../verifier/openai/openai_shared_test.go | 6 +- internal/verifier/openai/openai_verifier.go | 8 +- .../verifier/openai/openai_verifier_test.go | 4 +- .../verifier/pagerduty/pagerduty_verifier.go | 8 +- .../pagerduty/pagerduty_verifier_test.go | 4 +- .../verifier/postmark/postmark_verifier.go | 8 +- .../postmark/postmark_verifier_test.go | 4 +- internal/verifier/pypi/pypi_verifier.go | 8 +- internal/verifier/pypi/pypi_verifier_test.go | 4 +- .../verifier/rabbitmq/rabbitmq_verifier.go | 6 +- .../rabbitmq/rabbitmq_verifier_test.go | 4 +- internal/verifier/registry_test.go | 4 +- .../verifier/rubygems/rubygems_verifier.go | 8 +- .../rubygems/rubygems_verifier_test.go | 4 +- .../verifier/sendgrid/sendgrid_shared_test.go | 6 +- .../verifier/sendgrid/sendgrid_verifier.go | 8 +- .../sendgrid/sendgrid_verifier_test.go | 4 +- .../verifier/sentry/sentry_shared_test.go | 6 +- internal/verifier/sentry/sentry_verifier.go | 8 +- .../verifier/sentry/sentry_verifier_test.go | 4 +- internal/verifier/shopify/shopify_verifier.go | 8 +- .../verifier/shopify/shopify_verifier_test.go | 4 +- internal/verifier/slack/slack_shared_test.go | 6 +- internal/verifier/slack/slack_verifier.go | 8 +- .../verifier/slack/slack_verifier_test.go | 4 +- .../verifier/snowflake/snowflake_verifier.go | 6 +- .../snowflake/snowflake_verifier_test.go | 4 +- internal/verifier/snyk/snyk_shared_test.go | 6 +- internal/verifier/snyk/snyk_verifier.go | 8 +- internal/verifier/snyk/snyk_verifier_test.go | 4 +- .../sonarcloud/sonarcloud_verifier.go | 8 +- .../sonarcloud/sonarcloud_verifier_test.go | 4 +- .../verifier/stripe/stripe_shared_test.go | 6 +- internal/verifier/stripe/stripe_verifier.go | 8 +- .../verifier/stripe/stripe_verifier_test.go | 4 +- .../verifier/supabase/supabase_verifier.go | 8 +- .../supabase/supabase_verifier_test.go | 4 +- internal/verifier/teams/teams_verifier.go | 8 +- .../verifier/teams/teams_verifier_test.go | 4 +- .../verifier/telegram/telegram_shared_test.go | 6 +- .../verifier/telegram/telegram_verifier.go | 8 +- .../telegram/telegram_verifier_test.go | 4 +- .../verifier/terraform/terraform_verifier.go | 8 +- .../terraform/terraform_verifier_test.go | 4 +- internal/verifier/twilio/twilio_verifier.go | 8 +- .../verifier/twilio/twilio_verifier_test.go | 4 +- internal/verifier/vercel/vercel_verifier.go | 8 +- .../verifier/vercel/vercel_verifier_test.go | 4 +- internal/verifier/verifier.go | 4 +- main.go | 2 +- sonar-project.properties | 8 +- vscode/README.md | 4 +- vscode/package.json | 4 +- 317 files changed, 957 insertions(+), 957 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 69805b8..21fbe66 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,11 +1,11 @@ blank_issues_enabled: false contact_links: - name: Documentation - url: https://github.com/cemililik/Leakwatch/tree/main/docs/guides + url: https://github.com/HodeTech/Leakwatch/tree/main/docs/guides about: Check the guides before opening an issue - name: Discussions (Q&A) - url: https://github.com/cemililik/Leakwatch/discussions + url: https://github.com/HodeTech/Leakwatch/discussions about: Ask questions and get help from the community - name: Custom Rules Guide - url: https://github.com/cemililik/Leakwatch/blob/main/docs/guides/custom-rules.md + url: https://github.com/HodeTech/Leakwatch/blob/main/docs/guides/custom-rules.md about: Need a new detector? You can add it with 5 lines of YAML diff --git a/.goreleaser.yml b/.goreleaser.yml index cc9b715..b56459d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -32,11 +32,11 @@ checksum: brews: - repository: - owner: cemililik + owner: HodeTech name: homebrew-tap token: "{{ .Env.HOMEBREW_TAP_TOKEN }}" directory: Formula - homepage: https://github.com/cemililik/Leakwatch + homepage: https://github.com/HodeTech/Leakwatch description: High-performance secret scanner for codebases, Git histories, and container images license: MIT test: | @@ -44,7 +44,7 @@ brews: dockers: - image_templates: - - ghcr.io/cemililik/leakwatch:{{ .Version }}-amd64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-amd64 dockerfile: Dockerfile.goreleaser use: buildx goos: linux @@ -54,11 +54,11 @@ dockers: - --label=org.opencontainers.image.title={{ .ProjectName }} - --label=org.opencontainers.image.version={{ .Version }} - --label=org.opencontainers.image.revision={{ .FullCommit }} - - --label=org.opencontainers.image.source=https://github.com/cemililik/Leakwatch + - --label=org.opencontainers.image.source=https://github.com/HodeTech/Leakwatch - --label=org.opencontainers.image.licenses=MIT - image_templates: - - ghcr.io/cemililik/leakwatch:{{ .Version }}-arm64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-arm64 dockerfile: Dockerfile.goreleaser use: buildx goos: linux @@ -68,24 +68,24 @@ dockers: - --label=org.opencontainers.image.title={{ .ProjectName }} - --label=org.opencontainers.image.version={{ .Version }} - --label=org.opencontainers.image.revision={{ .FullCommit }} - - --label=org.opencontainers.image.source=https://github.com/cemililik/Leakwatch + - --label=org.opencontainers.image.source=https://github.com/HodeTech/Leakwatch - --label=org.opencontainers.image.licenses=MIT docker_manifests: - - name_template: ghcr.io/cemililik/leakwatch:{{ .Version }} + - name_template: ghcr.io/hodetech/leakwatch:{{ .Version }} image_templates: - - ghcr.io/cemililik/leakwatch:{{ .Version }}-amd64 - - ghcr.io/cemililik/leakwatch:{{ .Version }}-arm64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-amd64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-arm64 - - name_template: ghcr.io/cemililik/leakwatch:latest + - name_template: ghcr.io/hodetech/leakwatch:latest image_templates: - - ghcr.io/cemililik/leakwatch:{{ .Version }}-amd64 - - ghcr.io/cemililik/leakwatch:{{ .Version }}-arm64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-amd64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-arm64 - - name_template: ghcr.io/cemililik/leakwatch:v{{ .Major }}.{{ .Minor }} + - name_template: ghcr.io/hodetech/leakwatch:v{{ .Major }}.{{ .Minor }} image_templates: - - ghcr.io/cemililik/leakwatch:{{ .Version }}-amd64 - - ghcr.io/cemililik/leakwatch:{{ .Version }}-arm64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-amd64 + - ghcr.io/hodetech/leakwatch:{{ .Version }}-arm64 changelog: sort: asc diff --git a/CLAUDE.md b/CLAUDE.md index 86fa1f1..a4f7a8a 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -8,7 +8,7 @@ Leakwatch is a high-performance, open source (MIT) security tool that detects, v **Language:** Go (1.25+) **License:** MIT -**Repo:** https://github.com/cemililik/Leakwatch +**Repo:** https://github.com/HodeTech/Leakwatch ## Project Structure diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 01e86ff..334bf83 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -37,7 +37,7 @@ This Code of Conduct applies within all community spaces, and also applies when ## Enforcement -Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at https://github.com/cemililik/Leakwatch/issues. All complaints will be reviewed and investigated promptly and fairly. +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at https://github.com/HodeTech/Leakwatch/issues. All complaints will be reviewed and investigated promptly and fairly. All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a8ed8d0..f51e323 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -5,7 +5,7 @@ Thank you for your interest in contributing to Leakwatch! ## Development Environment ```bash -git clone https://github.com/cemililik/Leakwatch.git +git clone https://github.com/HodeTech/Leakwatch.git cd Leakwatch go mod download go test -race ./... diff --git a/Formula/leakwatch.rb b/Formula/leakwatch.rb index fa035fd..55dad17 100644 --- a/Formula/leakwatch.rb +++ b/Formula/leakwatch.rb @@ -1,25 +1,25 @@ # Homebrew formula for Leakwatch -# Install: brew install cemililik/tap/leakwatch +# Install: brew install HodeTech/tap/leakwatch class Leakwatch < Formula desc "High-performance secret scanner for codebases, Git histories, and container images" - homepage "https://github.com/cemililik/Leakwatch" + homepage "https://github.com/HodeTech/Leakwatch" license "MIT" on_macos do on_arm do - url "https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_Darwin_arm64.tar.gz" + url "https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Darwin_arm64.tar.gz" end on_intel do - url "https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_Darwin_amd64.tar.gz" + url "https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Darwin_amd64.tar.gz" end end on_linux do on_arm do - url "https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_Linux_arm64.tar.gz" + url "https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_arm64.tar.gz" end on_intel do - url "https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz" + url "https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz" end end diff --git a/README.md b/README.md index c9c28a8..06ce289 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # Leakwatch -[![CI](https://github.com/cemililik/Leakwatch/actions/workflows/ci.yml/badge.svg)](https://github.com/cemililik/Leakwatch/actions/workflows/ci.yml) +[![CI](https://github.com/HodeTech/Leakwatch/actions/workflows/ci.yml/badge.svg)](https://github.com/HodeTech/Leakwatch/actions/workflows/ci.yml) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) -[![Go Report Card](https://goreportcard.com/badge/github.com/cemililik/leakwatch)](https://goreportcard.com/report/github.com/cemililik/leakwatch) -[![Go Reference](https://pkg.go.dev/badge/github.com/cemililik/leakwatch.svg)](https://pkg.go.dev/github.com/cemililik/leakwatch) +[![Go Report Card](https://goreportcard.com/badge/github.com/HodeTech/leakwatch)](https://goreportcard.com/report/github.com/HodeTech/leakwatch) +[![Go Reference](https://pkg.go.dev/badge/github.com/HodeTech/leakwatch.svg)](https://pkg.go.dev/github.com/HodeTech/leakwatch) > Next-generation secret scanning platform — fast, accurate, open source. @@ -40,16 +40,16 @@ ```bash # Homebrew (macOS/Linux) -brew install cemililik/tap/leakwatch +brew install HodeTech/tap/leakwatch # Go install -go install github.com/cemililik/leakwatch@latest +go install github.com/HodeTech/leakwatch@latest # Docker -docker run --rm -v $(pwd):/scan ghcr.io/cemililik/leakwatch:latest scan fs /scan +docker run --rm -v $(pwd):/scan ghcr.io/hodetech/leakwatch:latest scan fs /scan # Binary download -curl -sSfL https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_$(uname -s)_$(uname -m).tar.gz | tar xz +curl -sSfL https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_$(uname -s)_$(uname -m).tar.gz | tar xz ``` ### Quick Setup @@ -190,7 +190,7 @@ leakwatch scan fs . --remediation ### GitHub Actions ```yaml -- uses: cemililik/leakwatch-action@v1 +- uses: HodeTech/leakwatch-action@v1 with: scan-type: git only-verified: true # only report verified live secrets (action default: false) @@ -202,7 +202,7 @@ leakwatch scan fs . --remediation ```yaml # .pre-commit-config.yaml repos: - - repo: https://github.com/cemililik/Leakwatch + - repo: https://github.com/HodeTech/Leakwatch rev: v1.5.0 hooks: - id: leakwatch @@ -333,7 +333,7 @@ We welcome your contributions! Please see the [CONTRIBUTING.md](CONTRIBUTING.md) ```bash # Set up the development environment -git clone https://github.com/cemililik/Leakwatch.git +git clone https://github.com/HodeTech/Leakwatch.git cd Leakwatch go mod download go test ./... diff --git a/action/action.yml b/action/action.yml index da48cd0..a889918 100644 --- a/action/action.yml +++ b/action/action.yml @@ -1,6 +1,6 @@ name: 'Leakwatch Secret Scanner' description: 'Scan your codebase for leaked secrets (API keys, passwords, certificates)' -author: 'cemililik' +author: 'HodeTech' branding: icon: 'shield' @@ -59,9 +59,9 @@ runs: INPUT_VERSION: ${{ inputs.version }} run: | if [ "$INPUT_VERSION" = "latest" ]; then - go install github.com/cemililik/leakwatch@latest + go install github.com/HodeTech/leakwatch@latest else - go install "github.com/cemililik/leakwatch@$INPUT_VERSION" + go install "github.com/HodeTech/leakwatch@$INPUT_VERSION" fi - name: Run scan diff --git a/cmd/imports.go b/cmd/imports.go index 51d1afa..eac7220 100644 --- a/cmd/imports.go +++ b/cmd/imports.go @@ -9,118 +9,118 @@ package cmd // Register detectors at compile time via init(). import ( - _ "github.com/cemililik/leakwatch/internal/detector/airtable" // register airtable detector - _ "github.com/cemililik/leakwatch/internal/detector/anthropic" // register anthropic detector - _ "github.com/cemililik/leakwatch/internal/detector/auth0" // register auth0 detector - _ "github.com/cemililik/leakwatch/internal/detector/aws" // register aws detector - _ "github.com/cemililik/leakwatch/internal/detector/azure" // register azure detectors (storage + entra) - _ "github.com/cemililik/leakwatch/internal/detector/bitbucket" // register bitbucket detector - _ "github.com/cemililik/leakwatch/internal/detector/circleci" // register circleci detector - _ "github.com/cemililik/leakwatch/internal/detector/cloudflare" // register cloudflare detector - _ "github.com/cemililik/leakwatch/internal/detector/coinbase" // register coinbase detector - _ "github.com/cemililik/leakwatch/internal/detector/databricks" // register databricks detector - _ "github.com/cemililik/leakwatch/internal/detector/datadog" // register datadog detector - _ "github.com/cemililik/leakwatch/internal/detector/dbconn" // register database connection-string detector - _ "github.com/cemililik/leakwatch/internal/detector/deepseek" // register deepseek detector - _ "github.com/cemililik/leakwatch/internal/detector/digitalocean" // register digitalocean detector - _ "github.com/cemililik/leakwatch/internal/detector/discord" // register discord detector - _ "github.com/cemililik/leakwatch/internal/detector/dockerhub" // register dockerhub detector - _ "github.com/cemililik/leakwatch/internal/detector/doppler" // register doppler detector - _ "github.com/cemililik/leakwatch/internal/detector/figma" // register figma detector - _ "github.com/cemililik/leakwatch/internal/detector/ftp" // register ftp credentials detector - _ "github.com/cemililik/leakwatch/internal/detector/gcp" // register gcp service-account detector - _ "github.com/cemililik/leakwatch/internal/detector/generic" // register generic api-key detector - _ "github.com/cemililik/leakwatch/internal/detector/github" // register github detectors (pat + oauth) - _ "github.com/cemililik/leakwatch/internal/detector/gitlab" // register gitlab detector - _ "github.com/cemililik/leakwatch/internal/detector/grafana" // register grafana detector - _ "github.com/cemililik/leakwatch/internal/detector/heroku" // register heroku detector - _ "github.com/cemililik/leakwatch/internal/detector/huggingface" // register huggingface detector - _ "github.com/cemililik/leakwatch/internal/detector/infura" // register infura detector - _ "github.com/cemililik/leakwatch/internal/detector/jwt" // register jwt detector - _ "github.com/cemililik/leakwatch/internal/detector/launchdarkly" // register launchdarkly detector - _ "github.com/cemililik/leakwatch/internal/detector/ldap" // register ldap credentials detector - _ "github.com/cemililik/leakwatch/internal/detector/linear" // register linear detector - _ "github.com/cemililik/leakwatch/internal/detector/mailgun" // register mailgun detector - _ "github.com/cemililik/leakwatch/internal/detector/newrelic" // register newrelic detector - _ "github.com/cemililik/leakwatch/internal/detector/notion" // register notion detector - _ "github.com/cemililik/leakwatch/internal/detector/npm" // register npm detector - _ "github.com/cemililik/leakwatch/internal/detector/okta" // register okta detector - _ "github.com/cemililik/leakwatch/internal/detector/openai" // register openai detector - _ "github.com/cemililik/leakwatch/internal/detector/pagerduty" // register pagerduty detector - _ "github.com/cemililik/leakwatch/internal/detector/postmark" // register postmark detector - _ "github.com/cemililik/leakwatch/internal/detector/privatekey" // register private-key detector (RSA, SSH, DSA, EC, PGP) - _ "github.com/cemililik/leakwatch/internal/detector/pypi" // register pypi detector - _ "github.com/cemililik/leakwatch/internal/detector/rabbitmq" // register rabbitmq detector - _ "github.com/cemililik/leakwatch/internal/detector/redis" // register redis detector - _ "github.com/cemililik/leakwatch/internal/detector/rubygems" // register rubygems detector - _ "github.com/cemililik/leakwatch/internal/detector/sendgrid" // register sendgrid detector - _ "github.com/cemililik/leakwatch/internal/detector/sentry" // register sentry detector - _ "github.com/cemililik/leakwatch/internal/detector/shopify" // register shopify detector - _ "github.com/cemililik/leakwatch/internal/detector/slack" // register slack detectors (token + webhook) - _ "github.com/cemililik/leakwatch/internal/detector/snowflake" // register snowflake detector - _ "github.com/cemililik/leakwatch/internal/detector/snyk" // register snyk detector - _ "github.com/cemililik/leakwatch/internal/detector/sonarcloud" // register sonarcloud detector - _ "github.com/cemililik/leakwatch/internal/detector/stripe" // register stripe detectors (live + test) - _ "github.com/cemililik/leakwatch/internal/detector/supabase" // register supabase detector - _ "github.com/cemililik/leakwatch/internal/detector/teams" // register microsoft teams webhook detector - _ "github.com/cemililik/leakwatch/internal/detector/telegram" // register telegram detector - _ "github.com/cemililik/leakwatch/internal/detector/terraform" // register terraform cloud detector - _ "github.com/cemililik/leakwatch/internal/detector/twilio" // register twilio detector - _ "github.com/cemililik/leakwatch/internal/detector/vault" // register hashicorp vault detector - _ "github.com/cemililik/leakwatch/internal/detector/vercel" // register vercel detector + _ "github.com/HodeTech/leakwatch/internal/detector/airtable" // register airtable detector + _ "github.com/HodeTech/leakwatch/internal/detector/anthropic" // register anthropic detector + _ "github.com/HodeTech/leakwatch/internal/detector/auth0" // register auth0 detector + _ "github.com/HodeTech/leakwatch/internal/detector/aws" // register aws detector + _ "github.com/HodeTech/leakwatch/internal/detector/azure" // register azure detectors (storage + entra) + _ "github.com/HodeTech/leakwatch/internal/detector/bitbucket" // register bitbucket detector + _ "github.com/HodeTech/leakwatch/internal/detector/circleci" // register circleci detector + _ "github.com/HodeTech/leakwatch/internal/detector/cloudflare" // register cloudflare detector + _ "github.com/HodeTech/leakwatch/internal/detector/coinbase" // register coinbase detector + _ "github.com/HodeTech/leakwatch/internal/detector/databricks" // register databricks detector + _ "github.com/HodeTech/leakwatch/internal/detector/datadog" // register datadog detector + _ "github.com/HodeTech/leakwatch/internal/detector/dbconn" // register database connection-string detector + _ "github.com/HodeTech/leakwatch/internal/detector/deepseek" // register deepseek detector + _ "github.com/HodeTech/leakwatch/internal/detector/digitalocean" // register digitalocean detector + _ "github.com/HodeTech/leakwatch/internal/detector/discord" // register discord detector + _ "github.com/HodeTech/leakwatch/internal/detector/dockerhub" // register dockerhub detector + _ "github.com/HodeTech/leakwatch/internal/detector/doppler" // register doppler detector + _ "github.com/HodeTech/leakwatch/internal/detector/figma" // register figma detector + _ "github.com/HodeTech/leakwatch/internal/detector/ftp" // register ftp credentials detector + _ "github.com/HodeTech/leakwatch/internal/detector/gcp" // register gcp service-account detector + _ "github.com/HodeTech/leakwatch/internal/detector/generic" // register generic api-key detector + _ "github.com/HodeTech/leakwatch/internal/detector/github" // register github detectors (pat + oauth) + _ "github.com/HodeTech/leakwatch/internal/detector/gitlab" // register gitlab detector + _ "github.com/HodeTech/leakwatch/internal/detector/grafana" // register grafana detector + _ "github.com/HodeTech/leakwatch/internal/detector/heroku" // register heroku detector + _ "github.com/HodeTech/leakwatch/internal/detector/huggingface" // register huggingface detector + _ "github.com/HodeTech/leakwatch/internal/detector/infura" // register infura detector + _ "github.com/HodeTech/leakwatch/internal/detector/jwt" // register jwt detector + _ "github.com/HodeTech/leakwatch/internal/detector/launchdarkly" // register launchdarkly detector + _ "github.com/HodeTech/leakwatch/internal/detector/ldap" // register ldap credentials detector + _ "github.com/HodeTech/leakwatch/internal/detector/linear" // register linear detector + _ "github.com/HodeTech/leakwatch/internal/detector/mailgun" // register mailgun detector + _ "github.com/HodeTech/leakwatch/internal/detector/newrelic" // register newrelic detector + _ "github.com/HodeTech/leakwatch/internal/detector/notion" // register notion detector + _ "github.com/HodeTech/leakwatch/internal/detector/npm" // register npm detector + _ "github.com/HodeTech/leakwatch/internal/detector/okta" // register okta detector + _ "github.com/HodeTech/leakwatch/internal/detector/openai" // register openai detector + _ "github.com/HodeTech/leakwatch/internal/detector/pagerduty" // register pagerduty detector + _ "github.com/HodeTech/leakwatch/internal/detector/postmark" // register postmark detector + _ "github.com/HodeTech/leakwatch/internal/detector/privatekey" // register private-key detector (RSA, SSH, DSA, EC, PGP) + _ "github.com/HodeTech/leakwatch/internal/detector/pypi" // register pypi detector + _ "github.com/HodeTech/leakwatch/internal/detector/rabbitmq" // register rabbitmq detector + _ "github.com/HodeTech/leakwatch/internal/detector/redis" // register redis detector + _ "github.com/HodeTech/leakwatch/internal/detector/rubygems" // register rubygems detector + _ "github.com/HodeTech/leakwatch/internal/detector/sendgrid" // register sendgrid detector + _ "github.com/HodeTech/leakwatch/internal/detector/sentry" // register sentry detector + _ "github.com/HodeTech/leakwatch/internal/detector/shopify" // register shopify detector + _ "github.com/HodeTech/leakwatch/internal/detector/slack" // register slack detectors (token + webhook) + _ "github.com/HodeTech/leakwatch/internal/detector/snowflake" // register snowflake detector + _ "github.com/HodeTech/leakwatch/internal/detector/snyk" // register snyk detector + _ "github.com/HodeTech/leakwatch/internal/detector/sonarcloud" // register sonarcloud detector + _ "github.com/HodeTech/leakwatch/internal/detector/stripe" // register stripe detectors (live + test) + _ "github.com/HodeTech/leakwatch/internal/detector/supabase" // register supabase detector + _ "github.com/HodeTech/leakwatch/internal/detector/teams" // register microsoft teams webhook detector + _ "github.com/HodeTech/leakwatch/internal/detector/telegram" // register telegram detector + _ "github.com/HodeTech/leakwatch/internal/detector/terraform" // register terraform cloud detector + _ "github.com/HodeTech/leakwatch/internal/detector/twilio" // register twilio detector + _ "github.com/HodeTech/leakwatch/internal/detector/vault" // register hashicorp vault detector + _ "github.com/HodeTech/leakwatch/internal/detector/vercel" // register vercel detector ) // Register verifiers at compile time via init(). import ( - _ "github.com/cemililik/leakwatch/internal/verifier/airtable" // register airtable verifier - _ "github.com/cemililik/leakwatch/internal/verifier/anthropic" // register anthropic verifier - _ "github.com/cemililik/leakwatch/internal/verifier/auth0" // register auth0 verifier - _ "github.com/cemililik/leakwatch/internal/verifier/aws" // register aws STS verifier - _ "github.com/cemililik/leakwatch/internal/verifier/azure" // register azure verifiers (storage + entra) - _ "github.com/cemililik/leakwatch/internal/verifier/bitbucket" // register bitbucket verifier - _ "github.com/cemililik/leakwatch/internal/verifier/circleci" // register circleci verifier - _ "github.com/cemililik/leakwatch/internal/verifier/cloudflare" // register cloudflare verifier - _ "github.com/cemililik/leakwatch/internal/verifier/coinbase" // register coinbase verifier - _ "github.com/cemililik/leakwatch/internal/verifier/databricks" // register databricks verifier - _ "github.com/cemililik/leakwatch/internal/verifier/datadog" // register datadog verifier - _ "github.com/cemililik/leakwatch/internal/verifier/deepseek" // register deepseek verifier - _ "github.com/cemililik/leakwatch/internal/verifier/digitalocean" // register digitalocean verifier - _ "github.com/cemililik/leakwatch/internal/verifier/discord" // register discord verifier - _ "github.com/cemililik/leakwatch/internal/verifier/dockerhub" // register dockerhub verifier - _ "github.com/cemililik/leakwatch/internal/verifier/doppler" // register doppler verifier - _ "github.com/cemililik/leakwatch/internal/verifier/figma" // register figma verifier - _ "github.com/cemililik/leakwatch/internal/verifier/gcp" // register gcp verifier (format validation) - _ "github.com/cemililik/leakwatch/internal/verifier/github" // register github verifiers (pat + oauth) - _ "github.com/cemililik/leakwatch/internal/verifier/gitlab" // register gitlab verifier - _ "github.com/cemililik/leakwatch/internal/verifier/grafana" // register grafana verifier - _ "github.com/cemililik/leakwatch/internal/verifier/heroku" // register heroku verifier - _ "github.com/cemililik/leakwatch/internal/verifier/huggingface" // register huggingface verifier - _ "github.com/cemililik/leakwatch/internal/verifier/infura" // register infura verifier - _ "github.com/cemililik/leakwatch/internal/verifier/launchdarkly" // register launchdarkly verifier - _ "github.com/cemililik/leakwatch/internal/verifier/linear" // register linear verifier - _ "github.com/cemililik/leakwatch/internal/verifier/mailgun" // register mailgun verifier - _ "github.com/cemililik/leakwatch/internal/verifier/newrelic" // register newrelic verifier - _ "github.com/cemililik/leakwatch/internal/verifier/notion" // register notion verifier - _ "github.com/cemililik/leakwatch/internal/verifier/npm" // register npm verifier - _ "github.com/cemililik/leakwatch/internal/verifier/okta" // register okta verifier - _ "github.com/cemililik/leakwatch/internal/verifier/openai" // register openai verifier - _ "github.com/cemililik/leakwatch/internal/verifier/pagerduty" // register pagerduty verifier - _ "github.com/cemililik/leakwatch/internal/verifier/postmark" // register postmark verifier - _ "github.com/cemililik/leakwatch/internal/verifier/pypi" // register pypi verifier - _ "github.com/cemililik/leakwatch/internal/verifier/rabbitmq" // register rabbitmq verifier (format validation) - _ "github.com/cemililik/leakwatch/internal/verifier/rubygems" // register rubygems verifier - _ "github.com/cemililik/leakwatch/internal/verifier/sendgrid" // register sendgrid verifier - _ "github.com/cemililik/leakwatch/internal/verifier/sentry" // register sentry verifier - _ "github.com/cemililik/leakwatch/internal/verifier/shopify" // register shopify verifier - _ "github.com/cemililik/leakwatch/internal/verifier/slack" // register slack verifier - _ "github.com/cemililik/leakwatch/internal/verifier/snowflake" // register snowflake verifier (format validation) - _ "github.com/cemililik/leakwatch/internal/verifier/snyk" // register snyk verifier - _ "github.com/cemililik/leakwatch/internal/verifier/sonarcloud" // register sonarcloud verifier - _ "github.com/cemililik/leakwatch/internal/verifier/stripe" // register stripe verifiers (live + test) - _ "github.com/cemililik/leakwatch/internal/verifier/supabase" // register supabase verifier - _ "github.com/cemililik/leakwatch/internal/verifier/teams" // register microsoft teams webhook verifier - _ "github.com/cemililik/leakwatch/internal/verifier/telegram" // register telegram verifier - _ "github.com/cemililik/leakwatch/internal/verifier/terraform" // register terraform cloud verifier - _ "github.com/cemililik/leakwatch/internal/verifier/twilio" // register twilio verifier - _ "github.com/cemililik/leakwatch/internal/verifier/vercel" // register vercel verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/airtable" // register airtable verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/anthropic" // register anthropic verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/auth0" // register auth0 verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/aws" // register aws STS verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/azure" // register azure verifiers (storage + entra) + _ "github.com/HodeTech/leakwatch/internal/verifier/bitbucket" // register bitbucket verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/circleci" // register circleci verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/cloudflare" // register cloudflare verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/coinbase" // register coinbase verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/databricks" // register databricks verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/datadog" // register datadog verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/deepseek" // register deepseek verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/digitalocean" // register digitalocean verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/discord" // register discord verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/dockerhub" // register dockerhub verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/doppler" // register doppler verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/figma" // register figma verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/gcp" // register gcp verifier (format validation) + _ "github.com/HodeTech/leakwatch/internal/verifier/github" // register github verifiers (pat + oauth) + _ "github.com/HodeTech/leakwatch/internal/verifier/gitlab" // register gitlab verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/grafana" // register grafana verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/heroku" // register heroku verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/huggingface" // register huggingface verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/infura" // register infura verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/launchdarkly" // register launchdarkly verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/linear" // register linear verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/mailgun" // register mailgun verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/newrelic" // register newrelic verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/notion" // register notion verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/npm" // register npm verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/okta" // register okta verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/openai" // register openai verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/pagerduty" // register pagerduty verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/postmark" // register postmark verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/pypi" // register pypi verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/rabbitmq" // register rabbitmq verifier (format validation) + _ "github.com/HodeTech/leakwatch/internal/verifier/rubygems" // register rubygems verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/sendgrid" // register sendgrid verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/sentry" // register sentry verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/shopify" // register shopify verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/slack" // register slack verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/snowflake" // register snowflake verifier (format validation) + _ "github.com/HodeTech/leakwatch/internal/verifier/snyk" // register snyk verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/sonarcloud" // register sonarcloud verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/stripe" // register stripe verifiers (live + test) + _ "github.com/HodeTech/leakwatch/internal/verifier/supabase" // register supabase verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/teams" // register microsoft teams webhook verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/telegram" // register telegram verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/terraform" // register terraform cloud verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/twilio" // register twilio verifier + _ "github.com/HodeTech/leakwatch/internal/verifier/vercel" // register vercel verifier ) diff --git a/cmd/init.go b/cmd/init.go index 04577af..001346e 100644 --- a/cmd/init.go +++ b/cmd/init.go @@ -33,7 +33,7 @@ func init() { } const defaultConfig = `# Leakwatch Configuration -# Documentation: https://github.com/cemililik/Leakwatch/blob/main/docs/guides/configuration.md +# Documentation: https://github.com/HodeTech/Leakwatch/blob/main/docs/guides/configuration.md scan: concurrency: 8 # Number of concurrent workers diff --git a/cmd/scan_common.go b/cmd/scan_common.go index 15f6533..030642a 100644 --- a/cmd/scan_common.go +++ b/cmd/scan_common.go @@ -17,20 +17,20 @@ import ( "github.com/spf13/pflag" "github.com/spf13/viper" - "github.com/cemililik/leakwatch/internal/config" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/detector/custom" - "github.com/cemililik/leakwatch/internal/engine" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/output" - csvout "github.com/cemililik/leakwatch/internal/output/csv" - jsonout "github.com/cemililik/leakwatch/internal/output/json" - sarifout "github.com/cemililik/leakwatch/internal/output/sarif" - tableout "github.com/cemililik/leakwatch/internal/output/table" - "github.com/cemililik/leakwatch/internal/remediation" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/config" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/detector/custom" + "github.com/HodeTech/leakwatch/internal/engine" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/output" + csvout "github.com/HodeTech/leakwatch/internal/output/csv" + jsonout "github.com/HodeTech/leakwatch/internal/output/json" + sarifout "github.com/HodeTech/leakwatch/internal/output/sarif" + tableout "github.com/HodeTech/leakwatch/internal/output/table" + "github.com/HodeTech/leakwatch/internal/remediation" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) // closeable is implemented by sources that hold resources (e.g. cloned repos). diff --git a/cmd/scan_common_test.go b/cmd/scan_common_test.go index b1294e8..9d918c9 100644 --- a/cmd/scan_common_test.go +++ b/cmd/scan_common_test.go @@ -7,11 +7,11 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - csvout "github.com/cemililik/leakwatch/internal/output/csv" - jsonout "github.com/cemililik/leakwatch/internal/output/json" - sarifout "github.com/cemililik/leakwatch/internal/output/sarif" - tableout "github.com/cemililik/leakwatch/internal/output/table" - "github.com/cemililik/leakwatch/pkg/finding" + csvout "github.com/HodeTech/leakwatch/internal/output/csv" + jsonout "github.com/HodeTech/leakwatch/internal/output/json" + sarifout "github.com/HodeTech/leakwatch/internal/output/sarif" + tableout "github.com/HodeTech/leakwatch/internal/output/table" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestParseSeverity_ValidInputs_ReturnsCorrectSeverity(t *testing.T) { diff --git a/cmd/scan_fs.go b/cmd/scan_fs.go index 966669d..229b9ce 100644 --- a/cmd/scan_fs.go +++ b/cmd/scan_fs.go @@ -7,7 +7,7 @@ import ( "github.com/spf13/cobra" - "github.com/cemililik/leakwatch/internal/source/filesystem" + "github.com/HodeTech/leakwatch/internal/source/filesystem" ) var scanFsCmd = &cobra.Command{ diff --git a/cmd/scan_gcs.go b/cmd/scan_gcs.go index 72e1de0..54bd022 100644 --- a/cmd/scan_gcs.go +++ b/cmd/scan_gcs.go @@ -5,7 +5,7 @@ import ( "github.com/spf13/cobra" - gcssource "github.com/cemililik/leakwatch/internal/source/gcs" + gcssource "github.com/HodeTech/leakwatch/internal/source/gcs" ) var scanGCSCmd = &cobra.Command{ diff --git a/cmd/scan_git.go b/cmd/scan_git.go index 970e9f3..bbef156 100644 --- a/cmd/scan_git.go +++ b/cmd/scan_git.go @@ -7,7 +7,7 @@ import ( "github.com/spf13/cobra" - gitsource "github.com/cemililik/leakwatch/internal/source/git" + gitsource "github.com/HodeTech/leakwatch/internal/source/git" ) var scanGitCmd = &cobra.Command{ diff --git a/cmd/scan_image.go b/cmd/scan_image.go index dc67516..4fbc6c2 100644 --- a/cmd/scan_image.go +++ b/cmd/scan_image.go @@ -5,7 +5,7 @@ import ( "github.com/spf13/cobra" - "github.com/cemililik/leakwatch/internal/source/container" + "github.com/HodeTech/leakwatch/internal/source/container" ) var scanImageCmd = &cobra.Command{ diff --git a/cmd/scan_repos.go b/cmd/scan_repos.go index 0ef37f9..ab0123e 100644 --- a/cmd/scan_repos.go +++ b/cmd/scan_repos.go @@ -11,9 +11,9 @@ import ( "github.com/spf13/cobra" - "github.com/cemililik/leakwatch/internal/engine" - gitsource "github.com/cemililik/leakwatch/internal/source/git" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/engine" + gitsource "github.com/HodeTech/leakwatch/internal/source/git" + "github.com/HodeTech/leakwatch/pkg/finding" ) var scanReposCmd = &cobra.Command{ diff --git a/cmd/scan_s3.go b/cmd/scan_s3.go index 18d0e29..96cfed3 100644 --- a/cmd/scan_s3.go +++ b/cmd/scan_s3.go @@ -5,7 +5,7 @@ import ( "github.com/spf13/cobra" - s3source "github.com/cemililik/leakwatch/internal/source/s3" + s3source "github.com/HodeTech/leakwatch/internal/source/s3" ) var scanS3Cmd = &cobra.Command{ diff --git a/cmd/scan_slack.go b/cmd/scan_slack.go index 12564ba..d5f605d 100644 --- a/cmd/scan_slack.go +++ b/cmd/scan_slack.go @@ -10,7 +10,7 @@ import ( "github.com/spf13/cobra" - slacksource "github.com/cemililik/leakwatch/internal/source/slack" + slacksource "github.com/HodeTech/leakwatch/internal/source/slack" ) // flagIncludeFiles is the slack-only flag that requests scanning of uploaded diff --git a/docs/architecture/03-ARCHITECTURE.md b/docs/architecture/03-ARCHITECTURE.md index c19389b..9dc9d2f 100644 --- a/docs/architecture/03-ARCHITECTURE.md +++ b/docs/architecture/03-ARCHITECTURE.md @@ -512,27 +512,27 @@ func (d *AWSAccessKeyID) Scan(ctx context.Context, data []byte) []RawFinding { import ( // Register detectors - _ "github.com/cemililik/leakwatch/internal/detector/aws" - _ "github.com/cemililik/leakwatch/internal/detector/generic" - _ "github.com/cemililik/leakwatch/internal/detector/privatekey" - _ "github.com/cemililik/leakwatch/internal/detector/github" - _ "github.com/cemililik/leakwatch/internal/detector/slack" - _ "github.com/cemililik/leakwatch/internal/detector/stripe" - _ "github.com/cemililik/leakwatch/internal/detector/jwt" - _ "github.com/cemililik/leakwatch/internal/detector/dbconn" - _ "github.com/cemililik/leakwatch/internal/detector/custom" + _ "github.com/HodeTech/leakwatch/internal/detector/aws" + _ "github.com/HodeTech/leakwatch/internal/detector/generic" + _ "github.com/HodeTech/leakwatch/internal/detector/privatekey" + _ "github.com/HodeTech/leakwatch/internal/detector/github" + _ "github.com/HodeTech/leakwatch/internal/detector/slack" + _ "github.com/HodeTech/leakwatch/internal/detector/stripe" + _ "github.com/HodeTech/leakwatch/internal/detector/jwt" + _ "github.com/HodeTech/leakwatch/internal/detector/dbconn" + _ "github.com/HodeTech/leakwatch/internal/detector/custom" // Register sources - _ "github.com/cemililik/leakwatch/internal/source/git" - _ "github.com/cemililik/leakwatch/internal/source/filesystem" - _ "github.com/cemililik/leakwatch/internal/source/container" - _ "github.com/cemililik/leakwatch/internal/source/s3" - _ "github.com/cemililik/leakwatch/internal/source/gcs" - _ "github.com/cemililik/leakwatch/internal/source/slack" + _ "github.com/HodeTech/leakwatch/internal/source/git" + _ "github.com/HodeTech/leakwatch/internal/source/filesystem" + _ "github.com/HodeTech/leakwatch/internal/source/container" + _ "github.com/HodeTech/leakwatch/internal/source/s3" + _ "github.com/HodeTech/leakwatch/internal/source/gcs" + _ "github.com/HodeTech/leakwatch/internal/source/slack" // Register verifiers - _ "github.com/cemililik/leakwatch/internal/verifier/aws" - _ "github.com/cemililik/leakwatch/internal/verifier/github" + _ "github.com/HodeTech/leakwatch/internal/verifier/aws" + _ "github.com/HodeTech/leakwatch/internal/verifier/github" ) ``` diff --git a/docs/architecture/05-VERIFIER-ANALYSIS.md b/docs/architecture/05-VERIFIER-ANALYSIS.md index e6454c8..2ec8393 100644 --- a/docs/architecture/05-VERIFIER-ANALYSIS.md +++ b/docs/architecture/05-VERIFIER-ANALYSIS.md @@ -240,9 +240,9 @@ import ( "log/slog" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "" @@ -280,6 +280,6 @@ New verifiers are registered at compile time. After creating the verifier packag ```go import ( - _ "github.com/cemililik/leakwatch/internal/verifier/" + _ "github.com/HodeTech/leakwatch/internal/verifier/" ) ``` diff --git a/docs/guides/ci-cd-integration.md b/docs/guides/ci-cd-integration.md index 8e747d9..8f8eae4 100644 --- a/docs/guides/ci-cd-integration.md +++ b/docs/guides/ci-cd-integration.md @@ -107,7 +107,7 @@ jobs: go-version: '1.25' - name: Leakwatch Scan - uses: cemililik/leakwatch-action@v1 + uses: HodeTech/leakwatch-action@v1 with: scan-type: fs only-verified: true @@ -146,7 +146,7 @@ jobs: go-version: '1.25' - name: Leakwatch Scan - uses: cemililik/leakwatch-action@v1 + uses: HodeTech/leakwatch-action@v1 with: scan-type: git format: sarif @@ -205,7 +205,7 @@ jobs: - name: Leakwatch PR scan run: | - go install github.com/cemililik/leakwatch@latest + go install github.com/HodeTech/leakwatch@latest leakwatch scan git . \ --since-commit ${{ steps.base.outputs.sha }} \ --format sarif \ @@ -254,7 +254,7 @@ jobs: go-version: '1.25' - name: Full history scan - uses: cemililik/leakwatch-action@v1 + uses: HodeTech/leakwatch-action@v1 with: scan-type: git format: sarif @@ -316,7 +316,7 @@ jobs: - name: PR scan run: | - go install github.com/cemililik/leakwatch@${{ env.LEAKWATCH_VERSION }} + go install github.com/HodeTech/leakwatch@${{ env.LEAKWATCH_VERSION }} leakwatch scan git . \ --since-commit ${{ steps.base.outputs.sha }} \ --format sarif \ @@ -342,7 +342,7 @@ jobs: go-version: '1.25' - name: Filesystem scan - uses: cemililik/leakwatch-action@v1 + uses: HodeTech/leakwatch-action@v1 with: scan-type: fs format: sarif @@ -364,7 +364,7 @@ jobs: go-version: '1.25' - name: Full history scan - uses: cemililik/leakwatch-action@v1 + uses: HodeTech/leakwatch-action@v1 with: scan-type: git format: sarif @@ -395,7 +395,7 @@ leakwatch-scan: stage: security image: golang:1.25-alpine before_script: - - go install github.com/cemililik/leakwatch@latest + - go install github.com/HodeTech/leakwatch@latest script: - leakwatch scan fs . --format sarif --output leakwatch-results.sarif --min-severity medium artifacts: @@ -424,7 +424,7 @@ leakwatch-mr-scan: image: golang:1.25-alpine before_script: - apk add --no-cache git - - go install github.com/cemililik/leakwatch@latest + - go install github.com/HodeTech/leakwatch@latest script: # Find the MR base commit - BASE_SHA=$(git merge-base origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME HEAD) @@ -444,7 +444,7 @@ leakwatch-full-scan: image: golang:1.25-alpine before_script: - apk add --no-cache git - - go install github.com/cemililik/leakwatch@latest + - go install github.com/HodeTech/leakwatch@latest script: - leakwatch scan git . --format sarif --output leakwatch-results.sarif --min-severity low artifacts: @@ -469,7 +469,7 @@ Using the Docker image without requiring Go installation: leakwatch-docker-scan: stage: security image: - name: ghcr.io/cemililik/leakwatch:latest + name: ghcr.io/hodetech/leakwatch:latest entrypoint: [""] script: - leakwatch scan fs /builds/$CI_PROJECT_PATH --format sarif --output leakwatch-results.sarif @@ -506,7 +506,7 @@ pipeline { stage('Install Leakwatch') { steps { sh ''' - go install github.com/cemililik/leakwatch@${LEAKWATCH_VERSION} + go install github.com/HodeTech/leakwatch@${LEAKWATCH_VERSION} ''' } } @@ -554,7 +554,7 @@ pipeline { pipeline { agent { docker { - image 'ghcr.io/cemililik/leakwatch:latest' + image 'ghcr.io/hodetech/leakwatch:latest' args '-v ${WORKSPACE}:/scan' } } @@ -600,7 +600,7 @@ Create a `.pre-commit-config.yaml` file in your project root: ```yaml # .pre-commit-config.yaml repos: - - repo: https://github.com/cemililik/Leakwatch + - repo: https://github.com/HodeTech/Leakwatch rev: v1.5.0 hooks: - id: leakwatch @@ -664,21 +664,21 @@ The Leakwatch Docker image can be used in any CI/CD environment without requirin ### 6.1 Docker Image -The Leakwatch Docker image is published on GitHub Container Registry as `ghcr.io/cemililik/leakwatch`. The image is based on Alpine Linux and has a minimal size. +The Leakwatch Docker image is published on GitHub Container Registry as `ghcr.io/hodetech/leakwatch`. The image is based on Alpine Linux and has a minimal size. ```bash # Scan a local directory -docker run --rm -v "$(pwd):/scan" ghcr.io/cemililik/leakwatch:latest scan fs /scan +docker run --rm -v "$(pwd):/scan" ghcr.io/hodetech/leakwatch:latest scan fs /scan # Scan a Git repository -docker run --rm -v "$(pwd):/scan" ghcr.io/cemililik/leakwatch:latest scan git /scan +docker run --rm -v "$(pwd):/scan" ghcr.io/hodetech/leakwatch:latest scan git /scan # SARIF output -docker run --rm -v "$(pwd):/scan" ghcr.io/cemililik/leakwatch:latest \ +docker run --rm -v "$(pwd):/scan" ghcr.io/hodetech/leakwatch:latest \ scan fs /scan --format sarif --output /scan/results.sarif # Show only verified active secrets -docker run --rm -v "$(pwd):/scan" ghcr.io/cemililik/leakwatch:latest \ +docker run --rm -v "$(pwd):/scan" ghcr.io/hodetech/leakwatch:latest \ scan fs /scan --only-verified ``` @@ -697,7 +697,7 @@ COPY . . RUN go build -o myapp . # Security scan stage -FROM ghcr.io/cemililik/leakwatch:latest AS security +FROM ghcr.io/hodetech/leakwatch:latest AS security COPY --from=builder /app /scan RUN leakwatch scan fs /scan --min-severity high @@ -715,10 +715,10 @@ To scan container images for secrets, provide the full registry reference. Leakw ```bash # Scan a Docker Hub image -docker run --rm ghcr.io/cemililik/leakwatch:latest scan image nginx:latest +docker run --rm ghcr.io/hodetech/leakwatch:latest scan image nginx:latest # Scan a GHCR image -docker run --rm ghcr.io/cemililik/leakwatch:latest scan image ghcr.io/myorg/myapp:latest +docker run --rm ghcr.io/hodetech/leakwatch:latest scan image ghcr.io/myorg/myapp:latest ``` --- diff --git a/docs/guides/container-scanning.md b/docs/guides/container-scanning.md index 6f0b0db..29413c2 100644 --- a/docs/guides/container-scanning.md +++ b/docs/guides/container-scanning.md @@ -415,7 +415,7 @@ jobs: go-version: '1.25' - name: Install Leakwatch - run: go install github.com/cemililik/leakwatch@latest + run: go install github.com/HodeTech/leakwatch@latest - name: Scan container image run: | @@ -453,7 +453,7 @@ container-scan: DOCKER_TLS_CERTDIR: "/certs" script: - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA . - - go install github.com/cemililik/leakwatch@latest + - go install github.com/HodeTech/leakwatch@latest - leakwatch scan image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA --format json --output results.json artifacts: reports: diff --git a/docs/guides/docker-usage.md b/docs/guides/docker-usage.md index 8df37da..7625c71 100644 --- a/docs/guides/docker-usage.md +++ b/docs/guides/docker-usage.md @@ -12,31 +12,31 @@ Leakwatch is available as a container image from GitHub Container Registry. No i ```bash # Pull the latest image -docker pull ghcr.io/cemililik/leakwatch:latest +docker pull ghcr.io/hodetech/leakwatch:latest ``` ### Scan a Local Directory (Filesystem) ```bash -docker run --rm -v "$(pwd):/scan" ghcr.io/cemililik/leakwatch:latest scan fs /scan +docker run --rm -v "$(pwd):/scan" ghcr.io/hodetech/leakwatch:latest scan fs /scan ``` ### Scan a Remote Git Repository ```bash -docker run --rm ghcr.io/cemililik/leakwatch:latest scan git https://github.com/org/repo.git +docker run --rm ghcr.io/hodetech/leakwatch:latest scan git https://github.com/org/repo.git ``` ### Scan a Local Git Repository ```bash -docker run --rm -v "/path/to/repo:/scan" ghcr.io/cemililik/leakwatch:latest scan git /scan +docker run --rm -v "/path/to/repo:/scan" ghcr.io/hodetech/leakwatch:latest scan git /scan ``` ### Scan a Container Image ```bash -docker run --rm ghcr.io/cemililik/leakwatch:latest scan image nginx:latest +docker run --rm ghcr.io/hodetech/leakwatch:latest scan image nginx:latest ``` ### Scan an S3 Bucket @@ -46,7 +46,7 @@ docker run --rm \ -e AWS_ACCESS_KEY_ID \ -e AWS_SECRET_ACCESS_KEY \ -e AWS_REGION=us-east-1 \ - ghcr.io/cemililik/leakwatch:latest scan s3 my-bucket --prefix prefix/ + ghcr.io/hodetech/leakwatch:latest scan s3 my-bucket --prefix prefix/ ``` ### Scan a GCS Bucket @@ -54,7 +54,7 @@ docker run --rm \ ```bash docker run --rm \ -v "$HOME/.config/gcloud:/home/leakwatch/.config/gcloud:ro" \ - ghcr.io/cemililik/leakwatch:latest scan gcs my-bucket --prefix prefix/ + ghcr.io/hodetech/leakwatch:latest scan gcs my-bucket --prefix prefix/ ``` ### Scan Summary @@ -62,7 +62,7 @@ docker run --rm \ Every scan prints a summary to stderr showing source, duration, file count, and findings count. When writing output to a file with `--output`, the summary still appears in the terminal: ```bash -docker run --rm -v "$(pwd):/scan:ro" ghcr.io/cemililik/leakwatch:latest scan fs /scan +docker run --rm -v "$(pwd):/scan:ro" ghcr.io/hodetech/leakwatch:latest scan fs /scan ``` ``` @@ -108,7 +108,7 @@ For filesystem scans, mount the source directory as read-only for an additional ```bash docker run --rm \ -v "/path/to/project:/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan + ghcr.io/hodetech/leakwatch:latest scan fs /scan ``` ### Writing Output to Host @@ -119,7 +119,7 @@ To save scan results to a file on the host, mount an output directory: docker run --rm \ -v "$(pwd):/scan:ro" \ -v "/tmp/results:/output" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan \ + ghcr.io/hodetech/leakwatch:latest scan fs /scan \ --format sarif --output /output/results.sarif ``` @@ -133,15 +133,15 @@ When scanning remote Git repositories, no volume mount is needed. Leakwatch clon ```bash # Full history scan -docker run --rm ghcr.io/cemililik/leakwatch:latest \ +docker run --rm ghcr.io/hodetech/leakwatch:latest \ scan git https://github.com/org/repo.git # Shallow clone for faster scanning -docker run --rm ghcr.io/cemililik/leakwatch:latest \ +docker run --rm ghcr.io/hodetech/leakwatch:latest \ scan git https://github.com/org/repo.git --depth 50 # Specific branch -docker run --rm ghcr.io/cemililik/leakwatch:latest \ +docker run --rm ghcr.io/hodetech/leakwatch:latest \ scan git https://github.com/org/repo.git --branch main ``` @@ -153,13 +153,13 @@ For private repositories that require authentication, pass credentials via envir # it does NOT honor git-CLI variables such as GIT_ASKPASS / GIT_PASSWORD. # The display URL is credential-stripped in logs and output. docker run --rm \ - ghcr.io/cemililik/leakwatch:latest \ + ghcr.io/hodetech/leakwatch:latest \ scan git https://x-access-token:ghp_xxxxxxxxxxxx@github.com/org/private-repo.git # SSH key mount docker run --rm \ -v "$HOME/.ssh:/home/leakwatch/.ssh:ro" \ - ghcr.io/cemililik/leakwatch:latest \ + ghcr.io/hodetech/leakwatch:latest \ scan git git@github.com:org/private-repo.git ``` @@ -179,13 +179,13 @@ No special configuration needed. Leakwatch pulls and analyzes image layers direc ```bash # Docker Hub -docker run --rm ghcr.io/cemililik/leakwatch:latest scan image nginx:latest +docker run --rm ghcr.io/hodetech/leakwatch:latest scan image nginx:latest # GHCR -docker run --rm ghcr.io/cemililik/leakwatch:latest scan image ghcr.io/org/app:v1.2.3 +docker run --rm ghcr.io/hodetech/leakwatch:latest scan image ghcr.io/org/app:v1.2.3 # ECR -docker run --rm ghcr.io/cemililik/leakwatch:latest scan image \ +docker run --rm ghcr.io/hodetech/leakwatch:latest scan image \ 123456789.dkr.ecr.eu-west-1.amazonaws.com/my-app:latest ``` @@ -215,7 +215,7 @@ For private registries, mount your Docker config: ```bash docker run --rm \ -v "$HOME/.docker/config.json:/home/leakwatch/.docker/config.json:ro" \ - ghcr.io/cemililik/leakwatch:latest scan image registry.example.com/team/service:main + ghcr.io/hodetech/leakwatch:latest scan image registry.example.com/team/service:main ``` --- @@ -233,7 +233,7 @@ docker run --rm \ -e AWS_SESSION_TOKEN \ -e AWS_REGION=us-east-1 \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan + ghcr.io/hodetech/leakwatch:latest scan fs /scan ``` Alternatively, mount the AWS credentials file: @@ -242,7 +242,7 @@ Alternatively, mount the AWS credentials file: docker run --rm \ -v "$HOME/.aws:/home/leakwatch/.aws:ro" \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan + ghcr.io/hodetech/leakwatch:latest scan fs /scan ``` ### GCP Credentials @@ -253,13 +253,13 @@ For GCS scanning, mount the Application Default Credentials or set the service a # Application Default Credentials docker run --rm \ -v "$HOME/.config/gcloud:/home/leakwatch/.config/gcloud:ro" \ - ghcr.io/cemililik/leakwatch:latest scan gcs my-bucket + ghcr.io/hodetech/leakwatch:latest scan gcs my-bucket # Service account key docker run --rm \ -e GOOGLE_APPLICATION_CREDENTIALS=/creds/sa-key.json \ -v "/path/to/sa-key.json:/creds/sa-key.json:ro" \ - ghcr.io/cemililik/leakwatch:latest scan gcs my-bucket + ghcr.io/hodetech/leakwatch:latest scan gcs my-bucket ``` ### Verification Control @@ -268,14 +268,14 @@ docker run --rm \ # Disable verification (no outbound API calls) docker run --rm \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan --no-verify + ghcr.io/hodetech/leakwatch:latest scan fs /scan --no-verify # Only show verified active secrets docker run --rm \ -e AWS_ACCESS_KEY_ID \ -e AWS_SECRET_ACCESS_KEY \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan --only-verified + ghcr.io/hodetech/leakwatch:latest scan fs /scan --only-verified ``` --- @@ -287,7 +287,7 @@ docker run --rm \ ```yaml services: leakwatch: - image: ghcr.io/cemililik/leakwatch:latest + image: ghcr.io/hodetech/leakwatch:latest volumes: - ./:/scan:ro - ./reports:/output @@ -305,7 +305,7 @@ docker compose run --rm leakwatch ```yaml services: leakwatch: - image: ghcr.io/cemililik/leakwatch:latest + image: ghcr.io/hodetech/leakwatch:latest volumes: - ./:/scan:ro - ./reports:/output @@ -321,14 +321,14 @@ services: ```yaml services: scan-api: - image: ghcr.io/cemililik/leakwatch:latest + image: ghcr.io/hodetech/leakwatch:latest volumes: - ../api-service:/scan:ro - ./reports:/output command: scan fs /scan --format json --output /output/api-results.json scan-web: - image: ghcr.io/cemililik/leakwatch:latest + image: ghcr.io/hodetech/leakwatch:latest volumes: - ../web-app:/scan:ro - ./reports:/output @@ -363,7 +363,7 @@ jobs: run: | docker run --rm \ -v "${{ github.workspace }}:/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest \ + ghcr.io/hodetech/leakwatch:latest \ scan git /scan --since-commit HEAD~1 \ --only-verified --min-severity high \ --format sarif --output /dev/stdout > results.sarif @@ -380,7 +380,7 @@ jobs: ```yaml secret-scan: stage: test - image: ghcr.io/cemililik/leakwatch:latest + image: ghcr.io/hodetech/leakwatch:latest script: - leakwatch scan git . --since-commit HEAD~1 --min-severity high --format json --output results.json artifacts: @@ -401,7 +401,7 @@ pipeline { sh ''' docker run --rm \ -v "${WORKSPACE}:/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest \ + ghcr.io/hodetech/leakwatch:latest \ scan fs /scan --min-severity high --format table ''' } @@ -448,7 +448,7 @@ There is no standalone rules file. Custom rules are defined under the contains them to the home directory, which Leakwatch loads as the global config: ```dockerfile -FROM ghcr.io/cemililik/leakwatch:latest +FROM ghcr.io/hodetech/leakwatch:latest # .leakwatch.yaml here must include the custom rules under `custom-rules:` COPY .leakwatch.yaml /home/leakwatch/.leakwatch.yaml @@ -461,7 +461,7 @@ home directory (`~/.leakwatch.yaml`). Copy your config to the home directory so applies to every scan regardless of the mounted working directory: ```dockerfile -FROM ghcr.io/cemililik/leakwatch:latest +FROM ghcr.io/hodetech/leakwatch:latest COPY .leakwatch.yaml /home/leakwatch/.leakwatch.yaml ``` @@ -472,14 +472,14 @@ Alternatively, point at a config explicitly with `--config`: docker run --rm \ -v "$(pwd):/scan:ro" \ -v "$(pwd)/.leakwatch.yaml:/cfg/.leakwatch.yaml:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan --config /cfg/.leakwatch.yaml + ghcr.io/hodetech/leakwatch:latest scan fs /scan --config /cfg/.leakwatch.yaml ``` ### Building from Source ```bash # Clone the repository -git clone https://github.com/cemililik/Leakwatch.git +git clone https://github.com/HodeTech/Leakwatch.git cd Leakwatch # Build the Docker image @@ -536,7 +536,7 @@ When scanning remote Git repositories, Leakwatch clones them to a temporary dire ```bash docker run --rm \ --tmpfs /tmp:size=1g \ - ghcr.io/cemililik/leakwatch:latest \ + ghcr.io/hodetech/leakwatch:latest \ scan git https://github.com/org/repo.git ``` @@ -549,7 +549,7 @@ docker run --rm \ --memory=512m \ --cpus=2 \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan --concurrency 2 + ghcr.io/hodetech/leakwatch:latest scan fs /scan --concurrency 2 ``` ### Match Concurrency to Available CPUs @@ -560,7 +560,7 @@ The `--concurrency` flag should match the CPUs allocated to the container: docker run --rm \ --cpus=4 \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan --concurrency 4 + ghcr.io/hodetech/leakwatch:latest scan fs /scan --concurrency 4 ``` ### Skip Verification for Speed @@ -570,7 +570,7 @@ If you only need detection without verification (e.g., in a pre-commit hook), sk ```bash docker run --rm \ -v "$(pwd):/scan:ro" \ - ghcr.io/cemililik/leakwatch:latest scan fs /scan --no-verify + ghcr.io/hodetech/leakwatch:latest scan fs /scan --no-verify ``` --- diff --git a/docs/guides/getting-started.md b/docs/guides/getting-started.md index e9fbe76..d0cf698 100644 --- a/docs/guides/getting-started.md +++ b/docs/guides/getting-started.md @@ -61,7 +61,7 @@ You can use one of the following methods to install Leakwatch on your system. If Go 1.25 or higher is installed: ```bash -go install github.com/cemililik/leakwatch@latest +go install github.com/HodeTech/leakwatch@latest ``` The binary is installed to the `$GOPATH/bin` (or `$HOME/go/bin`) directory. Make sure this directory is defined in your `PATH` environment variable. @@ -69,7 +69,7 @@ The binary is installed to the `$GOPATH/bin` (or `$HOME/go/bin`) directory. Make ### 2.2 Homebrew (macOS / Linux) ```bash -brew install cemililik/tap/leakwatch +brew install HodeTech/tap/leakwatch ``` ### 2.3 Binary Download @@ -85,10 +85,10 @@ You can download the binary suitable for your platform from the GitHub Releases # leakwatch_v1.5.0_Windows_x86_64.zip # # Download the archive for your platform from the Releases page: -# https://github.com/cemililik/Leakwatch/releases/latest +# https://github.com/HodeTech/Leakwatch/releases/latest # # Example for Linux x86_64 (replace v1.5.0 with the current release version): -curl -sSfL https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_v1.5.0_Linux_x86_64.tar.gz | tar xz +curl -sSfL https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_v1.5.0_Linux_x86_64.tar.gz | tar xz # Move binary to PATH sudo mv leakwatch /usr/local/bin/ @@ -98,10 +98,10 @@ sudo mv leakwatch /usr/local/bin/ ```bash # Latest version -docker pull ghcr.io/cemililik/leakwatch:latest +docker pull ghcr.io/hodetech/leakwatch:latest # Scan current directory -docker run --rm -v "$(pwd):/scan" ghcr.io/cemililik/leakwatch:latest scan fs /scan +docker run --rm -v "$(pwd):/scan" ghcr.io/hodetech/leakwatch:latest scan fs /scan ``` ### 2.5 Installation Verification diff --git a/docs/guides/git-scanning.md b/docs/guides/git-scanning.md index 5743326..5575507 100644 --- a/docs/guides/git-scanning.md +++ b/docs/guides/git-scanning.md @@ -331,7 +331,7 @@ jobs: fetch-depth: 0 # Full history needed for --since-commit - name: Install Leakwatch - run: go install github.com/cemililik/leakwatch@latest + run: go install github.com/HodeTech/leakwatch@latest - name: Scan for secrets (PR) if: github.event_name == 'pull_request' @@ -365,7 +365,7 @@ secret-scan: stage: test image: golang:1.25-alpine before_script: - - go install github.com/cemililik/leakwatch@latest + - go install github.com/HodeTech/leakwatch@latest script: - | if [ -n "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]; then diff --git a/docs/guides/slack-scanning.md b/docs/guides/slack-scanning.md index 82d5043..9b01cfc 100644 --- a/docs/guides/slack-scanning.md +++ b/docs/guides/slack-scanning.md @@ -282,7 +282,7 @@ jobs: go-version: '1.25' - name: Install Leakwatch - run: go install github.com/cemililik/leakwatch@latest + run: go install github.com/HodeTech/leakwatch@latest - name: Scan Slack workspace env: diff --git a/docs/guides/vscode-extension.md b/docs/guides/vscode-extension.md index ded2b6d..493f74c 100644 --- a/docs/guides/vscode-extension.md +++ b/docs/guides/vscode-extension.md @@ -33,7 +33,7 @@ leakwatch version ### 2.2 Install from VSIX -Download the `.vsix` package from the [GitHub Releases](https://github.com/cemililik/Leakwatch/releases) page, then install it in VS Code: +Download the `.vsix` package from the [GitHub Releases](https://github.com/HodeTech/Leakwatch/releases) page, then install it in VS Code: ```bash code --install-extension leakwatch-0.1.0.vsix @@ -53,7 +53,7 @@ Once published, the extension will be available on the VS Code Marketplace: ```bash # Clone the repository -git clone https://github.com/cemililik/Leakwatch.git +git clone https://github.com/HodeTech/Leakwatch.git cd Leakwatch/vscode # Install dependencies diff --git a/docs/standards/02-RELEASE-STANDARDS.md b/docs/standards/02-RELEASE-STANDARDS.md index 96c912e..0710082 100644 --- a/docs/standards/02-RELEASE-STANDARDS.md +++ b/docs/standards/02-RELEASE-STANDARDS.md @@ -254,16 +254,16 @@ git push origin v0.2.0 ```bash # Go install -go install github.com/cemililik/leakwatch@latest +go install github.com/HodeTech/leakwatch@latest # Homebrew (macOS/Linux) -brew install cemililik/tap/leakwatch +brew install HodeTech/tap/leakwatch # Docker -docker run --rm -v $(pwd):/scan ghcr.io/cemililik/leakwatch:latest scan fs /scan +docker run --rm -v $(pwd):/scan ghcr.io/hodetech/leakwatch:latest scan fs /scan # Binary download -curl -sSfL https://github.com/cemililik/Leakwatch/releases/latest/download/leakwatch_$(uname -s)_$(uname -m).tar.gz | tar xz +curl -sSfL https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_$(uname -s)_$(uname -m).tar.gz | tar xz ``` --- diff --git a/go.mod b/go.mod index 4d11c92..0607fb7 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/cemililik/leakwatch +module github.com/HodeTech/leakwatch go 1.25.10 diff --git a/internal/config/config.go b/internal/config/config.go index fd77c01..96717c0 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -8,7 +8,7 @@ import ( "github.com/spf13/viper" - "github.com/cemililik/leakwatch/internal/detector/custom" + "github.com/HodeTech/leakwatch/internal/detector/custom" ) // Supported output formats. diff --git a/internal/detector/airtable/airtable_token.go b/internal/detector/airtable/airtable_token.go index d4669b0..b518cda 100644 --- a/internal/detector/airtable/airtable_token.go +++ b/internal/detector/airtable/airtable_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var airtableTokenPattern = regexp.MustCompile(`pat[A-Za-z0-9]{14}\.[a-f0-9]{64}`) diff --git a/internal/detector/airtable/airtable_token_test.go b/internal/detector/airtable/airtable_token_test.go index 4c6119b..7150145 100644 --- a/internal/detector/airtable/airtable_token_test.go +++ b/internal/detector/airtable/airtable_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/anthropic/anthropic_key.go b/internal/detector/anthropic/anthropic_key.go index 2917e23..80e8a5a 100644 --- a/internal/detector/anthropic/anthropic_key.go +++ b/internal/detector/anthropic/anthropic_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var anthropicKeyPattern = regexp.MustCompile(`sk-ant-[A-Za-z0-9_-]{85,}`) diff --git a/internal/detector/anthropic/anthropic_key_test.go b/internal/detector/anthropic/anthropic_key_test.go index 65af9c4..9608b12 100644 --- a/internal/detector/anthropic/anthropic_key_test.go +++ b/internal/detector/anthropic/anthropic_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/auth0/auth0_token.go b/internal/detector/auth0/auth0_token.go index a2cd252..310278d 100644 --- a/internal/detector/auth0/auth0_token.go +++ b/internal/detector/auth0/auth0_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var auth0TokenPattern = regexp.MustCompile(`(?:AUTH0_MANAGEMENT_TOKEN|AUTH0_API_TOKEN|auth0_token)\s*[=:]\s*['"]?([A-Za-z0-9_-]{30,})['"]?`) diff --git a/internal/detector/auth0/auth0_token_test.go b/internal/detector/auth0/auth0_token_test.go index d819217..312e453 100644 --- a/internal/detector/auth0/auth0_token_test.go +++ b/internal/detector/auth0/auth0_token_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/aws/aws_access_key.go b/internal/detector/aws/aws_access_key.go index 17544b3..57a3ae9 100644 --- a/internal/detector/aws/aws_access_key.go +++ b/internal/detector/aws/aws_access_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var accessKeyIDPattern = regexp.MustCompile(`(AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}`) diff --git a/internal/detector/aws/aws_access_key_test.go b/internal/detector/aws/aws_access_key_test.go index 99e08c0..6cdaf4c 100644 --- a/internal/detector/aws/aws_access_key_test.go +++ b/internal/detector/aws/aws_access_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/azure/azure_entra.go b/internal/detector/azure/azure_entra.go index c7d8c22..b4af578 100644 --- a/internal/detector/azure/azure_entra.go +++ b/internal/detector/azure/azure_entra.go @@ -4,8 +4,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var azureEntraPattern = regexp.MustCompile(`(?:AZURE_CLIENT_SECRET|azure_client_secret|client_secret)\s*[=:]\s*['"]?([A-Za-z0-9~._-]{34,40})['"]?`) diff --git a/internal/detector/azure/azure_entra_test.go b/internal/detector/azure/azure_entra_test.go index b32defd..1acd4af 100644 --- a/internal/detector/azure/azure_entra_test.go +++ b/internal/detector/azure/azure_entra_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/azure/azure_storage.go b/internal/detector/azure/azure_storage.go index 5583fa7..265feef 100644 --- a/internal/detector/azure/azure_storage.go +++ b/internal/detector/azure/azure_storage.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/azure/azure_storage_test.go b/internal/detector/azure/azure_storage_test.go index 9283755..f6b8cf8 100644 --- a/internal/detector/azure/azure_storage_test.go +++ b/internal/detector/azure/azure_storage_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/bitbucket/bitbucket_password.go b/internal/detector/bitbucket/bitbucket_password.go index 155a530..ddbbfb1 100644 --- a/internal/detector/bitbucket/bitbucket_password.go +++ b/internal/detector/bitbucket/bitbucket_password.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var bitbucketPasswordPattern = regexp.MustCompile(`(?:BITBUCKET_APP_PASSWORD|bitbucket_app_password|bitbucket)\s*[=:]\s*['"]?([A-Za-z0-9]{18,24})['"]?`) diff --git a/internal/detector/bitbucket/bitbucket_password_test.go b/internal/detector/bitbucket/bitbucket_password_test.go index 23f6398..439b397 100644 --- a/internal/detector/bitbucket/bitbucket_password_test.go +++ b/internal/detector/bitbucket/bitbucket_password_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/circleci/circleci_token.go b/internal/detector/circleci/circleci_token.go index 17aad6e..74d1793 100644 --- a/internal/detector/circleci/circleci_token.go +++ b/internal/detector/circleci/circleci_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var circleciTokenPattern = regexp.MustCompile(`CCIPAT_[A-Za-z0-9_]{50,}`) diff --git a/internal/detector/circleci/circleci_token_test.go b/internal/detector/circleci/circleci_token_test.go index 75e9c15..cd90f56 100644 --- a/internal/detector/circleci/circleci_token_test.go +++ b/internal/detector/circleci/circleci_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/cloudflare/cloudflare_token.go b/internal/detector/cloudflare/cloudflare_token.go index ccfa7da..19ad0c4 100644 --- a/internal/detector/cloudflare/cloudflare_token.go +++ b/internal/detector/cloudflare/cloudflare_token.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/cloudflare/cloudflare_token_test.go b/internal/detector/cloudflare/cloudflare_token_test.go index ad25aec..875fb27 100644 --- a/internal/detector/cloudflare/cloudflare_token_test.go +++ b/internal/detector/cloudflare/cloudflare_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/coinbase/coinbase_key.go b/internal/detector/coinbase/coinbase_key.go index cd7f016..aa838ee 100644 --- a/internal/detector/coinbase/coinbase_key.go +++ b/internal/detector/coinbase/coinbase_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var coinbaseKeyPattern = regexp.MustCompile(`(?:COINBASE_API_KEY|coinbase_api_key|coinbase_api_secret)\s*[=:]\s*['"]?([A-Za-z0-9+/=]{16,64})['"]?`) diff --git a/internal/detector/coinbase/coinbase_key_test.go b/internal/detector/coinbase/coinbase_key_test.go index a80112b..0a5f87f 100644 --- a/internal/detector/coinbase/coinbase_key_test.go +++ b/internal/detector/coinbase/coinbase_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/custom/custom_rule.go b/internal/detector/custom/custom_rule.go index 92302f5..ee8c6c0 100644 --- a/internal/detector/custom/custom_rule.go +++ b/internal/detector/custom/custom_rule.go @@ -7,9 +7,9 @@ import ( "fmt" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/entropy" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/entropy" + "github.com/HodeTech/leakwatch/pkg/finding" ) // maxRegexLength is the maximum allowed length of a custom rule regex pattern. diff --git a/internal/detector/custom/custom_rule_test.go b/internal/detector/custom/custom_rule_test.go index 9719066..313b21d 100644 --- a/internal/detector/custom/custom_rule_test.go +++ b/internal/detector/custom/custom_rule_test.go @@ -5,8 +5,8 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/databricks/databricks_token.go b/internal/detector/databricks/databricks_token.go index 33a6501..4fdcb73 100644 --- a/internal/detector/databricks/databricks_token.go +++ b/internal/detector/databricks/databricks_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var databricksTokenPattern = regexp.MustCompile(`dapi[a-f0-9]{32}(-[0-9])?`) diff --git a/internal/detector/databricks/databricks_token_test.go b/internal/detector/databricks/databricks_token_test.go index f033f8e..e5ea61c 100644 --- a/internal/detector/databricks/databricks_token_test.go +++ b/internal/detector/databricks/databricks_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/datadog/datadog_key.go b/internal/detector/datadog/datadog_key.go index e908cce..9dd460b 100644 --- a/internal/detector/datadog/datadog_key.go +++ b/internal/detector/datadog/datadog_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var datadogKeyPattern = regexp.MustCompile(`(?:DD_API_KEY|DATADOG_API_KEY|datadog_api_key)\s*[=:]\s*['"]?([a-fA-F0-9]{32})['"]?`) diff --git a/internal/detector/datadog/datadog_key_test.go b/internal/detector/datadog/datadog_key_test.go index f5008f6..a493002 100644 --- a/internal/detector/datadog/datadog_key_test.go +++ b/internal/detector/datadog/datadog_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/dbconn/connection_string.go b/internal/detector/dbconn/connection_string.go index dc6cfa0..cd5539e 100644 --- a/internal/detector/dbconn/connection_string.go +++ b/internal/detector/dbconn/connection_string.go @@ -7,8 +7,8 @@ import ( "regexp" "strings" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var connStringPattern = regexp.MustCompile(`(postgres|mysql|mongodb(\+srv)?|redis)://[^\s'"]+@[^\s'"]+`) diff --git a/internal/detector/dbconn/connection_string_test.go b/internal/detector/dbconn/connection_string_test.go index a2ef77b..be8e252 100644 --- a/internal/detector/dbconn/connection_string_test.go +++ b/internal/detector/dbconn/connection_string_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/deepseek/deepseek_key.go b/internal/detector/deepseek/deepseek_key.go index 953d9ff..b99cefd 100644 --- a/internal/detector/deepseek/deepseek_key.go +++ b/internal/detector/deepseek/deepseek_key.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var deepSeekKeyPattern = regexp.MustCompile(`sk-[a-f0-9]{32,}`) diff --git a/internal/detector/deepseek/deepseek_key_test.go b/internal/detector/deepseek/deepseek_key_test.go index a6fb670..cff1a8f 100644 --- a/internal/detector/deepseek/deepseek_key_test.go +++ b/internal/detector/deepseek/deepseek_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/detector.go b/internal/detector/detector.go index 697eed7..5431132 100644 --- a/internal/detector/detector.go +++ b/internal/detector/detector.go @@ -4,7 +4,7 @@ package detector import ( "context" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Detector represents a component that detects a specific secret type. diff --git a/internal/detector/digitalocean/digitalocean_token.go b/internal/detector/digitalocean/digitalocean_token.go index 2433706..b296254 100644 --- a/internal/detector/digitalocean/digitalocean_token.go +++ b/internal/detector/digitalocean/digitalocean_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var digitaloceanTokenPattern = regexp.MustCompile(`dop_v1_[a-f0-9]{64}`) diff --git a/internal/detector/digitalocean/digitalocean_token_test.go b/internal/detector/digitalocean/digitalocean_token_test.go index ad19c25..27f23a1 100644 --- a/internal/detector/digitalocean/digitalocean_token_test.go +++ b/internal/detector/digitalocean/digitalocean_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/discord/discord_token.go b/internal/detector/discord/discord_token.go index 8902aa6..07d809b 100644 --- a/internal/detector/discord/discord_token.go +++ b/internal/detector/discord/discord_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var discordTokenPattern = regexp.MustCompile(`[MNO][A-Za-z0-9_-]{23}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}`) diff --git a/internal/detector/discord/discord_token_test.go b/internal/detector/discord/discord_token_test.go index 2427274..3aa40b2 100644 --- a/internal/detector/discord/discord_token_test.go +++ b/internal/detector/discord/discord_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/dockerhub/dockerhub_token.go b/internal/detector/dockerhub/dockerhub_token.go index 3867ea6..e23cf53 100644 --- a/internal/detector/dockerhub/dockerhub_token.go +++ b/internal/detector/dockerhub/dockerhub_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var dockerhubPATPattern = regexp.MustCompile(`dckr_pat_[A-Za-z0-9_-]{27,}`) diff --git a/internal/detector/dockerhub/dockerhub_token_test.go b/internal/detector/dockerhub/dockerhub_token_test.go index 70fd34d..b971160 100644 --- a/internal/detector/dockerhub/dockerhub_token_test.go +++ b/internal/detector/dockerhub/dockerhub_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/doppler/doppler_token.go b/internal/detector/doppler/doppler_token.go index 15f023e..4a5ccad 100644 --- a/internal/detector/doppler/doppler_token.go +++ b/internal/detector/doppler/doppler_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var dopplerTokenPattern = regexp.MustCompile(`dp\.st\.[a-zA-Z0-9_-]{40,}`) diff --git a/internal/detector/doppler/doppler_token_test.go b/internal/detector/doppler/doppler_token_test.go index 77b6e1a..6e64e27 100644 --- a/internal/detector/doppler/doppler_token_test.go +++ b/internal/detector/doppler/doppler_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/figma/figma_token.go b/internal/detector/figma/figma_token.go index a6f84c2..1a69a12 100644 --- a/internal/detector/figma/figma_token.go +++ b/internal/detector/figma/figma_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var figmaTokenPattern = regexp.MustCompile(`figd_[A-Za-z0-9_-]{40,}`) diff --git a/internal/detector/figma/figma_token_test.go b/internal/detector/figma/figma_token_test.go index fabba71..73d786e 100644 --- a/internal/detector/figma/figma_token_test.go +++ b/internal/detector/figma/figma_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/ftp/ftp_cred.go b/internal/detector/ftp/ftp_cred.go index f0195b0..c300f9f 100644 --- a/internal/detector/ftp/ftp_cred.go +++ b/internal/detector/ftp/ftp_cred.go @@ -6,8 +6,8 @@ import ( "net/url" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ftpCredPattern = regexp.MustCompile(`(?:s?ftps?)://[^\s'"]+:[^\s'"]+@[^\s'"]+`) diff --git a/internal/detector/ftp/ftp_cred_test.go b/internal/detector/ftp/ftp_cred_test.go index 1ea429c..ce3c1f0 100644 --- a/internal/detector/ftp/ftp_cred_test.go +++ b/internal/detector/ftp/ftp_cred_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/gcp/gcp_service_account.go b/internal/detector/gcp/gcp_service_account.go index 0cfe4cc..1a73aee 100644 --- a/internal/detector/gcp/gcp_service_account.go +++ b/internal/detector/gcp/gcp_service_account.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/gcp/gcp_service_account_test.go b/internal/detector/gcp/gcp_service_account_test.go index b738de0..c68f344 100644 --- a/internal/detector/gcp/gcp_service_account_test.go +++ b/internal/detector/gcp/gcp_service_account_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/generic/generic_api_key.go b/internal/detector/generic/generic_api_key.go index fbd1196..785443e 100644 --- a/internal/detector/generic/generic_api_key.go +++ b/internal/detector/generic/generic_api_key.go @@ -6,9 +6,9 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/entropy" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/entropy" + "github.com/HodeTech/leakwatch/pkg/finding" ) var apiKeyPattern = regexp.MustCompile(`(?i)(api[_\-]?key|api[_\-]?secret|secret[_\-]?key|x[_\-]?apisix[_\-]?key|apisix[_\-]?key|apisix[_\-]?admin[_\-]?key)[ \t]*[:=][ \t]*['"]?([a-zA-Z0-9/\-_]{16,64})['"]?`) diff --git a/internal/detector/generic/generic_api_key_test.go b/internal/detector/generic/generic_api_key_test.go index 1c82c2e..5642f90 100644 --- a/internal/detector/generic/generic_api_key_test.go +++ b/internal/detector/generic/generic_api_key_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/github/github_oauth.go b/internal/detector/github/github_oauth.go index a236dd8..d90fbb0 100644 --- a/internal/detector/github/github_oauth.go +++ b/internal/detector/github/github_oauth.go @@ -4,8 +4,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var oauthTokenPattern = regexp.MustCompile(`gh[orus]_[A-Za-z0-9_]{36,}`) diff --git a/internal/detector/github/github_oauth_test.go b/internal/detector/github/github_oauth_test.go index 2920c43..d768d79 100644 --- a/internal/detector/github/github_oauth_test.go +++ b/internal/detector/github/github_oauth_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/github/github_token.go b/internal/detector/github/github_token.go index a5494e2..f93fda5 100644 --- a/internal/detector/github/github_token.go +++ b/internal/detector/github/github_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) // tokenPattern matches GitHub Personal Access Tokens only. The OAuth-related diff --git a/internal/detector/github/github_token_test.go b/internal/detector/github/github_token_test.go index f8dfc8f..408b32d 100644 --- a/internal/detector/github/github_token_test.go +++ b/internal/detector/github/github_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/gitlab/gitlab_token.go b/internal/detector/gitlab/gitlab_token.go index c97c760..9ba8b03 100644 --- a/internal/detector/gitlab/gitlab_token.go +++ b/internal/detector/gitlab/gitlab_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var gitlabPATPattern = regexp.MustCompile(`glpat-[A-Za-z0-9_\-]{20}`) diff --git a/internal/detector/gitlab/gitlab_token_test.go b/internal/detector/gitlab/gitlab_token_test.go index fbb8617..d080c54 100644 --- a/internal/detector/gitlab/gitlab_token_test.go +++ b/internal/detector/gitlab/gitlab_token_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/grafana/grafana_key.go b/internal/detector/grafana/grafana_key.go index e042a4f..3d5548c 100644 --- a/internal/detector/grafana/grafana_key.go +++ b/internal/detector/grafana/grafana_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var grafanaKeyPattern = regexp.MustCompile(`glsa_[A-Za-z0-9_]{32,}_[a-f0-9]{8}`) diff --git a/internal/detector/grafana/grafana_key_test.go b/internal/detector/grafana/grafana_key_test.go index ab5e3d6..8b8c7de 100644 --- a/internal/detector/grafana/grafana_key_test.go +++ b/internal/detector/grafana/grafana_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/heroku/heroku_key.go b/internal/detector/heroku/heroku_key.go index 609aa47..d5ec1e4 100644 --- a/internal/detector/heroku/heroku_key.go +++ b/internal/detector/heroku/heroku_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var herokuKeyPattern = regexp.MustCompile( diff --git a/internal/detector/heroku/heroku_key_test.go b/internal/detector/heroku/heroku_key_test.go index 1403fda..98d7b19 100644 --- a/internal/detector/heroku/heroku_key_test.go +++ b/internal/detector/heroku/heroku_key_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/huggingface/huggingface_token.go b/internal/detector/huggingface/huggingface_token.go index 47fdc95..addd809 100644 --- a/internal/detector/huggingface/huggingface_token.go +++ b/internal/detector/huggingface/huggingface_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var huggingFaceTokenPattern = regexp.MustCompile(`hf_[A-Za-z0-9]{34,}`) diff --git a/internal/detector/huggingface/huggingface_token_test.go b/internal/detector/huggingface/huggingface_token_test.go index 3f89503..da447cc 100644 --- a/internal/detector/huggingface/huggingface_token_test.go +++ b/internal/detector/huggingface/huggingface_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/infura/infura_key.go b/internal/detector/infura/infura_key.go index eff12c7..77d4d74 100644 --- a/internal/detector/infura/infura_key.go +++ b/internal/detector/infura/infura_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var infuraKeyPattern = regexp.MustCompile(`(?:INFURA_API_KEY|infura_api_key|infura)\s*[=:]\s*['"]?([a-f0-9]{32})['"]?`) diff --git a/internal/detector/infura/infura_key_test.go b/internal/detector/infura/infura_key_test.go index 052c46e..c1a6368 100644 --- a/internal/detector/infura/infura_key_test.go +++ b/internal/detector/infura/infura_key_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/jwt/jwt.go b/internal/detector/jwt/jwt.go index 1b25eda..48d2376 100644 --- a/internal/detector/jwt/jwt.go +++ b/internal/detector/jwt/jwt.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}`) diff --git a/internal/detector/jwt/jwt_test.go b/internal/detector/jwt/jwt_test.go index 752ac5a..bf820cb 100644 --- a/internal/detector/jwt/jwt_test.go +++ b/internal/detector/jwt/jwt_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/launchdarkly/launchdarkly_key.go b/internal/detector/launchdarkly/launchdarkly_key.go index 6e287b9..89a1108 100644 --- a/internal/detector/launchdarkly/launchdarkly_key.go +++ b/internal/detector/launchdarkly/launchdarkly_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var launchdarklyKeyPattern = regexp.MustCompile(`sdk-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}`) diff --git a/internal/detector/launchdarkly/launchdarkly_key_test.go b/internal/detector/launchdarkly/launchdarkly_key_test.go index d56c5ee..c843cbf 100644 --- a/internal/detector/launchdarkly/launchdarkly_key_test.go +++ b/internal/detector/launchdarkly/launchdarkly_key_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/ldap/ldap_cred.go b/internal/detector/ldap/ldap_cred.go index bcd14d0..e7c3982 100644 --- a/internal/detector/ldap/ldap_cred.go +++ b/internal/detector/ldap/ldap_cred.go @@ -6,8 +6,8 @@ import ( "net/url" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ldapCredPattern = regexp.MustCompile(`ldaps?://[^\s'"]+:[^\s'"]+@[^\s'"]+`) diff --git a/internal/detector/ldap/ldap_cred_test.go b/internal/detector/ldap/ldap_cred_test.go index b861ff7..86f97c7 100644 --- a/internal/detector/ldap/ldap_cred_test.go +++ b/internal/detector/ldap/ldap_cred_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/linear/linear_key.go b/internal/detector/linear/linear_key.go index 12d96dd..71298e2 100644 --- a/internal/detector/linear/linear_key.go +++ b/internal/detector/linear/linear_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var linearKeyPattern = regexp.MustCompile(`lin_api_[A-Za-z0-9]{40,}`) diff --git a/internal/detector/linear/linear_key_test.go b/internal/detector/linear/linear_key_test.go index b2cdb53..38f3aa5 100644 --- a/internal/detector/linear/linear_key_test.go +++ b/internal/detector/linear/linear_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/mailgun/mailgun_key.go b/internal/detector/mailgun/mailgun_key.go index bd81936..9a1099d 100644 --- a/internal/detector/mailgun/mailgun_key.go +++ b/internal/detector/mailgun/mailgun_key.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var mailgunKeyPattern = regexp.MustCompile(`key-[a-f0-9]{32}`) diff --git a/internal/detector/mailgun/mailgun_key_test.go b/internal/detector/mailgun/mailgun_key_test.go index efe30ea..4299c2a 100644 --- a/internal/detector/mailgun/mailgun_key_test.go +++ b/internal/detector/mailgun/mailgun_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/newrelic/newrelic_key.go b/internal/detector/newrelic/newrelic_key.go index a29e7e4..a2bf931 100644 --- a/internal/detector/newrelic/newrelic_key.go +++ b/internal/detector/newrelic/newrelic_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var newRelicKeyPattern = regexp.MustCompile(`NRAK-[A-Z0-9]{27}`) diff --git a/internal/detector/newrelic/newrelic_key_test.go b/internal/detector/newrelic/newrelic_key_test.go index f9a3ab2..1c5e980 100644 --- a/internal/detector/newrelic/newrelic_key_test.go +++ b/internal/detector/newrelic/newrelic_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/notion/notion_token.go b/internal/detector/notion/notion_token.go index b6edf78..3441e1c 100644 --- a/internal/detector/notion/notion_token.go +++ b/internal/detector/notion/notion_token.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/notion/notion_token_test.go b/internal/detector/notion/notion_token_test.go index 71ccd65..96f09c6 100644 --- a/internal/detector/notion/notion_token_test.go +++ b/internal/detector/notion/notion_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/npm/npm_token.go b/internal/detector/npm/npm_token.go index c7ecb0d..4f6771f 100644 --- a/internal/detector/npm/npm_token.go +++ b/internal/detector/npm/npm_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var npmTokenPattern = regexp.MustCompile(`npm_[A-Za-z0-9]{36}`) diff --git a/internal/detector/npm/npm_token_test.go b/internal/detector/npm/npm_token_test.go index d269b3f..7f6e6a4 100644 --- a/internal/detector/npm/npm_token_test.go +++ b/internal/detector/npm/npm_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/okta/okta_token.go b/internal/detector/okta/okta_token.go index ee9d46b..117b4c8 100644 --- a/internal/detector/okta/okta_token.go +++ b/internal/detector/okta/okta_token.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/okta/okta_token_test.go b/internal/detector/okta/okta_token_test.go index 7725f4d..0c0c58e 100644 --- a/internal/detector/okta/okta_token_test.go +++ b/internal/detector/okta/okta_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/openai/openai_key.go b/internal/detector/openai/openai_key.go index 93ae853..ea9d341 100644 --- a/internal/detector/openai/openai_key.go +++ b/internal/detector/openai/openai_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var openAIKeyPattern = regexp.MustCompile(`sk-proj-[A-Za-z0-9_-]{50,}`) diff --git a/internal/detector/openai/openai_key_test.go b/internal/detector/openai/openai_key_test.go index 7cfc70f..2ab58ec 100644 --- a/internal/detector/openai/openai_key_test.go +++ b/internal/detector/openai/openai_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/pagerduty/pagerduty_key.go b/internal/detector/pagerduty/pagerduty_key.go index 727c9f5..f98e888 100644 --- a/internal/detector/pagerduty/pagerduty_key.go +++ b/internal/detector/pagerduty/pagerduty_key.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Context-aware pattern: requires a PagerDuty-related keyword near the key value. diff --git a/internal/detector/pagerduty/pagerduty_key_test.go b/internal/detector/pagerduty/pagerduty_key_test.go index 05a1ba2..0b6f28a 100644 --- a/internal/detector/pagerduty/pagerduty_key_test.go +++ b/internal/detector/pagerduty/pagerduty_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/postmark/postmark_token.go b/internal/detector/postmark/postmark_token.go index 73eeba9..f0d03bb 100644 --- a/internal/detector/postmark/postmark_token.go +++ b/internal/detector/postmark/postmark_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var postmarkTokenPattern = regexp.MustCompile(`(?:POSTMARK_SERVER_TOKEN|postmark_server_token|X-Postmark-Server-Token)\s*[=:]\s*['"]?([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['"]?`) diff --git a/internal/detector/postmark/postmark_token_test.go b/internal/detector/postmark/postmark_token_test.go index 84e6f88..90d0604 100644 --- a/internal/detector/postmark/postmark_token_test.go +++ b/internal/detector/postmark/postmark_token_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/privatekey/private_key.go b/internal/detector/privatekey/private_key.go index f8a8292..46d263f 100644 --- a/internal/detector/privatekey/private_key.go +++ b/internal/detector/privatekey/private_key.go @@ -6,8 +6,8 @@ import ( "regexp" "strconv" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/privatekey/private_key_test.go b/internal/detector/privatekey/private_key_test.go index 24dc0c7..1978a36 100644 --- a/internal/detector/privatekey/private_key_test.go +++ b/internal/detector/privatekey/private_key_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" ) diff --git a/internal/detector/pypi/pypi_token.go b/internal/detector/pypi/pypi_token.go index 62a1407..babfda1 100644 --- a/internal/detector/pypi/pypi_token.go +++ b/internal/detector/pypi/pypi_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var pypiTokenPattern = regexp.MustCompile(`pypi-[A-Za-z0-9_-]{16,}`) diff --git a/internal/detector/pypi/pypi_token_test.go b/internal/detector/pypi/pypi_token_test.go index 0e49485..c43fae7 100644 --- a/internal/detector/pypi/pypi_token_test.go +++ b/internal/detector/pypi/pypi_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/rabbitmq/rabbitmq_conn.go b/internal/detector/rabbitmq/rabbitmq_conn.go index 3d70624..a6c4a7e 100644 --- a/internal/detector/rabbitmq/rabbitmq_conn.go +++ b/internal/detector/rabbitmq/rabbitmq_conn.go @@ -6,8 +6,8 @@ import ( "net/url" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var rabbitmqConnPattern = regexp.MustCompile(`amqps?://[^\s'"]+:[^\s'"]+@[^\s'"]+`) diff --git a/internal/detector/rabbitmq/rabbitmq_conn_test.go b/internal/detector/rabbitmq/rabbitmq_conn_test.go index b1bac4c..4c0b43e 100644 --- a/internal/detector/rabbitmq/rabbitmq_conn_test.go +++ b/internal/detector/rabbitmq/rabbitmq_conn_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/redis/redis_conn.go b/internal/detector/redis/redis_conn.go index 870fbae..d654fba 100644 --- a/internal/detector/redis/redis_conn.go +++ b/internal/detector/redis/redis_conn.go @@ -6,8 +6,8 @@ import ( "net/url" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var redisConnPattern = regexp.MustCompile(`rediss?://[^\s'"]+:[^\s'"]+@[^\s'"]+`) diff --git a/internal/detector/redis/redis_conn_test.go b/internal/detector/redis/redis_conn_test.go index e4e65e7..abcd41f 100644 --- a/internal/detector/redis/redis_conn_test.go +++ b/internal/detector/redis/redis_conn_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/registry_count_test.go b/internal/detector/registry_count_test.go index 75c76c6..2d7a839 100644 --- a/internal/detector/registry_count_test.go +++ b/internal/detector/registry_count_test.go @@ -20,72 +20,72 @@ package detector_test import ( "testing" - "github.com/cemililik/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/detector" "github.com/stretchr/testify/assert" // Each blank import runs the package's init(), registering its detector(s) // so the golden count below sees the full compile-time set. The per-line // comments mirror cmd/imports.go and satisfy the no-blank-import-without- // comment lint rule. - _ "github.com/cemililik/leakwatch/internal/detector/airtable" // register airtable detector - _ "github.com/cemililik/leakwatch/internal/detector/anthropic" // register anthropic detector - _ "github.com/cemililik/leakwatch/internal/detector/auth0" // register auth0 detector - _ "github.com/cemililik/leakwatch/internal/detector/aws" // register aws detector - _ "github.com/cemililik/leakwatch/internal/detector/azure" // register azure detectors (storage + entra) - _ "github.com/cemililik/leakwatch/internal/detector/bitbucket" // register bitbucket detector - _ "github.com/cemililik/leakwatch/internal/detector/circleci" // register circleci detector - _ "github.com/cemililik/leakwatch/internal/detector/cloudflare" // register cloudflare detector - _ "github.com/cemililik/leakwatch/internal/detector/coinbase" // register coinbase detector - _ "github.com/cemililik/leakwatch/internal/detector/databricks" // register databricks detector - _ "github.com/cemililik/leakwatch/internal/detector/datadog" // register datadog detector - _ "github.com/cemililik/leakwatch/internal/detector/dbconn" // register database connection-string detector - _ "github.com/cemililik/leakwatch/internal/detector/deepseek" // register deepseek detector - _ "github.com/cemililik/leakwatch/internal/detector/digitalocean" // register digitalocean detector - _ "github.com/cemililik/leakwatch/internal/detector/discord" // register discord detector - _ "github.com/cemililik/leakwatch/internal/detector/dockerhub" // register dockerhub detector - _ "github.com/cemililik/leakwatch/internal/detector/doppler" // register doppler detector - _ "github.com/cemililik/leakwatch/internal/detector/figma" // register figma detector - _ "github.com/cemililik/leakwatch/internal/detector/ftp" // register ftp credentials detector - _ "github.com/cemililik/leakwatch/internal/detector/gcp" // register gcp service-account detector - _ "github.com/cemililik/leakwatch/internal/detector/generic" // register generic api-key detector - _ "github.com/cemililik/leakwatch/internal/detector/github" // register github detectors (pat + oauth) - _ "github.com/cemililik/leakwatch/internal/detector/gitlab" // register gitlab detector - _ "github.com/cemililik/leakwatch/internal/detector/grafana" // register grafana detector - _ "github.com/cemililik/leakwatch/internal/detector/heroku" // register heroku detector - _ "github.com/cemililik/leakwatch/internal/detector/huggingface" // register huggingface detector - _ "github.com/cemililik/leakwatch/internal/detector/infura" // register infura detector - _ "github.com/cemililik/leakwatch/internal/detector/jwt" // register jwt detector - _ "github.com/cemililik/leakwatch/internal/detector/launchdarkly" // register launchdarkly detector - _ "github.com/cemililik/leakwatch/internal/detector/ldap" // register ldap credentials detector - _ "github.com/cemililik/leakwatch/internal/detector/linear" // register linear detector - _ "github.com/cemililik/leakwatch/internal/detector/mailgun" // register mailgun detector - _ "github.com/cemililik/leakwatch/internal/detector/newrelic" // register newrelic detector - _ "github.com/cemililik/leakwatch/internal/detector/notion" // register notion detector - _ "github.com/cemililik/leakwatch/internal/detector/npm" // register npm detector - _ "github.com/cemililik/leakwatch/internal/detector/okta" // register okta detector - _ "github.com/cemililik/leakwatch/internal/detector/openai" // register openai detector - _ "github.com/cemililik/leakwatch/internal/detector/pagerduty" // register pagerduty detector - _ "github.com/cemililik/leakwatch/internal/detector/postmark" // register postmark detector - _ "github.com/cemililik/leakwatch/internal/detector/privatekey" // register private-key detector (RSA, SSH, DSA, EC, PGP) - _ "github.com/cemililik/leakwatch/internal/detector/pypi" // register pypi detector - _ "github.com/cemililik/leakwatch/internal/detector/rabbitmq" // register rabbitmq detector - _ "github.com/cemililik/leakwatch/internal/detector/redis" // register redis detector - _ "github.com/cemililik/leakwatch/internal/detector/rubygems" // register rubygems detector - _ "github.com/cemililik/leakwatch/internal/detector/sendgrid" // register sendgrid detector - _ "github.com/cemililik/leakwatch/internal/detector/sentry" // register sentry detector - _ "github.com/cemililik/leakwatch/internal/detector/shopify" // register shopify detector - _ "github.com/cemililik/leakwatch/internal/detector/slack" // register slack detectors (token + webhook) - _ "github.com/cemililik/leakwatch/internal/detector/snowflake" // register snowflake detector - _ "github.com/cemililik/leakwatch/internal/detector/snyk" // register snyk detector - _ "github.com/cemililik/leakwatch/internal/detector/sonarcloud" // register sonarcloud detector - _ "github.com/cemililik/leakwatch/internal/detector/stripe" // register stripe detectors (live + test) - _ "github.com/cemililik/leakwatch/internal/detector/supabase" // register supabase detector - _ "github.com/cemililik/leakwatch/internal/detector/teams" // register microsoft teams webhook detector - _ "github.com/cemililik/leakwatch/internal/detector/telegram" // register telegram detector - _ "github.com/cemililik/leakwatch/internal/detector/terraform" // register terraform cloud detector - _ "github.com/cemililik/leakwatch/internal/detector/twilio" // register twilio detector - _ "github.com/cemililik/leakwatch/internal/detector/vault" // register hashicorp vault detector - _ "github.com/cemililik/leakwatch/internal/detector/vercel" // register vercel detector + _ "github.com/HodeTech/leakwatch/internal/detector/airtable" // register airtable detector + _ "github.com/HodeTech/leakwatch/internal/detector/anthropic" // register anthropic detector + _ "github.com/HodeTech/leakwatch/internal/detector/auth0" // register auth0 detector + _ "github.com/HodeTech/leakwatch/internal/detector/aws" // register aws detector + _ "github.com/HodeTech/leakwatch/internal/detector/azure" // register azure detectors (storage + entra) + _ "github.com/HodeTech/leakwatch/internal/detector/bitbucket" // register bitbucket detector + _ "github.com/HodeTech/leakwatch/internal/detector/circleci" // register circleci detector + _ "github.com/HodeTech/leakwatch/internal/detector/cloudflare" // register cloudflare detector + _ "github.com/HodeTech/leakwatch/internal/detector/coinbase" // register coinbase detector + _ "github.com/HodeTech/leakwatch/internal/detector/databricks" // register databricks detector + _ "github.com/HodeTech/leakwatch/internal/detector/datadog" // register datadog detector + _ "github.com/HodeTech/leakwatch/internal/detector/dbconn" // register database connection-string detector + _ "github.com/HodeTech/leakwatch/internal/detector/deepseek" // register deepseek detector + _ "github.com/HodeTech/leakwatch/internal/detector/digitalocean" // register digitalocean detector + _ "github.com/HodeTech/leakwatch/internal/detector/discord" // register discord detector + _ "github.com/HodeTech/leakwatch/internal/detector/dockerhub" // register dockerhub detector + _ "github.com/HodeTech/leakwatch/internal/detector/doppler" // register doppler detector + _ "github.com/HodeTech/leakwatch/internal/detector/figma" // register figma detector + _ "github.com/HodeTech/leakwatch/internal/detector/ftp" // register ftp credentials detector + _ "github.com/HodeTech/leakwatch/internal/detector/gcp" // register gcp service-account detector + _ "github.com/HodeTech/leakwatch/internal/detector/generic" // register generic api-key detector + _ "github.com/HodeTech/leakwatch/internal/detector/github" // register github detectors (pat + oauth) + _ "github.com/HodeTech/leakwatch/internal/detector/gitlab" // register gitlab detector + _ "github.com/HodeTech/leakwatch/internal/detector/grafana" // register grafana detector + _ "github.com/HodeTech/leakwatch/internal/detector/heroku" // register heroku detector + _ "github.com/HodeTech/leakwatch/internal/detector/huggingface" // register huggingface detector + _ "github.com/HodeTech/leakwatch/internal/detector/infura" // register infura detector + _ "github.com/HodeTech/leakwatch/internal/detector/jwt" // register jwt detector + _ "github.com/HodeTech/leakwatch/internal/detector/launchdarkly" // register launchdarkly detector + _ "github.com/HodeTech/leakwatch/internal/detector/ldap" // register ldap credentials detector + _ "github.com/HodeTech/leakwatch/internal/detector/linear" // register linear detector + _ "github.com/HodeTech/leakwatch/internal/detector/mailgun" // register mailgun detector + _ "github.com/HodeTech/leakwatch/internal/detector/newrelic" // register newrelic detector + _ "github.com/HodeTech/leakwatch/internal/detector/notion" // register notion detector + _ "github.com/HodeTech/leakwatch/internal/detector/npm" // register npm detector + _ "github.com/HodeTech/leakwatch/internal/detector/okta" // register okta detector + _ "github.com/HodeTech/leakwatch/internal/detector/openai" // register openai detector + _ "github.com/HodeTech/leakwatch/internal/detector/pagerduty" // register pagerduty detector + _ "github.com/HodeTech/leakwatch/internal/detector/postmark" // register postmark detector + _ "github.com/HodeTech/leakwatch/internal/detector/privatekey" // register private-key detector (RSA, SSH, DSA, EC, PGP) + _ "github.com/HodeTech/leakwatch/internal/detector/pypi" // register pypi detector + _ "github.com/HodeTech/leakwatch/internal/detector/rabbitmq" // register rabbitmq detector + _ "github.com/HodeTech/leakwatch/internal/detector/redis" // register redis detector + _ "github.com/HodeTech/leakwatch/internal/detector/rubygems" // register rubygems detector + _ "github.com/HodeTech/leakwatch/internal/detector/sendgrid" // register sendgrid detector + _ "github.com/HodeTech/leakwatch/internal/detector/sentry" // register sentry detector + _ "github.com/HodeTech/leakwatch/internal/detector/shopify" // register shopify detector + _ "github.com/HodeTech/leakwatch/internal/detector/slack" // register slack detectors (token + webhook) + _ "github.com/HodeTech/leakwatch/internal/detector/snowflake" // register snowflake detector + _ "github.com/HodeTech/leakwatch/internal/detector/snyk" // register snyk detector + _ "github.com/HodeTech/leakwatch/internal/detector/sonarcloud" // register sonarcloud detector + _ "github.com/HodeTech/leakwatch/internal/detector/stripe" // register stripe detectors (live + test) + _ "github.com/HodeTech/leakwatch/internal/detector/supabase" // register supabase detector + _ "github.com/HodeTech/leakwatch/internal/detector/teams" // register microsoft teams webhook detector + _ "github.com/HodeTech/leakwatch/internal/detector/telegram" // register telegram detector + _ "github.com/HodeTech/leakwatch/internal/detector/terraform" // register terraform cloud detector + _ "github.com/HodeTech/leakwatch/internal/detector/twilio" // register twilio detector + _ "github.com/HodeTech/leakwatch/internal/detector/vault" // register hashicorp vault detector + _ "github.com/HodeTech/leakwatch/internal/detector/vercel" // register vercel detector ) // wantDetectorCount is the expected number of compile-time registered detectors. diff --git a/internal/detector/registry_test.go b/internal/detector/registry_test.go index 61f165d..661dbe0 100644 --- a/internal/detector/registry_test.go +++ b/internal/detector/registry_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/rubygems/rubygems_key.go b/internal/detector/rubygems/rubygems_key.go index 996a7c6..eabc816 100644 --- a/internal/detector/rubygems/rubygems_key.go +++ b/internal/detector/rubygems/rubygems_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var rubygemsKeyPattern = regexp.MustCompile(`rubygems_[a-f0-9]{48}`) diff --git a/internal/detector/rubygems/rubygems_key_test.go b/internal/detector/rubygems/rubygems_key_test.go index f85dfcd..fb7f1cc 100644 --- a/internal/detector/rubygems/rubygems_key_test.go +++ b/internal/detector/rubygems/rubygems_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/sendgrid/sendgrid_key.go b/internal/detector/sendgrid/sendgrid_key.go index 24a111a..e27475e 100644 --- a/internal/detector/sendgrid/sendgrid_key.go +++ b/internal/detector/sendgrid/sendgrid_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var sendGridKeyPattern = regexp.MustCompile(`SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}`) diff --git a/internal/detector/sendgrid/sendgrid_key_test.go b/internal/detector/sendgrid/sendgrid_key_test.go index 8cf12fe..4c6c92c 100644 --- a/internal/detector/sendgrid/sendgrid_key_test.go +++ b/internal/detector/sendgrid/sendgrid_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/sentry/sentry_token.go b/internal/detector/sentry/sentry_token.go index d888865..fffd5bf 100644 --- a/internal/detector/sentry/sentry_token.go +++ b/internal/detector/sentry/sentry_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var sentryTokenPattern = regexp.MustCompile(`sntrys_[A-Za-z0-9_]{40,}`) diff --git a/internal/detector/sentry/sentry_token_test.go b/internal/detector/sentry/sentry_token_test.go index 24ede3f..8e03b96 100644 --- a/internal/detector/sentry/sentry_token_test.go +++ b/internal/detector/sentry/sentry_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/shopify/shopify_token.go b/internal/detector/shopify/shopify_token.go index 47df9b9..121fd06 100644 --- a/internal/detector/shopify/shopify_token.go +++ b/internal/detector/shopify/shopify_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var shopifyTokenPattern = regexp.MustCompile(`shpat_[a-f0-9]{32}`) diff --git a/internal/detector/shopify/shopify_token_test.go b/internal/detector/shopify/shopify_token_test.go index 924e37b..e7cba87 100644 --- a/internal/detector/shopify/shopify_token_test.go +++ b/internal/detector/shopify/shopify_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/slack/slack_test.go b/internal/detector/slack/slack_test.go index 067660c..4945893 100644 --- a/internal/detector/slack/slack_test.go +++ b/internal/detector/slack/slack_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/slack/slack_token.go b/internal/detector/slack/slack_token.go index 7367b1f..46a65d0 100644 --- a/internal/detector/slack/slack_token.go +++ b/internal/detector/slack/slack_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var tokenPattern = regexp.MustCompile(`xox[bpar]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,34}`) diff --git a/internal/detector/slack/slack_webhook.go b/internal/detector/slack/slack_webhook.go index 330d9e7..7cbdcdf 100644 --- a/internal/detector/slack/slack_webhook.go +++ b/internal/detector/slack/slack_webhook.go @@ -4,8 +4,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var webhookPattern = regexp.MustCompile(`https://hooks\.slack\.com/services/T[A-Z0-9]{8,}/B[A-Z0-9]{8,}/[a-zA-Z0-9]{20,48}`) diff --git a/internal/detector/snowflake/snowflake_cred.go b/internal/detector/snowflake/snowflake_cred.go index f0a2bb9..34c4dc7 100644 --- a/internal/detector/snowflake/snowflake_cred.go +++ b/internal/detector/snowflake/snowflake_cred.go @@ -6,8 +6,8 @@ import ( "regexp" "strings" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var snowflakeCredPattern = regexp.MustCompile(`snowflakecomputing\.com[^\s]*(?:password|pwd|PWD|PASSWORD)\s*=\s*([^&\s'"]+)`) diff --git a/internal/detector/snowflake/snowflake_cred_test.go b/internal/detector/snowflake/snowflake_cred_test.go index 5f9d71e..3adf7c2 100644 --- a/internal/detector/snowflake/snowflake_cred_test.go +++ b/internal/detector/snowflake/snowflake_cred_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/snyk/snyk_key.go b/internal/detector/snyk/snyk_key.go index 8a55c13..91c3d48 100644 --- a/internal/detector/snyk/snyk_key.go +++ b/internal/detector/snyk/snyk_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var snykKeyPattern = regexp.MustCompile(`(?:SNYK_TOKEN|snyk_token|SNYK_API_KEY)\s*[=:]\s*['"]?([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['"]?`) diff --git a/internal/detector/snyk/snyk_key_test.go b/internal/detector/snyk/snyk_key_test.go index d2f796d..37e4d02 100644 --- a/internal/detector/snyk/snyk_key_test.go +++ b/internal/detector/snyk/snyk_key_test.go @@ -4,7 +4,7 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/sonarcloud/sonarcloud_token.go b/internal/detector/sonarcloud/sonarcloud_token.go index cb31378..0ac9958 100644 --- a/internal/detector/sonarcloud/sonarcloud_token.go +++ b/internal/detector/sonarcloud/sonarcloud_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var sonarcloudTokenPattern = regexp.MustCompile(`sqp_[a-f0-9]{40}`) diff --git a/internal/detector/sonarcloud/sonarcloud_token_test.go b/internal/detector/sonarcloud/sonarcloud_token_test.go index 7f51ca7..e33e81d 100644 --- a/internal/detector/sonarcloud/sonarcloud_token_test.go +++ b/internal/detector/sonarcloud/sonarcloud_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/stripe/stripe_key.go b/internal/detector/stripe/stripe_key.go index b188d34..c6fc90a 100644 --- a/internal/detector/stripe/stripe_key.go +++ b/internal/detector/stripe/stripe_key.go @@ -6,8 +6,8 @@ import ( "regexp" "strings" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/stripe/stripe_key_test.go b/internal/detector/stripe/stripe_key_test.go index 626c9af..0b00d0e 100644 --- a/internal/detector/stripe/stripe_key_test.go +++ b/internal/detector/stripe/stripe_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/supabase/supabase_key.go b/internal/detector/supabase/supabase_key.go index 8bb08be..6f786c4 100644 --- a/internal/detector/supabase/supabase_key.go +++ b/internal/detector/supabase/supabase_key.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var supabaseKeyPattern = regexp.MustCompile(`sbp_[a-f0-9]{40}`) diff --git a/internal/detector/supabase/supabase_key_test.go b/internal/detector/supabase/supabase_key_test.go index ab57da5..64931e2 100644 --- a/internal/detector/supabase/supabase_key_test.go +++ b/internal/detector/supabase/supabase_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/teams/teams_webhook.go b/internal/detector/teams/teams_webhook.go index f2afa50..60cb0db 100644 --- a/internal/detector/teams/teams_webhook.go +++ b/internal/detector/teams/teams_webhook.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var teamsWebhookPattern = regexp.MustCompile(`https://[a-zA-Z0-9-]+\.webhook\.office\.com/webhookb2/[a-f0-9-]+/IncomingWebhook/[a-f0-9]+/[a-f0-9-]+`) diff --git a/internal/detector/teams/teams_webhook_test.go b/internal/detector/teams/teams_webhook_test.go index 5fa2178..e462605 100644 --- a/internal/detector/teams/teams_webhook_test.go +++ b/internal/detector/teams/teams_webhook_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/telegram/telegram_matcher_test.go b/internal/detector/telegram/telegram_matcher_test.go index 0396705..fc2d6c2 100644 --- a/internal/detector/telegram/telegram_matcher_test.go +++ b/internal/detector/telegram/telegram_matcher_test.go @@ -4,7 +4,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/internal/detector/testutil" + "github.com/HodeTech/leakwatch/internal/detector/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/telegram/telegram_token.go b/internal/detector/telegram/telegram_token.go index a19807b..89d35e6 100644 --- a/internal/detector/telegram/telegram_token.go +++ b/internal/detector/telegram/telegram_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var telegramTokenPattern = regexp.MustCompile(`[0-9]{7,10}:[A-Za-z0-9_-]{35}`) diff --git a/internal/detector/telegram/telegram_token_test.go b/internal/detector/telegram/telegram_token_test.go index 20687ef..f3152e0 100644 --- a/internal/detector/telegram/telegram_token_test.go +++ b/internal/detector/telegram/telegram_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/terraform/terraform_token.go b/internal/detector/terraform/terraform_token.go index abd08c6..e81e57b 100644 --- a/internal/detector/terraform/terraform_token.go +++ b/internal/detector/terraform/terraform_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var terraformTokenPattern = regexp.MustCompile(`[a-zA-Z0-9]{14}\.atlasv1\.[a-zA-Z0-9]{67,}`) diff --git a/internal/detector/terraform/terraform_token_test.go b/internal/detector/terraform/terraform_token_test.go index 69b06fc..2f185d8 100644 --- a/internal/detector/terraform/terraform_token_test.go +++ b/internal/detector/terraform/terraform_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/testutil/testutil.go b/internal/detector/testutil/testutil.go index b5544d9..cc0040d 100644 --- a/internal/detector/testutil/testutil.go +++ b/internal/detector/testutil/testutil.go @@ -6,8 +6,8 @@ package testutil import ( "context" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/matcher" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/matcher" ) // ScanViaMatcher runs det through the real Aho-Corasick matcher gate before diff --git a/internal/detector/twilio/twilio_key.go b/internal/detector/twilio/twilio_key.go index 82c46bd..cb8329c 100644 --- a/internal/detector/twilio/twilio_key.go +++ b/internal/detector/twilio/twilio_key.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/detector/twilio/twilio_key_test.go b/internal/detector/twilio/twilio_key_test.go index 63f985e..64daac7 100644 --- a/internal/detector/twilio/twilio_key_test.go +++ b/internal/detector/twilio/twilio_key_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/vault/vault_token.go b/internal/detector/vault/vault_token.go index d6c86e7..7a563d1 100644 --- a/internal/detector/vault/vault_token.go +++ b/internal/detector/vault/vault_token.go @@ -6,8 +6,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var vaultTokenPattern = regexp.MustCompile(`hvs\.[A-Za-z0-9_-]{24,}`) diff --git a/internal/detector/vault/vault_token_test.go b/internal/detector/vault/vault_token_test.go index c093c03..588ca74 100644 --- a/internal/detector/vault/vault_token_test.go +++ b/internal/detector/vault/vault_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/detector/vercel/vercel_token.go b/internal/detector/vercel/vercel_token.go index 723ae24..0395e90 100644 --- a/internal/detector/vercel/vercel_token.go +++ b/internal/detector/vercel/vercel_token.go @@ -5,8 +5,8 @@ import ( "context" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) var vercelTokenPattern = regexp.MustCompile(`vercel_[A-Za-z0-9_-]{24,}`) diff --git a/internal/detector/vercel/vercel_token_test.go b/internal/detector/vercel/vercel_token_test.go index 62e868b..b8488f7 100644 --- a/internal/detector/vercel/vercel_token_test.go +++ b/internal/detector/vercel/vercel_token_test.go @@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/engine/engine.go b/internal/engine/engine.go index 0bc1867..fdf3a1f 100644 --- a/internal/engine/engine.go +++ b/internal/engine/engine.go @@ -11,13 +11,13 @@ import ( "sync" "time" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/entropy" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/matcher" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/entropy" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/matcher" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const ( diff --git a/internal/engine/engine_test.go b/internal/engine/engine_test.go index 17e21ac..960cd20 100644 --- a/internal/engine/engine_test.go +++ b/internal/engine/engine_test.go @@ -7,9 +7,9 @@ import ( "testing" "time" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/matcher/matcher.go b/internal/matcher/matcher.go index c96ae04..997e37b 100644 --- a/internal/matcher/matcher.go +++ b/internal/matcher/matcher.go @@ -9,7 +9,7 @@ import ( "github.com/cloudflare/ahocorasick" - "github.com/cemililik/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/detector" ) // Matcher performs Aho-Corasick keyword pre-filtering to determine which diff --git a/internal/matcher/matcher_test.go b/internal/matcher/matcher_test.go index ba2429e..fdbe212 100644 --- a/internal/matcher/matcher_test.go +++ b/internal/matcher/matcher_test.go @@ -8,8 +8,8 @@ import ( "sync" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/output/csv/csv_formatter.go b/internal/output/csv/csv_formatter.go index 0ebac8b..5c9ab87 100644 --- a/internal/output/csv/csv_formatter.go +++ b/internal/output/csv/csv_formatter.go @@ -7,7 +7,7 @@ import ( "io" "strings" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Formatter outputs findings in CSV format. diff --git a/internal/output/csv/csv_formatter_test.go b/internal/output/csv/csv_formatter_test.go index 35a6fc6..037a263 100644 --- a/internal/output/csv/csv_formatter_test.go +++ b/internal/output/csv/csv_formatter_test.go @@ -7,7 +7,7 @@ import ( "testing" "time" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/output/formatter.go b/internal/output/formatter.go index 61c9079..7956a16 100644 --- a/internal/output/formatter.go +++ b/internal/output/formatter.go @@ -4,7 +4,7 @@ package output import ( "io" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Formatter outputs findings in a specific format. diff --git a/internal/output/json/json_formatter.go b/internal/output/json/json_formatter.go index f27fc7c..535b7a2 100644 --- a/internal/output/json/json_formatter.go +++ b/internal/output/json/json_formatter.go @@ -6,7 +6,7 @@ import ( "fmt" "io" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Formatter outputs findings in JSON format. diff --git a/internal/output/json/json_formatter_test.go b/internal/output/json/json_formatter_test.go index 3b9e18d..782aa53 100644 --- a/internal/output/json/json_formatter_test.go +++ b/internal/output/json/json_formatter_test.go @@ -7,7 +7,7 @@ import ( "testing" "time" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/output/sarif/sarif_formatter.go b/internal/output/sarif/sarif_formatter.go index ff47688..d6e72ac 100644 --- a/internal/output/sarif/sarif_formatter.go +++ b/internal/output/sarif/sarif_formatter.go @@ -8,14 +8,14 @@ import ( "io" "strings" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) const ( sarifSchema = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json" sarifVersion = "2.1.0" toolName = "Leakwatch" - toolInfoURI = "https://github.com/cemililik/Leakwatch" + toolInfoURI = "https://github.com/HodeTech/Leakwatch" toolVersion = "dev" rawPropertyKey = "raw" ) diff --git a/internal/output/sarif/sarif_formatter_test.go b/internal/output/sarif/sarif_formatter_test.go index cae45d5..2516ef1 100644 --- a/internal/output/sarif/sarif_formatter_test.go +++ b/internal/output/sarif/sarif_formatter_test.go @@ -6,7 +6,7 @@ import ( "testing" "time" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/output/table/table_formatter.go b/internal/output/table/table_formatter.go index 0519f39..02211d1 100644 --- a/internal/output/table/table_formatter.go +++ b/internal/output/table/table_formatter.go @@ -7,7 +7,7 @@ import ( "strings" "text/tabwriter" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // ANSI color codes for terminal output. diff --git a/internal/output/table/table_formatter_test.go b/internal/output/table/table_formatter_test.go index bb0cb59..cde4783 100644 --- a/internal/output/table/table_formatter_test.go +++ b/internal/output/table/table_formatter_test.go @@ -7,7 +7,7 @@ import ( "testing" "time" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/remediation/guidance.go b/internal/remediation/guidance.go index 1e93788..2f1ad8c 100644 --- a/internal/remediation/guidance.go +++ b/internal/remediation/guidance.go @@ -1,6 +1,6 @@ package remediation -import "github.com/cemililik/leakwatch/pkg/finding" +import "github.com/HodeTech/leakwatch/pkg/finding" // Reusable step and checklist strings to keep guidance consistent and // minimize duplication across providers. diff --git a/internal/remediation/remediation.go b/internal/remediation/remediation.go index 1d1a3af..8c2dcf0 100644 --- a/internal/remediation/remediation.go +++ b/internal/remediation/remediation.go @@ -6,7 +6,7 @@ package remediation import ( "sync" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) var ( diff --git a/internal/remediation/remediation_test.go b/internal/remediation/remediation_test.go index 0eb67da..0d66e9f 100644 --- a/internal/remediation/remediation_test.go +++ b/internal/remediation/remediation_test.go @@ -3,7 +3,7 @@ package remediation import ( "testing" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/source/container/container.go b/internal/source/container/container.go index 6c6ce15..dd502ee 100644 --- a/internal/source/container/container.go +++ b/internal/source/container/container.go @@ -17,9 +17,9 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" ) const defaultMaxFileSize int64 = 10 * 1024 * 1024 diff --git a/internal/source/container/container_test.go b/internal/source/container/container_test.go index c8066b3..9b14641 100644 --- a/internal/source/container/container_test.go +++ b/internal/source/container/container_test.go @@ -9,7 +9,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/internal/source" ) func TestContainerSource_Type_ReturnsContainer(t *testing.T) { diff --git a/internal/source/filesystem/filesystem.go b/internal/source/filesystem/filesystem.go index b7cdb87..6f3fc03 100644 --- a/internal/source/filesystem/filesystem.go +++ b/internal/source/filesystem/filesystem.go @@ -9,9 +9,9 @@ import ( "os" "path/filepath" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" ) // defaultMaxFileSize is the maximum file size to scan (10 MB). diff --git a/internal/source/gcs/gcs.go b/internal/source/gcs/gcs.go index cb5b97a..9f84802 100644 --- a/internal/source/gcs/gcs.go +++ b/internal/source/gcs/gcs.go @@ -14,9 +14,9 @@ import ( "google.golang.org/api/iterator" "google.golang.org/api/option" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" ) // defaultMaxFileSize is the maximum object size to scan (10 MB). diff --git a/internal/source/gcs/gcs_test.go b/internal/source/gcs/gcs_test.go index acff80e..466c6bb 100644 --- a/internal/source/gcs/gcs_test.go +++ b/internal/source/gcs/gcs_test.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" "google.golang.org/api/iterator" - "github.com/cemililik/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/internal/source" ) // mockGCSClient implements the gcsClient interface for testing. diff --git a/internal/source/git/git.go b/internal/source/git/git.go index c747060..20849ca 100644 --- a/internal/source/git/git.go +++ b/internal/source/git/git.go @@ -15,9 +15,9 @@ import ( "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" ) // maxSeenEntries is the upper bound for the blob deduplication map. diff --git a/internal/source/s3/s3.go b/internal/source/s3/s3.go index 006fb9b..3d98b46 100644 --- a/internal/source/s3/s3.go +++ b/internal/source/s3/s3.go @@ -13,9 +13,9 @@ import ( awsconfig "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/cemililik/leakwatch/internal/filter" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/filter" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" ) // defaultMaxFileSize is the maximum object size to scan (10 MB). diff --git a/internal/source/s3/s3_test.go b/internal/source/s3/s3_test.go index 00d6225..6077a5d 100644 --- a/internal/source/s3/s3_test.go +++ b/internal/source/s3/s3_test.go @@ -11,7 +11,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/internal/source" ) // mockS3Client is a minimal mock for the s3Client interface. diff --git a/internal/source/slack/slack.go b/internal/source/slack/slack.go index d54e9ce..8815f1e 100644 --- a/internal/source/slack/slack.go +++ b/internal/source/slack/slack.go @@ -11,8 +11,8 @@ import ( "github.com/slack-go/slack" "golang.org/x/time/rate" - "github.com/cemililik/leakwatch/internal/source" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/source" + "github.com/HodeTech/leakwatch/pkg/finding" ) const ( diff --git a/internal/source/source.go b/internal/source/source.go index cf8ac80..589c740 100644 --- a/internal/source/source.go +++ b/internal/source/source.go @@ -4,7 +4,7 @@ package source import ( "context" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Source represents a data source to be scanned. diff --git a/internal/verifier/airtable/airtable_verifier.go b/internal/verifier/airtable/airtable_verifier.go index 75a8fbf..b2d4558 100644 --- a/internal/verifier/airtable/airtable_verifier.go +++ b/internal/verifier/airtable/airtable_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "airtable-pat" diff --git a/internal/verifier/airtable/airtable_verifier_test.go b/internal/verifier/airtable/airtable_verifier_test.go index b574905..3034e2c 100644 --- a/internal/verifier/airtable/airtable_verifier_test.go +++ b/internal/verifier/airtable/airtable_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/anthropic/anthropic_shared_test.go b/internal/verifier/anthropic/anthropic_shared_test.go index dd0b3b9..8ddccd6 100644 --- a/internal/verifier/anthropic/anthropic_shared_test.go +++ b/internal/verifier/anthropic/anthropic_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/anthropic/anthropic_verifier.go b/internal/verifier/anthropic/anthropic_verifier.go index ff3699f..9a5fd7f 100644 --- a/internal/verifier/anthropic/anthropic_verifier.go +++ b/internal/verifier/anthropic/anthropic_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "anthropic-api-key" diff --git a/internal/verifier/anthropic/anthropic_verifier_test.go b/internal/verifier/anthropic/anthropic_verifier_test.go index ae508ca..14e0e31 100644 --- a/internal/verifier/anthropic/anthropic_verifier_test.go +++ b/internal/verifier/anthropic/anthropic_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/auth0/auth0_verifier.go b/internal/verifier/auth0/auth0_verifier.go index a1d15b7..c574e53 100644 --- a/internal/verifier/auth0/auth0_verifier.go +++ b/internal/verifier/auth0/auth0_verifier.go @@ -7,10 +7,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "auth0-management-token" diff --git a/internal/verifier/auth0/auth0_verifier_test.go b/internal/verifier/auth0/auth0_verifier_test.go index 689fad4..3dd8c0a 100644 --- a/internal/verifier/auth0/auth0_verifier_test.go +++ b/internal/verifier/auth0/auth0_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/aws/aws_verifier.go b/internal/verifier/aws/aws_verifier.go index 2d152c2..46ded41 100644 --- a/internal/verifier/aws/aws_verifier.go +++ b/internal/verifier/aws/aws_verifier.go @@ -13,9 +13,9 @@ import ( "github.com/aws/aws-sdk-go-v2/service/sts" smithy "github.com/aws/smithy-go" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "aws-access-key-id" diff --git a/internal/verifier/aws/aws_verifier_test.go b/internal/verifier/aws/aws_verifier_test.go index 5903620..c888c23 100644 --- a/internal/verifier/aws/aws_verifier_test.go +++ b/internal/verifier/aws/aws_verifier_test.go @@ -12,8 +12,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) // mockSTSClient implements stsClient for testing. diff --git a/internal/verifier/azure/azure_entra_verifier.go b/internal/verifier/azure/azure_entra_verifier.go index 7938cb1..477d720 100644 --- a/internal/verifier/azure/azure_entra_verifier.go +++ b/internal/verifier/azure/azure_entra_verifier.go @@ -5,9 +5,9 @@ import ( "log/slog" "regexp" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const entraDetectorID = "azure-entra-secret" diff --git a/internal/verifier/azure/azure_entra_verifier_test.go b/internal/verifier/azure/azure_entra_verifier_test.go index 3b764de..6205f5b 100644 --- a/internal/verifier/azure/azure_entra_verifier_test.go +++ b/internal/verifier/azure/azure_entra_verifier_test.go @@ -7,8 +7,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestEntraVerify_ValidSecret_ReturnsUnverified(t *testing.T) { diff --git a/internal/verifier/azure/azure_storage_verifier.go b/internal/verifier/azure/azure_storage_verifier.go index fa56e73..2e73607 100644 --- a/internal/verifier/azure/azure_storage_verifier.go +++ b/internal/verifier/azure/azure_storage_verifier.go @@ -8,9 +8,9 @@ import ( "log/slog" "strings" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const storageDetectorID = "azure-storage-key" diff --git a/internal/verifier/azure/azure_storage_verifier_test.go b/internal/verifier/azure/azure_storage_verifier_test.go index 46ddbbf..dc13c68 100644 --- a/internal/verifier/azure/azure_storage_verifier_test.go +++ b/internal/verifier/azure/azure_storage_verifier_test.go @@ -7,8 +7,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestStorageVerify_ValidConnectionString_ReturnsUnverified(t *testing.T) { diff --git a/internal/verifier/bitbucket/bitbucket_verifier.go b/internal/verifier/bitbucket/bitbucket_verifier.go index 5ba9338..4ce250c 100644 --- a/internal/verifier/bitbucket/bitbucket_verifier.go +++ b/internal/verifier/bitbucket/bitbucket_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "bitbucket-app-password" diff --git a/internal/verifier/bitbucket/bitbucket_verifier_test.go b/internal/verifier/bitbucket/bitbucket_verifier_test.go index 8e0d296..95384d3 100644 --- a/internal/verifier/bitbucket/bitbucket_verifier_test.go +++ b/internal/verifier/bitbucket/bitbucket_verifier_test.go @@ -11,8 +11,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidPassword_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/circleci/circleci_shared_test.go b/internal/verifier/circleci/circleci_shared_test.go index 2a24312..67e15ed 100644 --- a/internal/verifier/circleci/circleci_shared_test.go +++ b/internal/verifier/circleci/circleci_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/circleci/circleci_verifier.go b/internal/verifier/circleci/circleci_verifier.go index 889835a..8a01e11 100644 --- a/internal/verifier/circleci/circleci_verifier.go +++ b/internal/verifier/circleci/circleci_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "circleci-token" diff --git a/internal/verifier/circleci/circleci_verifier_test.go b/internal/verifier/circleci/circleci_verifier_test.go index 6c1d4e1..e11bce6 100644 --- a/internal/verifier/circleci/circleci_verifier_test.go +++ b/internal/verifier/circleci/circleci_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/cloudflare/cloudflare_verifier.go b/internal/verifier/cloudflare/cloudflare_verifier.go index a63d84d..c5c426b 100644 --- a/internal/verifier/cloudflare/cloudflare_verifier.go +++ b/internal/verifier/cloudflare/cloudflare_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "cloudflare-api-token" diff --git a/internal/verifier/cloudflare/cloudflare_verifier_test.go b/internal/verifier/cloudflare/cloudflare_verifier_test.go index 6784229..b6a13b5 100644 --- a/internal/verifier/cloudflare/cloudflare_verifier_test.go +++ b/internal/verifier/cloudflare/cloudflare_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/coinbase/coinbase_verifier.go b/internal/verifier/coinbase/coinbase_verifier.go index 2aaf232..b1ae68f 100644 --- a/internal/verifier/coinbase/coinbase_verifier.go +++ b/internal/verifier/coinbase/coinbase_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "coinbase-api-key" diff --git a/internal/verifier/coinbase/coinbase_verifier_test.go b/internal/verifier/coinbase/coinbase_verifier_test.go index 5926c1c..b0b2899 100644 --- a/internal/verifier/coinbase/coinbase_verifier_test.go +++ b/internal/verifier/coinbase/coinbase_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/databricks/databricks_verifier.go b/internal/verifier/databricks/databricks_verifier.go index b7ea9f3..ae426fd 100644 --- a/internal/verifier/databricks/databricks_verifier.go +++ b/internal/verifier/databricks/databricks_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "databricks-token" diff --git a/internal/verifier/databricks/databricks_verifier_test.go b/internal/verifier/databricks/databricks_verifier_test.go index 70a958c..0587a18 100644 --- a/internal/verifier/databricks/databricks_verifier_test.go +++ b/internal/verifier/databricks/databricks_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/datadog/datadog_shared_test.go b/internal/verifier/datadog/datadog_shared_test.go index d53e979..9ad6a0e 100644 --- a/internal/verifier/datadog/datadog_shared_test.go +++ b/internal/verifier/datadog/datadog_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/datadog/datadog_verifier.go b/internal/verifier/datadog/datadog_verifier.go index 213a245..7d498d0 100644 --- a/internal/verifier/datadog/datadog_verifier.go +++ b/internal/verifier/datadog/datadog_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "datadog-api-key" diff --git a/internal/verifier/datadog/datadog_verifier_test.go b/internal/verifier/datadog/datadog_verifier_test.go index 118f3ea..8fade22 100644 --- a/internal/verifier/datadog/datadog_verifier_test.go +++ b/internal/verifier/datadog/datadog_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/deepseek/deepseek_verifier.go b/internal/verifier/deepseek/deepseek_verifier.go index eebcc58..ca547ae 100644 --- a/internal/verifier/deepseek/deepseek_verifier.go +++ b/internal/verifier/deepseek/deepseek_verifier.go @@ -10,10 +10,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "deepseek-api-key" diff --git a/internal/verifier/deepseek/deepseek_verifier_test.go b/internal/verifier/deepseek/deepseek_verifier_test.go index 4a099bd..9a58918 100644 --- a/internal/verifier/deepseek/deepseek_verifier_test.go +++ b/internal/verifier/deepseek/deepseek_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/digitalocean/digitalocean_verifier.go b/internal/verifier/digitalocean/digitalocean_verifier.go index ee319d7..19cce7a 100644 --- a/internal/verifier/digitalocean/digitalocean_verifier.go +++ b/internal/verifier/digitalocean/digitalocean_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "digitalocean-token" diff --git a/internal/verifier/digitalocean/digitalocean_verifier_test.go b/internal/verifier/digitalocean/digitalocean_verifier_test.go index 47b19ac..4272c2f 100644 --- a/internal/verifier/digitalocean/digitalocean_verifier_test.go +++ b/internal/verifier/digitalocean/digitalocean_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/discord/discord_verifier.go b/internal/verifier/discord/discord_verifier.go index 971f2af..e6efaa0 100644 --- a/internal/verifier/discord/discord_verifier.go +++ b/internal/verifier/discord/discord_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "discord-bot-token" diff --git a/internal/verifier/discord/discord_verifier_test.go b/internal/verifier/discord/discord_verifier_test.go index 2bf473c..cd0da01 100644 --- a/internal/verifier/discord/discord_verifier_test.go +++ b/internal/verifier/discord/discord_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/dockerhub/dockerhub_verifier.go b/internal/verifier/dockerhub/dockerhub_verifier.go index 11df581..0ae7fc7 100644 --- a/internal/verifier/dockerhub/dockerhub_verifier.go +++ b/internal/verifier/dockerhub/dockerhub_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "dockerhub-pat" diff --git a/internal/verifier/dockerhub/dockerhub_verifier_test.go b/internal/verifier/dockerhub/dockerhub_verifier_test.go index 2e59d17..c38264c 100644 --- a/internal/verifier/dockerhub/dockerhub_verifier_test.go +++ b/internal/verifier/dockerhub/dockerhub_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/doppler/doppler_verifier.go b/internal/verifier/doppler/doppler_verifier.go index 44f0e1d..093ec88 100644 --- a/internal/verifier/doppler/doppler_verifier.go +++ b/internal/verifier/doppler/doppler_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "doppler-token" diff --git a/internal/verifier/doppler/doppler_verifier_test.go b/internal/verifier/doppler/doppler_verifier_test.go index 675029c..d7e6f10 100644 --- a/internal/verifier/doppler/doppler_verifier_test.go +++ b/internal/verifier/doppler/doppler_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/engine.go b/internal/verifier/engine.go index 02e5bfc..4b35600 100644 --- a/internal/verifier/engine.go +++ b/internal/verifier/engine.go @@ -9,7 +9,7 @@ import ( "golang.org/x/time/rate" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // DefaultTimeout is the default per-request verification timeout. diff --git a/internal/verifier/engine_test.go b/internal/verifier/engine_test.go index 9a9c0a1..a850c30 100644 --- a/internal/verifier/engine_test.go +++ b/internal/verifier/engine_test.go @@ -6,8 +6,8 @@ import ( "testing" "time" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/internal/verifier/figma/figma_verifier.go b/internal/verifier/figma/figma_verifier.go index de7af2b..2e8ef10 100644 --- a/internal/verifier/figma/figma_verifier.go +++ b/internal/verifier/figma/figma_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "figma-pat" diff --git a/internal/verifier/figma/figma_verifier_test.go b/internal/verifier/figma/figma_verifier_test.go index 240937b..e0d23ac 100644 --- a/internal/verifier/figma/figma_verifier_test.go +++ b/internal/verifier/figma/figma_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/gcp/gcp_verifier.go b/internal/verifier/gcp/gcp_verifier.go index d0b1ea8..e38e58b 100644 --- a/internal/verifier/gcp/gcp_verifier.go +++ b/internal/verifier/gcp/gcp_verifier.go @@ -11,9 +11,9 @@ import ( "encoding/json" "log/slog" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "gcp-service-account" diff --git a/internal/verifier/gcp/gcp_verifier_test.go b/internal/verifier/gcp/gcp_verifier_test.go index 5954cca..3256394 100644 --- a/internal/verifier/gcp/gcp_verifier_test.go +++ b/internal/verifier/gcp/gcp_verifier_test.go @@ -7,9 +7,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - detectorgcp "github.com/cemililik/leakwatch/internal/detector/gcp" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + detectorgcp "github.com/HodeTech/leakwatch/internal/detector/gcp" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerifier_Type_ReturnsCorrectID(t *testing.T) { diff --git a/internal/verifier/github/github_oauth_verifier.go b/internal/verifier/github/github_oauth_verifier.go index f0ed7e2..49da59c 100644 --- a/internal/verifier/github/github_oauth_verifier.go +++ b/internal/verifier/github/github_oauth_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const oauthDetectorID = "github-oauth-token" diff --git a/internal/verifier/github/github_oauth_verifier_test.go b/internal/verifier/github/github_oauth_verifier_test.go index 76e599e..919acf0 100644 --- a/internal/verifier/github/github_oauth_verifier_test.go +++ b/internal/verifier/github/github_oauth_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestOAuthVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/github/github_shared_test.go b/internal/verifier/github/github_shared_test.go index b263cee..8e56ba1 100644 --- a/internal/verifier/github/github_shared_test.go +++ b/internal/verifier/github/github_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/github/github_verifier.go b/internal/verifier/github/github_verifier.go index 64e29f2..9f1a657 100644 --- a/internal/verifier/github/github_verifier.go +++ b/internal/verifier/github/github_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "github-token" diff --git a/internal/verifier/github/github_verifier_test.go b/internal/verifier/github/github_verifier_test.go index 27db453..32b2c98 100644 --- a/internal/verifier/github/github_verifier_test.go +++ b/internal/verifier/github/github_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/gitlab/gitlab_shared_test.go b/internal/verifier/gitlab/gitlab_shared_test.go index 2a6f638..54d8371 100644 --- a/internal/verifier/gitlab/gitlab_shared_test.go +++ b/internal/verifier/gitlab/gitlab_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/gitlab/gitlab_verifier.go b/internal/verifier/gitlab/gitlab_verifier.go index a844c7b..a3dd93e 100644 --- a/internal/verifier/gitlab/gitlab_verifier.go +++ b/internal/verifier/gitlab/gitlab_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "gitlab-pat" diff --git a/internal/verifier/gitlab/gitlab_verifier_test.go b/internal/verifier/gitlab/gitlab_verifier_test.go index 8c261d5..4c409e5 100644 --- a/internal/verifier/gitlab/gitlab_verifier_test.go +++ b/internal/verifier/gitlab/gitlab_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/grafana/grafana_verifier.go b/internal/verifier/grafana/grafana_verifier.go index 6c136f1..804cf8a 100644 --- a/internal/verifier/grafana/grafana_verifier.go +++ b/internal/verifier/grafana/grafana_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "grafana-api-key" diff --git a/internal/verifier/grafana/grafana_verifier_test.go b/internal/verifier/grafana/grafana_verifier_test.go index 7911dc8..f915735 100644 --- a/internal/verifier/grafana/grafana_verifier_test.go +++ b/internal/verifier/grafana/grafana_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/heroku/heroku_verifier.go b/internal/verifier/heroku/heroku_verifier.go index 858fa05..c1c3b67 100644 --- a/internal/verifier/heroku/heroku_verifier.go +++ b/internal/verifier/heroku/heroku_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "heroku-api-key" diff --git a/internal/verifier/heroku/heroku_verifier_test.go b/internal/verifier/heroku/heroku_verifier_test.go index 11c5c53..789c771 100644 --- a/internal/verifier/heroku/heroku_verifier_test.go +++ b/internal/verifier/heroku/heroku_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/huggingface/huggingface_verifier.go b/internal/verifier/huggingface/huggingface_verifier.go index 585f7bb..a2f4445 100644 --- a/internal/verifier/huggingface/huggingface_verifier.go +++ b/internal/verifier/huggingface/huggingface_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "huggingface-token" diff --git a/internal/verifier/huggingface/huggingface_verifier_test.go b/internal/verifier/huggingface/huggingface_verifier_test.go index be73fd3..712cfb3 100644 --- a/internal/verifier/huggingface/huggingface_verifier_test.go +++ b/internal/verifier/huggingface/huggingface_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/infura/infura_verifier.go b/internal/verifier/infura/infura_verifier.go index 03d71d9..2af3284 100644 --- a/internal/verifier/infura/infura_verifier.go +++ b/internal/verifier/infura/infura_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "infura-api-key" diff --git a/internal/verifier/infura/infura_verifier_test.go b/internal/verifier/infura/infura_verifier_test.go index 5aa7981..434dc7e 100644 --- a/internal/verifier/infura/infura_verifier_test.go +++ b/internal/verifier/infura/infura_verifier_test.go @@ -12,8 +12,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/internal/httpx/verify.go b/internal/verifier/internal/httpx/verify.go index 12ccff8..82ff5ef 100644 --- a/internal/verifier/internal/httpx/verify.go +++ b/internal/verifier/internal/httpx/verify.go @@ -8,7 +8,7 @@ import ( "log/slog" "net/http" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) // userAgent is the User-Agent every verifier request carries. diff --git a/internal/verifier/internal/httpx/verify_test.go b/internal/verifier/internal/httpx/verify_test.go index 3f88a9c..e08ce87 100644 --- a/internal/verifier/internal/httpx/verify_test.go +++ b/internal/verifier/internal/httpx/verify_test.go @@ -11,7 +11,7 @@ import ( "github.com/stretchr/testify/assert" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/pkg/finding" ) const testToken = "test-token-1234567890" diff --git a/internal/verifier/internal/vtest/vtest.go b/internal/verifier/internal/vtest/vtest.go index 1516c13..4d7186a 100644 --- a/internal/verifier/internal/vtest/vtest.go +++ b/internal/verifier/internal/vtest/vtest.go @@ -22,9 +22,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Factory builds a verifier under test, wired to the given base URL and HTTP diff --git a/internal/verifier/launchdarkly/launchdarkly_verifier.go b/internal/verifier/launchdarkly/launchdarkly_verifier.go index 8a703b1..4bba2bf 100644 --- a/internal/verifier/launchdarkly/launchdarkly_verifier.go +++ b/internal/verifier/launchdarkly/launchdarkly_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "launchdarkly-sdk-key" diff --git a/internal/verifier/launchdarkly/launchdarkly_verifier_test.go b/internal/verifier/launchdarkly/launchdarkly_verifier_test.go index 989497c..c128281 100644 --- a/internal/verifier/launchdarkly/launchdarkly_verifier_test.go +++ b/internal/verifier/launchdarkly/launchdarkly_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/linear/linear_shared_test.go b/internal/verifier/linear/linear_shared_test.go index 006a6a9..7ad4776 100644 --- a/internal/verifier/linear/linear_shared_test.go +++ b/internal/verifier/linear/linear_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/linear/linear_verifier.go b/internal/verifier/linear/linear_verifier.go index 0a8621d..cfc168e 100644 --- a/internal/verifier/linear/linear_verifier.go +++ b/internal/verifier/linear/linear_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "linear-api-key" diff --git a/internal/verifier/linear/linear_verifier_test.go b/internal/verifier/linear/linear_verifier_test.go index 93f784c..ba5aa11 100644 --- a/internal/verifier/linear/linear_verifier_test.go +++ b/internal/verifier/linear/linear_verifier_test.go @@ -11,8 +11,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/mailgun/mailgun_verifier.go b/internal/verifier/mailgun/mailgun_verifier.go index f0dc63b..08f4efa 100644 --- a/internal/verifier/mailgun/mailgun_verifier.go +++ b/internal/verifier/mailgun/mailgun_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "mailgun-api-key" diff --git a/internal/verifier/mailgun/mailgun_verifier_test.go b/internal/verifier/mailgun/mailgun_verifier_test.go index 231e740..90127d2 100644 --- a/internal/verifier/mailgun/mailgun_verifier_test.go +++ b/internal/verifier/mailgun/mailgun_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/newrelic/newrelic_verifier.go b/internal/verifier/newrelic/newrelic_verifier.go index 4b636e9..d130348 100644 --- a/internal/verifier/newrelic/newrelic_verifier.go +++ b/internal/verifier/newrelic/newrelic_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "newrelic-api-key" diff --git a/internal/verifier/newrelic/newrelic_verifier_test.go b/internal/verifier/newrelic/newrelic_verifier_test.go index f08c188..24eec75 100644 --- a/internal/verifier/newrelic/newrelic_verifier_test.go +++ b/internal/verifier/newrelic/newrelic_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/notion/notion_verifier.go b/internal/verifier/notion/notion_verifier.go index f61ff06..68f4d13 100644 --- a/internal/verifier/notion/notion_verifier.go +++ b/internal/verifier/notion/notion_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "notion-token" diff --git a/internal/verifier/notion/notion_verifier_test.go b/internal/verifier/notion/notion_verifier_test.go index 8e4771a..ddb705d 100644 --- a/internal/verifier/notion/notion_verifier_test.go +++ b/internal/verifier/notion/notion_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/npm/npm_verifier.go b/internal/verifier/npm/npm_verifier.go index 7232141..9041735 100644 --- a/internal/verifier/npm/npm_verifier.go +++ b/internal/verifier/npm/npm_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "npm-token" diff --git a/internal/verifier/npm/npm_verifier_test.go b/internal/verifier/npm/npm_verifier_test.go index 474303c..ea02104 100644 --- a/internal/verifier/npm/npm_verifier_test.go +++ b/internal/verifier/npm/npm_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/okta/okta_verifier.go b/internal/verifier/okta/okta_verifier.go index 1d5868d..73e05c9 100644 --- a/internal/verifier/okta/okta_verifier.go +++ b/internal/verifier/okta/okta_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "okta-api-token" diff --git a/internal/verifier/okta/okta_verifier_test.go b/internal/verifier/okta/okta_verifier_test.go index e289e31..16c445e 100644 --- a/internal/verifier/okta/okta_verifier_test.go +++ b/internal/verifier/okta/okta_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/openai/openai_shared_test.go b/internal/verifier/openai/openai_shared_test.go index a99fb5e..2d0f9c2 100644 --- a/internal/verifier/openai/openai_shared_test.go +++ b/internal/verifier/openai/openai_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/openai/openai_verifier.go b/internal/verifier/openai/openai_verifier.go index fa4f9ea..0813510 100644 --- a/internal/verifier/openai/openai_verifier.go +++ b/internal/verifier/openai/openai_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "openai-api-key" diff --git a/internal/verifier/openai/openai_verifier_test.go b/internal/verifier/openai/openai_verifier_test.go index 17f0715..22decef 100644 --- a/internal/verifier/openai/openai_verifier_test.go +++ b/internal/verifier/openai/openai_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/pagerduty/pagerduty_verifier.go b/internal/verifier/pagerduty/pagerduty_verifier.go index 863e93d..75cef44 100644 --- a/internal/verifier/pagerduty/pagerduty_verifier.go +++ b/internal/verifier/pagerduty/pagerduty_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "pagerduty-api-key" diff --git a/internal/verifier/pagerduty/pagerduty_verifier_test.go b/internal/verifier/pagerduty/pagerduty_verifier_test.go index 5c857f8..0d5f9e3 100644 --- a/internal/verifier/pagerduty/pagerduty_verifier_test.go +++ b/internal/verifier/pagerduty/pagerduty_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/postmark/postmark_verifier.go b/internal/verifier/postmark/postmark_verifier.go index 18f8760..82a0025 100644 --- a/internal/verifier/postmark/postmark_verifier.go +++ b/internal/verifier/postmark/postmark_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "postmark-server-token" diff --git a/internal/verifier/postmark/postmark_verifier_test.go b/internal/verifier/postmark/postmark_verifier_test.go index 06fbe64..93eb636 100644 --- a/internal/verifier/postmark/postmark_verifier_test.go +++ b/internal/verifier/postmark/postmark_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/pypi/pypi_verifier.go b/internal/verifier/pypi/pypi_verifier.go index d7f1d52..5a5253f 100644 --- a/internal/verifier/pypi/pypi_verifier.go +++ b/internal/verifier/pypi/pypi_verifier.go @@ -8,10 +8,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "pypi-api-token" diff --git a/internal/verifier/pypi/pypi_verifier_test.go b/internal/verifier/pypi/pypi_verifier_test.go index 469a009..644e40e 100644 --- a/internal/verifier/pypi/pypi_verifier_test.go +++ b/internal/verifier/pypi/pypi_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/rabbitmq/rabbitmq_verifier.go b/internal/verifier/rabbitmq/rabbitmq_verifier.go index 6e83417..e511604 100644 --- a/internal/verifier/rabbitmq/rabbitmq_verifier.go +++ b/internal/verifier/rabbitmq/rabbitmq_verifier.go @@ -8,9 +8,9 @@ import ( "log/slog" "net/url" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "rabbitmq-connection-string" diff --git a/internal/verifier/rabbitmq/rabbitmq_verifier_test.go b/internal/verifier/rabbitmq/rabbitmq_verifier_test.go index 09c940a..67b210e 100644 --- a/internal/verifier/rabbitmq/rabbitmq_verifier_test.go +++ b/internal/verifier/rabbitmq/rabbitmq_verifier_test.go @@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerifier_Type_ReturnsCorrectID(t *testing.T) { diff --git a/internal/verifier/registry_test.go b/internal/verifier/registry_test.go index dd76f7c..e80ea2e 100644 --- a/internal/verifier/registry_test.go +++ b/internal/verifier/registry_test.go @@ -4,8 +4,8 @@ import ( "context" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" "github.com/stretchr/testify/assert" ) diff --git a/internal/verifier/rubygems/rubygems_verifier.go b/internal/verifier/rubygems/rubygems_verifier.go index 4e4fb88..2fc9177 100644 --- a/internal/verifier/rubygems/rubygems_verifier.go +++ b/internal/verifier/rubygems/rubygems_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "rubygems-api-key" diff --git a/internal/verifier/rubygems/rubygems_verifier_test.go b/internal/verifier/rubygems/rubygems_verifier_test.go index 1dd6df5..d0856f3 100644 --- a/internal/verifier/rubygems/rubygems_verifier_test.go +++ b/internal/verifier/rubygems/rubygems_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/sendgrid/sendgrid_shared_test.go b/internal/verifier/sendgrid/sendgrid_shared_test.go index 72c25e5..712ee87 100644 --- a/internal/verifier/sendgrid/sendgrid_shared_test.go +++ b/internal/verifier/sendgrid/sendgrid_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/sendgrid/sendgrid_verifier.go b/internal/verifier/sendgrid/sendgrid_verifier.go index 1d3869f..8938dd6 100644 --- a/internal/verifier/sendgrid/sendgrid_verifier.go +++ b/internal/verifier/sendgrid/sendgrid_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "sendgrid-api-key" diff --git a/internal/verifier/sendgrid/sendgrid_verifier_test.go b/internal/verifier/sendgrid/sendgrid_verifier_test.go index 83200e9..57892ac 100644 --- a/internal/verifier/sendgrid/sendgrid_verifier_test.go +++ b/internal/verifier/sendgrid/sendgrid_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/sentry/sentry_shared_test.go b/internal/verifier/sentry/sentry_shared_test.go index 7c8237f..e93e6c3 100644 --- a/internal/verifier/sentry/sentry_shared_test.go +++ b/internal/verifier/sentry/sentry_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/sentry/sentry_verifier.go b/internal/verifier/sentry/sentry_verifier.go index 2083d47..68d7b67 100644 --- a/internal/verifier/sentry/sentry_verifier.go +++ b/internal/verifier/sentry/sentry_verifier.go @@ -9,10 +9,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "sentry-token" diff --git a/internal/verifier/sentry/sentry_verifier_test.go b/internal/verifier/sentry/sentry_verifier_test.go index faabecc..6ffc9f9 100644 --- a/internal/verifier/sentry/sentry_verifier_test.go +++ b/internal/verifier/sentry/sentry_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/shopify/shopify_verifier.go b/internal/verifier/shopify/shopify_verifier.go index c7f166b..c368175 100644 --- a/internal/verifier/shopify/shopify_verifier.go +++ b/internal/verifier/shopify/shopify_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "shopify-access-token" diff --git a/internal/verifier/shopify/shopify_verifier_test.go b/internal/verifier/shopify/shopify_verifier_test.go index f3a6166..cf6ccfd 100644 --- a/internal/verifier/shopify/shopify_verifier_test.go +++ b/internal/verifier/shopify/shopify_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/slack/slack_shared_test.go b/internal/verifier/slack/slack_shared_test.go index e21cbaa..4faa778 100644 --- a/internal/verifier/slack/slack_shared_test.go +++ b/internal/verifier/slack/slack_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/slack/slack_verifier.go b/internal/verifier/slack/slack_verifier.go index bf28786..d25f960 100644 --- a/internal/verifier/slack/slack_verifier.go +++ b/internal/verifier/slack/slack_verifier.go @@ -9,10 +9,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "slack-token" diff --git a/internal/verifier/slack/slack_verifier_test.go b/internal/verifier/slack/slack_verifier_test.go index 67e3961..7128f58 100644 --- a/internal/verifier/slack/slack_verifier_test.go +++ b/internal/verifier/slack/slack_verifier_test.go @@ -8,8 +8,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_Type_ReturnsCorrectID(t *testing.T) { diff --git a/internal/verifier/snowflake/snowflake_verifier.go b/internal/verifier/snowflake/snowflake_verifier.go index 80dac92..3f4ca4f 100644 --- a/internal/verifier/snowflake/snowflake_verifier.go +++ b/internal/verifier/snowflake/snowflake_verifier.go @@ -9,9 +9,9 @@ import ( "context" "log/slog" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "snowflake-credentials" diff --git a/internal/verifier/snowflake/snowflake_verifier_test.go b/internal/verifier/snowflake/snowflake_verifier_test.go index 9297af9..5e09974 100644 --- a/internal/verifier/snowflake/snowflake_verifier_test.go +++ b/internal/verifier/snowflake/snowflake_verifier_test.go @@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerifier_Type_ReturnsCorrectID(t *testing.T) { diff --git a/internal/verifier/snyk/snyk_shared_test.go b/internal/verifier/snyk/snyk_shared_test.go index 3c018e8..abaf4bd 100644 --- a/internal/verifier/snyk/snyk_shared_test.go +++ b/internal/verifier/snyk/snyk_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/snyk/snyk_verifier.go b/internal/verifier/snyk/snyk_verifier.go index 7f9f2f1..04d2598 100644 --- a/internal/verifier/snyk/snyk_verifier.go +++ b/internal/verifier/snyk/snyk_verifier.go @@ -7,10 +7,10 @@ import ( "net/http" "net/url" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "snyk-api-key" diff --git a/internal/verifier/snyk/snyk_verifier_test.go b/internal/verifier/snyk/snyk_verifier_test.go index 8b8b00a..904289c 100644 --- a/internal/verifier/snyk/snyk_verifier_test.go +++ b/internal/verifier/snyk/snyk_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/sonarcloud/sonarcloud_verifier.go b/internal/verifier/sonarcloud/sonarcloud_verifier.go index 3a7206b..bed433a 100644 --- a/internal/verifier/sonarcloud/sonarcloud_verifier.go +++ b/internal/verifier/sonarcloud/sonarcloud_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "sonarcloud-token" diff --git a/internal/verifier/sonarcloud/sonarcloud_verifier_test.go b/internal/verifier/sonarcloud/sonarcloud_verifier_test.go index 0cd31c9..6836958 100644 --- a/internal/verifier/sonarcloud/sonarcloud_verifier_test.go +++ b/internal/verifier/sonarcloud/sonarcloud_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/stripe/stripe_shared_test.go b/internal/verifier/stripe/stripe_shared_test.go index e5799ba..562b3c7 100644 --- a/internal/verifier/stripe/stripe_shared_test.go +++ b/internal/verifier/stripe/stripe_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestLiveVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/stripe/stripe_verifier.go b/internal/verifier/stripe/stripe_verifier.go index 671665b..ec3eebc 100644 --- a/internal/verifier/stripe/stripe_verifier.go +++ b/internal/verifier/stripe/stripe_verifier.go @@ -8,10 +8,10 @@ import ( "fmt" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const ( diff --git a/internal/verifier/stripe/stripe_verifier_test.go b/internal/verifier/stripe/stripe_verifier_test.go index 5af07a7..2444f7b 100644 --- a/internal/verifier/stripe/stripe_verifier_test.go +++ b/internal/verifier/stripe/stripe_verifier_test.go @@ -11,8 +11,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestLiveKeyVerifier_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/supabase/supabase_verifier.go b/internal/verifier/supabase/supabase_verifier.go index e1c539c..a669598 100644 --- a/internal/verifier/supabase/supabase_verifier.go +++ b/internal/verifier/supabase/supabase_verifier.go @@ -6,10 +6,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "supabase-service-key" diff --git a/internal/verifier/supabase/supabase_verifier_test.go b/internal/verifier/supabase/supabase_verifier_test.go index 1bf575f..c9bd28e 100644 --- a/internal/verifier/supabase/supabase_verifier_test.go +++ b/internal/verifier/supabase/supabase_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/teams/teams_verifier.go b/internal/verifier/teams/teams_verifier.go index 1a44479..3c6439d 100644 --- a/internal/verifier/teams/teams_verifier.go +++ b/internal/verifier/teams/teams_verifier.go @@ -20,10 +20,10 @@ import ( "log/slog" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "teams-webhook" diff --git a/internal/verifier/teams/teams_verifier_test.go b/internal/verifier/teams/teams_verifier_test.go index 4496f61..bddcaec 100644 --- a/internal/verifier/teams/teams_verifier_test.go +++ b/internal/verifier/teams/teams_verifier_test.go @@ -12,8 +12,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) // TestVerify_ProbeIsNonDestructive asserts that the verifier never POSTs a diff --git a/internal/verifier/telegram/telegram_shared_test.go b/internal/verifier/telegram/telegram_shared_test.go index b99e9c2..8ea7f13 100644 --- a/internal/verifier/telegram/telegram_shared_test.go +++ b/internal/verifier/telegram/telegram_shared_test.go @@ -4,9 +4,9 @@ import ( "net/http" "testing" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/vtest" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/vtest" ) func TestVerify_SharedSafetySuite(t *testing.T) { diff --git a/internal/verifier/telegram/telegram_verifier.go b/internal/verifier/telegram/telegram_verifier.go index 9cd87a6..2d7468b 100644 --- a/internal/verifier/telegram/telegram_verifier.go +++ b/internal/verifier/telegram/telegram_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "telegram-bot-token" diff --git a/internal/verifier/telegram/telegram_verifier_test.go b/internal/verifier/telegram/telegram_verifier_test.go index f84a65f..c2c2f1b 100644 --- a/internal/verifier/telegram/telegram_verifier_test.go +++ b/internal/verifier/telegram/telegram_verifier_test.go @@ -11,8 +11,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/terraform/terraform_verifier.go b/internal/verifier/terraform/terraform_verifier.go index 2e2e7ae..5220d2f 100644 --- a/internal/verifier/terraform/terraform_verifier.go +++ b/internal/verifier/terraform/terraform_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "terraform-cloud-token" diff --git a/internal/verifier/terraform/terraform_verifier_test.go b/internal/verifier/terraform/terraform_verifier_test.go index 866cae2..3c61e3b 100644 --- a/internal/verifier/terraform/terraform_verifier_test.go +++ b/internal/verifier/terraform/terraform_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/twilio/twilio_verifier.go b/internal/verifier/twilio/twilio_verifier.go index 0fd00be..4ae9035 100644 --- a/internal/verifier/twilio/twilio_verifier.go +++ b/internal/verifier/twilio/twilio_verifier.go @@ -7,10 +7,10 @@ import ( "context" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "twilio-api-key" diff --git a/internal/verifier/twilio/twilio_verifier_test.go b/internal/verifier/twilio/twilio_verifier_test.go index 4b055d3..5bf83c9 100644 --- a/internal/verifier/twilio/twilio_verifier_test.go +++ b/internal/verifier/twilio/twilio_verifier_test.go @@ -11,8 +11,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidKey_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/vercel/vercel_verifier.go b/internal/verifier/vercel/vercel_verifier.go index 640afc3..c406a6b 100644 --- a/internal/verifier/vercel/vercel_verifier.go +++ b/internal/verifier/vercel/vercel_verifier.go @@ -8,10 +8,10 @@ import ( "io" "net/http" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/internal/verifier" - "github.com/cemililik/leakwatch/internal/verifier/internal/httpx" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/internal/verifier" + "github.com/HodeTech/leakwatch/internal/verifier/internal/httpx" + "github.com/HodeTech/leakwatch/pkg/finding" ) const detectorID = "vercel-token" diff --git a/internal/verifier/vercel/vercel_verifier_test.go b/internal/verifier/vercel/vercel_verifier_test.go index cd5c36e..a044a95 100644 --- a/internal/verifier/vercel/vercel_verifier_test.go +++ b/internal/verifier/vercel/vercel_verifier_test.go @@ -9,8 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) func TestVerify_ValidToken_ReturnsActive(t *testing.T) { diff --git a/internal/verifier/verifier.go b/internal/verifier/verifier.go index 2971189..4160f2b 100644 --- a/internal/verifier/verifier.go +++ b/internal/verifier/verifier.go @@ -6,8 +6,8 @@ package verifier import ( "context" - "github.com/cemililik/leakwatch/internal/detector" - "github.com/cemililik/leakwatch/pkg/finding" + "github.com/HodeTech/leakwatch/internal/detector" + "github.com/HodeTech/leakwatch/pkg/finding" ) // Verifier validates whether a detected secret is active or inactive. diff --git a/main.go b/main.go index b8b3a22..d14d51b 100644 --- a/main.go +++ b/main.go @@ -3,7 +3,7 @@ package main import ( "os" - "github.com/cemililik/leakwatch/cmd" + "github.com/HodeTech/leakwatch/cmd" ) // Build bilgileri (ldflags ile enjekte edilir). diff --git a/sonar-project.properties b/sonar-project.properties index 378bd29..6d78b87 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -14,7 +14,7 @@ # # curl -u "$SONAR_TOKEN:" -X POST \ # "https://sonarcloud.io/api/settings/set" \ -# -d "component=cemililik_Leakwatch" \ +# -d "component=hodetech_Leakwatch" \ # --data-urlencode "key=sonar.cpd.exclusions" \ # --data-urlencode "values=" \ # --data-urlencode "values=" @@ -25,8 +25,8 @@ # See ROADMAP "Known Gaps & Follow-up Work → P1 — SonarCloud Project Hygiene". # ============================================================================ -sonar.projectKey=cemililik_Leakwatch -sonar.organization=cemililik +sonar.projectKey=hodetech_Leakwatch +sonar.organization=hodetech sonar.host.url=https://sonarcloud.io sonar.projectName=Leakwatch @@ -74,7 +74,7 @@ sonar.coverage.exclusions=\ # # - cmd/imports.go # ~110 blank imports for compile-time plugin registration (see ADR-0004). -# Every line is structurally `_ "github.com/cemililik/leakwatch/internal//"` +# Every line is structurally `_ "github.com/HodeTech/leakwatch/internal//"` # by design. The duplication is the registration mechanism. # # - **/*_test.go diff --git a/vscode/README.md b/vscode/README.md index 2d7bcd6..31a31cf 100644 --- a/vscode/README.md +++ b/vscode/README.md @@ -11,8 +11,8 @@ Detect leaked secrets directly in your editor with real-time diagnostics. ## Requirements -- [Leakwatch CLI](https://github.com/cemililik/Leakwatch) must be installed and available in your `PATH` -- Install via: `go install github.com/cemililik/leakwatch@latest` or `brew install leakwatch` +- [Leakwatch CLI](https://github.com/HodeTech/Leakwatch) must be installed and available in your `PATH` +- Install via: `go install github.com/HodeTech/leakwatch@latest` or `brew install leakwatch` ## Commands diff --git a/vscode/package.json b/vscode/package.json index 46bd8de..6e0baaa 100644 --- a/vscode/package.json +++ b/vscode/package.json @@ -3,11 +3,11 @@ "displayName": "Leakwatch", "description": "Detect leaked secrets in your code with Leakwatch", "version": "0.1.0", - "publisher": "cemililik", + "publisher": "HodeTech", "license": "MIT", "repository": { "type": "git", - "url": "https://github.com/cemililik/Leakwatch" + "url": "https://github.com/HodeTech/Leakwatch" }, "engines": { "vscode": "^1.85.0" From 5798dfd746d575f2c33c44d65427fc08b9147b2d Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sat, 23 May 2026 20:44:45 +0300 Subject: [PATCH 2/7] feat(site): add Redacted website, bilingual manuals, and Pages deploy Add a GitHub Pages site and a complete bilingual user manual. Site (site/): vanilla HTML/CSS/JS, no build step, dark-only "Redacted" classified-dossier theme. Landing page with an animated scan-reveal hero, a docs portal (left nav, hash routing, search, Mermaid diagrams, right-hand on-this-page TOC), and a Formspree-backed contact page. Client-side EN/TR language switching (js/translations.js + js/i18n.js). Manuals (docs/user-manuals/): 52 pages (26 EN + 26 TR) across 8 sections, driven by _meta.yaml and written to match the actual CLI/behavior. Tooling: tools/site-build (isolated Go module, goldmark) compiles the Markdown manuals into site/js/manuals/*.js. .github/workflows/site-deploy.yml recompiles and deploys site/ to GitHub Pages. Note: contact.html posts to Formspree; replace YOUR_FORM_ID with a real form ID. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/site-deploy.yml | 57 +++ docs/user-manuals/_meta.yaml | 121 ++++++ docs/user-manuals/en/ci-cd/docker-usage.md | 129 ++++++ docs/user-manuals/en/ci-cd/github-action.md | 147 +++++++ docs/user-manuals/en/ci-cd/other-ci.md | 139 +++++++ docs/user-manuals/en/ci-cd/pre-commit.md | 124 ++++++ .../en/configuration/config-file.md | 194 +++++++++ .../en/configuration/ignoring-findings.md | 126 ++++++ .../configuration/severity-and-filtering.md | 125 ++++++ .../user-manuals/en/detectors/custom-rules.md | 113 +++++ .../en/detectors/detector-catalog.md | 167 ++++++++ .../en/getting-started/how-it-works.md | 163 ++++++++ .../en/getting-started/installation.md | 101 +++++ .../en/getting-started/introduction.md | 59 +++ .../en/getting-started/quick-start.md | 152 +++++++ docs/user-manuals/en/output/output-formats.md | 164 ++++++++ docs/user-manuals/en/output/remediation.md | 113 +++++ .../en/reference/cli-reference.md | 300 ++++++++++++++ .../en/reference/environment-variables.md | 98 +++++ docs/user-manuals/en/reference/exit-codes.md | 94 +++++ .../user-manuals/en/scanning/cloud-storage.md | 146 +++++++ .../en/scanning/container-images.md | 134 ++++++ docs/user-manuals/en/scanning/filesystem.md | 123 ++++++ docs/user-manuals/en/scanning/git-history.md | 138 +++++++ .../en/scanning/multiple-repos.md | 129 ++++++ docs/user-manuals/en/scanning/slack.md | 144 +++++++ .../en/verification/how-verification-works.md | 107 +++++ .../en/verification/verification-coverage.md | 111 +++++ docs/user-manuals/tr/ci-cd/docker-usage.md | 129 ++++++ docs/user-manuals/tr/ci-cd/github-action.md | 147 +++++++ docs/user-manuals/tr/ci-cd/other-ci.md | 139 +++++++ docs/user-manuals/tr/ci-cd/pre-commit.md | 124 ++++++ .../tr/configuration/config-file.md | 194 +++++++++ .../tr/configuration/ignoring-findings.md | 126 ++++++ .../configuration/severity-and-filtering.md | 125 ++++++ .../user-manuals/tr/detectors/custom-rules.md | 113 +++++ .../tr/detectors/detector-catalog.md | 167 ++++++++ .../tr/getting-started/how-it-works.md | 163 ++++++++ .../tr/getting-started/installation.md | 101 +++++ .../tr/getting-started/introduction.md | 59 +++ .../tr/getting-started/quick-start.md | 152 +++++++ docs/user-manuals/tr/output/output-formats.md | 164 ++++++++ docs/user-manuals/tr/output/remediation.md | 117 ++++++ .../tr/reference/cli-reference.md | 300 ++++++++++++++ .../tr/reference/environment-variables.md | 98 +++++ docs/user-manuals/tr/reference/exit-codes.md | 94 +++++ .../user-manuals/tr/scanning/cloud-storage.md | 146 +++++++ .../tr/scanning/container-images.md | 134 ++++++ docs/user-manuals/tr/scanning/filesystem.md | 123 ++++++ docs/user-manuals/tr/scanning/git-history.md | 138 +++++++ .../tr/scanning/multiple-repos.md | 129 ++++++ docs/user-manuals/tr/scanning/slack.md | 144 +++++++ .../tr/verification/how-verification-works.md | 107 +++++ .../tr/verification/verification-coverage.md | 111 +++++ site/.nojekyll | 0 site/README.md | 90 ++++ site/assets/favicon.svg | 6 + site/assets/og.svg | 29 ++ site/contact.html | 142 +++++++ site/css/style.css | 387 ++++++++++++++++++ site/docs.html | 78 ++++ site/index.html | 220 ++++++++++ site/js/docs.js | 313 ++++++++++++++ site/js/i18n.js | 115 ++++++ site/js/main.js | 167 ++++++++ site/js/manuals/_index.js | 272 ++++++++++++ site/js/manuals/en.js | 3 + site/js/manuals/tr.js | 3 + site/js/translations.js | 295 +++++++++++++ tools/site-build/.gitignore | 2 + tools/site-build/go.mod | 14 + tools/site-build/go.sum | 6 + tools/site-build/main.go | 319 +++++++++++++++ 73 files changed, 9723 insertions(+) create mode 100644 .github/workflows/site-deploy.yml create mode 100644 docs/user-manuals/_meta.yaml create mode 100644 docs/user-manuals/en/ci-cd/docker-usage.md create mode 100644 docs/user-manuals/en/ci-cd/github-action.md create mode 100644 docs/user-manuals/en/ci-cd/other-ci.md create mode 100644 docs/user-manuals/en/ci-cd/pre-commit.md create mode 100644 docs/user-manuals/en/configuration/config-file.md create mode 100644 docs/user-manuals/en/configuration/ignoring-findings.md create mode 100644 docs/user-manuals/en/configuration/severity-and-filtering.md create mode 100644 docs/user-manuals/en/detectors/custom-rules.md create mode 100644 docs/user-manuals/en/detectors/detector-catalog.md create mode 100644 docs/user-manuals/en/getting-started/how-it-works.md create mode 100644 docs/user-manuals/en/getting-started/installation.md create mode 100644 docs/user-manuals/en/getting-started/introduction.md create mode 100644 docs/user-manuals/en/getting-started/quick-start.md create mode 100644 docs/user-manuals/en/output/output-formats.md create mode 100644 docs/user-manuals/en/output/remediation.md create mode 100644 docs/user-manuals/en/reference/cli-reference.md create mode 100644 docs/user-manuals/en/reference/environment-variables.md create mode 100644 docs/user-manuals/en/reference/exit-codes.md create mode 100644 docs/user-manuals/en/scanning/cloud-storage.md create mode 100644 docs/user-manuals/en/scanning/container-images.md create mode 100644 docs/user-manuals/en/scanning/filesystem.md create mode 100644 docs/user-manuals/en/scanning/git-history.md create mode 100644 docs/user-manuals/en/scanning/multiple-repos.md create mode 100644 docs/user-manuals/en/scanning/slack.md create mode 100644 docs/user-manuals/en/verification/how-verification-works.md create mode 100644 docs/user-manuals/en/verification/verification-coverage.md create mode 100644 docs/user-manuals/tr/ci-cd/docker-usage.md create mode 100644 docs/user-manuals/tr/ci-cd/github-action.md create mode 100644 docs/user-manuals/tr/ci-cd/other-ci.md create mode 100644 docs/user-manuals/tr/ci-cd/pre-commit.md create mode 100644 docs/user-manuals/tr/configuration/config-file.md create mode 100644 docs/user-manuals/tr/configuration/ignoring-findings.md create mode 100644 docs/user-manuals/tr/configuration/severity-and-filtering.md create mode 100644 docs/user-manuals/tr/detectors/custom-rules.md create mode 100644 docs/user-manuals/tr/detectors/detector-catalog.md create mode 100644 docs/user-manuals/tr/getting-started/how-it-works.md create mode 100644 docs/user-manuals/tr/getting-started/installation.md create mode 100644 docs/user-manuals/tr/getting-started/introduction.md create mode 100644 docs/user-manuals/tr/getting-started/quick-start.md create mode 100644 docs/user-manuals/tr/output/output-formats.md create mode 100644 docs/user-manuals/tr/output/remediation.md create mode 100644 docs/user-manuals/tr/reference/cli-reference.md create mode 100644 docs/user-manuals/tr/reference/environment-variables.md create mode 100644 docs/user-manuals/tr/reference/exit-codes.md create mode 100644 docs/user-manuals/tr/scanning/cloud-storage.md create mode 100644 docs/user-manuals/tr/scanning/container-images.md create mode 100644 docs/user-manuals/tr/scanning/filesystem.md create mode 100644 docs/user-manuals/tr/scanning/git-history.md create mode 100644 docs/user-manuals/tr/scanning/multiple-repos.md create mode 100644 docs/user-manuals/tr/scanning/slack.md create mode 100644 docs/user-manuals/tr/verification/how-verification-works.md create mode 100644 docs/user-manuals/tr/verification/verification-coverage.md create mode 100644 site/.nojekyll create mode 100644 site/README.md create mode 100644 site/assets/favicon.svg create mode 100644 site/assets/og.svg create mode 100644 site/contact.html create mode 100644 site/css/style.css create mode 100644 site/docs.html create mode 100644 site/index.html create mode 100644 site/js/docs.js create mode 100644 site/js/i18n.js create mode 100644 site/js/main.js create mode 100644 site/js/manuals/_index.js create mode 100644 site/js/manuals/en.js create mode 100644 site/js/manuals/tr.js create mode 100644 site/js/translations.js create mode 100644 tools/site-build/.gitignore create mode 100644 tools/site-build/go.mod create mode 100644 tools/site-build/go.sum create mode 100644 tools/site-build/main.go diff --git a/.github/workflows/site-deploy.yml b/.github/workflows/site-deploy.yml new file mode 100644 index 0000000..9a506a6 --- /dev/null +++ b/.github/workflows/site-deploy.yml @@ -0,0 +1,57 @@ +name: Deploy site + +on: + push: + branches: [main] + paths: + - "site/**" + - "docs/user-manuals/**" + - "tools/site-build/**" + - ".github/workflows/site-deploy.yml" + workflow_dispatch: + +permissions: + contents: read + pages: write + id-token: write + +# Allow one concurrent deployment; cancel in-progress runs for the same ref. +concurrency: + group: pages + cancel-in-progress: true + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + cache-dependency-path: tools/site-build/go.sum + + - name: Compile user manuals into the site + working-directory: tools/site-build + run: go run . -strict + + - name: Configure Pages + uses: actions/configure-pages@v5 + + - name: Upload site artifact + uses: actions/upload-pages-artifact@v3 + with: + path: site + + deploy: + needs: build + runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 diff --git a/docs/user-manuals/_meta.yaml b/docs/user-manuals/_meta.yaml new file mode 100644 index 0000000..92a6d6e --- /dev/null +++ b/docs/user-manuals/_meta.yaml @@ -0,0 +1,121 @@ +# Leakwatch user-manual navigation metadata. +# +# This file is the single source of truth for the documentation structure. +# The site-build tool (tools/site-build) reads it to: +# 1. discover which Markdown pages to compile, and in what order, and +# 2. generate the navigation tree rendered by the website sidebar. +# +# Markdown source lives at: docs/user-manuals///.md +# Every page listed below MUST exist for every language in `languages`. + +languages: [en, tr] +default_language: en + +sections: + - id: getting-started + icon: rocket + title: + en: Getting Started + tr: Başlarken + pages: + - id: introduction + title: { en: Introduction, tr: Tanıtım } + - id: installation + title: { en: Installation, tr: Kurulum } + - id: quick-start + title: { en: Quick Start, tr: Hızlı Başlangıç } + - id: how-it-works + title: { en: How It Works, tr: Nasıl Çalışır } + + - id: scanning + icon: scan + title: + en: Scanning Sources + tr: Tarama Kaynakları + pages: + - id: filesystem + title: { en: Filesystem, tr: Dosya Sistemi } + - id: git-history + title: { en: Git History, tr: Git Geçmişi } + - id: container-images + title: { en: Container Images, tr: Konteyner İmajları } + - id: cloud-storage + title: { en: Cloud Storage (S3 & GCS), tr: Bulut Depolama (S3 & GCS) } + - id: slack + title: { en: Slack Workspace, tr: Slack Çalışma Alanı } + - id: multiple-repos + title: { en: Multiple Repositories, tr: Çoklu Depo } + + - id: verification + icon: shield + title: + en: Verification + tr: Doğrulama + pages: + - id: how-verification-works + title: { en: How Verification Works, tr: Doğrulama Nasıl Çalışır } + - id: verification-coverage + title: { en: Verification Coverage, tr: Doğrulama Kapsamı } + + - id: detectors + icon: key + title: + en: Detectors + tr: Dedektörler + pages: + - id: detector-catalog + title: { en: Detector Catalog, tr: Dedektör Kataloğu } + - id: custom-rules + title: { en: Custom Rules, tr: Özel Kurallar } + + - id: configuration + icon: sliders + title: + en: Configuration + tr: Yapılandırma + pages: + - id: config-file + title: { en: Configuration File, tr: Yapılandırma Dosyası } + - id: ignoring-findings + title: { en: Ignoring Findings, tr: Bulguları Yok Sayma } + - id: severity-and-filtering + title: { en: Severity & Filtering, tr: Önem Derecesi & Filtreleme } + + - id: output + icon: output + title: + en: Output & Remediation + tr: Çıktı & Düzeltme + pages: + - id: output-formats + title: { en: Output Formats, tr: Çıktı Formatları } + - id: remediation + title: { en: Remediation Guidance, tr: Düzeltme Rehberi } + + - id: ci-cd + icon: ci + title: + en: CI/CD Integration + tr: CI/CD Entegrasyonu + pages: + - id: github-action + title: { en: GitHub Action, tr: GitHub Action } + - id: pre-commit + title: { en: Pre-commit Hook, tr: Pre-commit Kancası } + - id: docker-usage + title: { en: Docker Usage, tr: Docker Kullanımı } + - id: other-ci + title: { en: Other CI Systems, tr: Diğer CI Sistemleri } + + - id: reference + icon: book + title: + en: Reference + tr: Başvuru + pages: + - id: cli-reference + title: { en: CLI Reference, tr: CLI Başvurusu } + - id: exit-codes + title: { en: Exit Codes, tr: Çıkış Kodları } + - id: environment-variables + title: { en: Environment Variables, tr: Ortam Değişkenleri } diff --git a/docs/user-manuals/en/ci-cd/docker-usage.md b/docs/user-manuals/en/ci-cd/docker-usage.md new file mode 100644 index 0000000..42ced87 --- /dev/null +++ b/docs/user-manuals/en/ci-cd/docker-usage.md @@ -0,0 +1,129 @@ +--- +title: "Docker Usage" +description: "Run Leakwatch scans inside a container using the official Docker image." +--- + +# Docker Usage + +The official Leakwatch container image lets you run scans without installing anything on the host machine. Because the image is statically compiled with `CGO_ENABLED=0` and runs as a non-root user, it is safe to use in locked-down CI environments and on shared machines where you do not want to modify the host system. + +## Image reference + +```text +ghcr.io/hodetech/leakwatch +``` + +| Tag | Description | +|-----|-------------| +| `:latest` | Most recent release | +| `:v1.5.0` | Exact version pin | +| `:v1.5` | Minor-version pin (tracks patch releases) | + +The image is based on Alpine, runs as the non-root user `leakwatch`, uses `/scan` as the working directory, and has `leakwatch` as its entrypoint. + +:::note +Because the entrypoint is `leakwatch`, you append the subcommand and flags directly after the image name — for example, `ghcr.io/hodetech/leakwatch:latest scan fs /scan`. There is no need to repeat the binary name. +::: + +## Scanning a local directory + +Mount the directory you want to scan to `/scan` inside the container: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan +``` + +To write results to a file on the host, write the output file into the mounted volume: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan --format sarif -o /scan/leakwatch.sarif +``` + +The file `leakwatch.sarif` appears in the current directory on your host after the container exits. + +## Scanning a remote Git repository + +```bash +docker run --rm \ + ghcr.io/hodetech/leakwatch:latest \ + scan git https://github.com/org/repo.git --format json +``` + +No volume mount is required for remote Git repositories — Leakwatch clones them into a temporary directory inside the container. + +## Scanning a container image + +Leakwatch is daemonless: it pulls image layers directly from the registry without a Docker daemon. This means you can scan a remote image from within the Leakwatch container without mounting the host Docker socket: + +```bash +docker run --rm \ + ghcr.io/hodetech/leakwatch:latest \ + scan image registry.example.com/my-app:v2.3.0 +``` + +For private registries, pass the credentials as environment variables consumed by the registry client (for example, `DOCKER_CONFIG` pointing to a mounted credentials file, or the standard registry environment variables your registry supports). + +## Passing a configuration file + +Mount `.leakwatch.yaml` into `/scan` so Leakwatch picks it up automatically: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan +``` + +As long as `.leakwatch.yaml` is in the mounted directory, Leakwatch finds it because `/scan` is both the working directory and the path passed to the scan. If your config file lives elsewhere, mount it explicitly and use `--config`: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + -v "/path/to/custom-config.yaml:/config/leakwatch.yaml:ro" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan --config /config/leakwatch.yaml +``` + +## Passing environment variables + +Environment variables for cloud scanning and token-based authentication can be injected with `-e`: + +```bash +# S3 scan with AWS credentials +docker run --rm \ + -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \ + -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \ + -e AWS_REGION=us-east-1 \ + ghcr.io/hodetech/leakwatch:latest \ + scan s3 my-bucket +``` + +For CI environments, prefer injecting secrets as masked CI variables rather than embedding them in the command line. + +## Output file pattern + +A common Docker pattern in CI is to write results into the mounted volume and then upload or archive the file as a pipeline artifact: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan \ + --format json \ + --only-verified \ + -o /scan/leakwatch-results.json +``` + +## See also + +- [Installation](#/getting-started/installation) — install the native binary instead of using Docker. +- [Filesystem Scanning](#/scanning/filesystem) — `scan fs` flags and behavior. +- [Container Images](#/scanning/container-images) — scanning OCI/Docker image layers for secrets. +- [Other CI Systems](#/ci-cd/other-ci) — using the Docker image in GitLab CI and other pipelines. +- [CLI Reference](#/reference/cli-reference) — complete flag reference for all subcommands. diff --git a/docs/user-manuals/en/ci-cd/github-action.md b/docs/user-manuals/en/ci-cd/github-action.md new file mode 100644 index 0000000..6174ade --- /dev/null +++ b/docs/user-manuals/en/ci-cd/github-action.md @@ -0,0 +1,147 @@ +--- +title: "GitHub Action" +description: "Use the official Leakwatch GitHub Action to scan for secrets in your GitHub workflows." +--- + +# GitHub Action + +Every push to your repository is an opportunity for a secret to slip through. The official **Leakwatch GitHub Action** (`HodeTech/leakwatch-action@v1`) integrates Leakwatch directly into your GitHub workflow — it installs the tool, runs a scan, maps exit codes, and optionally uploads SARIF results to GitHub Code Scanning, all without any external service dependency. + +## Quick start + +The minimal configuration blocks the workflow when secrets are found: + +```yaml +# .github/workflows/leakwatch-minimal.yml +name: Secret scan (minimal) + +on: [push, pull_request] + +jobs: + leakwatch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: HodeTech/leakwatch-action@v1 +``` + +With only the defaults, the action scans the filesystem (`scan-type: fs`), produces SARIF output, skips live verification (`no-verify: true`), and fails the job if any finding is reported. + +## Full example with SARIF upload + +The following workflow enables SARIF upload to GitHub Code Scanning, which surfaces findings as security alerts inside the repository: + +```yaml +# .github/workflows/leakwatch.yml +name: Secret scan + +on: + push: + branches: ["main", "develop"] + pull_request: + +permissions: + contents: read + security-events: write # required for SARIF upload + +jobs: + leakwatch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Scan for secrets + uses: HodeTech/leakwatch-action@v1 + with: + scan-type: fs + path: . + format: sarif + no-verify: "true" + min-severity: low + sarif-upload: "true" + fail-on-findings: "true" +``` + +:::note +SARIF upload requires the job to declare `permissions: security-events: write`. Without it, the upload step fails with a 403 error. The `contents: read` permission is also needed for `actions/checkout@v4`. +::: + +## Inputs + +| Input | Default | Description | +|-------|---------|-------------| +| `scan-type` | `fs` | Scan type to run: `fs`, `git`, or `image`. | +| `path` | `.` | Path to scan (for `fs`/`git`) or image reference (for `image`). | +| `format` | `sarif` | Output format: `json`, `sarif`, `csv`, or `table`. | +| `only-verified` | `false` | Report only findings confirmed active by live verification. | +| `no-verify` | `true` | Disable secret verification (no outbound calls to providers). | +| `min-severity` | `low` | Minimum severity to report: `low`, `medium`, `high`, or `critical`. | +| `sarif-upload` | `false` | Upload SARIF results to GitHub Code Scanning after the scan. | +| `fail-on-findings` | `true` | Fail the workflow step when findings are reported (exit code 1). When `false`, a `::warning::` annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code 2) always fail the step regardless of this setting. | +| `version` | `latest` | Leakwatch version to install. Use a tag such as `v1.5.0` to pin a specific release. | + +## Outputs + +| Output | Description | +|--------|-------------| +| `findings-count` | `0` if no findings were reported; `1` if findings were reported. Mirrors the Leakwatch exit code. | +| `sarif-file` | Path to the SARIF output file on the runner (set when `format: sarif`). | + +## Verification in CI + +By default, `no-verify` is `true` — live verification is **off** in CI. This keeps the scan fast and avoids making outbound network calls to provider APIs from CI runners, which may be behind a firewall or have rate-limited credentials. + +To enable verification in CI, set `no-verify: "false"`: + +```yaml +- uses: HodeTech/leakwatch-action@v1 + with: + no-verify: "false" +``` + +:::warn +Enabling verification in CI causes Leakwatch to make authenticated API calls to providers (AWS, GitHub, Stripe, etc.) for each candidate finding. Be aware of provider rate limits and ensure the runner has outbound internet access. +::: + +## How SARIF upload works + +When `sarif-upload: "true"` and `format: sarif`, the action: + +1. Tells Leakwatch to write output to `results.sarif`. +2. After the scan, calls `github/codeql-action/upload-sarif@v3` with `category: leakwatch`. +3. GitHub processes the file and surfaces findings as **Code Scanning alerts** under the repository's **Security** tab. + +The upload step runs with `if: always()`, so results are uploaded even when `fail-on-findings: "true"` causes the scan step to set a failure. + +## Using action outputs + +```yaml +- name: Scan for secrets + id: scan + uses: HodeTech/leakwatch-action@v1 + with: + fail-on-findings: "false" # let the workflow continue + +- name: Print result + run: echo "Findings reported: ${{ steps.scan.outputs.findings-count }}" +``` + +## Pinning a specific version + +For reproducible builds, pin `version` to a specific tag: + +```yaml +- uses: HodeTech/leakwatch-action@v1 + with: + version: "v1.5.0" +``` + +This installs exactly `github.com/HodeTech/leakwatch@v1.5.0` via `go install`. + +## See also + +- [Output Formats](#/output/output-formats) — understanding JSON, SARIF, CSV, and table output. +- [Exit Codes](#/reference/exit-codes) — how exit codes map to scan outcomes. +- [How Verification Works](#/verification/how-verification-works) — when and how Leakwatch calls provider APIs. +- [Pre-commit Hook](#/ci-cd/pre-commit) — catch secrets before they are committed. +- [Other CI Systems](#/ci-cd/other-ci) — GitLab CI, Jenkins, and generic shell integration. diff --git a/docs/user-manuals/en/ci-cd/other-ci.md b/docs/user-manuals/en/ci-cd/other-ci.md new file mode 100644 index 0000000..25e90cc --- /dev/null +++ b/docs/user-manuals/en/ci-cd/other-ci.md @@ -0,0 +1,139 @@ +--- +title: "Other CI Systems" +description: "Integrate Leakwatch into GitLab CI, Jenkins, Bitbucket Pipelines, and any other CI system." +--- + +# Other CI Systems + +Because Leakwatch is a single static binary with no runtime dependencies, it runs in any CI environment that can execute a shell command — GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps, and others. There is no built-in integration for these systems beyond what is described on this page; the pattern is always: install the binary, run the scan, act on the exit code. + +## Installing Leakwatch in CI + +Choose the method that best suits your runner environment: + +### via `go install` (requires Go on the runner) + +```bash +go install github.com/HodeTech/leakwatch@latest +``` + +Pin to a specific version for reproducible builds: + +```bash +go install github.com/HodeTech/leakwatch@v1.5.0 +``` + +### via the Docker image (no Go required) + +Use `ghcr.io/hodetech/leakwatch:latest` as a job image or run it with `docker run`. See [Docker Usage](#/ci-cd/docker-usage) for the full pattern. + +### via a prebuilt release binary + +Download the appropriate tarball from [GitHub Releases](https://github.com/HodeTech/Leakwatch/releases), extract, and place on `PATH`: + +```bash +curl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz +tar -xzf leakwatch_Linux_amd64.tar.gz +sudo mv leakwatch /usr/local/bin/leakwatch +``` + +## Exit codes + +Leakwatch exits with one of three codes, which is the primary mechanism for failing a CI build: + +| Code | Meaning | Recommended CI action | +|------|---------|----------------------| +| `0` | No findings | Pass the pipeline stage | +| `1` | Secrets found | Fail the pipeline stage | +| `2` | Hard error (bad config, unreadable path, etc.) | Fail the pipeline stage | + +A generic shell snippet that branches on the exit code: + +```bash +set +e +leakwatch scan fs . --format json -o leakwatch.json --no-verify +EXIT_CODE=$? +set -e + +if [ "$EXIT_CODE" -eq 0 ]; then + echo "No secrets found." +elif [ "$EXIT_CODE" -eq 1 ]; then + echo "Secrets found — failing build." + exit 1 +else + echo "Scan error (exit $EXIT_CODE) — failing build." + exit "$EXIT_CODE" +fi +``` + +## GitLab CI example + +The following `.gitlab-ci.yml` job installs Leakwatch, runs a filesystem scan, and stores the JSON report as a pipeline artifact: + +```yaml +leakwatch: + stage: test + image: golang:1.25-alpine + script: + - go install github.com/HodeTech/leakwatch@v1.5.0 + - leakwatch scan fs . --format json -o leakwatch.json --no-verify + artifacts: + when: always + paths: + - leakwatch.json + expire_in: 7 days + allow_failure: false +``` + +`allow_failure: false` (the default) means exit code `1` fails the pipeline stage. Set `allow_failure: true` if you want the scan to report without blocking the merge. + +:::tip +GitLab supports SAST report artifacts. Leakwatch produces SARIF (`--format sarif`), not GitLab's native SAST JSON schema, so use the `paths:` artifact approach rather than the `reports: sast:` key. +::: + +## Recommendations for CI runners + +**Use `--no-verify` on runners without outbound internet access.** Verification makes live API calls to providers (AWS, GitHub, Stripe, etc.). On air-gapped or firewall-restricted runners, these calls time out and slow the scan. Pass `--no-verify` to skip verification entirely: + +```bash +leakwatch scan fs . --no-verify --format sarif -o results.sarif +``` + +**Save output as an artifact.** Use `--format sarif` or `--format json` with `--output` to write a file that can be stored, uploaded to a vulnerability management platform, or reviewed after the job completes. + +**Set `--min-severity`** to focus on the secrets that matter most. In a noisy codebase, start with `--min-severity high` and lower the threshold once you have cleared the backlog. + +## Azure DevOps example + +```yaml +- script: | + go install github.com/HodeTech/leakwatch@v1.5.0 + leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify + displayName: "Leakwatch secret scan" + +- task: PublishBuildArtifacts@1 + inputs: + pathToPublish: "$(Build.ArtifactStagingDirectory)" + artifactName: "leakwatch-results" +``` + +## Jenkins example + +```groovy +stage('Secret scan') { + steps { + sh ''' + go install github.com/HodeTech/leakwatch@v1.5.0 + leakwatch scan fs . --format json -o leakwatch.json --no-verify + ''' + archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true + } +} +``` + +## See also + +- [Exit Codes](#/reference/exit-codes) — full reference for all exit code meanings. +- [Output Formats](#/output/output-formats) — JSON, SARIF, CSV, and table output. +- [Docker Usage](#/ci-cd/docker-usage) — use the container image instead of installing the binary. +- [GitHub Action](#/ci-cd/github-action) — the official action for GitHub workflows. diff --git a/docs/user-manuals/en/ci-cd/pre-commit.md b/docs/user-manuals/en/ci-cd/pre-commit.md new file mode 100644 index 0000000..9d0e170 --- /dev/null +++ b/docs/user-manuals/en/ci-cd/pre-commit.md @@ -0,0 +1,124 @@ +--- +title: "Pre-commit Hook" +description: "Use the Leakwatch pre-commit hook to scan for secrets before every commit." +--- + +# Pre-commit Hook + +The cheapest time to catch a secret is before it enters the repository at all. Leakwatch ships a native [pre-commit](https://pre-commit.com) hook that runs `leakwatch scan fs` automatically on every `git commit`, so a leaked API key or password fails the commit rather than appearing in history. + +## Prerequisites + +You need: + +- Python 3.8+ (pre-commit is a Python tool). +- [pre-commit](https://pre-commit.com/#install) installed globally (`pip install pre-commit` or `brew install pre-commit`). +- Go 1.25+ on `PATH` — the hook language is `golang`, so pre-commit compiles Leakwatch from source on first run. + +## Configuration + +Add a `.pre-commit-config.yaml` file to the root of your repository (or extend an existing one): + +```yaml +repos: + - repo: https://github.com/HodeTech/Leakwatch + rev: v1.5.0 + hooks: + - id: leakwatch +``` + +Install the hooks into the local Git repo: + +```bash +pre-commit install +``` + +That is all. From this point on, every `git commit` triggers a filesystem scan. If Leakwatch finds any secrets, the commit is blocked and the findings are printed to the terminal. + +## Running manually + +To scan the entire repository (not just staged files) at any time: + +```bash +pre-commit run --all-files +``` + +To run only the Leakwatch hook without triggering others: + +```bash +pre-commit run leakwatch --all-files +``` + +## Passing extra arguments + +The hook's default behavior matches `leakwatch scan fs` with no additional flags. You can pass extra arguments via the `args:` key: + +```yaml +repos: + - repo: https://github.com/HodeTech/Leakwatch + rev: v1.5.0 + hooks: + - id: leakwatch + args: + - --only-verified + - --min-severity + - high +``` + +This example reports only high-severity secrets that Leakwatch has confirmed are still active — a strict policy suitable for teams that want to avoid false-positive noise without sacrificing coverage. + +Other useful arguments: + +```yaml +args: + - --no-verify # skip live verification for faster commits + - --min-severity + - medium # suppress low-severity noise + - --format + - table # human-readable output in the terminal +``` + +:::note +`pass_filenames: false` is set in the hook definition, which means the hook always scans the full working tree rather than only the files staged for the current commit. This guarantees that secrets already present in unstaged files are also detected. +::: + +## What the hook scans + +The hook runs `leakwatch scan fs` against the repository working directory. It uses the same detection pipeline as the CLI: Aho-Corasick pre-filtering, regex validation, entropy calculation, and (unless `--no-verify` is set) live verification. + +Configuration in `.leakwatch.yaml` is respected automatically — exclusion patterns, entropy thresholds, and verification settings all apply without any extra hook configuration. + +## Skipping the hook temporarily + +To commit without running the hook (for example, when committing a controlled test fixture that contains a redacted secret): + +```bash +SKIP=leakwatch git commit -m "chore: add test fixture" +``` + +:::warn +Using `SKIP=leakwatch` bypasses all secret scanning for that commit. Use it only when you have confirmed the content is safe, and prefer `.leakwatchignore` or inline `leakwatch:ignore` comments for permanent suppressions instead. +::: + +## Keeping the hook version pinned + +Pin `rev:` to a specific tag rather than a branch name. This ensures all developers on the team use the same detector set and the hook does not silently upgrade mid-sprint: + +```yaml +rev: v1.5.0 # pin; do not use 'main' or 'HEAD' +``` + +Update by running: + +```bash +pre-commit autoupdate +``` + +which bumps `rev` to the latest tag and lets you review the change before committing it. + +## See also + +- [Filesystem Scanning](#/scanning/filesystem) — the underlying scan command the hook runs. +- [Configuration File](#/configuration/config-file) — control exclusions, entropy, and verification in `.leakwatch.yaml`. +- [GitHub Action](#/ci-cd/github-action) — scan on every push and pull request in GitHub CI. +- [Exit Codes](#/reference/exit-codes) — how exit codes map to scan outcomes. diff --git a/docs/user-manuals/en/configuration/config-file.md b/docs/user-manuals/en/configuration/config-file.md new file mode 100644 index 0000000..cb4e9f8 --- /dev/null +++ b/docs/user-manuals/en/configuration/config-file.md @@ -0,0 +1,194 @@ +--- +title: "Configuration File" +description: "How to configure Leakwatch with .leakwatch.yaml — full schema, defaults, validation rules, environment overrides, and the leakwatch init command." +--- + +# Configuration File + +Leakwatch's behaviour across every scan command is driven by a single YAML file named `.leakwatch.yaml`. Understanding this file lets you tune concurrency, verification, output format, and path filtering once — and have every scan pick it up automatically. + +## File discovery + +Leakwatch resolves the config file in the following order: + +1. **`--config ` flag** — use an explicit path regardless of the working directory. +2. **Current directory** — `.leakwatch.yaml` in the directory where the command is run. +3. **Home directory** — `~/.leakwatch.yaml` as a fallback. + +If no file is found, built-in defaults are used for every setting. + +## Generating a starter file + +The `leakwatch init` command writes a ready-to-edit file with recommended defaults: + +```bash +leakwatch init +``` + +By default the file is written to `.leakwatch.yaml` in the current directory. Use `--output` to choose a different path: + +```bash +leakwatch init --output /etc/leakwatch/.leakwatch.yaml +``` + +If the target file already exists, `leakwatch init` will refuse to overwrite it and exit with an error. Pass `--force` to overwrite: + +```bash +leakwatch init --force +``` + +## Environment variable overrides + +Every config key can be overridden with an environment variable. The naming rule is: + +- Prefix: `LEAKWATCH_` +- Replace `.` and `-` with `_` +- Uppercase + +Examples: + +| Config key | Environment variable | +|---|---| +| `scan.concurrency` | `LEAKWATCH_SCAN_CONCURRENCY` | +| `verification.rate-limit` | `LEAKWATCH_VERIFICATION_RATE_LIMIT` | +| `output.format` | `LEAKWATCH_OUTPUT_FORMAT` | +| `detection.entropy.threshold` | `LEAKWATCH_DETECTION_ENTROPY_THRESHOLD` | + +## Precedence + +When the same setting is specified in multiple places, the highest-priority source wins: + +1. Command-line flag (highest) +2. Environment variable +3. Config file value +4. Built-in default (lowest) + +## Full schema + +The annotated schema below shows every supported key, its default value, and valid range. + +```yaml +# ── Scan engine ────────────────────────────────────────────────────────────── + +scan: + # Number of concurrent file-processing workers. + # Defaults to the number of logical CPU cores on the host. + # Must be >= 1. + concurrency: 8 + + # Maximum file size to scan, in bytes. Files larger than this limit are + # skipped entirely. Default is 10 MB (10485760). Must be >= 1. + max-file-size: 10485760 + +# ── Detection ───────────────────────────────────────────────────────────────── + +detection: + entropy: + # Enable Shannon entropy calculation for each candidate match. + enabled: true + + # Entropy threshold used for display and custom-rule gating. + # Range: 0–8. Default: 4.0. + # See note below about built-in findings. + threshold: 4.0 + +# ── Verification ───────────────────────────────────────────────────────────── + +verification: + # Enable live verification against provider APIs. + enabled: true + + # Per-request HTTP timeout. Must be >= 1ms when verification is enabled. + # Use a duration string (e.g. "10s", "500ms") — a bare integer is + # treated as nanoseconds and will fail validation. + timeout: 10s + + # Number of concurrent verification workers. Must be >= 1. + concurrency: 4 + + # Maximum verification requests per second (token-bucket rate limiter). + # Must be > 0. + rate-limit: 10.0 + +# ── Filtering ───────────────────────────────────────────────────────────────── + +filter: + # Glob patterns for paths to exclude from scanning. + # Supported glob styles: filepath.Match patterns, ** double-star spanning + # zero or more path segments, and trailing-slash dir/ patterns that match + # the named directory at any depth. Each pattern is tested against both the + # full path and the base filename, so simple patterns like "*.min.js" match + # nested files without a leading path prefix. + # Applies to all scan sources. (On `scan fs` the --exclude flag also sets this.) + # Default: [] (no exclusions beyond the built-in binary/lock-file skips). + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "**/*.min.js" + - "**/*.min.css" + - "go.sum" + - "package-lock.json" + - "yarn.lock" + + # Detector IDs to disable entirely. Findings from listed detectors are never + # produced regardless of other settings. Default: []. + exclude-detectors: [] + +# ── Output ──────────────────────────────────────────────────────────────────── + +output: + # Output format. One of: json, sarif, csv, table. Default: json. + # The --format / -f flag overrides this at run time. + format: json + + # Write output to this file path instead of stdout. Default: "" (stdout). + # The --output / -o flag overrides this at run time. + file: "" + + # Drop findings below this severity level. + # One of: low, medium, high, critical. Default: "" (show all). + # The --min-severity flag overrides this at run time. + severity-threshold: "" + + # Include the unredacted secret value in output. + # Default: false. The --show-raw flag overrides this at run time. + show-raw: false + +# ── Custom rules ────────────────────────────────────────────────────────────── + +# Define your own detectors as YAML rules. See the custom rules page for the +# full rule schema. +# custom-rules: +# - id: "my-internal-token" +# description: "Internal Service Token" +# regex: "mycompany_[a-zA-Z0-9]{32}" +# keywords: ["mycompany_"] +# severity: critical +custom-rules: [] +``` + +:::note +`detection.entropy.threshold` controls which entropy value is displayed alongside a finding and acts as a gate for custom rules (a custom rule match whose entropy falls below the threshold is suppressed). It does **not** suppress findings from built-in detectors — built-in detectors have their own match criteria and are never dropped by this setting. +::: + +## Validation + +Leakwatch validates the loaded configuration before starting a scan and exits with an error for any of the following: + +| Condition | Error | +|---|---| +| `scan.concurrency < 1` | Invalid concurrency value | +| `scan.max-file-size < 1` | Invalid max-file-size value | +| `output.format` not in `json\|sarif\|csv\|table` | Unsupported output format | +| `detection.entropy.threshold` outside 0–8 | Invalid entropy threshold | +| `output.severity-threshold` not a valid level (when non-empty) | Invalid severity-threshold | +| `verification.timeout < 1ms` (when verification enabled) | Invalid verification timeout | +| `verification.concurrency < 1` (when verification enabled) | Invalid verification concurrency | +| `verification.rate-limit <= 0` (when verification enabled) | Invalid verification rate-limit | + +## See also + +- [Ignoring Findings](#/configuration/ignoring-findings) +- [Severity & Filtering](#/configuration/severity-and-filtering) +- [Custom Rules](#/detectors/custom-rules) +- [Environment Variables](#/reference/environment-variables) diff --git a/docs/user-manuals/en/configuration/ignoring-findings.md b/docs/user-manuals/en/configuration/ignoring-findings.md new file mode 100644 index 0000000..d2822f5 --- /dev/null +++ b/docs/user-manuals/en/configuration/ignoring-findings.md @@ -0,0 +1,126 @@ +--- +title: "Ignoring Findings" +description: "Suppress false positives with .leakwatchignore files, inline ignore markers, and built-in binary and lock-file skips." +--- + +# Ignoring Findings + +No scanner has zero false positives. Leakwatch gives you three layered mechanisms to suppress the noise: a `.leakwatchignore` file for path-based exclusions, inline markers for line-level suppression, and a set of always-on built-in skips for binary files and common lock files. + +## `.leakwatchignore` file + +Create a `.leakwatchignore` file in your repository root (or in the current directory) to exclude paths from the scan results. It uses a gitignore-style syntax: + +- Lines starting with `#` are comments. +- Blank lines are skipped. +- A `!` prefix **negates** a pattern, re-including a path that a previous pattern would have excluded. +- The **last matching pattern wins** — order matters. + +### Loading order + +Leakwatch loads `.leakwatchignore` from the scan root first, then from the current working directory. If both exist and contain patterns for the same path, the current-directory file's patterns take precedence because they are evaluated last. + +### Glob syntax + +Three pattern styles are supported: + +| Style | Description | Example | +|---|---|---| +| Standard glob | `filepath.Match`-style, matched against both the full path and the base filename | `*.pem` | +| Double-star `**` | Spans zero or more path segments | `test/fixtures/**` | +| Trailing slash `dir/` | Matches every file inside the named directory at any depth | `snapshots/` | + +### Example `.leakwatchignore` + +```text +# Ignore all test fixture files +test/fixtures/** + +# Ignore known placeholder keys in documentation +docs/examples/ + +# Ignore files with a specific extension anywhere in the tree +*.pem.example + +# Re-include a specific file excluded by the rule above +!docs/examples/real-config-sample.yaml +``` + +:::note +`.leakwatchignore` filtering is applied **after** the scan completes, based on the file path of each finding. It does not prevent files from being read — it suppresses the findings they produce. To skip files before they are read at all, use `filter.exclude-paths` in the config file or `--exclude` on `scan fs`. +::: + +## Inline ignore markers + +Place a marker directly on any source line to suppress detectors for that specific line. The marker can appear anywhere on the line — typically inside a comment — and is applied by the engine **before** verification, so an ignored line never triggers a network call. + +### Suppress all detectors on a line + +```python +# Payment processing configuration +STRIPE_KEY = "sk_test_XXXXXXXXXXXXXXXXXXXX" # leakwatch:ignore +``` + +### Suppress a specific detector on a line + +Use `leakwatch:ignore:` to suppress only one detector while leaving others active: + +```go +// This token is intentionally a placeholder for documentation +exampleToken := "ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" // leakwatch:ignore:github-token +``` + +```yaml +# CI environment variable set by the platform — not a real secret +api_key: "${CI_API_KEY_PLACEHOLDER}" # leakwatch:ignore:generic-api-key +``` + +:::tip +Prefer the detector-specific form (`leakwatch:ignore:`) over the generic one whenever possible. It documents which detector you are suppressing and keeps all other detectors active on that line. +::: + +## Built-in skips (always applied) + +Leakwatch unconditionally skips the following before running any detector: + +**Binary file extensions** — files with extensions such as `.exe`, `.dll`, `.so`, `.dylib`, `.bin`, `.png`, `.jpg`, `.gif`, `.mp4`, `.zip`, `.tar`, `.gz`, `.pdf`, `.woff`, `.ttf`, and others are never scanned. + +**Binary content detection** — any file whose first 8 KB contains a null byte is treated as binary and skipped, regardless of extension. + +**Common lock files** — the following filenames are always skipped because they contain hashes and checksums that produce high rates of false positives: + +| File | +|---| +| `package-lock.json` | +| `yarn.lock` | +| `pnpm-lock.yaml` | +| `composer.lock` | +| `Gemfile.lock` | +| `Cargo.lock` | +| `poetry.lock` | +| `go.sum` | +| `Pipfile.lock` | + +These built-in skips cannot be disabled. They are separate from the `filter.exclude-paths` setting and run before any config-based filtering. + +## Path-based exclusion before scanning + +To exclude paths before they are even read by the scan engine, use `filter.exclude-paths` in your config file: + +```yaml +filter: + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "**/*.min.js" + - "third-party/" +``` + +This setting applies to **all scan sources** (filesystem, Git history, container images, cloud storage, Slack). On the `scan fs` command you can also pass `--exclude ` on the command line, which is the flag-equivalent of `filter.exclude-paths`. + +See [Configuration File](#/configuration/config-file) for the full config schema and [Severity & Filtering](#/configuration/severity-and-filtering) for detector-level and severity-level filtering. + +## See also + +- [Configuration File](#/configuration/config-file) +- [Severity & Filtering](#/configuration/severity-and-filtering) diff --git a/docs/user-manuals/en/configuration/severity-and-filtering.md b/docs/user-manuals/en/configuration/severity-and-filtering.md new file mode 100644 index 0000000..c9e8b55 --- /dev/null +++ b/docs/user-manuals/en/configuration/severity-and-filtering.md @@ -0,0 +1,125 @@ +--- +title: "Severity & Filtering" +description: "Control which findings reach your output using severity thresholds, verified-only mode, detector exclusions, and path exclusions." +--- + +# Severity & Filtering + +A busy codebase can produce many findings. Leakwatch provides several independent filters you can combine to focus on the signals that matter most: severity thresholds drop low-priority noise, verified-only mode surfaces only confirmed live secrets, detector exclusions silence known false-positive sources, and path exclusions remove entire directory trees from scope. + +## Severity levels + +Every built-in detector ships with a default severity. The four levels, from lowest to highest priority, are: + +| Level | Typical use | +|---|---| +| `low` | Generic patterns with a higher false-positive rate | +| `medium` | Recognizable credential formats, unconfirmed | +| `high` | Well-structured secrets where exposure is likely significant | +| `critical` | Live secrets confirmed or formats with near-zero false-positive rates | + +The severity assigned to each detector is listed in the [Detector Catalog](#/detectors/detector-catalog). + +## `--min-severity`: drop findings below a threshold + +Pass `--min-severity ` to discard findings whose severity is below the specified level. Only findings at or above the threshold reach the output. + +```bash +# Show only high and critical findings +leakwatch scan fs . --min-severity high + +# Show medium, high, and critical findings +leakwatch scan fs . --min-severity medium +``` + +You can set a persistent default in the config file under `output.severity-threshold`. The `--min-severity` flag overrides the config value at run time: + +```yaml +output: + severity-threshold: medium +``` + +## `--only-verified`: confirmed active secrets only + +Pass `--only-verified` to keep only findings whose verification status is `verified_active` — secrets that Leakwatch confirmed are still valid by making a controlled read-only call to the provider API. All other findings (unverified, verified-inactive, or verify-error) are dropped. + +```bash +leakwatch scan fs . --only-verified +``` + +This flag is most useful in CI pipelines where you want to fail the build **only** on confirmed incidents, not on suspicious patterns that may be placeholders or already-rotated credentials. + +See [How Verification Works](#/verification/how-verification-works) for which detectors support live verification. + +## `filter.exclude-detectors`: disable specific detectors + +To permanently disable one or more detectors, list their IDs under `filter.exclude-detectors` in the config file. Findings from listed detectors are never produced, regardless of any other setting: + +```yaml +filter: + exclude-detectors: + - generic-api-key + - jwt +``` + +Detector IDs are listed in the [Detector Catalog](#/detectors/detector-catalog). Use this setting when a detector consistently produces false positives for your codebase and other suppression mechanisms (inline ignores or `.leakwatchignore`) are not granular enough. + +## `filter.exclude-paths`: skip paths before scanning + +To exclude paths before the scan engine reads them, use `filter.exclude-paths` in the config file. The patterns use the same glob syntax as `.leakwatchignore` (standard globs, `**` double-star, and trailing-slash directory patterns), and apply to **all scan sources**: + +```yaml +filter: + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "**/*.min.js" + - "**/*.min.css" + - "test/fixtures/" +``` + +:::note +On the `scan fs` command, the `--exclude ` flag is the command-line equivalent of `filter.exclude-paths`. The `--exclude` flag exists **only** on `scan fs` — for all other sources, use the config file setting. +::: + +## Combining filters in CI + +In a CI pipeline you typically want a low-noise, high-signal run that fails only on real incidents. A recommended combination: + +```bash +leakwatch scan fs . \ + --only-verified \ + --min-severity high \ + --format sarif \ + --output results.sarif +``` + +With a config file handling the persistent path exclusions: + +```yaml +filter: + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "test/fixtures/" + exclude-detectors: + - generic-api-key + +output: + severity-threshold: high +``` + +Then override just the format and destination at the command line for CI: + +```bash +leakwatch scan fs . --only-verified --format sarif --output results.sarif +``` + +See [How Verification Works](#/verification/how-verification-works) for verification details, [Ignoring Findings](#/configuration/ignoring-findings) for inline and file-based suppression, and [Configuration File](#/configuration/config-file) for the full schema. + +## See also + +- [Detector Catalog](#/detectors/detector-catalog) +- [How Verification Works](#/verification/how-verification-works) +- [Configuration File](#/configuration/config-file) +- [Ignoring Findings](#/configuration/ignoring-findings) diff --git a/docs/user-manuals/en/detectors/custom-rules.md b/docs/user-manuals/en/detectors/custom-rules.md new file mode 100644 index 0000000..b077fa2 --- /dev/null +++ b/docs/user-manuals/en/detectors/custom-rules.md @@ -0,0 +1,113 @@ +--- +title: "Custom Rules" +description: "How to define your own secret detection patterns in YAML and add them to a Leakwatch scan alongside the 63 built-in detectors." +--- + +# Custom Rules + +The 63 built-in detectors cover widely used credential formats, but every organisation has internal tokens, proprietary service keys, or environment-specific patterns that no generic tool can anticipate. Custom rules let you extend Leakwatch with your own patterns — defined in plain YAML, loaded at runtime — without modifying source code or rebuilding the binary. + +## Where custom rules live + +Custom rules are defined under a top-level `custom-rules:` list in your `.leakwatch.yaml` configuration file: + +```yaml +custom-rules: + - id: acme-internal-token + description: "ACME Corp internal service token" + regex: 'acme_[a-z0-9]{32}' + keywords: + - acme_ + severity: critical + entropy: 3.5 +``` + +The rules are registered at runtime when Leakwatch starts. They run alongside the built-in detectors using the same Aho-Corasick pre-filter pipeline. + +## Rule fields + +| Field | Required | Type | Description | +|-------|----------|------|-------------| +| `id` | Yes | string | Unique detector ID. Used in output and in `filter.exclude-detectors`. Must not collide with a built-in detector ID or another custom rule ID. | +| `description` | No | string | Human-readable description shown in output. | +| `regex` | Yes | string | RE2-compatible regular expression. Maximum 4096 characters. | +| `keywords` | No | list of strings | Aho-Corasick pre-filter keywords. The regex only runs on chunks that contain at least one of these strings. Omitting this field causes the regex to run on every chunk. | +| `severity` | No | string | `critical`, `high`, `medium`, or `low`. Defaults to `medium`. | +| `entropy` | No | float | Shannon entropy threshold (0–8). Matches whose entropy is **below** this value are discarded. Useful for filtering low-randomness false positives. | + +:::tip +Always supply `keywords`. Even a single short keyword (like a token prefix) dramatically reduces the number of chunks the regex engine processes, keeping scans fast on large repositories. For example, if all your internal tokens begin with `acme_`, set `keywords: [acme_]`. + +Use `entropy` to suppress matches on placeholder values like `acme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` that satisfy the pattern but are clearly not real secrets. A threshold around 3.0–3.5 is a good starting point. +::: + +## Collision handling + +If a custom rule's `id` matches an already-registered detector — either a built-in detector or a previously loaded custom rule — the duplicate is **skipped** and an error is logged. Leakwatch does not crash; the rest of the rules load normally. Check the log output if a custom rule appears to have no effect. + +## Verification + +Custom rules have no paired verifier. Findings from custom rules are always reported with status `unverified` — they never become `verified_active` or `verified_inactive`. + +## Complete example + +The following `.leakwatch.yaml` defines two custom rules: one for an internal service token and one for a signing secret used in webhooks. + +```yaml +custom-rules: + - id: acme-internal-token + description: "ACME Corp internal service token (format: acme_ + 32 hex chars)" + regex: 'acme_[a-f0-9]{32}' + keywords: + - acme_ + severity: critical + entropy: 3.2 + + - id: acme-webhook-signing-secret + description: "ACME Corp webhook signing secret (format: whsec_ + 40 base64url chars)" + regex: 'whsec_[A-Za-z0-9_\-]{40}' + keywords: + - whsec_ + severity: high + entropy: 3.5 +``` + +Run a scan with this config: + +```bash +leakwatch scan fs . --config .leakwatch.yaml +``` + +Sample JSON output for a custom-rule finding (secret value redacted): + +```json +{ + "detector_id": "acme-internal-token", + "description": "ACME Corp internal service token (format: acme_ + 32 hex chars)", + "severity": "critical", + "verification_status": "unverified", + "file": "config/production.env", + "line": 14, + "raw_redacted": "acme_********************************" +} +``` + +:::note +The `raw_redacted` field always masks the actual secret. The raw value is never written to output unless you explicitly pass `--show-raw` (not recommended outside controlled environments). +::: + +## Excluding a custom rule + +Custom rules participate in the same filtering as built-in detectors. To disable a custom rule without removing it from config: + +```yaml +filter: + exclude-detectors: + - acme-internal-token +``` + +## See also + +- [Configuration: Config File](#/configuration/config-file) — full reference for `.leakwatch.yaml`, including where `custom-rules:` sits in the document structure. +- [Detector Catalog](#/detectors/detector-catalog) — the 63 built-in detectors, to check for ID conflicts before naming your custom rule. +- [How It Works](#/getting-started/how-it-works) — the Aho-Corasick pre-filter pipeline that `keywords` plugs into. diff --git a/docs/user-manuals/en/detectors/detector-catalog.md b/docs/user-manuals/en/detectors/detector-catalog.md new file mode 100644 index 0000000..fa4a13d --- /dev/null +++ b/docs/user-manuals/en/detectors/detector-catalog.md @@ -0,0 +1,167 @@ +--- +title: "Detector Catalog" +description: "All 63 built-in detectors grouped by category, with their IDs, what they detect, and their default severity." +--- + +# Detector Catalog + +Leakwatch ships **63 built-in detectors** that cover a wide range of credential types — from cloud provider access keys and AI API tokens to database connection strings and private cryptographic keys. Each detector has a stable ID, a default severity, and (for most) a paired verifier that can confirm whether a found secret is still live. + +This page lists every built-in detector. For verification coverage details see [Verification Coverage](#/verification/verification-coverage). To add your own patterns, see [Custom Rules](#/detectors/custom-rules). + +## How to read this catalog + +- **ID** — the stable string identifier used in config and output. Pass it to `filter.exclude-detectors` to skip a detector, or use it with `--min-severity` filtering ([Severity and Filtering](#/configuration/severity-and-filtering)). +- **Detects** — what the detector is looking for. +- **Severity** — `Critical`, `High`, or `Medium`. This is the default; it feeds the `--min-severity` flag and the `output.severity-threshold` config key. + +--- + +## Cloud and Infrastructure + +| ID | Detects | Severity | +|----|---------|----------| +| `aws-access-key-id` | AWS Access Key ID | Critical | +| `gcp-service-account` | GCP Service Account Key | Critical | +| `azure-storage-key` | Azure Storage Connection String | Critical | +| `azure-entra-secret` | Azure Entra ID Client Secret | Critical | +| `digitalocean-token` | DigitalOcean Personal Access Token | Critical | +| `cloudflare-api-token` | Cloudflare API Token | Critical | +| `heroku-api-key` | Heroku API Key | Critical | +| `vercel-token` | Vercel API Token | High | +| `terraform-cloud-token` | Terraform Cloud/Enterprise API Token | Critical | +| `hashicorp-vault-token` | HashiCorp Vault Token | Critical | +| `doppler-token` | Doppler Service Token | Critical | + +## AI / ML + +| ID | Detects | Severity | +|----|---------|----------| +| `openai-api-key` | OpenAI API Key | Critical | +| `anthropic-api-key` | Anthropic API Key | Critical | +| `deepseek-api-key` | DeepSeek API Key | Critical | +| `huggingface-token` | Hugging Face API Token | Critical | + +## Payments and Commerce + +| ID | Detects | Severity | +|----|---------|----------| +| `stripe-api-key-live` | Stripe Live API Key | Critical | +| `stripe-api-key-test` | Stripe Test API Key | High | +| `coinbase-api-key` | Coinbase API Key | Critical | +| `shopify-access-token` | Shopify Access Token | Critical | + +## Dev Tools, CI, and Packages + +| ID | Detects | Severity | +|----|---------|----------| +| `github-token` | GitHub Personal Access Token | Critical | +| `github-oauth-token` | GitHub OAuth2 Token | Critical | +| `gitlab-pat` | GitLab Personal Access Token | Critical | +| `bitbucket-app-password` | Bitbucket App Password | Critical | +| `circleci-token` | CircleCI Personal API Token | High | +| `npm-token` | NPM Access Token | High | +| `pypi-api-token` | PyPI API Token | High | +| `rubygems-api-key` | RubyGems API Key | High | +| `dockerhub-pat` | Docker Hub Personal Access Token | Critical | +| `sonarcloud-token` | SonarCloud/SonarQube Token | High | +| `snyk-api-key` | Snyk API Key | High | +| `databricks-token` | Databricks Personal Access Token | Critical | +| `launchdarkly-sdk-key` | LaunchDarkly SDK Key | High | + +## Communication and Collaboration + +| ID | Detects | Severity | +|----|---------|----------| +| `slack-token` | Slack Bot/User Token | Critical | +| `slack-webhook` | Slack Webhook URL | High | +| `teams-webhook` | Microsoft Teams Incoming Webhook URL | High | +| `discord-bot-token` | Discord Bot Token | Critical | +| `telegram-bot-token` | Telegram Bot Token | High | +| `notion-token` | Notion Internal Integration Token | High | +| `linear-api-key` | Linear API Key | High | +| `figma-pat` | Figma Personal Access Token | High | +| `airtable-pat` | Airtable Personal Access Token | High | + +## Email and Messaging Delivery + +| ID | Detects | Severity | +|----|---------|----------| +| `sendgrid-api-key` | SendGrid API Key | Critical | +| `mailgun-api-key` | Mailgun API Key | Critical | +| `postmark-server-token` | Postmark Server API Token | High | +| `twilio-api-key` | Twilio API Key | Critical | + +## Monitoring and Observability + +| ID | Detects | Severity | +|----|---------|----------| +| `datadog-api-key` | Datadog API Key | Critical | +| `newrelic-api-key` | New Relic API Key | High | +| `grafana-api-key` | Grafana API Key | High | +| `sentry-token` | Sentry Auth Token | High | +| `pagerduty-api-key` | PagerDuty API Key | High | + +## Databases and Connection Strings + +| ID | Detects | Severity | +|----|---------|----------| +| `database-connection-string` | Database Connection String | Critical | +| `redis-connection-string` | Redis Connection String | Critical | +| `rabbitmq-connection-string` | RabbitMQ Connection String | Critical | +| `snowflake-credentials` | Snowflake Connection Credentials | Critical | +| `supabase-service-key` | Supabase Service Role Key | Critical | + +## Identity and Access + +| ID | Detects | Severity | +|----|---------|----------| +| `auth0-management-token` | Auth0 Management API Token | Critical | +| `okta-api-token` | Okta API Token | Critical | +| `ldap-credentials` | LDAP/LDAPS Bind Credentials | Critical | + +## Web3 + +| ID | Detects | Severity | +|----|---------|----------| +| `infura-api-key` | Infura API Key | High | + +## Generic and Cryptographic + +| ID | Detects | Severity | +|----|---------|----------| +| `generic-api-key` | Generic API Key | Medium | +| `jwt` | JSON Web Token | High | +| `private-key` | Private Key (RSA, SSH, DSA, EC, PGP) | Critical | +| `ftp-credentials` | FTP/SFTP Credentials | Critical | + +--- + +**Total: 63 built-in detectors.** + +## Filtering by severity + +Findings are filterable by severity using `--min-severity` at the command line or `output.severity-threshold` in config. Only findings at or above the specified level are included in the output. See [Severity and Filtering](#/configuration/severity-and-filtering) for details. + +## Excluding specific detectors + +To skip one or more detectors entirely, add their IDs to `filter.exclude-detectors` in `.leakwatch.yaml`: + +```yaml +filter: + exclude-detectors: + - generic-api-key + - jwt +``` + +See [Severity and Filtering](#/configuration/severity-and-filtering) for the full filtering reference. + +## Verification coverage + +Some detectors have a live verifier; others are format-validated only; nine have no verifier at all. See [Verification Coverage](#/verification/verification-coverage) for the complete breakdown. + +## See also + +- [Custom Rules](#/detectors/custom-rules) — define your own detection patterns in YAML. +- [Verification Coverage](#/verification/verification-coverage) — which detectors can be live-verified. +- [Severity and Filtering](#/configuration/severity-and-filtering) — filtering findings by severity or detector. diff --git a/docs/user-manuals/en/getting-started/how-it-works.md b/docs/user-manuals/en/getting-started/how-it-works.md new file mode 100644 index 0000000..0c3e0a8 --- /dev/null +++ b/docs/user-manuals/en/getting-started/how-it-works.md @@ -0,0 +1,163 @@ +--- +title: "How It Works" +description: "Architecture of the Leakwatch scan pipeline: sources, detection, verification, and output." +--- + +# How It Works + +Understanding the Leakwatch pipeline helps you tune performance, interpret results, and decide which flags to reach for. This page explains what happens from the moment you run a scan command to the moment a finding appears in your output. + +## The pipeline at a glance + +```mermaid +flowchart LR + A([Source\nfs / git / image\ns3 / gcs / slack]) --> B[Worker Pool\n—concurrency workers] + B --> C[Aho-Corasick\nPre-filter] + C --> D[Regex\nDetectors] + D --> E[Inline-ignore\nCheck] + E --> F[Verification\nPool\n4 workers / 10 rps] + F --> G[Post-scan\nFilters] + G --> H([Output\njson / sarif\ncsv / table]) +``` + +Each stage is described in detail below. + +## 1. Source + +Every scan starts with a **Source** — an abstraction that emits chunks of data for the engine to process. Leakwatch ships six sources: + +| Source | Command | What it emits | +|--------|---------|---------------| +| Filesystem | `scan fs` | File contents from a local directory tree | +| Git history | `scan git` | Every blob across the full commit history | +| Container image | `scan image` | Layer contents of an OCI/Docker image, daemonless | +| AWS S3 | `scan s3` | Object contents from an S3 bucket | +| Google Cloud Storage | `scan gcs` | Object contents from a GCS bucket | +| Slack | `scan slack` | Message text from channels and DMs | + +:::note +Slack scanning covers **message text only**. The contents of files uploaded to Slack are not scanned. +::: + +Chunks flow into a buffered channel consumed by the worker pool. + +## 2. Worker pool + +The engine maintains a fixed pool of **goroutines** — one per `--concurrency` value (default: number of CPUs). Each worker pulls a chunk from the channel and runs the detection pipeline independently. Because workers share no mutable state, the pool scales linearly with concurrency up to the limits of I/O and memory. + +Scans respond to `SIGINT` / `SIGTERM`: when a cancellation signal arrives, the context is cancelled, workers drain their current chunk and stop, and partial results are collected before output is written. + +## 3. Aho-Corasick keyword pre-filter + +Running 63 regex patterns on every chunk would be slow. Instead, the engine builds a single **Aho-Corasick multi-pattern automaton** at startup from the keyword lists declared by each detector. For each chunk, this automaton does a single linear pass and returns only the detectors whose keywords appeared in the chunk's bytes. + +This means most detectors never run their regex on most chunks. Detectors that declare no keywords always run (they skip the pre-filter and proceed directly to regex). + +The Aho-Corasick implementation comes from [cloudflare/ahocorasick](https://github.com/cloudflare/ahocorasick). + +## 4. Regex detectors + +Each shortlisted detector runs its compiled **regular expression** against the chunk bytes. When a pattern matches, the detector returns a `RawFinding` containing: + +- The raw secret bytes (held in memory only for verification; never logged or written to disk). +- A **redacted** representation safe for output. +- Optional extra metadata (e.g. account ID for an AWS key). + +Leakwatch ships **63 built-in detectors** across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via [custom YAML rules](#/configuration/custom-rules). + +All detectors are registered at compile time using Go's `init()` function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime. + +## 5. Inline-ignore check + +Before a finding is sent to verification, the engine checks whether the source line contains an **inline ignore marker**: + +```go +// leakwatch:ignore +``` + +or a detector-scoped variant: + +```go +// leakwatch:ignore:aws-access-key-id +``` + +If the marker is present, the finding is silently dropped **before any network call is made**. This is intentional: ignored secrets should never trigger a live API request. + +## 6. Verification + +After detection completes for all chunks, the engine passes findings to a separate **verification worker pool** (default 4 workers). Verification: + +- Is guarded by a global **rate limiter** (default 10 requests per second) shared across all workers. +- Applies a **per-request timeout** (default 10 seconds) to every API call. +- Makes only **read-only, non-destructive** calls to the provider (e.g. `sts:GetCallerIdentity` for AWS keys). +- Marks each finding with one of four statuses: `verified:active`, `verified:inactive`, `unverified`, or `verify:error`. + +Leakwatch ships **54 verifiers**, covering 85.7% of the 63 built-in detector types. The remaining 9 types (such as JWTs and generic API keys) cannot be safely verified and are always reported as `unverified`. + +Pass `--no-verify` to skip this stage entirely — useful for fast, offline scans. + +For a deep dive into verification behavior and status meanings, see [How Verification Works](#/verification/how-verification-works). + +## 7. Finding ID and entropy + +Each finding receives a **deterministic ID** computed as: + +``` +sha256(detectorID + redacted + filePath + line) → truncated to 16 hex characters +``` + +The same secret at the same location always produces the same ID, making it safe to deduplicate findings across runs or track them in issue trackers. + +**Shannon entropy** (range 0–8) is computed for each finding and exposed in output for informational purposes. At the engine level, entropy does **not** gate or drop built-in findings — a low-entropy match still appears in results. Entropy thresholds only apply inside custom rules, where each rule can declare its own minimum. + +## 8. Post-scan filters + +After verification, two filters apply: + +- `--only-verified` — drops all findings that are not `verified:active`. +- `--min-severity` — drops findings below the specified severity level (`low` | `medium` | `high` | `critical`; default `low`). + +Both filters run after verification so that verification status is available when `--only-verified` is evaluated. + +## 9. Output + +Surviving findings are passed to one of four **formatters**: + +| Format | Flag | Common use | +|--------|------|------------| +| JSON | `--format json` (default) | Machine-readable, pipeline-friendly | +| SARIF v2.1.0 | `--format sarif` | GitHub Code Scanning, security dashboards | +| CSV | `--format csv` | Spreadsheets, data analysis | +| Table | `--format table` | Terminal review, color-coded by severity | + +Output goes to stdout by default; use `--output ` to write to a file. + +A **scan summary** (date, source type, target, files scanned, duration, findings count, interrupted status) is always printed to **stderr** after every scan, regardless of format or output destination. + +## Secret safety + +Leakwatch is designed so that discovered secrets never leave the process boundary except for verification calls: + +- Raw secret bytes live only in memory during detection and verification. +- The `--show-raw` flag is `false` by default; without it, only the redacted representation appears in output. +- Secrets are never written to disk, logged via `slog`, or cached between runs. + +## Design decisions + +The architecture reflects several deliberate choices documented as ADRs: + +- **Go + CGO disabled** (ADR-0001) — single static binary, no runtime dependencies, cross-compiles to all platforms. +- **Cobra + Viper** (ADR-0002) — hierarchical CLI with `flag > env > config > default` precedence. +- **go-git** (ADR-0003) — pure Go Git library; no external `git` binary required. +- **Compile-time detector registration** (ADR-0004) — `init()` + blank imports; type-safe, no runtime plugin loader. +- **Aho-Corasick hybrid matching** (ADR-0005) — pre-filter eliminates most regex work on irrelevant chunks. +- **go-containerregistry** (ADR-0006) — daemonless layer analysis; no Docker daemon required to scan images. +- **Worker pool** (ADR-0008) — fixed goroutine count, channel-based fan-out; predictable memory and CPU usage. + +## See also + +- [Quick Start](#/getting-started/quick-start) +- [How Verification Works](#/verification/how-verification-works) +- [Configuration File](#/configuration/config-file) +- [CLI Reference](#/reference/cli-reference) +- [Custom Rules](#/configuration/custom-rules) diff --git a/docs/user-manuals/en/getting-started/installation.md b/docs/user-manuals/en/getting-started/installation.md new file mode 100644 index 0000000..111e5cc --- /dev/null +++ b/docs/user-manuals/en/getting-started/installation.md @@ -0,0 +1,101 @@ +--- +title: "Installation" +description: "Install Leakwatch via Homebrew, go install, Docker, or a prebuilt binary." +--- + +# Installation + +Getting Leakwatch onto your machine takes less than a minute. Choose the method that best fits your workflow: Homebrew is the simplest option on macOS and Linux, `go install` is ideal if you already have a Go toolchain, Docker keeps your host system clean, and prebuilt binaries work everywhere without any toolchain at all. + +## Homebrew (macOS and Linux) + +The official tap supports macOS and Linux on both amd64 and arm64. + +```bash +brew install HodeTech/tap/leakwatch +``` + +The tap is hosted at [github.com/HodeTech/homebrew-tap](https://github.com/HodeTech/homebrew-tap). Homebrew handles upgrades with `brew upgrade leakwatch`. + +## Go install + +If you have Go 1.25 or later installed, you can build and install the latest release directly from source: + +```bash +go install github.com/HodeTech/leakwatch@latest +``` + +The binary is placed in `$(go env GOPATH)/bin`. Make sure that directory is on your `PATH`. + +:::note +`go install` always fetches the latest tagged release. To pin a specific version, replace `@latest` with a tag such as `@v1.5.0`. +::: + +## Docker + +A minimal, multi-stage Alpine image is published to the GitHub Container Registry. The image runs as a non-root user (`leakwatch`), has CGO disabled, and uses `/scan` as its working directory. + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan +``` + +Available tags: + +| Tag | Description | +|-----|-------------| +| `:latest` | Most recent release | +| `:v1.5.0` | Exact version pin | +| `:v1.5` | Minor-version pin (tracks patch releases) | + +Mount the directory you want to scan to `/scan` inside the container. Flags and options work identically to the native binary — see [CLI Reference](#/reference/cli-reference) for the full list. + +:::tip +For Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see [Using Docker](#/guides/docker). +::: + +## Prebuilt binary + +Every release publishes tarballs for all supported platforms on the [GitHub Releases](https://github.com/HodeTech/Leakwatch/releases) page. Download the archive for your platform, extract it, and place the binary on your `PATH`. + +**Supported platforms:** Linux, macOS, and Windows on amd64 and arm64. + +```bash +# Example for Linux amd64 — replace OS and ARCH to match your platform +curl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz +tar -xzf leakwatch_Linux_amd64.tar.gz +sudo mv leakwatch /usr/local/bin/leakwatch +``` + +Platform naming follows the pattern `leakwatch__.tar.gz` where `` is `Linux`, `Darwin`, or `Windows` and `` is `amd64` or `arm64`. + +## Verifying your installation + +After any installation method, confirm the binary is reachable and check the version: + +```bash +leakwatch version +``` + +Expected output: + +```text +leakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z) +``` + +If the command is not found, check that the install directory is on your `PATH`. + +## Next steps + +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [How It Works](#/getting-started/how-it-works) — the architecture behind a Leakwatch scan. +- [Configuration File](#/configuration/config-file) — customize scan behavior with `.leakwatch.yaml`. + +## See also + +- [Quick Start](#/getting-started/quick-start) +- [Using Docker](#/guides/docker) +- [CLI Reference](#/reference/cli-reference) +- [Configuration File](#/configuration/config-file) diff --git a/docs/user-manuals/en/getting-started/introduction.md b/docs/user-manuals/en/getting-started/introduction.md new file mode 100644 index 0000000..2b595d2 --- /dev/null +++ b/docs/user-manuals/en/getting-started/introduction.md @@ -0,0 +1,59 @@ +--- +title: "Introduction" +description: "What Leakwatch is, what it scans, and how it detects and verifies leaked secrets." +--- + +# Introduction + +**Leakwatch** is a high-performance, open-source (MIT) security tool that **detects, verifies, and reports leaked secrets** — API keys, tokens, passwords, connection strings, and private keys — across your codebases, Git history, container images, cloud storage, and Slack workspaces. + +It is written in Go, ships as a single static binary with no runtime dependencies (`CGO_ENABLED=0`), and is built to run anywhere: a developer laptop, a pre-commit hook, or a CI/CD pipeline. + +## Why Leakwatch + +A leaked credential in a single commit — even one later deleted — can stay reachable in Git history forever and be exploited within minutes of being pushed. Leakwatch is designed to catch those secrets early and tell you which ones are *actually dangerous*: + +- **Broad detection** — 63 built-in detectors covering cloud providers, AI APIs, payment platforms, databases, messaging tools, and more, plus your own YAML custom rules. +- **Verification, not just detection** — for 54 detector types Leakwatch can confirm whether a found secret is *still live* by making a controlled, read-only call to the provider. A verified-active key is an incident; an inactive one is noise. +- **Many sources** — scan a local filesystem, a full Git history, an OCI/Docker image, AWS S3, Google Cloud Storage, and Slack messages. +- **CI-native output** — JSON, SARIF (for GitHub Code Scanning), CSV, and a colorized terminal table. +- **Secret-safe by design** — discovered secrets are redacted by default and are never logged, cached, or written to disk. + +## What it scans + +| Source | Command | What it covers | +|--------|---------|----------------| +| Filesystem | `leakwatch scan fs` | Files in a local directory tree | +| Git history | `leakwatch scan git` | Every blob across the full commit history (local or remote) | +| Container image | `leakwatch scan image` | OCI/Docker image layers, daemonless | +| AWS S3 | `leakwatch scan s3` | Objects in an S3 bucket | +| Google Cloud Storage | `leakwatch scan gcs` | Objects in a GCS bucket | +| Slack | `leakwatch scan slack` | Message text in channels and (optionally) DMs | +| Multiple repos | `leakwatch scan repos` | Several Git repositories at once | + +## How detection works, briefly + +Leakwatch uses a layered pipeline so it stays fast even on large inputs: + +1. **Aho-Corasick keyword pre-filter** — a single multi-pattern automaton quickly decides which detectors *could* match a chunk, so most detectors never run their regex. +2. **Regex validation** — only the shortlisted detectors run their precise patterns. +3. **Entropy** — Shannon entropy is computed for display (and used by custom rules to drop low-randomness matches). +4. **Verification** — eligible findings are checked against the live provider API. + +:::tip +You don't have to understand the pipeline to use Leakwatch — but it explains why scans are fast and why some findings show a verification status while others don't. See [How It Works](#/getting-started/how-it-works) for the full picture. +::: + +## What Leakwatch is *not* + +To set expectations accurately: + +- It does **not** rewrite Git history or remove secrets for you — it finds and reports them, and (with `--remediation`) tells you how to rotate them. +- Slack scanning covers **message text only**; scanning the *contents* of uploaded files is not implemented. +- Verification is available for many but not all secret types — 9 detector types (such as JWTs and generic API keys) cannot be safely verified and are always reported as unverified. + +## Next steps + +- [Installation](#/getting-started/installation) — install via Homebrew, `go install`, Docker, or a prebuilt binary. +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [How It Works](#/getting-started/how-it-works) — the architecture behind the scan. diff --git a/docs/user-manuals/en/getting-started/quick-start.md b/docs/user-manuals/en/getting-started/quick-start.md new file mode 100644 index 0000000..3164689 --- /dev/null +++ b/docs/user-manuals/en/getting-started/quick-start.md @@ -0,0 +1,152 @@ +--- +title: "Quick Start" +description: "Run your first Leakwatch scan in under a minute." +--- + +# Quick Start + +The fastest way to understand what Leakwatch can do is to point it at a real directory. This page walks you through your first scan, explains what the output means, and shows the flags you will reach for most often. + +## Prerequisites + +Leakwatch must be installed and accessible on your `PATH`. If you have not done that yet, see [Installation](#/getting-started/installation). + +## Your first scan + +Scan the current directory with one command: + +```bash +leakwatch scan fs . +``` + +By default, output is JSON written to stdout. To get a human-readable, colorized table instead, add `--format table`: + +```bash +leakwatch scan fs . --format table +``` + +Here is what a result looks like: + +```text + SEVERITY DETECTOR FILE LINE REDACTED STATUS +───────────────────────────────────────────────────────────────────────────────────────────── + CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active + HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active + MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified + +── Scan Summary ───────────────────────────────── + Date: 2026-05-23 14:03:11 + Source: filesystem + Target: /home/user/myproject + Files scanned: 312 + Duration: 1.24s + Findings: 3 +───────────────────────────────────────────────── +``` + +The scan summary is always printed to **stderr**, so it never interferes with piped or redirected output. + +## Understanding a finding + +Each row in the table (or object in JSON) represents one finding. The key fields are: + +| Field | Meaning | +|-------|---------| +| **SEVERITY** | How critical the secret type is: `low`, `medium`, `high`, or `critical` | +| **DETECTOR** | The detector that matched — identifies the secret type (e.g. `aws-access-key-id`) | +| **FILE** | Path to the file where the secret was found, relative to the scan root | +| **LINE** | Line number of the match | +| **REDACTED** | A masked representation of the secret — never the raw value unless `--show-raw` is set | +| **STATUS** | Verification outcome: `verified:active`, `verified:inactive`, `unverified`, or `verify:error` | + +A `verified:active` status means Leakwatch confirmed the secret is still live by making a read-only API call to the provider. **Treat every `verified:active` finding as an open incident.** + +## Common scan options + +### Focus on confirmed secrets only + +```bash +leakwatch scan fs . --only-verified +``` + +This hides unverified and inactive findings, leaving only those confirmed live. Useful for triage when you have many results. + +### Skip network verification for a fast offline scan + +```bash +leakwatch scan fs . --no-verify +``` + +Verification is skipped entirely — no outbound network calls are made. Results appear faster and work without internet access, but all findings are marked `unverified`. + +### Add remediation guidance + +```bash +leakwatch scan fs . --remediation --format table +``` + +Each finding gains a **REMEDIATION** column explaining how to rotate or revoke the specific secret type. The same data is included in JSON, SARIF, and CSV output when the flag is set. + +### Filter by minimum severity + +```bash +leakwatch scan fs . --min-severity high +``` + +Only findings at `high` or `critical` severity are reported. + +### Save results to a file + +```bash +leakwatch scan fs . --format sarif --output results.sarif +``` + +The `--output` / `-o` flag writes to a file instead of stdout. SARIF output is compatible with [GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning). + +## Generate a configuration file + +Running Leakwatch with defaults is fine for a first try, but for repeated use you will want a project-level configuration: + +```bash +leakwatch init +``` + +This writes `.leakwatch.yaml` in the current directory with recommended defaults for concurrency, entropy, verification, output format, and common path exclusions. Use `--force` to overwrite an existing file, or `--output` to write to a different path. + +See [Configuration File](#/configuration/config-file) for a full explanation of every option. + +## Exit codes + +Leakwatch uses distinct exit codes so CI scripts can act on results without parsing output: + +| Code | Meaning | +|------|---------| +| `0` | Scan completed — no findings | +| `1` | Scan completed — one or more secrets found | +| `2` | Scan failed due to an error | + +A typical CI gate looks like: + +```bash +leakwatch scan fs . --only-verified --format sarif --output results.sarif +if [ $? -eq 1 ]; then + echo "Active secrets found — failing build" + exit 1 +fi +``` + +:::warn +Exit code `1` is returned whenever *any* finding passes the active filters (including `--min-severity` and `--only-verified`). A clean exit code `0` means no findings matched — not that no secrets exist in the codebase. +::: + +## Cancelling a scan + +Press `Ctrl+C` (or send `SIGTERM`) to cancel a running scan. Leakwatch stops gracefully: in-flight chunks finish, partial results are written, and the summary indicates `Status: interrupted (partial results)`. + +## See also + +- [Installation](#/getting-started/installation) +- [How It Works](#/getting-started/how-it-works) +- [CLI Reference](#/reference/cli-reference) +- [Configuration File](#/configuration/config-file) +- [How Verification Works](#/verification/how-verification-works) diff --git a/docs/user-manuals/en/output/output-formats.md b/docs/user-manuals/en/output/output-formats.md new file mode 100644 index 0000000..94b394f --- /dev/null +++ b/docs/user-manuals/en/output/output-formats.md @@ -0,0 +1,164 @@ +--- +title: "Output Formats" +description: "The four output formats Leakwatch supports — JSON, SARIF, CSV, and table — with examples and guidance on when to use each." +--- + +# Output Formats + +Leakwatch supports four output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, and human-readable terminal review. Select a format with `--format` (or `-f`); write to a file instead of stdout with `--output` (or `-o`). + +```bash +leakwatch scan fs . --format json +leakwatch scan fs . --format sarif --output results.sarif +leakwatch scan fs . --format csv --output findings.csv +leakwatch scan fs . --format table +``` + +The default format is `json`. + +## JSON + +JSON is the default format and the most complete representation. Leakwatch writes a JSON **array** of finding objects to stdout (or to the file given by `--output`). + +The raw secret value is **never** serialized unless `--show-raw` is explicitly set. With `--show-raw`, a `"raw"` field is added to each object. + +### Example invocation + +```bash +leakwatch scan fs ./src --format json --output findings.json +``` + +### Example finding object + +```json +{ + "id": "a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f", + "detector_id": "github-token", + "severity": "critical", + "redacted": "ghp_****************************Xk9R", + "source": { + "source_type": "filesystem", + "file_path": "scripts/deploy.sh", + "line": 14 + }, + "verification": { + "status": "verified_active" + }, + "entropy": 5.82, + "detected_at": "2026-05-23T10:15:30Z" +} +``` + +When `--remediation` is also set, a `"remediation"` object is nested inside each finding. See [Remediation Guidance](#/output/remediation). + +## SARIF + +The `sarif` format produces a SARIF v2.1.0 document, designed for upload to [GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github). The tool name is `Leakwatch` and `informationUri` points to `https://github.com/HodeTech/Leakwatch`. + +Each detector that appears in the findings becomes a **rule** in the SARIF driver, complete with `help` text (populated from remediation steps when `--remediation` is set) and a `helpUri` pointing to the provider documentation. Results carry a `leakwatch/v1` partial fingerprint computed from the detector ID, redacted value, and file path — this lets GitHub Code Scanning track the same alert even when surrounding code shifts. + +### Example invocation + +```bash +leakwatch scan fs . --format sarif --output results.sarif +``` + +### Uploading to GitHub Code Scanning + +```yaml +# In a GitHub Actions workflow step: +- name: Upload SARIF results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif +``` + +See [GitHub Action](#/ci-cd/github-action) for the full CI setup. + +## CSV + +The `csv` format writes a header row followed by one row per finding, using standard comma-separated values. Every cell is sanitized against spreadsheet formula injection before writing. + +**Columns (default):** + +```text +id,detector_id,severity,redacted,file_path,commit,verification_status,remediation +``` + +When `--show-raw` is set, a trailing `raw` column is appended. + +The `remediation` column contains the remediation title (e.g. `"Revoke GitHub Token"`) when `--remediation` is set, and is empty otherwise. + +### Example invocation + +```bash +leakwatch scan git . --format csv --output findings.csv +``` + +### Example output + +```csv +id,detector_id,severity,redacted,file_path,commit,verification_status,remediation +a3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token +b7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key +``` + +## Table + +The `table` format writes a human-readable tab-aligned table, best suited for interactive terminal sessions where you want a quick visual scan of the results. + +**Columns:** + +```text +SEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION +``` + +When `--show-raw` is set, a trailing `RAW` column is appended. A summary line is printed at the bottom of the table (e.g. `Found 3 secrets (1 critical, 2 high).`). + +**ANSI color** is applied to the `SEVERITY` column automatically, but only when all four conditions are met: + +1. `--format table` is selected +2. Output goes to stdout (no `--output `) +3. stdout is a TTY (not a pipe or redirect) +4. The `NO_COLOR` environment variable is unset + +| Severity | Color | +|---|---| +| `critical` | Bold red | +| `high` | Red | +| `medium` | Yellow | +| `low` | Blue | + +### Example invocation + +```bash +leakwatch scan fs . --format table --min-severity high +``` + +### Example output + +```text +SEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION +-------- -------- ---- -------- ------ ----------- +CRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token +HIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key + +Found 2 secrets (1 critical, 1 high). +``` + +## Common output flags + +| Flag | Short | Description | +|---|---|---| +| `--format` | `-f` | Output format: `json`, `sarif`, `csv`, `table` (default `json`) | +| `--output` | `-o` | Write to file instead of stdout | +| `--show-raw` | | Include unredacted secret value in output | +| `--min-severity` | | Drop findings below this severity level | +| `--only-verified` | | Keep only `verified_active` findings | +| `--remediation` | | Enrich findings with provider remediation guidance | + +## See also + +- [Remediation Guidance](#/output/remediation) +- [GitHub Action](#/ci-cd/github-action) +- [How Verification Works](#/verification/how-verification-works) diff --git a/docs/user-manuals/en/output/remediation.md b/docs/user-manuals/en/output/remediation.md new file mode 100644 index 0000000..b0c6632 --- /dev/null +++ b/docs/user-manuals/en/output/remediation.md @@ -0,0 +1,113 @@ +--- +title: "Remediation Guidance" +description: "Use --remediation to enrich findings with provider-specific rotation and revocation steps, urgency ratings, and official documentation links." +--- + +# Remediation Guidance + +Knowing a secret is leaked is only half the work — you also need to know what to do about it. Passing `--remediation` to any scan command enriches each finding with structured, provider-specific guidance: the steps to rotate or revoke the credential, a link to the provider's documentation, a link to the management console, an urgency rating, and a verification checklist. + +## How to enable it + +Add `--remediation` to any scan command: + +```bash +leakwatch scan fs . --remediation +leakwatch scan git . --remediation --format json +leakwatch scan image myapp:latest --remediation --format sarif +``` + +Remediation enrichment is disabled by default. When the flag is absent, the `remediation` field in each finding is `null` and no extra data is fetched or computed. + +## What it contains + +Each remediation entry includes the following fields: + +| Field | Description | +|---|---| +| `title` | Short name of the remediation action (e.g. `"Rotate AWS Access Key"`) | +| `steps` | Ordered list of steps to rotate or revoke the secret | +| `doc_url` | Link to the provider's official credential-management documentation | +| `console_url` | Direct link to the provider's management console page | +| `urgency` | How quickly to act: `"immediate"`, `"high"`, or `"medium"` | +| `checklist` | Post-rotation verification steps (e.g. review audit logs, notify the security team) | + +Leakwatch ships 63 remediation entries — one for every built-in detector. All 63 entries are included in the binary; no network calls are made to fetch guidance. + +## How it appears in each format + +Enrichment adds the guidance to the finding object in memory. How it surfaces depends on the output format: + +**JSON** — the full structured `remediation` object is nested inside each finding: + +```bash +leakwatch scan fs . --remediation --format json +``` + +```json +{ + "id": "a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f", + "detector_id": "github-token", + "severity": "critical", + "redacted": "ghp_****************************Xk9R", + "source": { + "source_type": "filesystem", + "file_path": "scripts/deploy.sh", + "line": 14 + }, + "verification": { + "status": "verified_active" + }, + "remediation": { + "title": "Revoke GitHub Token", + "steps": [ + "Go to GitHub Settings > Developer settings > Personal access tokens.", + "Revoke the compromised token immediately.", + "Create a new token with the minimum required scopes.", + "Update all integrations and CI/CD pipelines with the new token." + ], + "doc_url": "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens", + "console_url": "https://github.com/settings/tokens", + "urgency": "immediate", + "checklist": [ + "Review the GitHub audit log for unauthorized actions performed with the token.", + "Check repository and organization settings for unexpected changes.", + "Notify the security team about the exposure.", + "Scan for other repositories that may contain the same token." + ] + }, + "entropy": 5.82, + "detected_at": "2026-05-23T10:15:30Z" +} +``` + +**SARIF** — the `steps` are embedded in the rule's `help.text` field, and `doc_url` is set as the rule's `helpUri`. This surfaces directly in GitHub Code Scanning's alert details panel. + +**CSV** — only the remediation `title` is written to the `remediation` column. The full structured guidance is not included in the CSV output. + +**Table** — only the remediation `title` is shown in the `REMEDIATION` column. + +```bash +leakwatch scan fs . --remediation --format table +``` + +```text +SEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION +-------- -------- ---- -------- ------ ----------- +CRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token + +Found 1 secret (1 critical). +``` + +:::tip +Use `--remediation --format json` when you need the full structured guidance for automated incident-response workflows. Use `--remediation --format table` for a quick human-readable triage session in the terminal. +::: + +:::note +Enrichment runs only when `--remediation` is set. Without the flag, the `remediation` field is absent from JSON and SARIF output, and the CSV and table `remediation` columns are empty. The flag does not modify the original scan results — it adds a layer on top. +::: + +## See also + +- [Output Formats](#/output/output-formats) +- [How Verification Works](#/verification/how-verification-works) diff --git a/docs/user-manuals/en/reference/cli-reference.md b/docs/user-manuals/en/reference/cli-reference.md new file mode 100644 index 0000000..a76cefb --- /dev/null +++ b/docs/user-manuals/en/reference/cli-reference.md @@ -0,0 +1,300 @@ +--- +title: "CLI Reference" +description: "Complete reference for every Leakwatch command, subcommand, and flag." +--- + +# CLI Reference + +This page is the authoritative reference for all Leakwatch commands and flags. For conceptual explanations and worked examples, follow the cross-links to the relevant scanning or configuration pages. + +## Global flags + +These flags are available on every command and subcommand. + +| Flag | Default | Description | +|------|---------|-------------| +| `--config ` | auto-discovered `.leakwatch.yaml` | Path to a configuration file. When omitted, Leakwatch searches the current directory and its parents for `.leakwatch.yaml`. | +| `--log-level ` | `warn` | Logging verbosity: `debug`, `info`, `warn`, or `error`. Log output goes to stderr and does not affect scan results. | + +## `leakwatch version` + +Prints the binary version, commit hash, and build timestamp, then exits. + +```bash +leakwatch version +``` + +```text +leakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z) +``` + +## `leakwatch init` + +Generates a `.leakwatch.yaml` configuration file in the current directory with recommended defaults. + +```bash +leakwatch init [flags] +``` + +| Flag | Default | Description | +|------|---------|-------------| +| `--output ` | `.leakwatch.yaml` | Write the config file to this path instead of the default. | +| `--force` | `false` | Overwrite an existing config file. Without this flag, `init` exits with an error if the output file already exists. | + +```bash +# Generate the default config +leakwatch init + +# Overwrite an existing config +leakwatch init --force +``` + +## `leakwatch scan` + +Parent command for all scan subcommands. Has no behavior on its own; run a subcommand. + +### Common scan flags + +The following flags are available on **all** `scan` subcommands. + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, or `table`. | +| `--output` | `-o` | stdout | Write results to this file path instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent scan workers. | +| `--max-file-size` | — | `10485760` (10 MB) | Skip files or blobs larger than this number of bytes. | +| `--show-raw` | — | `false` | Include the raw (unredacted) secret value in output. Use with caution. | +| `--no-verify` | — | `false` | Disable live secret verification. No outbound API calls are made. | +| `--only-verified` | — | `false` | Report only findings that Leakwatch has confirmed are active via live verification. | +| `--min-severity` | — | `low` | Minimum severity to include in output: `low`, `medium`, `high`, or `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance (rotation/revocation steps) to each finding. | + +--- + +### `scan fs` + +Scans a local directory tree. + +```bash +leakwatch scan fs [path] [flags] +``` + +`path` defaults to `.`. Accepts at most one positional argument. + +#### Filesystem-specific flags + +| Flag | Default | Description | +|------|---------|-------------| +| `--exclude ` | — | Glob pattern for paths to exclude. Repeatable. | + +#### Examples + +```bash +# Scan the current directory, print a colorized table +leakwatch scan fs . --format table + +# Save SARIF output, exclude test files and vendor +leakwatch scan fs . \ + --exclude "**/*_test.go" \ + --exclude "vendor/**" \ + --format sarif \ + --output results.sarif +``` + +--- + +### `scan git` + +Scans the full commit history of a local or remote Git repository. + +```bash +leakwatch scan git [flags] +``` + +Exactly one positional argument is required: a local path or an HTTP/HTTPS/SSH URL. + +#### Git-specific flags + +| Flag | Default | Description | +|------|---------|-------------| +| `--since ` | — | Scan only commits after this date. | +| `--since-commit ` | — | Scan only changes from this commit hash to HEAD. | +| `--branch ` | — | Target a specific branch instead of the default branch. | +| `--depth ` | `0` (full) | Shallow clone depth for remote repositories. `0` fetches the full history. | + +#### Examples + +```bash +# Scan full local history +leakwatch scan git . --format table + +# Scan only commits added by a pull request +leakwatch scan git . --since-commit a1b2c3d --format json +``` + +--- + +### `scan image` + +Scans the layers of an OCI/Docker image for secrets. Leakwatch is daemonless and pulls directly from the registry — no Docker socket is required. + +```bash +leakwatch scan image [flags] +``` + +Exactly one positional argument is required. + +#### Examples + +```bash +# Scan a public image +leakwatch scan image nginx:latest --format table + +# Scan a private registry image and save JSON output +leakwatch scan image registry.example.com/my-app:v2.3.0 \ + --format json \ + --output image-results.json +``` + +--- + +### `scan s3` + +Scans objects in an AWS S3 bucket. + +```bash +leakwatch scan s3 [flags] +``` + +Exactly one positional argument is required. + +#### S3-specific flags + +| Flag | Default | Description | +|------|---------|-------------| +| `--prefix ` | — | Limit the scan to objects whose key starts with this prefix. | +| `--region ` | — | AWS region of the bucket. Falls back to `AWS_REGION` environment variable or the AWS SDK default. | + +#### Examples + +```bash +# Scan an entire bucket +leakwatch scan s3 my-data-bucket --region us-east-1 --format table + +# Scan only a specific prefix +leakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json +``` + +--- + +### `scan gcs` + +Scans objects in a Google Cloud Storage bucket. + +```bash +leakwatch scan gcs [flags] +``` + +Exactly one positional argument is required. + +#### GCS-specific flags + +| Flag | Default | Description | +|------|---------|-------------| +| `--prefix ` | — | Limit the scan to objects whose name starts with this prefix. | +| `--project ` | — | GCP project ID. Required when the bucket's project cannot be inferred from the default credentials. | + +#### Examples + +```bash +# Scan an entire GCS bucket +leakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table + +# Scan a prefix +leakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json +``` + +--- + +### `scan slack` + +Scans message text in a Slack workspace. + +```bash +leakwatch scan slack [flags] +``` + +No positional arguments. + +#### Slack-specific flags + +| Flag | Default | Description | +|------|---------|-------------| +| `--token ` | — | Slack bot token. Can also be set via `LEAKWATCH_SLACK_TOKEN`. | +| `--channels ` | — | Comma-separated list of channel names or IDs to scan. Scans all accessible channels when omitted. | +| `--exclude-channels ` | — | Comma-separated list of channel names or IDs to skip. | +| `--since ` | — | Scan only messages posted after this date. | +| `--include-dms` | `false` | Include direct messages (requires additional OAuth scopes). | +| `--rate-limit ` | `20` | Maximum Slack API requests per second. | + +#### Examples + +```bash +# Scan all accessible channels +leakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table + +# Scan specific channels since a date +leakwatch scan slack \ + --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \ + --channels general,engineering \ + --since 2026-01-01 \ + --format json +``` + +--- + +### `scan repos` + +Scans multiple Git repositories in parallel. + +```bash +leakwatch scan repos [flags] +``` + +Requires at least two positional arguments (repository URLs or local paths). + +#### Repos-specific flags + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--parallel` | — | `3` | Number of repositories to scan concurrently. | +| `--concurrency` | `-c` | CPU count | Worker concurrency within each repository scan. | + +#### Examples + +```bash +# Scan two repositories in parallel +leakwatch scan repos \ + https://github.com/org/repo-a.git \ + https://github.com/org/repo-b.git \ + --format json + +# Increase parallelism for a large set of repos +leakwatch scan repos \ + https://github.com/org/repo-a.git \ + https://github.com/org/repo-b.git \ + https://github.com/org/repo-c.git \ + --parallel 3 \ + --format sarif \ + --output multi-repo.sarif +``` + +--- + +## See also + +- [Exit Codes](#/reference/exit-codes) — how exit codes map to scan outcomes. +- [Environment Variables](#/reference/environment-variables) — configure Leakwatch without flags. +- [Filesystem Scanning](#/scanning/filesystem) — detailed `scan fs` guide. +- [Git History](#/scanning/git-history) — detailed `scan git` guide. +- [Configuration File](#/configuration/config-file) — `.leakwatch.yaml` reference. diff --git a/docs/user-manuals/en/reference/environment-variables.md b/docs/user-manuals/en/reference/environment-variables.md new file mode 100644 index 0000000..ace5709 --- /dev/null +++ b/docs/user-manuals/en/reference/environment-variables.md @@ -0,0 +1,98 @@ +--- +title: "Environment Variables" +description: "Environment variables that configure Leakwatch behavior without flags." +--- + +# Environment Variables + +Leakwatch reads configuration from three sources in priority order: **command-line flags** override **environment variables**, which override the **config file** (`.leakwatch.yaml`), which falls back to built-in **defaults**. Environment variables are useful in CI environments where you cannot modify a config file or pass flags to every invocation. + +## Configuration variable pattern + +Any key from `.leakwatch.yaml` can be set as an environment variable by: + +1. Uppercasing the key name. +2. Replacing `.` and `-` with `_`. +3. Prepending `LEAKWATCH_`. + +For example, the config key `scan.concurrency` becomes `LEAKWATCH_SCAN_CONCURRENCY`. + +## Variable reference + +### Leakwatch-specific variables + +| Variable | Description | +|----------|-------------| +| `LEAKWATCH_SLACK_TOKEN` | Slack bot token for `scan slack`. Equivalent to `--token`. Set this instead of passing the token as a flag to avoid it appearing in shell history or CI logs. | +| `LEAKWATCH_SCAN_CONCURRENCY` | Number of concurrent scan workers. Equivalent to `--concurrency`. | +| `LEAKWATCH_VERIFICATION_ENABLED` | Set to `false` to disable live verification globally. Equivalent to `--no-verify`. | +| `LEAKWATCH_VERIFICATION_RATE_LIMIT` | Maximum verification requests per second across all verifiers. | +| `LEAKWATCH_OUTPUT_FORMAT` | Default output format (`json`, `sarif`, `csv`, or `table`). Equivalent to `--format`. | +| `LEAKWATCH_DETECTION_ENTROPY_THRESHOLD` | Minimum Shannon entropy for a match to be reported. Float value, e.g. `3.5`. | + +### Display variable + +| Variable | Description | +|----------|-------------| +| `NO_COLOR` | When set to any non-empty value, disables ANSI color codes in the `table` output formatter. Follows the [no-color.org](https://no-color.org) convention. | + +### AWS variables (for `scan s3` and AWS secret verification) + +These are standard AWS SDK environment variables. Leakwatch passes them through to the AWS SDK v2 default credential chain. + +| Variable | Description | +|----------|-------------| +| `AWS_ACCESS_KEY_ID` | AWS access key ID. | +| `AWS_SECRET_ACCESS_KEY` | AWS secret access key. | +| `AWS_SESSION_TOKEN` | AWS session token (for temporary credentials). | +| `AWS_REGION` | Default AWS region. | +| `AWS_PROFILE` | Named profile from `~/.aws/credentials` to use. | + +### GCS variable (for `scan gcs`) + +| Variable | Description | +|----------|-------------| +| `GOOGLE_APPLICATION_CREDENTIALS` | Path to a Google service-account JSON key file. Used by Application Default Credentials when scanning a GCS bucket. | + +## Precedence example + +Given this setup: + +- `.leakwatch.yaml` sets `output.format: table` +- `LEAKWATCH_OUTPUT_FORMAT=json` is set in the environment +- The command is run as `leakwatch scan fs .` (no `--format` flag) + +The effective format is `json` because the environment variable overrides the config file. + +If the command is run as `leakwatch scan fs . --format sarif`, the effective format is `sarif` because the flag overrides everything. + +## Credentials for verification vs. credentials for scanning + +:::note +The AWS and GCP variables above are consumed to **authenticate Leakwatch itself** when it connects to S3 or GCS to retrieve objects for scanning. They are not used to verify found secrets. Verification of a discovered AWS key, for example, uses that discovered key itself to call AWS STS — not the runner's credentials. +::: + +## Passing secrets safely in CI + +In GitHub Actions, use encrypted secrets: + +```yaml +env: + LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} +``` + +In GitLab CI, use masked CI/CD variables: + +```yaml +variables: + LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # defined as a masked variable in project settings +``` + +Never hard-code token values in workflow files or Dockerfiles. + +## See also + +- [Configuration File](#/configuration/config-file) — full `.leakwatch.yaml` key reference. +- [Cloud Storage Scanning](#/scanning/cloud-storage) — `scan s3` and `scan gcs` credentials. +- [Slack Scanning](#/scanning/slack) — Slack token scopes and permissions. +- [CLI Reference](#/reference/cli-reference) — equivalent command-line flags. diff --git a/docs/user-manuals/en/reference/exit-codes.md b/docs/user-manuals/en/reference/exit-codes.md new file mode 100644 index 0000000..ceef791 --- /dev/null +++ b/docs/user-manuals/en/reference/exit-codes.md @@ -0,0 +1,94 @@ +--- +title: "Exit Codes" +description: "Leakwatch exit code reference and how to use them in scripts and CI pipelines." +--- + +# Exit Codes + +Leakwatch uses a small, well-defined set of exit codes so that CI pipelines and shell scripts can act on scan results without parsing output. Every scan subcommand exits with one of three codes. + +## Code reference + +| Code | Name | Meaning | +|------|------|---------| +| `0` | Clean | The scan completed successfully and no findings passed the active filters. | +| `1` | Findings | The scan completed and one or more secrets were found (and passed the active filters). | +| `2` | Error | A hard error occurred — for example, an invalid flag, an unreadable path, or an authentication failure. An `Error: ...` message and a usage hint are printed to stderr. | + +## How filters affect exit code 1 + +Exit code `1` is only emitted when at least one finding survives all active output filters. The two most relevant filters are: + +- **`--min-severity`** — findings below the threshold are suppressed. If all findings are `low` severity and you run with `--min-severity high`, exit code `0` is returned even though secrets exist. +- **`--only-verified`** — only findings confirmed active by live verification are reported. If no active secrets are found, exit code `0` is returned. + +This means exit code `0` means "no findings matched your current filter settings" — not necessarily that the codebase contains no secrets at all. + +:::warn +A clean `0` exit under `--only-verified` does not guarantee the codebase is secret-free. Secrets for which verification is unavailable (9 detector types) are always reported as unverified and are suppressed by `--only-verified`. Pair `--only-verified` with a separate unfiltered scan if you need full coverage. +::: + +## Using exit codes in shell scripts + +```bash +#!/usr/bin/env bash +set +e +leakwatch scan fs . --format json --output leakwatch.json --no-verify +EXIT_CODE=$? +set -e + +case "$EXIT_CODE" in + 0) + echo "No secrets found. Build continues." + ;; + 1) + echo "Secrets found — review leakwatch.json and remediate before merging." + exit 1 + ;; + *) + echo "Leakwatch encountered an error (exit $EXIT_CODE)." + exit "$EXIT_CODE" + ;; +esac +``` + +`set +e` before the scan prevents the shell from exiting on non-zero codes, giving you the chance to capture and handle the code yourself. + +## Using exit codes in CI pipelines + +Most CI systems treat any non-zero exit code as a step failure. Since Leakwatch exits `1` when secrets are found, the pipeline fails automatically without any extra configuration — simply run the scan command. + +To allow the pipeline to continue even when secrets are found (for example, to collect the report without blocking the build), explicitly ignore the exit code: + +```bash +leakwatch scan fs . --format sarif --output results.sarif --no-verify || true +``` + +Or, in GitLab CI: + +```yaml +allow_failure: true +``` + +Or, in the GitHub Action, set `fail-on-findings: "false"`. + +## Exit code 2 in practice + +Exit code `2` indicates a configuration or runtime error that prevented the scan from running at all. Common causes: + +- An invalid flag value (for example, `--format invalid`). +- A path that does not exist or is not readable. +- A missing required argument (for example, `scan git` with no URL). +- An authentication error when connecting to a cloud source. + +The error message is printed to stderr and includes context to help diagnose the problem: + +```text +Error: unknown format "xlsx"; valid values: json, sarif, csv, table +``` + +## See also + +- [Other CI Systems](#/ci-cd/other-ci) — how to wire exit codes into GitLab CI, Jenkins, and others. +- [GitHub Action](#/ci-cd/github-action) — how the official action maps exit codes to step outcomes. +- [CLI Reference](#/reference/cli-reference) — full flag reference. diff --git a/docs/user-manuals/en/scanning/cloud-storage.md b/docs/user-manuals/en/scanning/cloud-storage.md new file mode 100644 index 0000000..8a31d4e --- /dev/null +++ b/docs/user-manuals/en/scanning/cloud-storage.md @@ -0,0 +1,146 @@ +--- +title: "Cloud Storage (S3 & GCS)" +description: "Scan AWS S3 and Google Cloud Storage buckets for leaked secrets." +--- + +# Cloud Storage (S3 & GCS) + +Secrets regularly end up in cloud storage — exported database dumps, environment files, CI artefacts, and log archives all flow into buckets that may be readable by more people than intended. Leakwatch can scan AWS S3 and Google Cloud Storage buckets object-by-object and flag any secrets it finds before they become an incident. + +## AWS S3 + +### Usage + +```bash +leakwatch scan s3 +``` + +The command takes exactly one argument: the **bucket name** (without the `s3://` prefix). The scan target is displayed as `s3://`. + +### Authentication + +Leakwatch uses the standard [AWS default credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html): + +1. Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`). +2. Shared credentials file (`~/.aws/credentials`). +3. Shared configuration file (`~/.aws/config`). +4. IAM role attached to the instance or task (EC2, ECS, Lambda). + +No additional configuration is required if you are already authenticated with the AWS CLI (`aws configure` or an assumed role). + +### S3-specific flags + +| Flag | Type | Default | Description | +|------|------|---------|-------------| +| `--prefix` | string | — | Scan only objects whose key starts with this prefix. | +| `--region` | string | From AWS config | AWS region of the bucket. | + +### S3 examples + +Scan an entire bucket: + +```bash +leakwatch scan s3 my-config-bucket +``` + +Scan only objects under a specific key prefix in a given region: + +```bash +leakwatch scan s3 my-bucket --prefix logs/ --region us-east-1 +``` + +Save results as SARIF: + +```bash +leakwatch scan s3 my-bucket --format sarif --output s3-results.sarif +``` + +:::tip +Use `--prefix` to limit the scan to a relevant sub-path. Scanning a large bucket with millions of objects can be slow and may incur S3 GET request costs. Narrow the prefix to what actually matters — for example `configs/` or `exports/`. +::: + +--- + +## Google Cloud Storage + +### Usage + +```bash +leakwatch scan gcs +``` + +The command takes exactly one argument: the **bucket name** (without the `gs://` prefix). The scan target is displayed as `gs://`. + +### Authentication + +Leakwatch uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials). The credential search order is: + +1. `GOOGLE_APPLICATION_CREDENTIALS` environment variable pointing to a service-account key file. +2. User credentials set up by `gcloud auth application-default login`. +3. Service account attached to a Google Compute Engine instance, Cloud Run service, or GKE workload. + +### GCS-specific flags + +| Flag | Type | Default | Description | +|------|------|---------|-------------| +| `--prefix` | string | — | Scan only objects whose name starts with this prefix. | +| `--project` | string | — | GCP project ID (required by some ADC configurations). | + +### GCS examples + +Scan an entire bucket with a specific GCP project: + +```bash +leakwatch scan gcs my-config-bucket --project my-gcp-project +``` + +Scan only objects under a specific prefix: + +```bash +leakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/ +``` + +Output as CSV: + +```bash +leakwatch scan gcs my-bucket --format csv --output gcs-results.csv +``` + +--- + +## Common scan flags + +Both `s3` and `gcs` support the same common scan flags: + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Write results to this file instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent workers. | +| `--max-file-size` | — | `10485760` (10 MB) | Skip objects larger than this value (bytes). | +| `--show-raw` | — | `false` | Include the raw secret value in output. | +| `--no-verify` | — | `false` | Disable secret verification. | +| `--only-verified` | — | `false` | Report only findings confirmed active by verification. | +| `--min-severity` | — | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance to each finding. | + +Path-based exclusions (applied to object keys) are configured in `.leakwatch.yaml` under `filter.exclude-paths`. Root-level flags `--config` and `--log-level` (default `warn`) also apply. + +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | Scan completed, no findings. | +| `1` | Scan completed, findings reported. | +| `2` | Scan failed (authentication error, bucket not found, etc.). | + +A scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM. + +## See also + +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [Config File](#/configuration/config-file) — configure exclusions and other defaults. +- [Ignoring Findings](#/configuration/ignoring-findings) — suppress known false positives. +- [How Verification Works](#/verification/how-verification-works) — understand verification statuses. +- [Filesystem](#/scanning/filesystem) — scan a local directory tree. +- [CLI Reference](#/reference/cli-reference) — full flag reference for all commands. diff --git a/docs/user-manuals/en/scanning/container-images.md b/docs/user-manuals/en/scanning/container-images.md new file mode 100644 index 0000000..7a91deb --- /dev/null +++ b/docs/user-manuals/en/scanning/container-images.md @@ -0,0 +1,134 @@ +--- +title: "Container Images" +description: "Scan OCI and Docker image layers for leaked secrets without a Docker daemon." +--- + +# Container Images + +Container images are a common hiding place for secrets: API keys baked into environment variables, credentials embedded in build layers, and configuration files copied into image layers and then forgotten. `leakwatch scan image` inspects every layer of an OCI or Docker image and surfaces those secrets before the image is deployed. + +## Basic usage + +```bash +leakwatch scan image +``` + +The command takes exactly one argument: an image reference in standard `name:tag` notation. Leakwatch uses [go-containerregistry](https://github.com/google/go-containerregistry) to pull and inspect images **daemonlessly** — no running Docker daemon is required. + +```bash +# Scan a Docker Hub image +leakwatch scan image nginx:latest + +# Scan a private GitHub Container Registry image +leakwatch scan image ghcr.io/org/myapp:v1.2.0 + +# Scan an Amazon ECR image +leakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest +``` + +## Supported registries + +| Registry | Example reference | +|----------|-------------------| +| Docker Hub | `nginx:latest`, `myorg/myapp:1.0.0` | +| GitHub Container Registry (GHCR) | `ghcr.io/org/myapp:v1.2.0` | +| Amazon ECR | `123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest` | +| Google Container Registry (GCR) | `gcr.io/my-project/myapp:latest` | +| Any OCI-compatible registry | Standard `registry/name:tag` form | + +## Authentication + +Leakwatch uses the standard credential keychain used by Docker and other OCI tools. If you are already authenticated via `docker login` (or an equivalent tool such as `crane`, `skopeo`, or cloud-provider credential helpers), Leakwatch will use those credentials automatically. + +```bash +# Log in to GHCR first +docker login ghcr.io + +# Then scan — credentials are picked up automatically +leakwatch scan image ghcr.io/org/private-app:latest +``` + +For Amazon ECR, configure the ECR credential helper or set `AWS_ACCESS_KEY_ID` and related environment variables before scanning. + +## How it scans + +Leakwatch pulls the image manifest, iterates over each layer in order, and extracts the files within each layer. Each file's content is run through the same detection pipeline as a filesystem scan. Path exclusions from `filter.exclude-paths` in `.leakwatch.yaml` apply here, limiting which file paths inside layers are examined. + +## Flags + +There are no image-specific flags. All common scan flags apply: + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Write results to this file instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent workers. | +| `--max-file-size` | — | `10485760` (10 MB) | Skip files larger than this value (bytes). | +| `--show-raw` | — | `false` | Include the raw secret value in output. | +| `--no-verify` | — | `false` | Disable secret verification. | +| `--only-verified` | — | `false` | Report only findings confirmed active by verification. | +| `--min-severity` | — | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance to each finding. | + +Path-based exclusions are configured in `.leakwatch.yaml` under `filter.exclude-paths`. See [Config File](#/configuration/config-file) for details. + +Root-level flags `--config` and `--log-level` (default `warn`) also apply. + +## Examples + +Scan a Docker Hub image and print results as a table: + +```bash +leakwatch scan image alpine:3.20 --format table +``` + +Scan a private registry image and save SARIF output: + +```bash +leakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif +``` + +Scan and show only verified active secrets: + +```bash +leakwatch scan image myapp:latest --only-verified --format table +``` + +Include remediation guidance in JSON output: + +```bash +leakwatch scan image myapp:latest --remediation --format json -o image-findings.json +``` + +## Finding metadata + +Each finding from an image scan includes layer metadata: + +| Field | Description | +|-------|-------------| +| `image` | The image reference that was scanned. | +| `layer` | The layer digest where the finding was detected. | +| `file_path` | The path of the file within the layer. | + +:::tip +Integrate container image scanning into your CI/CD pipeline's build stage to catch secrets before the image is pushed to a registry. Use `--format sarif` to upload results directly to GitHub Code Scanning. +::: + +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | Scan completed, no findings. | +| `1` | Scan completed, findings reported. | +| `2` | Scan failed (image not found, authentication error, etc.). | + +A scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM. + +## See also + +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [Filesystem](#/scanning/filesystem) — scan a local directory tree. +- [Config File](#/configuration/config-file) — configure exclusions and other defaults. +- [Ignoring Findings](#/configuration/ignoring-findings) — suppress known false positives. +- [How Verification Works](#/verification/how-verification-works) — understand verification statuses. +- [CLI Reference](#/reference/cli-reference) — full flag reference for all commands. diff --git a/docs/user-manuals/en/scanning/filesystem.md b/docs/user-manuals/en/scanning/filesystem.md new file mode 100644 index 0000000..49d7b3b --- /dev/null +++ b/docs/user-manuals/en/scanning/filesystem.md @@ -0,0 +1,123 @@ +--- +title: "Filesystem" +description: "Scan a local directory tree for leaked secrets with leakwatch scan fs." +--- + +# Filesystem + +Local source code is where secrets most often appear first. The `leakwatch scan fs` command walks every file in a directory tree, runs the full detection pipeline on each one, and reports any findings before they can be committed — or after the fact on an existing codebase. + +## Basic usage + +```bash +leakwatch scan fs [path] +``` + +`path` is optional. When omitted, Leakwatch scans the current working directory (`.`). Only one path argument is accepted. + +```bash +# Scan the current directory +leakwatch scan fs + +# Scan a specific project folder +leakwatch scan fs ./my-project +``` + +## What the filesystem source skips automatically + +To keep scans fast and noise-free, the filesystem source skips the following without any configuration: + +- **Binary files** — detected by the presence of a null byte in the first 8 KB of the file. +- **Known binary extensions** — common compiled, image, audio, video, and archive formats. +- **Lock files** — `package-lock.json`, `yarn.lock`, `Pipfile.lock`, and similar. + +## Flags + +### Filesystem-specific + +| Flag | Type | Default | Description | +|------|------|---------|-------------| +| `--exclude` | string (repeatable) | — | Glob patterns for paths to exclude. Can be repeated or comma-separated. | + +### Common scan flags + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Write results to this file instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent workers. | +| `--max-file-size` | — | `10485760` (10 MB) | Skip files larger than this value (bytes). | +| `--show-raw` | — | `false` | Include the raw secret value in output. | +| `--no-verify` | — | `false` | Disable secret verification. | +| `--only-verified` | — | `false` | Report only findings confirmed active by verification. | +| `--min-severity` | — | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance to each finding. | + +Root-level flags `--config` and `--log-level` (default `warn`) also apply. + +## Examples + +Scan the current directory and print a colorized table to the terminal: + +```bash +leakwatch scan fs . --format table +``` + +Exclude test files and vendor directories, then save SARIF output for GitHub Code Scanning: + +```bash +leakwatch scan fs . \ + --exclude "**/*_test.go" \ + --exclude "vendor/**" \ + --format sarif \ + --output results.sarif +``` + +Limit file size to 5 MB and increase worker count for a large monorepo: + +```bash +leakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table +``` + +Show only high-severity findings and include rotation instructions: + +```bash +leakwatch scan fs . --min-severity high --remediation --format table +``` + +## Excluding paths + +The `--exclude` flag accepts glob patterns and can be specified multiple times or as a comma-separated list: + +```bash +# Two separate flags +leakwatch scan fs . --exclude "**/*_test.go" --exclude "docs/**" + +# Comma-separated +leakwatch scan fs . --exclude "**/*_test.go,docs/**" +``` + +For permanent exclusion rules shared across your team, add them to `.leakwatch.yaml` under `filter.exclude-paths`. Those rules apply to every source, not just filesystem scans. You can also create a `.leakwatchignore` file in your project root. See [Config File](#/configuration/config-file) and [Ignoring Findings](#/configuration/ignoring-findings) for details. + +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | Scan completed, no findings. | +| `1` | Scan completed, findings reported. | +| `2` | Scan failed (configuration error, unreadable path, etc.). | + +A scan summary (source type, target, file count, duration, and finding count) is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM. + +:::tip +Run `leakwatch scan fs . --format table` during development to get a quick visual overview. Switch to `--format sarif` in CI pipelines to integrate with GitHub Code Scanning. +::: + +## See also + +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [Config File](#/configuration/config-file) — configure default format, exclusions, and more. +- [Ignoring Findings](#/configuration/ignoring-findings) — `.leakwatchignore` and inline suppression. +- [How Verification Works](#/verification/how-verification-works) — understand verification statuses. +- [Git History](#/scanning/git-history) — scan committed history, not just the working tree. +- [CLI Reference](#/reference/cli-reference) — full flag reference for all commands. diff --git a/docs/user-manuals/en/scanning/git-history.md b/docs/user-manuals/en/scanning/git-history.md new file mode 100644 index 0000000..7f1eeb0 --- /dev/null +++ b/docs/user-manuals/en/scanning/git-history.md @@ -0,0 +1,138 @@ +--- +title: "Git History" +description: "Scan the full commit history of a local or remote Git repository for leaked secrets." +--- + +# Git History + +A secret that was committed and then deleted is still present in every earlier commit, reachable to anyone with repository access. `leakwatch scan git` walks the *entire* commit history of a repository — local or remote — and surfaces those secrets before they can be exploited. + +## Basic usage + +```bash +leakwatch scan git +``` + +The command takes exactly one argument: either a **local filesystem path** to a repository (`.` for the current directory) or a **remote HTTP/HTTPS or SSH URL**. + +Leakwatch uses [go-git](https://github.com/go-git/go-git) for all Git operations — a pure Go implementation with no dependency on a system `git` binary. + +```bash +# Scan the local repository in the current directory +leakwatch scan git . + +# Scan a remote repository over HTTPS +leakwatch scan git https://github.com/org/repo.git + +# Scan over SSH +leakwatch scan git git@github.com:org/repo.git +``` + +## How it scans + +Leakwatch walks every commit in the history and examines the blobs introduced by each commit. **Blob-hash deduplication** ensures that identical file content is scanned only once, no matter how many commits reference it. This keeps scan time proportional to the *unique content* in the repository rather than to the raw commit count. + +:::note +Because Leakwatch examines commit-by-commit diffs, it finds secrets that were introduced and later deleted — content that is invisible in the current working tree. +::: + +## Flags + +### Git-specific + +| Flag | Type | Default | Description | +|------|------|---------|-------------| +| `--since` | string (YYYY-MM-DD) | — | Scan only commits after this date. | +| `--since-commit` | string | — | Scan only changes from this commit hash to HEAD (diff-based). | +| `--branch` | string | — | Target a specific branch instead of the default. | +| `--depth` | int | `0` (full) | Clone depth for **remote repositories only**. `0` means full history. | + +### Common scan flags + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Write results to this file instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent workers. | +| `--max-file-size` | — | `10485760` (10 MB) | Skip blobs larger than this value (bytes). | +| `--show-raw` | — | `false` | Include the raw secret value in output. | +| `--no-verify` | — | `false` | Disable secret verification. | +| `--only-verified` | — | `false` | Report only findings confirmed active by verification. | +| `--min-severity` | — | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance to each finding. | + +Root-level flags `--config` and `--log-level` (default `warn`) also apply. + +## Examples + +Scan the full history of the local repository and print a table: + +```bash +leakwatch scan git . --format table +``` + +Scan only commits made after a specific date on the `develop` branch: + +```bash +leakwatch scan git . --since 2026-02-23 --branch develop +``` + +Scan changes introduced since a specific commit (useful in CI to check only new commits): + +```bash +leakwatch scan git . --since-commit a1b2c3d +``` + +Do a shallow clone of a large remote repository to speed up the initial scan: + +```bash +leakwatch scan git https://github.com/org/repo.git --depth 50 +``` + +Scan a remote repository and save verified findings only as SARIF: + +```bash +leakwatch scan git https://github.com/org/repo.git \ + --only-verified \ + --format sarif \ + --output git-results.sarif +``` + +## Finding metadata + +Each finding from a Git scan includes commit metadata: + +| Field | Description | +|-------|-------------| +| `repository` | URL or path of the scanned repository (credentials stripped). | +| `commit` | Commit hash where the secret was introduced. | +| `author` | Commit author name and email. | +| `date` | Commit timestamp. | +| `branch` | Branch context (when available). | + +:::tip +Use `--since-commit` in pull-request CI jobs to scan only the commits added by the PR. Use `--since ` for scheduled nightly scans covering recent activity. +::: + +## Credential safety + +When a repository URL contains embedded credentials (for example `https://user:TOKEN@host/repo.git`), Leakwatch strips those credentials before writing anything to logs or output, so the token never appears in scan results or CI traces. + +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | Scan completed, no findings. | +| `1` | Scan completed, findings reported. | +| `2` | Scan failed (invalid URL, authentication error, etc.). | + +A scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM. + +## See also + +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [Multiple Repositories](#/scanning/multiple-repos) — scan several repositories in one command. +- [Filesystem](#/scanning/filesystem) — scan the working tree instead of history. +- [How Verification Works](#/verification/how-verification-works) — understand verification statuses. +- [Ignoring Findings](#/configuration/ignoring-findings) — suppress known false positives. +- [CLI Reference](#/reference/cli-reference) — full flag reference for all commands. diff --git a/docs/user-manuals/en/scanning/multiple-repos.md b/docs/user-manuals/en/scanning/multiple-repos.md new file mode 100644 index 0000000..b701213 --- /dev/null +++ b/docs/user-manuals/en/scanning/multiple-repos.md @@ -0,0 +1,129 @@ +--- +title: "Multiple Repositories" +description: "Scan several Git repositories concurrently and combine results into a single report." +--- + +# Multiple Repositories + +When an organization grows, secrets can land in any of dozens or hundreds of repositories. Checking them one by one is impractical. `leakwatch scan repos` accepts multiple repository URLs and scans them concurrently, merging all findings into a single output — one command, one report. + +## Basic usage + +```bash +leakwatch scan repos [url...] +``` + +The command requires **at least two** repository URLs. All repositories are cloned, scanned, and cleaned up automatically. The combined finding count and a single scan summary are reported at the end. + +```bash +leakwatch scan repos \ + https://github.com/org/api.git \ + https://github.com/org/web.git +``` + +## How it works + +Leakwatch spawns up to `--parallel` repository scans at once. Each repository is: + +1. Cloned from the provided URL (credentials are stripped from logs and output for safety). +2. Scanned with the full detection pipeline, using `--concurrency` workers for that repository. +3. Cleaned up (the temporary clone is deleted) once the scan completes. + +All findings from all repositories are collected and written as a single output, as if the scan had been a single-source run. The displayed target is ` repositories`. + +## Flags + +### Multi-repo-specific + +| Flag | Type | Default | Description | +|------|------|---------|-------------| +| `--parallel` | int | `3` | Number of repositories to scan in parallel. | + +### Common scan flags + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Write results to this file instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent workers **per repository**. | +| `--max-file-size` | — | `10485760` (10 MB) | Skip blobs larger than this value (bytes). | +| `--show-raw` | — | `false` | Include the raw secret value in output. | +| `--no-verify` | — | `false` | Disable secret verification. | +| `--only-verified` | — | `false` | Report only findings confirmed active by verification. | +| `--min-severity` | — | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance to each finding. | + +Path exclusions from `filter.exclude-paths` in `.leakwatch.yaml` apply to all repositories. Root-level flags `--config` and `--log-level` (default `warn`) also apply. + +## Examples + +Scan two repositories and display results as a table: + +```bash +leakwatch scan repos \ + https://github.com/org/api.git \ + https://github.com/org/web.git \ + --format table +``` + +Scan five repositories with higher parallelism and save the combined results as SARIF: + +```bash +leakwatch scan repos \ + https://github.com/org/api.git \ + https://github.com/org/web.git \ + https://github.com/org/infra.git \ + https://github.com/org/mobile.git \ + https://github.com/org/docs.git \ + --parallel 4 \ + --format sarif \ + --output all-repos.sarif +``` + +Scan with more workers per repository and show only verified findings: + +```bash +leakwatch scan repos \ + https://github.com/org/backend.git \ + https://github.com/org/frontend.git \ + --concurrency 8 \ + --only-verified \ + --format json \ + --output verified-findings.json +``` + +## Tuning parallelism + +Two knobs control throughput: + +- `--parallel` controls how many repository clones and scans run simultaneously. The default of `3` is appropriate for most workloads. Raise it when network bandwidth and CPU headroom allow; lower it on constrained machines. +- `--concurrency` (`-c`) controls how many worker goroutines process file blobs *within* each individual repository. This is the same flag available on all scan commands. + +Total concurrent operations at peak = `--parallel` × `--concurrency`. + +:::note +If one or more repository scans fail (for example, due to a network error or authentication failure), Leakwatch logs the error and continues scanning the remaining repositories. The exit code will be `2` if any individual repo scan failed, even if other repos produced findings. +::: + +## Credential safety + +Any embedded credentials in repository URLs (e.g. `https://user:TOKEN@host/repo.git`) are stripped before the URL is written to logs, output, or the scan summary. + +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | All scans completed, no findings. | +| `1` | All scans completed, findings reported. | +| `2` | One or more repository scans failed, or a configuration error occurred. | + +A scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM. + +## See also + +- [Git History](#/scanning/git-history) — scan a single repository in depth. +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [Config File](#/configuration/config-file) — configure shared defaults for all sources. +- [Ignoring Findings](#/configuration/ignoring-findings) — suppress known false positives. +- [How Verification Works](#/verification/how-verification-works) — understand verification statuses. +- [CLI Reference](#/reference/cli-reference) — full flag reference for all commands. diff --git a/docs/user-manuals/en/scanning/slack.md b/docs/user-manuals/en/scanning/slack.md new file mode 100644 index 0000000..bf2c6ca --- /dev/null +++ b/docs/user-manuals/en/scanning/slack.md @@ -0,0 +1,144 @@ +--- +title: "Slack Workspace" +description: "Scan Slack channel and DM message text for leaked secrets." +--- + +# Slack Workspace + +Developers frequently share credentials in chat — a token pasted into a channel for a quick test, a password sent in a DM, or an API key mentioned in an incident thread. `leakwatch scan slack` reads message text across your Slack workspace and flags any secrets it finds. + +:::warn +Leakwatch scans **message text only**. Scanning the contents of uploaded files (attachments, snippets) is not implemented. Only the text body of messages is analysed. +::: + +## Basic usage + +```bash +leakwatch scan slack +``` + +This command takes **no positional arguments**. All configuration is provided through flags or environment variables. + +## Authentication + +A Slack Bot Token is required. Provide it via the `--token` flag or the `LEAKWATCH_SLACK_TOKEN` environment variable. Using an environment variable is recommended so the token never appears in shell history or process listings. + +```bash +export LEAKWATCH_SLACK_TOKEN=xoxb-... +leakwatch scan slack +``` + +### Required bot token scopes + +The bot token must be associated with a Slack app that has the following OAuth scopes: + +| Scope | Purpose | +|-------|---------| +| `channels:history` | Read messages in public channels the bot has joined. | +| `groups:history` | Read messages in private channels the bot has joined. | +| `im:history` | Read direct messages (required only with `--include-dms`). | +| `mpim:history` | Read group direct messages (required only with `--include-dms`). | + +## Flags + +### Slack-specific + +| Flag | Type | Default | Description | +|------|------|---------|-------------| +| `--token` | string | — | Slack Bot Token. Prefer `LEAKWATCH_SLACK_TOKEN` env var. | +| `--channels` | string | all channels | Comma-separated list of channel names to scan. | +| `--exclude-channels` | string | — | Comma-separated list of channel names to skip. | +| `--since` | string (YYYY-MM-DD) | — | Scan messages posted on or after this date. | +| `--include-dms` | bool | `false` | Also scan direct messages and group DMs. | +| `--rate-limit` | float | `20` | Maximum Slack API requests per second. | + +### Common scan flags + +| Flag | Short | Default | Description | +|------|-------|---------|-------------| +| `--format` | `-f` | `json` | Output format: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Write results to this file instead of stdout. | +| `--concurrency` | `-c` | CPU count | Number of concurrent workers. | +| `--max-file-size` | — | `10485760` (10 MB) | Internal chunk size limit (bytes). | +| `--show-raw` | — | `false` | Include the raw secret value in output. | +| `--no-verify` | — | `false` | Disable secret verification. | +| `--only-verified` | — | `false` | Report only findings confirmed active by verification. | +| `--min-severity` | — | `low` | Minimum severity to report: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Attach remediation guidance to each finding. | + +Root-level flags `--config` and `--log-level` (default `warn`) also apply. + +## Examples + +Scan all channels the bot has access to, using an environment variable for the token: + +```bash +export LEAKWATCH_SLACK_TOKEN=xoxb-... +leakwatch scan slack +``` + +Scan specific channels and limit to messages since the start of the year: + +```bash +leakwatch scan slack \ + --channels general,engineering,backend \ + --since 2026-01-01 +``` + +Exclude noisy channels and include direct messages: + +```bash +leakwatch scan slack \ + --exclude-channels random,social,giphy \ + --include-dms +``` + +Reduce the API request rate to avoid Slack rate-limit errors on large workspaces: + +```bash +leakwatch scan slack --rate-limit 10 --format table +``` + +Save only verified active findings to a JSON file: + +```bash +leakwatch scan slack \ + --only-verified \ + --format json \ + --output slack-findings.json +``` + +## Finding metadata + +Each finding from a Slack scan includes message and channel metadata: + +| Field | Description | +|-------|-------------| +| `channel` | The channel name where the finding was detected. | +| `message_ts` | Slack message timestamp (unique message ID). | +| `author` | Slack user ID of the message author. | + +## Performance considerations + +Slack API requests are subject to rate limits enforced by Slack. The `--rate-limit` flag (default `20` requests/second) controls how aggressively Leakwatch makes requests. Lower this value if you see `429 Too Many Requests` errors, especially on large workspaces. + +Use `--channels` to target specific channels rather than scanning the entire workspace on every run. Combine with `--since` to scan only recent messages incrementally. + +## Exit codes + +| Code | Meaning | +|------|---------| +| `0` | Scan completed, no findings. | +| `1` | Scan completed, findings reported. | +| `2` | Scan failed (missing token, authentication error, etc.). | + +A scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM. + +## See also + +- [Quick Start](#/getting-started/quick-start) — run your first scan in under a minute. +- [Config File](#/configuration/config-file) — configure defaults in `.leakwatch.yaml`. +- [Ignoring Findings](#/configuration/ignoring-findings) — suppress known false positives. +- [How Verification Works](#/verification/how-verification-works) — understand verification statuses. +- [Git History](#/scanning/git-history) — scan committed history for secrets. +- [CLI Reference](#/reference/cli-reference) — full flag reference for all commands. diff --git a/docs/user-manuals/en/verification/how-verification-works.md b/docs/user-manuals/en/verification/how-verification-works.md new file mode 100644 index 0000000..b1b1aef --- /dev/null +++ b/docs/user-manuals/en/verification/how-verification-works.md @@ -0,0 +1,107 @@ +--- +title: "How Verification Works" +description: "How Leakwatch confirms whether a detected secret is still active, which verification modes it uses, and how to configure or disable verification." +--- + +# How Verification Works + +Finding a secret in a codebase is only half the story. A key that was rotated six months ago is noise; a key that is still live is an active incident. Verification is the step that draws that line — it takes each detected finding and, where possible, confirms whether the secret is currently valid at the provider. + +## From detection to verification + +After the scan engine collects findings, the verifier pool picks them up. Each finding carries a `detector_id`; Leakwatch looks up whether a verifier is registered for that ID: + +- If a verifier exists, it runs and returns a status. +- If no verifier is registered for that detector type, the finding passes through unchanged with status `unverified`. + +## Two verification modes + +Not all secrets can be verified the same way. Leakwatch uses two distinct approaches depending on what is safe for each credential type. + +### Live API verification + +For approximately 49 detector types, Leakwatch makes a **controlled, read-only API call** to the provider — for example, calling `sts:GetCallerIdentity` for AWS keys or `GET /user` for GitHub tokens. The call uses only the minimum endpoint required to confirm identity; it never modifies data, creates resources, or triggers billing events. + +If the provider returns a success response, the finding is marked `verified_active`. If the provider rejects the credential (for example with HTTP 401 or 403), the finding is marked `verified_inactive`. + +### Format validation only + +For five credential types, no safe live check exists — the provider has no anonymous identity endpoint, or a real call would have side effects. For these, Leakwatch validates the structure of the credential without making any network request: + +| Detector ID | What is validated | +|-------------|------------------| +| `gcp-service-account` | JSON structure — `type`, `project_id`, `private_key_id`, `client_email` fields present | +| `rabbitmq-connection-string` | AMQP URL parsed successfully | +| `snowflake-credentials` | Format check only — a valid format proves nothing, result is always `unverified` | +| `azure-storage-key` | Format check | +| `azure-entra-secret` | Format check | + +:::note +Even when the format check passes, the result remains `unverified`. A structurally valid credential may be expired or revoked. These findings always require manual triage. +::: + +## Verification statuses + +Every finding in Leakwatch output carries one of four statuses: + +| Status | Meaning | Recommended action | +|--------|---------|-------------------| +| `verified_active` | The secret was confirmed live by the provider. | Treat as an active incident. Rotate immediately. | +| `verified_inactive` | The provider rejected the credential. | Likely already rotated. Review context and close. | +| `unverified` | No verifier exists for this type, or format validation returned no result, or verification was disabled. | Triage manually; context determines risk. | +| `verify_error` | The verifier ran but encountered a network error, timeout, or unexpected response. | Treat as potentially active. Retry or triage manually. | + +## The verification engine + +Verification runs in a dedicated concurrent worker pool, isolated from the scan worker pool. The defaults are conservative to avoid triggering provider rate limits: + +| Setting | Default | Config key | +|---------|---------|-----------| +| Worker count | 4 | `verification.concurrency` | +| Global rate limit | 10 requests/second | `verification.rate-limit` | +| Per-request timeout | 10 s | `verification.timeout` | + +All three values are tunable under the `verification:` block in `.leakwatch.yaml`: + +```yaml +verification: + enabled: true + concurrency: 4 + rate-limit: 10.0 # requests per second (global) + timeout: 10s +``` + +:::tip +If you are scanning a repository that triggers hundreds of findings, consider lowering `rate-limit` to 5 or enabling `--only-verified` to keep the verified-active set small and actionable. +::: + +## Controlling verification at the command line + +**Disable verification entirely** with `--no-verify` (or set `verification.enabled: false` in config). Every finding passes through as `unverified`. Use this for offline or air-gapped environments, or when you want the fastest possible scan without touching any provider API. + +```bash +leakwatch scan fs . --no-verify +``` + +**Show only confirmed-live secrets** with `--only-verified`. Everything that is not `verified_active` is dropped from the output. This is the fastest way to triage a large result set — you see only the keys you must act on now. + +```bash +leakwatch scan git . --only-verified +``` + +:::warn +`--only-verified` silently drops `unverified` and `verify_error` findings. Do not use it as your sole filter in a compliance context — some credential types (JWTs, generic API keys, private keys) can never be verified and would always be excluded. +::: + +## Secret safety + +Verification is designed so that the raw secret value never leaves the process boundary in an unsafe way: + +- Verifiers pass the secret directly to the provider's HTTP endpoint over TLS — it is never written to disk, emitted to a log, or cached between runs. +- A verifier that fails to initialise or encounters a panic is caught by the engine, which marks the finding `verify_error` and continues rather than crashing the scan. + +## See also + +- [Verification Coverage](#/verification/verification-coverage) — which detector types are live-verified, format-validated, or not verifiable at all. +- [Configuration: Config File](#/configuration/config-file) — full reference for the `verification:` block. +- [Output Formats](#/output/output-formats) — how the verification status appears in JSON, SARIF, CSV, and table output. diff --git a/docs/user-manuals/en/verification/verification-coverage.md b/docs/user-manuals/en/verification/verification-coverage.md new file mode 100644 index 0000000..1d28145 --- /dev/null +++ b/docs/user-manuals/en/verification/verification-coverage.md @@ -0,0 +1,111 @@ +--- +title: "Verification Coverage" +description: "Which of the 63 built-in detectors are live-verified, format-validated only, or not verifiable — and what that means for triage." +--- + +# Verification Coverage + +Leakwatch ships 63 built-in detectors and 54 verifiers, giving a coverage rate of **85.7%** (54 of 63 detector types have some form of verification). This page maps every detector to its verification status so you know what to expect in your output. + +## Live-verified (49 detector types) + +For these types, Leakwatch makes a controlled, read-only API call to the provider and returns `verified_active` or `verified_inactive`. No data is created or modified; the call uses the minimum endpoint needed to confirm identity. + +| Detector type | Provider | +|--------------|---------| +| `aws-access-key-id` | AWS STS (`GetCallerIdentity`) | +| `github-token` | GitHub REST API | +| `github-oauth-token` | GitHub REST API | +| `gitlab-pat` | GitLab REST API | +| `slack-token` | Slack Web API | +| `openai-api-key` | OpenAI API | +| `anthropic-api-key` | Anthropic API | +| `deepseek-api-key` | DeepSeek API | +| `huggingface-token` | Hugging Face API | +| `sendgrid-api-key` | SendGrid Web API | +| `mailgun-api-key` | Mailgun API | +| `postmark-server-token` | Postmark API | +| `stripe-api-key-live` | Stripe API | +| `stripe-api-key-test` | Stripe API | +| `digitalocean-token` | DigitalOcean API | +| `cloudflare-api-token` | Cloudflare API | +| `heroku-api-key` | Heroku Platform API | +| `vercel-token` | Vercel REST API | +| `npm-token` | npm Registry API | +| `pypi-api-token` | PyPI API | +| `rubygems-api-key` | RubyGems API | +| `dockerhub-pat` | Docker Hub API | +| `circleci-token` | CircleCI API | +| `terraform-cloud-token` | Terraform Cloud API | +| `discord-bot-token` | Discord API | +| `telegram-bot-token` | Telegram Bot API | +| `sentry-token` | Sentry API | +| `pagerduty-api-key` | PagerDuty API | +| `newrelic-api-key` | New Relic API | +| `grafana-api-key` | Grafana API | +| `datadog-api-key` | Datadog API | +| `snyk-api-key` | Snyk API | +| `twilio-api-key` | Twilio API | +| `doppler-token` | Doppler API | +| `launchdarkly-sdk-key` | LaunchDarkly API | +| `sonarcloud-token` | SonarCloud API | +| `shopify-access-token` | Shopify Admin API | +| `notion-token` | Notion API | +| `linear-api-key` | Linear API | +| `figma-pat` | Figma REST API | +| `airtable-pat` | Airtable API | +| `okta-api-token` | Okta API | +| `auth0-management-token` | Auth0 Management API | +| `databricks-token` | Databricks REST API | +| `bitbucket-app-password` | Bitbucket REST API | +| `coinbase-api-key` | Coinbase API | +| `supabase-service-key` | Supabase API | +| `infura-api-key` | Infura API | +| `teams-webhook` | Microsoft Teams | + +## Format-validated only (5 detector types) + +These verifiers run entirely offline. No network request is made. Because a valid format does not prove a credential is active, all five always return `unverified` regardless of whether the format check passes or fails. + +| Detector ID | What is validated | Why no live check | +|-------------|------------------|------------------| +| `gcp-service-account` | JSON structure (`type`, `project_id`, `private_key_id`, `client_email`) | Live check requires a GCP OAuth2 token exchange, which has side effects | +| `rabbitmq-connection-string` | AMQP URL parsed successfully | No public unauthenticated health endpoint | +| `snowflake-credentials` | Password length and host substring check | Live check requires a JDBC/ODBC database connection | +| `azure-storage-key` | Format check | Requires per-account HMAC signing; no generic identity endpoint | +| `azure-entra-secret` | Format check | Client credential flow would create sessions | + +## Not verifiable (9 detector types) + +These detector types have no verifier at all. Findings from them are always `unverified`. This is **not** because they are unimportant — they are detected and reported in full — but because no public verification API exists, or because any verification attempt would have side effects. + +| Detector ID | Reason | +|-------------|--------| +| `jwt` | A JWT can be issued by any party; there is no universal validation endpoint | +| `private-key` | No provider to call; active use cannot be detected remotely | +| `generic-api-key` | Unknown provider by definition | +| `database-connection-string` | Connecting would create sessions on the target database | +| `redis-connection-string` | Connecting would open a live connection to the Redis instance | +| `ftp-credentials` | No safe read-only FTP probe | +| `ldap-credentials` | LDAP bind would create an authenticated session | +| `slack-webhook` | Confirming a webhook is active requires sending a message | +| `hashicorp-vault-token` | Vault token validation requires knowing the Vault endpoint | + +:::note +"Not verifiable" does not mean "not found". All 9 of these types are still detected and appear in your output. They require manual triage to determine whether the credential is live and whether it needs rotation. +::: + +## Coverage summary + +| Category | Count | +|----------|-------| +| Live-verified | 49 | +| Format-validated only | 5 | +| Not verifiable | 9 | +| **Total detectors** | **63** | +| **Verifiers (any coverage)** | **54 (85.7%)** | + +## See also + +- [How Verification Works](#/verification/how-verification-works) — the two verification modes, statuses, and the verification engine. +- [Detector Catalog](#/detectors/detector-catalog) — the full list of built-in detectors with severities. diff --git a/docs/user-manuals/tr/ci-cd/docker-usage.md b/docs/user-manuals/tr/ci-cd/docker-usage.md new file mode 100644 index 0000000..4f52c8f --- /dev/null +++ b/docs/user-manuals/tr/ci-cd/docker-usage.md @@ -0,0 +1,129 @@ +--- +title: "Docker Kullanımı" +description: "Resmi Docker imajını kullanarak Leakwatch taramalarını bir konteyner içinde çalıştırın." +--- + +# Docker Kullanımı + +Resmi Leakwatch konteyner imajı, ana makineye herhangi bir şey kurmadan tarama yapmanızı sağlar. İmaj `CGO_ENABLED=0` ile statik olarak derlenmiş ve root olmayan bir kullanıcı olarak çalışır; bu nedenle kilitli CI ortamlarında ve ana sistemi değiştirmek istemediğiniz paylaşımlı makinelerde güvenle kullanılabilir. + +## İmaj referansı + +```text +ghcr.io/hodetech/leakwatch +``` + +| Etiket | Açıklama | +|--------|----------| +| `:latest` | En son sürüm | +| `:v1.5.0` | Tam sürüm sabitleme | +| `:v1.5` | Küçük sürüm sabitleme (yama sürümlerini takip eder) | + +İmaj Alpine tabanlıdır, root olmayan `leakwatch` kullanıcısı olarak çalışır, çalışma dizini olarak `/scan` kullanır ve giriş noktası olarak `leakwatch`'ı ayarlar. + +:::note +Giriş noktası `leakwatch` olduğundan alt komutu ve bayrakları doğrudan imaj adının ardına eklersiniz — örneğin `ghcr.io/hodetech/leakwatch:latest scan fs /scan`. İkili dosya adını tekrar yazmanıza gerek yoktur. +::: + +## Yerel dizin tarama + +Taramak istediğiniz dizini konteyner içindeki `/scan` dizinine bağlayın: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan +``` + +Ana makinedeki bir dosyaya sonuç yazmak için çıktı dosyasını bağlı birime yazın: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan --format sarif -o /scan/leakwatch.sarif +``` + +`leakwatch.sarif` dosyası, konteyner çıktıktan sonra ana makinedeki geçerli dizinde görünür. + +## Uzak Git deposu tarama + +```bash +docker run --rm \ + ghcr.io/hodetech/leakwatch:latest \ + scan git https://github.com/org/repo.git --format json +``` + +Uzak Git depoları için birim bağlaması gerekli değildir — Leakwatch bunları konteyner içindeki geçici bir dizine klonlar. + +## Konteyner imajı tarama + +Leakwatch daemonsuz çalışır: imaj katmanlarını Docker daemon'ına ihtiyaç duymadan doğrudan kayıt defterinden çeker. Bu, Leakwatch konteynerinden, ana makine Docker soketini bağlamadan uzak bir imajı tarayabileceğiniz anlamına gelir: + +```bash +docker run --rm \ + ghcr.io/hodetech/leakwatch:latest \ + scan image registry.example.com/my-app:v2.3.0 +``` + +Özel kayıt defterleri için kimlik bilgilerini, kayıt defterinizin desteklediği standart ortam değişkenleri aracılığıyla geçirin (örneğin, bağlı bir kimlik bilgisi dosyasına işaret eden `DOCKER_CONFIG`). + +## Yapılandırma dosyası geçirme + +`.leakwatch.yaml` dosyasını `/scan` dizinine bağlayın; Leakwatch onu otomatik olarak bulur: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan +``` + +`.leakwatch.yaml` bağlanan dizinde olduğu sürece Leakwatch onu bulur çünkü `/scan` hem çalışma dizini hem de taramaya geçirilen yoldur. Yapılandırma dosyanız başka bir yerdeyse onu ayrıca bağlayın ve `--config` kullanın: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + -v "/path/to/custom-config.yaml:/config/leakwatch.yaml:ro" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan --config /config/leakwatch.yaml +``` + +## Ortam değişkenleri geçirme + +Bulut taraması ve token tabanlı kimlik doğrulama için ortam değişkenleri `-e` ile enjekte edilebilir: + +```bash +# AWS kimlik bilgileriyle S3 taraması +docker run --rm \ + -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \ + -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \ + -e AWS_REGION=us-east-1 \ + ghcr.io/hodetech/leakwatch:latest \ + scan s3 my-bucket +``` + +CI ortamlarında, kimlik bilgilerini komut satırına gömmek yerine maskelenmiş CI değişkenleri olarak enjekte etmeyi tercih edin. + +## Çıktı dosyası kalıbı + +CI'da yaygın bir Docker kalıbı, sonuçları bağlı birime yazmak ve ardından dosyayı bir pipeline artifact'i olarak yüklemek veya arşivlemektir: + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan \ + --format json \ + --only-verified \ + -o /scan/leakwatch-results.json +``` + +## Ayrıca bakın + +- [Kurulum](#/getting-started/installation) — Docker kullanmak yerine yerel ikili dosyayı kurma. +- [Dosya Sistemi Taraması](#/scanning/filesystem) — `scan fs` bayrakları ve davranışı. +- [Konteyner İmajları](#/scanning/container-images) — OCI/Docker imaj katmanlarını sır açısından tarama. +- [Diğer CI Sistemleri](#/ci-cd/other-ci) — GitLab CI ve diğer pipeline'larda Docker imajını kullanma. +- [CLI Referansı](#/reference/cli-reference) — tüm alt komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/ci-cd/github-action.md b/docs/user-manuals/tr/ci-cd/github-action.md new file mode 100644 index 0000000..ac870a2 --- /dev/null +++ b/docs/user-manuals/tr/ci-cd/github-action.md @@ -0,0 +1,147 @@ +--- +title: "GitHub Action" +description: "GitHub iş akışlarında sır taraması yapmak için resmi Leakwatch GitHub Action'ını kullanın." +--- + +# GitHub Action + +Deponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. Resmi **Leakwatch GitHub Action** (`HodeTech/leakwatch-action@v1`), Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder — aracı kurar, taramayı çalıştırır, çıkış kodlarını işler ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler; bunların hepsini harici bir servis bağımlılığı olmadan yapar. + +## Hızlı başlangıç + +Sır bulunduğunda iş akışını engelleyen minimal yapılandırma: + +```yaml +# .github/workflows/leakwatch-minimal.yml +name: Sır taraması (minimal) + +on: [push, pull_request] + +jobs: + leakwatch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: HodeTech/leakwatch-action@v1 +``` + +Yalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (`scan-type: fs`), SARIF çıktısı üretir, canlı doğrulamayı atlar (`no-verify: true`) ve herhangi bir bulgu raporlandığında işi başarısız kılar. + +## SARIF yükleme ile tam örnek + +Aşağıdaki iş akışı, GitHub Code Scanning'e SARIF yüklemeyi etkinleştirir ve bulguları depo içinde güvenlik uyarıları olarak gösterir: + +```yaml +# .github/workflows/leakwatch.yml +name: Sır taraması + +on: + push: + branches: ["main", "develop"] + pull_request: + +permissions: + contents: read + security-events: write # SARIF yüklemesi için gerekli + +jobs: + leakwatch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Sırları tara + uses: HodeTech/leakwatch-action@v1 + with: + scan-type: fs + path: . + format: sarif + no-verify: "true" + min-severity: low + sarif-upload: "true" + fail-on-findings: "true" +``` + +:::note +SARIF yüklemesi, işin `permissions: security-events: write` bildirmesini gerektirir. Bu olmadan yükleme adımı 403 hatasıyla başarısız olur. `actions/checkout@v4` için `contents: read` izni de gereklidir. +::: + +## Girdiler + +| Girdi | Varsayılan | Açıklama | +|-------|-----------|----------| +| `scan-type` | `fs` | Çalıştırılacak tarama türü: `fs`, `git` veya `image`. | +| `path` | `.` | Taranacak yol (`fs`/`git` için) veya imaj referansı (`image` için). | +| `format` | `sarif` | Çıktı biçimi: `json`, `sarif`, `csv` veya `table`. | +| `only-verified` | `false` | Yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla. | +| `no-verify` | `true` | Sır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz). | +| `min-severity` | `low` | Raporlanacak minimum önem derecesi: `low`, `medium`, `high` veya `critical`. | +| `sarif-upload` | `false` | Taramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle. | +| `fail-on-findings` | `true` | Bulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. `false` olarak ayarlandığında adım başarısız olmak yerine `::warning::` ek açıklaması yayar. Ciddi hatalar (çıkış kodu 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar. | +| `version` | `latest` | Kurulacak Leakwatch sürümü. Belirli bir sürümü sabitlemek için `v1.5.0` gibi bir etiket kullanın. | + +## Çıktılar + +| Çıktı | Açıklama | +|-------|----------| +| `findings-count` | Bulgu raporlanmadıysa `0`; bulgu raporlandıysa `1`. Leakwatch çıkış kodunu yansıtır. | +| `sarif-file` | Runner üzerindeki SARIF çıktı dosyasının yolu (`format: sarif` olduğunda ayarlanır). | + +## CI'da doğrulama + +Varsayılan olarak `no-verify` değeri `true`'dur — CI'da canlı doğrulama **kapalıdır**. Bu, taramayı hızlı tutar ve CI runner'larından sağlayıcı API'lerine giden ağ çağrılarını önler; runner'lar güvenlik duvarı arkasında olabilir veya hız sınırlı kimlik bilgilerine sahip olabilir. + +CI'da doğrulamayı etkinleştirmek için `no-verify: "false"` olarak ayarlayın: + +```yaml +- uses: HodeTech/leakwatch-action@v1 + with: + no-verify: "false" +``` + +:::warn +CI'da doğrulamayı etkinleştirmek, Leakwatch'ın her aday bulgu için sağlayıcılara (AWS, GitHub, Stripe vb.) kimlik doğrulamalı API çağrıları yapmasına neden olur. Sağlayıcı hız limitlerinden haberdar olun ve runner'ın giden internet erişimine sahip olduğundan emin olun. +::: + +## SARIF yüklemesi nasıl çalışır + +`sarif-upload: "true"` ve `format: sarif` olduğunda action: + +1. Leakwatch'a çıktıyı `results.sarif` dosyasına yazmasını söyler. +2. Taramanın ardından `category: leakwatch` ile `github/codeql-action/upload-sarif@v3`'ü çağırır. +3. GitHub dosyayı işler ve bulguları deponun **Security** sekmesinde **Code Scanning uyarıları** olarak gösterir. + +Yükleme adımı `if: always()` ile çalışır; dolayısıyla `fail-on-findings: "true"` tarama adımını başarısız kılsa bile sonuçlar yüklenir. + +## Action çıktılarını kullanmak + +```yaml +- name: Sırları tara + id: scan + uses: HodeTech/leakwatch-action@v1 + with: + fail-on-findings: "false" # iş akışının devam etmesine izin ver + +- name: Sonucu yazdır + run: echo "Raporlanan bulgular: ${{ steps.scan.outputs.findings-count }}" +``` + +## Belirli bir sürümü sabitleme + +Yeniden üretilebilir derlemeler için `version` değerini belirli bir etikete sabitleyin: + +```yaml +- uses: HodeTech/leakwatch-action@v1 + with: + version: "v1.5.0" +``` + +Bu, `go install` aracılığıyla tam olarak `github.com/HodeTech/leakwatch@v1.5.0`'ı kurar. + +## Ayrıca bakın + +- [Çıktı Biçimleri](#/output/output-formats) — JSON, SARIF, CSV ve tablo çıktısını anlama. +- [Çıkış Kodları](#/reference/exit-codes) — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — Leakwatch'ın sağlayıcı API'lerini ne zaman ve nasıl çağırdığı. +- [Pre-commit Kancası](#/ci-cd/pre-commit) — commit edilmeden önce sırları yakalama. +- [Diğer CI Sistemleri](#/ci-cd/other-ci) — GitLab CI, Jenkins ve genel kabuk entegrasyonu. diff --git a/docs/user-manuals/tr/ci-cd/other-ci.md b/docs/user-manuals/tr/ci-cd/other-ci.md new file mode 100644 index 0000000..1fe03d8 --- /dev/null +++ b/docs/user-manuals/tr/ci-cd/other-ci.md @@ -0,0 +1,139 @@ +--- +title: "Diğer CI Sistemleri" +description: "Leakwatch'ı GitLab CI, Jenkins, Bitbucket Pipelines ve diğer CI sistemlerine entegre edin." +--- + +# Diğer CI Sistemleri + +Leakwatch, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olduğundan, kabuk komutu çalıştırabilen herhangi bir CI ortamında çalışır: GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps ve diğerleri. Bu sayfada açıklananların ötesinde bu sistemler için yerleşik bir entegrasyon yoktur; kalıp her zaman aynıdır: ikili dosyayı kur, taramayı çalıştır, çıkış koduna göre hareket et. + +## CI'da Leakwatch kurma + +Runner ortamınıza en uygun yöntemi seçin: + +### `go install` aracılığıyla (runner'da Go gerektirir) + +```bash +go install github.com/HodeTech/leakwatch@latest +``` + +Yeniden üretilebilir derlemeler için belirli bir sürüme sabitleyin: + +```bash +go install github.com/HodeTech/leakwatch@v1.5.0 +``` + +### Docker imajı aracılığıyla (Go gerekmez) + +`ghcr.io/hodetech/leakwatch:latest`'i iş imajı olarak kullanın veya `docker run` ile çalıştırın. Tam kalıp için [Docker Kullanımı](#/ci-cd/docker-usage) sayfasına bakın. + +### Hazır bir sürüm ikili dosyası aracılığıyla + +Uygun tar arşivini [GitHub Releases](https://github.com/HodeTech/Leakwatch/releases) sayfasından indirin, çıkarın ve `PATH`'e ekleyin: + +```bash +curl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz +tar -xzf leakwatch_Linux_amd64.tar.gz +sudo mv leakwatch /usr/local/bin/leakwatch +``` + +## Çıkış kodları + +Leakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için iyi tanımlanmış üç çıkış kodu kullanır: + +| Kod | Anlam | Önerilen CI eylemi | +|-----|-------|-------------------| +| `0` | Bulgu yok | Pipeline aşamasını geç | +| `1` | Sırlar bulundu | Pipeline aşamasını başarısız kıl | +| `2` | Ciddi hata (hatalı yapılandırma, okunamaz yol vb.) | Pipeline aşamasını başarısız kıl | + +Çıkış koduna göre dallanma yapan genel bir kabuk parçacığı: + +```bash +set +e +leakwatch scan fs . --format json -o leakwatch.json --no-verify +EXIT_CODE=$? +set -e + +if [ "$EXIT_CODE" -eq 0 ]; then + echo "Sır bulunamadı." +elif [ "$EXIT_CODE" -eq 1 ]; then + echo "Sırlar bulundu — derlemeyi başarısız kılıyorum." + exit 1 +else + echo "Tarama hatası (çıkış $EXIT_CODE) — derlemeyi başarısız kılıyorum." + exit "$EXIT_CODE" +fi +``` + +## GitLab CI örneği + +Aşağıdaki `.gitlab-ci.yml` işi Leakwatch'ı kurar, dosya sistemi taraması çalıştırır ve JSON raporunu pipeline artifact'i olarak saklar: + +```yaml +leakwatch: + stage: test + image: golang:1.25-alpine + script: + - go install github.com/HodeTech/leakwatch@v1.5.0 + - leakwatch scan fs . --format json -o leakwatch.json --no-verify + artifacts: + when: always + paths: + - leakwatch.json + expire_in: 7 gün + allow_failure: false +``` + +`allow_failure: false` (varsayılan) değeri, çıkış kodu `1`'in pipeline aşamasını başarısız kılması anlamına gelir. Taramanın merge işlemini engellemeden raporlamasını istiyorsanız `allow_failure: true` olarak ayarlayın. + +:::tip +GitLab, SAST raporu artifact'larını destekler. Leakwatch SARIF üretir (`--format sarif`) ancak GitLab'ın yerel SAST JSON şemasını değil; bu nedenle `reports: sast:` anahtarı yerine `paths:` artifact yaklaşımını kullanın. +::: + +## CI runner'ları için öneriler + +**Giden internet erişimi olmayan runner'larda `--no-verify` kullanın.** Doğrulama, sağlayıcılara (AWS, GitHub, Stripe vb.) canlı API çağrıları yapar. Hava boşluklu veya güvenlik duvarıyla kısıtlanmış runner'larda bu çağrılar zaman aşımına uğrar ve taramayı yavaşlatır. Doğrulamayı tamamen atlamak için `--no-verify` geçirin: + +```bash +leakwatch scan fs . --no-verify --format sarif -o results.sarif +``` + +**Çıktıyı artifact olarak kaydedin.** İşi tamamlandıktan sonra saklanabilecek, bir güvenlik açığı yönetim platformuna yüklenebilecek veya incelenebilecek bir dosya yazmak için `--format sarif` ya da `--format json` ile birlikte `--output` kullanın. + +**`--min-severity`** değerini en çok önem taşıyan sırlara odaklanmak için ayarlayın. Gürültülü bir kod tabanında `--min-severity high` ile başlayın ve birikmiş öğeleri temizledikten sonra eşiği düşürün. + +## Azure DevOps örneği + +```yaml +- script: | + go install github.com/HodeTech/leakwatch@v1.5.0 + leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify + displayName: "Leakwatch sır taraması" + +- task: PublishBuildArtifacts@1 + inputs: + pathToPublish: "$(Build.ArtifactStagingDirectory)" + artifactName: "leakwatch-sonuclari" +``` + +## Jenkins örneği + +```groovy +stage('Sır taraması') { + steps { + sh ''' + go install github.com/HodeTech/leakwatch@v1.5.0 + leakwatch scan fs . --format json -o leakwatch.json --no-verify + ''' + archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true + } +} +``` + +## Ayrıca bakın + +- [Çıkış Kodları](#/reference/exit-codes) — tüm çıkış kodlarının tam referansı. +- [Çıktı Biçimleri](#/output/output-formats) — JSON, SARIF, CSV ve tablo çıktısı. +- [Docker Kullanımı](#/ci-cd/docker-usage) — ikili dosyayı kurmak yerine konteyner imajını kullanma. +- [GitHub Action](#/ci-cd/github-action) — GitHub iş akışları için resmi action. diff --git a/docs/user-manuals/tr/ci-cd/pre-commit.md b/docs/user-manuals/tr/ci-cd/pre-commit.md new file mode 100644 index 0000000..de931fa --- /dev/null +++ b/docs/user-manuals/tr/ci-cd/pre-commit.md @@ -0,0 +1,124 @@ +--- +title: "Pre-commit Kancası" +description: "Her commit'ten önce sır taraması yapmak için Leakwatch pre-commit kancasını kullanın." +--- + +# Pre-commit Kancası + +Bir sırrı yakalamak için en ucuz an, onu depoya girmeden önce durdurmaktır. Leakwatch, her `git commit` işleminde `leakwatch scan fs` komutunu otomatik olarak çalıştıran yerel bir [pre-commit](https://pre-commit.com) kancası sunar; böylece sızan bir API anahtarı veya parola, geçmişte yer almak yerine commit işlemini başarısız kılar. + +## Ön koşullar + +Şunlara ihtiyacınız var: + +- Python 3.8+ (pre-commit bir Python aracıdır). +- Genel olarak kurulmuş [pre-commit](https://pre-commit.com/#install) (`pip install pre-commit` veya `brew install pre-commit`). +- `PATH` üzerinde Go 1.25+ — kanca dili `golang` olduğundan pre-commit, ilk çalıştırmada Leakwatch'ı kaynaktan derler. + +## Yapılandırma + +Deponuzun köküne bir `.pre-commit-config.yaml` dosyası ekleyin (veya mevcut olanı genişletin): + +```yaml +repos: + - repo: https://github.com/HodeTech/Leakwatch + rev: v1.5.0 + hooks: + - id: leakwatch +``` + +Kancaları yerel Git deposuna kurun: + +```bash +pre-commit install +``` + +Hepsi bu kadar. Bundan itibaren her `git commit` işlemi bir dosya sistemi taraması tetikler. Leakwatch herhangi bir sır bulursa commit engellenir ve bulgular terminale yazdırılır. + +## Elle çalıştırma + +Tüm depoyu (yalnızca staged dosyaları değil) istediğiniz zaman taramak için: + +```bash +pre-commit run --all-files +``` + +Diğerlerini tetiklemeden yalnızca Leakwatch kancasını çalıştırmak için: + +```bash +pre-commit run leakwatch --all-files +``` + +## Ek argümanlar geçirme + +Kancanın varsayılan davranışı, ek bayrak olmadan `leakwatch scan fs`'e karşılık gelir. `args:` anahtarı aracılığıyla ek argümanlar geçirebilirsiniz: + +```yaml +repos: + - repo: https://github.com/HodeTech/Leakwatch + rev: v1.5.0 + hooks: + - id: leakwatch + args: + - --only-verified + - --min-severity + - high +``` + +Bu örnek, yalnızca Leakwatch'ın hâlâ etkin olduğunu doğruladığı yüksek önem dereceli sırları raporlar — yanlış pozitif gürültüsünden kaçınmak isteyen ancak kapsam kaybetmek istemeyen ekipler için uygun katı bir politika. + +Diğer kullanışlı argümanlar: + +```yaml +args: + - --no-verify # daha hızlı commit'ler için canlı doğrulamayı atla + - --min-severity + - medium # düşük önem dereceli gürültüyü bastır + - --format + - table # terminalde insan tarafından okunabilir çıktı +``` + +:::note +Kanca tanımında `pass_filenames: false` ayarlandığından kanca, yalnızca mevcut commit için staged dosyaları değil her zaman tam çalışma ağacını tarar. Bu, staged olmayan dosyalarda halihazırda bulunan sırların da tespit edileceğini garanti eder. +::: + +## Kancanın taradıkları + +Kanca, depo çalışma dizinine karşı `leakwatch scan fs` çalıştırır. CLI ile aynı tespit hattını kullanır: Aho-Corasick ön filtreleme, regex doğrulama, entropi hesaplama ve (`--no-verify` ayarlanmadıkça) canlı doğrulama. + +`.leakwatch.yaml`'daki yapılandırma otomatik olarak uygulanır — dışlama kalıpları, entropi eşikleri ve doğrulama ayarları, herhangi bir ek kanca yapılandırması olmadan geçerli olur. + +## Kancayı geçici olarak atlama + +Kancayı çalıştırmadan commit yapmak için (örneğin, maskelenmiş sır içeren bir test sabiti commit edilirken): + +```bash +SKIP=leakwatch git commit -m "chore: test sabiti ekle" +``` + +:::warn +`SKIP=leakwatch` kullanmak, o commit için tüm sır taramasını devre dışı bırakır. Yalnızca içeriğin güvenli olduğunu teyit ettiğinizde kullanın; kalıcı bastırmalar için bunun yerine `.leakwatchignore` veya satır içi `leakwatch:ignore` yorumlarını tercih edin. +::: + +## Kanca sürümünü sabitli tutma + +`rev:` değerini dal adı yerine belirli bir etikete sabitleyin. Bu, ekipteki tüm geliştiricilerin aynı dedektör setini kullandığını ve kancanın sprint ortasında sessizce yükseltilmediğini garantiler: + +```yaml +rev: v1.5.0 # sabitle; 'main' veya 'HEAD' kullanmayın +``` + +Güncellemek için: + +```bash +pre-commit autoupdate +``` + +Bu komut `rev` değerini en son etikete yükseltir ve siz onu commit etmeden önce değişikliği inceleme fırsatı tanır. + +## Ayrıca bakın + +- [Dosya Sistemi Taraması](#/scanning/filesystem) — kancanın çalıştırdığı temel tarama komutu. +- [Yapılandırma Dosyası](#/configuration/config-file) — `.leakwatch.yaml`'da dışlamaları, entropiyi ve doğrulamayı kontrol etme. +- [GitHub Action](#/ci-cd/github-action) — GitHub CI'da her push ve pull request'te tarama. +- [Çıkış Kodları](#/reference/exit-codes) — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği. diff --git a/docs/user-manuals/tr/configuration/config-file.md b/docs/user-manuals/tr/configuration/config-file.md new file mode 100644 index 0000000..f123293 --- /dev/null +++ b/docs/user-manuals/tr/configuration/config-file.md @@ -0,0 +1,194 @@ +--- +title: "Yapılandırma Dosyası" +description: "Leakwatch'ı .leakwatch.yaml ile yapılandırma — tam şema, varsayılanlar, doğrulama kuralları, ortam değişkeni geçersiz kılmaları ve leakwatch init komutu." +--- + +# Yapılandırma Dosyası + +Leakwatch'ın her tarama komutundaki davranışı, `.leakwatch.yaml` adlı tek bir YAML dosyasıyla yönetilir. Bu dosyayı anlamak; eşzamanlılık, doğrulama, çıktı biçimi ve yol filtrelemeyi bir kez ayarlamanızı ve her taramanın bu ayarları otomatik olarak almasını sağlar. + +## Dosya keşfi + +Leakwatch, yapılandırma dosyasını aşağıdaki sırayla çözer: + +1. **`--config ` bayrağı** — çalışma dizininden bağımsız olarak açık bir yol kullanır. +2. **Geçerli dizin** — komutun çalıştırıldığı dizindeki `.leakwatch.yaml`. +3. **Ana dizin** — yedek olarak `~/.leakwatch.yaml`. + +Hiçbir dosya bulunamazsa, her ayar için yerleşik varsayılanlar kullanılır. + +## Başlangıç dosyası oluşturma + +`leakwatch init` komutu, önerilen varsayılanlarla düzenlemeye hazır bir dosya yazar: + +```bash +leakwatch init +``` + +Varsayılan olarak dosya, geçerli dizindeki `.leakwatch.yaml` konumuna yazılır. Farklı bir yol seçmek için `--output` kullanın: + +```bash +leakwatch init --output /etc/leakwatch/.leakwatch.yaml +``` + +Hedef dosya zaten mevcutsa, `leakwatch init` üzerine yazmayı reddeder ve hata vererek çıkar. Üzerine yazmak için `--force` kullanın: + +```bash +leakwatch init --force +``` + +## Ortam değişkeni geçersiz kılmaları + +Her yapılandırma anahtarı bir ortam değişkeniyle geçersiz kılınabilir. İsimlendirme kuralı şudur: + +- Önek: `LEAKWATCH_` +- `.` ve `-` karakterlerini `_` ile değiştirin +- Büyük harfe çevirin + +Örnekler: + +| Yapılandırma anahtarı | Ortam değişkeni | +|---|---| +| `scan.concurrency` | `LEAKWATCH_SCAN_CONCURRENCY` | +| `verification.rate-limit` | `LEAKWATCH_VERIFICATION_RATE_LIMIT` | +| `output.format` | `LEAKWATCH_OUTPUT_FORMAT` | +| `detection.entropy.threshold` | `LEAKWATCH_DETECTION_ENTROPY_THRESHOLD` | + +## Öncelik sırası + +Aynı ayar birden fazla yerde belirtildiğinde, en yüksek öncelikli kaynak kazanır: + +1. Komut satırı bayrağı (en yüksek) +2. Ortam değişkeni +3. Yapılandırma dosyası değeri +4. Yerleşik varsayılan (en düşük) + +## Tam şema + +Aşağıdaki açıklamalı şema, desteklenen her anahtarı, varsayılan değerini ve geçerli aralığını göstermektedir. + +```yaml +# ── Tarama motoru ───────────────────────────────────────────────────────────── + +scan: + # Eşzamanlı dosya işleme worker sayısı. + # Varsayılan olarak ana makinedeki mantıksal CPU çekirdeği sayısı kullanılır. + # >= 1 olmalıdır. + concurrency: 8 + + # Taranacak maksimum dosya boyutu (bayt cinsinden). Bu sınırı aşan dosyalar + # tamamen atlanır. Varsayılan: 10 MB (10485760). >= 1 olmalıdır. + max-file-size: 10485760 + +# ── Tespit ──────────────────────────────────────────────────────────────────── + +detection: + entropy: + # Her aday eşleşme için Shannon entropi hesaplamasını etkinleştirir. + enabled: true + + # Gösterim ve özel kural kapısı için kullanılan entropi eşiği. + # Aralık: 0–8. Varsayılan: 4.0. + # Yerleşik bulgular hakkındaki nota bakın. + threshold: 4.0 + +# ── Doğrulama ───────────────────────────────────────────────────────────────── + +verification: + # Sağlayıcı API'lerine karşı canlı doğrulamayı etkinleştirir. + enabled: true + + # İstek başına HTTP zaman aşımı. Doğrulama etkinleştirildiğinde >= 1ms olmalıdır. + # Süre dizesi kullanın (örn. "10s", "500ms") — tam sayı nanosaniye olarak + # yorumlanır ve doğrulama başarısız olur. + timeout: 10s + + # Eşzamanlı doğrulama worker sayısı. >= 1 olmalıdır. + concurrency: 4 + + # Saniyedeki maksimum doğrulama isteği (token-bucket hız sınırlayıcı). + # > 0 olmalıdır. + rate-limit: 10.0 + +# ── Filtreleme ──────────────────────────────────────────────────────────────── + +filter: + # Taramadan hariç tutulacak yollar için glob desenleri. + # Desteklenen glob stilleri: filepath.Match desenleri, sıfır veya daha fazla + # yol segmentini kapsayan ** çift yıldız ve herhangi bir derinlikte adlandırılmış + # dizini eşleştiren sondaki eğik çizgili dir/ desenleri. Her desen hem tam yol + # hem de temel dosya adına karşı test edilir. + # Tüm tarama kaynaklarına uygulanır. (`scan fs` komutunda --exclude bayrağı da bunu ayarlar.) + # Varsayılan: [] (yerleşik ikili/kilit dosya atlamalarının ötesinde hariç tutma yok). + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "**/*.min.js" + - "**/*.min.css" + - "go.sum" + - "package-lock.json" + - "yarn.lock" + + # Tamamen devre dışı bırakılacak dedektör ID'leri. Listelenen dedektörlerden + # gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez. + # Varsayılan: []. + exclude-detectors: [] + +# ── Çıktı ───────────────────────────────────────────────────────────────────── + +output: + # Çıktı biçimi. Şunlardan biri: json, sarif, csv, table. Varsayılan: json. + # --format / -f bayrağı bunu çalışma zamanında geçersiz kılar. + format: json + + # Çıktıyı stdout yerine bu dosya yoluna yaz. Varsayılan: "" (stdout). + # --output / -o bayrağı bunu çalışma zamanında geçersiz kılar. + file: "" + + # Bu önem seviyesinin altındaki bulguları bırak. + # Şunlardan biri: low, medium, high, critical. Varsayılan: "" (tümünü göster). + # --min-severity bayrağı bunu çalışma zamanında geçersiz kılar. + severity-threshold: "" + + # Çıktıda maskelenmemiş sır değerini dahil et. + # Varsayılan: false. --show-raw bayrağı bunu çalışma zamanında geçersiz kılar. + show-raw: false + +# ── Özel kurallar ───────────────────────────────────────────────────────────── + +# Kendi dedektörlerinizi YAML kuralları olarak tanımlayın. Tam kural şeması +# için özel kurallar sayfasına bakın. +# custom-rules: +# - id: "my-internal-token" +# description: "Internal Service Token" +# regex: "mycompany_[a-zA-Z0-9]{32}" +# keywords: ["mycompany_"] +# severity: critical +custom-rules: [] +``` + +:::note +`detection.entropy.threshold`, bir bulgunun yanında gösterilen entropi değerini kontrol eder ve özel kurallar için bir kapı görevi görür (entropisi eşiğin altına düşen özel kural eşleşmeleri bastırılır). Yerleşik dedektörlerin bulgularını **bastırmaz** — yerleşik dedektörlerin kendi eşleşme kriterleri vardır ve bu ayar tarafından hiçbir zaman bırakılmazlar. +::: + +## Doğrulama + +Leakwatch, taramaya başlamadan önce yüklenen yapılandırmayı doğrular ve aşağıdaki durumların herhangi birinde hata vererek çıkar: + +| Koşul | Hata | +|---|---| +| `scan.concurrency < 1` | Geçersiz eşzamanlılık değeri | +| `scan.max-file-size < 1` | Geçersiz max-file-size değeri | +| `output.format` `json\|sarif\|csv\|table` içinde değil | Desteklenmeyen çıktı biçimi | +| `detection.entropy.threshold` 0–8 dışında | Geçersiz entropi eşiği | +| `output.severity-threshold` geçerli bir seviye değil (boş değilse) | Geçersiz severity-threshold | +| `verification.timeout < 1ms` (doğrulama etkinleştirildiğinde) | Geçersiz doğrulama zaman aşımı | +| `verification.concurrency < 1` (doğrulama etkinleştirildiğinde) | Geçersiz doğrulama eşzamanlılığı | +| `verification.rate-limit <= 0` (doğrulama etkinleştirildiğinde) | Geçersiz doğrulama rate-limit | + +## Ayrıca bakın + +- [Bulguları Yok Sayma](#/configuration/ignoring-findings) +- [Önem Derecesi & Filtreleme](#/configuration/severity-and-filtering) +- [Özel Kurallar](#/detectors/custom-rules) +- [Ortam Değişkenleri](#/reference/environment-variables) diff --git a/docs/user-manuals/tr/configuration/ignoring-findings.md b/docs/user-manuals/tr/configuration/ignoring-findings.md new file mode 100644 index 0000000..9753892 --- /dev/null +++ b/docs/user-manuals/tr/configuration/ignoring-findings.md @@ -0,0 +1,126 @@ +--- +title: "Bulguları Yok Sayma" +description: ".leakwatchignore dosyaları, satır içi yok sayma işaretçileri ve yerleşik ikili dosya ve kilit dosyası atlamaları ile yanlış pozitifleri bastırın." +--- + +# Bulguları Yok Sayma + +Hiçbir tarayıcının yanlış pozitif oranı sıfır değildir. Leakwatch, gürültüyü bastırmak için size üç katmanlı mekanizma sunar: yol tabanlı dışlamalar için bir `.leakwatchignore` dosyası, satır düzeyinde bastırma için satır içi işaretçiler ve ikili dosyalar ile yaygın kilit dosyaları için her zaman etkin olan yerleşik atlamalar. + +## `.leakwatchignore` dosyası + +Tarama sonuçlarından yolları hariç tutmak için depo kökünüze (veya geçerli dizine) bir `.leakwatchignore` dosyası oluşturun. Gitignore stilinde söz dizimi kullanır: + +- `#` ile başlayan satırlar yorum satırlarıdır. +- Boş satırlar atlanır. +- `!` öneki bir deseni **geçersiz kılar**; önceki bir desen tarafından dışlanmış olacak bir yolu yeniden dahil eder. +- **Son eşleşen desen kazanır** — sıra önemlidir. + +### Yükleme sırası + +Leakwatch, `.leakwatchignore` dosyasını önce tarama kökünden, ardından geçerli çalışma dizininden yükler. Her ikisi de aynı yol için desen içeriyorsa, geçerli dizin dosyasının desenleri öncelik kazanır çünkü son değerlendirilenler bunlardır. + +### Glob söz dizimi + +Üç desen stili desteklenir: + +| Stil | Açıklama | Örnek | +|---|---|---| +| Standart glob | `filepath.Match` stili, hem tam yola hem de temel dosya adına karşı eşleştirilen | `*.pem` | +| Çift yıldız `**` | Sıfır veya daha fazla yol segmentini kapsar | `test/fixtures/**` | +| Sondaki eğik çizgi `dir/` | Adlandırılmış dizinin herhangi bir derinliğindeki her dosyayla eşleşir | `snapshots/` | + +### `.leakwatchignore` örneği + +```text +# Tüm test fixture dosyalarını yok say +test/fixtures/** + +# Dokümantasyondaki bilinen yer tutucu anahtarları yok say +docs/examples/ + +# Ağaçtaki herhangi bir yerdeki belirli uzantılı dosyaları yok say +*.pem.example + +# Yukarıdaki kural tarafından dışlanan belirli bir dosyayı yeniden dahil et +!docs/examples/real-config-sample.yaml +``` + +:::note +`.leakwatchignore` filtrelemesi, her bulgunun dosya yoluna göre tarama tamamlandıktan **sonra** uygulanır. Dosyaların okunmasını engellemez — ürettikleri bulguları bastırır. Dosyaları okunmadan önce atlamak için yapılandırma dosyasında `filter.exclude-paths` veya `scan fs` komutunda `--exclude` kullanın. +::: + +## Satır içi yok sayma işaretçileri + +Söz konusu satırdaki dedektörleri bastırmak için herhangi bir kaynak satırına doğrudan bir işaretçi koyun. İşaretçi satırın herhangi bir yerine yerleştirilebilir — genellikle bir yorum içinde — ve motor tarafından doğrulamadan **önce** uygulanır; böylece yok sayılan bir satır hiçbir zaman ağ çağrısını tetiklemez. + +### Bir satırdaki tüm dedektörleri bastır + +```python +# Ödeme işleme yapılandırması +STRIPE_KEY = "sk_test_XXXXXXXXXXXXXXXXXXXX" # leakwatch:ignore +``` + +### Bir satırdaki belirli bir dedektörü bastır + +Yalnızca bir dedektörü bastırırken diğerlerini etkin bırakmak için `leakwatch:ignore:` kullanın: + +```go +// Bu token dokümantasyon için kasıtlı olarak bir yer tutucudur +exampleToken := "ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" // leakwatch:ignore:github-token +``` + +```yaml +# Platform tarafından ayarlanan CI ortam değişkeni — gerçek bir sır değil +api_key: "${CI_API_KEY_PLACEHOLDER}" # leakwatch:ignore:generic-api-key +``` + +:::tip +Mümkün olduğunda genel form yerine dedektöre özgü formu (`leakwatch:ignore:`) tercih edin. Hangi dedektörü bastırdığınızı belgeler ve diğer tüm dedektörleri o satırda etkin bırakır. +::: + +## Yerleşik atlamalar (her zaman uygulanır) + +Leakwatch, herhangi bir dedektörü çalıştırmadan önce aşağıdakileri koşulsuz olarak atlar: + +**İkili dosya uzantıları** — `.exe`, `.dll`, `.so`, `.dylib`, `.bin`, `.png`, `.jpg`, `.gif`, `.mp4`, `.zip`, `.tar`, `.gz`, `.pdf`, `.woff`, `.ttf` ve diğerleri gibi uzantılara sahip dosyalar hiçbir zaman taranmaz. + +**İkili içerik tespiti** — ilk 8 KB'ı null bayt içeren herhangi bir dosya, uzantısından bağımsız olarak ikili olarak kabul edilir ve atlanır. + +**Yaygın kilit dosyaları** — aşağıdaki dosya adları, yüksek oranda yanlış pozitif üreten hash ve sağlama toplamları içerdikleri için her zaman atlanır: + +| Dosya | +|---| +| `package-lock.json` | +| `yarn.lock` | +| `pnpm-lock.yaml` | +| `composer.lock` | +| `Gemfile.lock` | +| `Cargo.lock` | +| `poetry.lock` | +| `go.sum` | +| `Pipfile.lock` | + +Bu yerleşik atlamalar devre dışı bırakılamaz. `filter.exclude-paths` ayarından ayrıdır ve yapılandırma tabanlı filtrelemeden önce çalışır. + +## Tarama öncesi yol tabanlı dışlama + +Yolları tarama motoru tarafından okunmadan önce dışlamak için yapılandırma dosyanızda `filter.exclude-paths` kullanın: + +```yaml +filter: + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "**/*.min.js" + - "third-party/" +``` + +Bu ayar **tüm tarama kaynaklarına** uygulanır (dosya sistemi, Git geçmişi, konteyner imajları, bulut depolama, Slack). `scan fs` komutunda ayrıca komut satırında `--exclude ` parametresi de geçirebilirsiniz; bu, `filter.exclude-paths` ile eşdeğer bir bayraktır. + +Tam yapılandırma şeması için [Yapılandırma Dosyası](#/configuration/config-file), dedektör düzeyinde ve önem derecesi düzeyinde filtreleme için [Önem Derecesi & Filtreleme](#/configuration/severity-and-filtering) bölümlerine bakın. + +## Ayrıca bakın + +- [Yapılandırma Dosyası](#/configuration/config-file) +- [Önem Derecesi & Filtreleme](#/configuration/severity-and-filtering) diff --git a/docs/user-manuals/tr/configuration/severity-and-filtering.md b/docs/user-manuals/tr/configuration/severity-and-filtering.md new file mode 100644 index 0000000..63fa0c9 --- /dev/null +++ b/docs/user-manuals/tr/configuration/severity-and-filtering.md @@ -0,0 +1,125 @@ +--- +title: "Önem Derecesi & Filtreleme" +description: "Önem eşikleri, yalnızca doğrulanmış mod, dedektör dışlamaları ve yol dışlamaları kullanarak hangi bulguların çıktınıza ulaşacağını kontrol edin." +--- + +# Önem Derecesi & Filtreleme + +Yoğun bir kod tabanı çok sayıda bulgu üretebilir. Leakwatch, en önemli sinyallere odaklanmak için birleştirebileceğiniz birkaç bağımsız filtre sunar: önem eşikleri düşük öncelikli gürültüyü eler, yalnızca doğrulanmış mod yalnızca onaylanmış canlı sırları ortaya çıkarır, dedektör dışlamaları bilinen yanlış pozitif kaynakları susturur ve yol dışlamaları tüm dizin ağaçlarını kapsamın dışında bırakır. + +## Önem seviyeleri + +Her yerleşik dedektör, varsayılan bir önem derecesiyle birlikte gelir. En düşükten en yüksek önceliğe doğru dört seviye şunlardır: + +| Seviye | Tipik kullanım | +|---|---| +| `low` | Daha yüksek yanlış pozitif oranına sahip genel desenler | +| `medium` | Tanınabilir kimlik bilgisi biçimleri, doğrulanmamış | +| `high` | Maruziyetin büyük olasılıkla önemli olduğu iyi yapılandırılmış sırlar | +| `critical` | Onaylanmış canlı sırlar veya neredeyse sıfır yanlış pozitif oranlı biçimler | + +Her dedektöre atanan önem derecesi [Dedektör Kataloğu](#/detectors/detector-catalog)'nda listelenmiştir. + +## `--min-severity`: eşiğin altındaki bulguları bırak + +Belirtilen seviyenin altındaki önem derecesine sahip bulguları atmak için `--min-severity ` parametresini kullanın. Yalnızca eşik değerinde veya üzerindeki bulgular çıktıya ulaşır. + +```bash +# Yalnızca high ve critical bulguları göster +leakwatch scan fs . --min-severity high + +# medium, high ve critical bulguları göster +leakwatch scan fs . --min-severity medium +``` + +`output.severity-threshold` altında yapılandırma dosyasında kalıcı bir varsayılan ayarlayabilirsiniz. `--min-severity` bayrağı, çalışma zamanında yapılandırma değerini geçersiz kılar: + +```yaml +output: + severity-threshold: medium +``` + +## `--only-verified`: yalnızca onaylanmış aktif sırlar + +Yalnızca doğrulama durumu `verified_active` olan bulguları, yani Leakwatch'ın sağlayıcı API'sine kontrollü bir salt-okunur çağrı yaparak hâlâ geçerli olduğunu doğruladığı sırları tutmak için `--only-verified` parametresini kullanın. Diğer tüm bulgular (doğrulanmamış, doğrulanmış-etkin değil veya doğrulama hatası) bırakılır. + +```bash +leakwatch scan fs . --only-verified +``` + +Bu bayrak, derlemeyi yalnızca onaylanmış olaylar üzerinde, yer tutucu veya zaten döndürülmüş kimlik bilgileri olabilecek şüpheli desenler üzerinde değil, başarısız kılmak istediğiniz CI hatlarında en kullanışlıdır. + +Hangi dedektörlerin canlı doğrulamayı desteklediği için [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) bölümüne bakın. + +## `filter.exclude-detectors`: belirli dedektörleri devre dışı bırak + +Bir veya daha fazla dedektörü kalıcı olarak devre dışı bırakmak için ID'lerini yapılandırma dosyasındaki `filter.exclude-detectors` altında listeleyin. Listelenen dedektörlerden gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez: + +```yaml +filter: + exclude-detectors: + - generic-api-key + - jwt +``` + +Dedektör ID'leri [Dedektör Kataloğu](#/detectors/detector-catalog)'nda listelenmiştir. Bir dedektör sürekli olarak kod tabanınız için yanlış pozitifler ürettiğinde ve diğer bastırma mekanizmaları (satır içi yok saymalar veya `.leakwatchignore`) yeterince ayrıntılı olmadığında bu ayarı kullanın. + +## `filter.exclude-paths`: tarama öncesi yolları atla + +Yolları tarama motoru okumadan önce dışlamak için yapılandırma dosyasında `filter.exclude-paths` kullanın. Desenler, `.leakwatchignore` ile aynı glob söz dizimini kullanır (standart globlar, `**` çift yıldız ve sondaki eğik çizgili dizin desenleri) ve **tüm tarama kaynaklarına** uygulanır: + +```yaml +filter: + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "**/*.min.js" + - "**/*.min.css" + - "test/fixtures/" +``` + +:::note +`scan fs` komutunda `--exclude ` bayrağı, `filter.exclude-paths` ile komut satırı eşdeğeridir. `--exclude` bayrağı **yalnızca** `scan fs` komutunda mevcuttur — diğer tüm kaynaklar için yapılandırma dosyası ayarını kullanın. +::: + +## CI'da filtreleri birleştirme + +Bir CI hattında genellikle yalnızca gerçek olaylarda başarısız olan, düşük gürültülü ve yüksek sinyalli bir çalışma istersiniz. Önerilen bir kombinasyon: + +```bash +leakwatch scan fs . \ + --only-verified \ + --min-severity high \ + --format sarif \ + --output results.sarif +``` + +Yapılandırma dosyasının kalıcı yol dışlamalarını yönetmesiyle: + +```yaml +filter: + exclude-paths: + - "vendor/**" + - "node_modules/**" + - "test/fixtures/" + exclude-detectors: + - generic-api-key + +output: + severity-threshold: high +``` + +Ardından CI için yalnızca biçimi ve hedefi komut satırında geçersiz kılın: + +```bash +leakwatch scan fs . --only-verified --format sarif --output results.sarif +``` + +Doğrulama ayrıntıları için [Doğrulama Nasıl Çalışır](#/verification/how-verification-works), satır içi ve dosya tabanlı bastırma için [Bulguları Yok Sayma](#/configuration/ignoring-findings) ve tam şema için [Yapılandırma Dosyası](#/configuration/config-file) bölümlerine bakın. + +## Ayrıca bakın + +- [Dedektör Kataloğu](#/detectors/detector-catalog) +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) +- [Yapılandırma Dosyası](#/configuration/config-file) +- [Bulguları Yok Sayma](#/configuration/ignoring-findings) diff --git a/docs/user-manuals/tr/detectors/custom-rules.md b/docs/user-manuals/tr/detectors/custom-rules.md new file mode 100644 index 0000000..6a0ef00 --- /dev/null +++ b/docs/user-manuals/tr/detectors/custom-rules.md @@ -0,0 +1,113 @@ +--- +title: "Özel Kurallar" +description: "YAML ile kendi sır tespit kalıplarınızı nasıl tanımlayacağınız ve 63 yerleşik dedektörün yanında bir Leakwatch taramasına nasıl ekleyeceğiniz." +--- + +# Özel Kurallar + +63 yerleşik dedektör yaygın kullanılan kimlik bilgisi formatlarını kapsar; ancak her kuruluşun dahili token'ları, özel servis anahtarları veya hiçbir genel aracın önceden tahmin edemeyeceği ortama özgü kalıpları vardır. Özel kurallar, kaynak kodu değiştirmeden veya ikili dosyayı yeniden derlemeden kendi kalıplarınızı düz YAML ile tanımlamanıza ve çalışma zamanında yüklemenize olanak tanıyarak Leakwatch'ı genişletmenizi sağlar. + +## Özel kurallar nerede tanımlanır + +Özel kurallar, `.leakwatch.yaml` yapılandırma dosyanızda en üst düzey bir `custom-rules:` listesi altında tanımlanır: + +```yaml +custom-rules: + - id: acme-internal-token + description: "ACME Corp dahili servis token'ı" + regex: 'acme_[a-z0-9]{32}' + keywords: + - acme_ + severity: critical + entropy: 3.5 +``` + +Kurallar, Leakwatch başladığında çalışma zamanında kaydedilir. Aynı Aho-Corasick ön-filtre hattını kullanarak yerleşik dedektörlerle birlikte çalışırlar. + +## Kural alanları + +| Alan | Zorunlu | Tür | Açıklama | +|------|---------|-----|----------| +| `id` | Evet | string | Benzersiz dedektör ID'si. Çıktıda ve `filter.exclude-detectors` içinde kullanılır. Yerleşik dedektör ID'si veya başka bir özel kural ID'si ile çakışmamalıdır. | +| `description` | Hayır | string | Çıktıda gösterilen insan tarafından okunabilir açıklama. | +| `regex` | Evet | string | RE2 uyumlu düzenli ifade. Maksimum 4096 karakter. | +| `keywords` | Hayır | string listesi | Aho-Corasick ön-filtre anahtar kelimeleri. Regex yalnızca bu dizelerden en az birini içeren parçalar üzerinde çalışır. Bu alanın atlanması regex'in her parça üzerinde çalışmasına neden olur. | +| `severity` | Hayır | string | `critical`, `high`, `medium` veya `low`. Varsayılan `medium`'dur. | +| `entropy` | Hayır | float | Shannon entropi eşiği (0–8). Entropisi bu değerin **altında** olan eşleşmeler atılır. Düşük rastgelelikli yanlış pozitifleri filtrelemek için kullanışlıdır. | + +:::tip +Her zaman `keywords` belirtin. Tek kısa bir anahtar kelime bile (token ön eki gibi) regex motorunun işlediği parça sayısını önemli ölçüde azaltır ve büyük depolarda taramaların hızlı kalmasını sağlar. Örneğin tüm dahili token'larınız `acme_` ile başlıyorsa `keywords: [acme_]` ayarlayın. + +`entropy` kullanarak `acme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` gibi kalıbı karşılayan ancak açıkça gerçek sır olmayan yer tutucu değerlerdeki eşleşmeleri bastırın. 3,0–3,5 civarı bir eşik iyi bir başlangıç noktasıdır. +::: + +## Çakışma yönetimi + +Bir özel kuralın `id`'si zaten kayıtlı bir dedektörle eşleşirse — yerleşik dedektör veya daha önce yüklenen özel kural olsun fark etmez — yinelenen kural **atlanır** ve bir hata loglanır. Leakwatch çökmez; geri kalan kurallar normal şekilde yüklenir. Bir özel kuralın etkisiz göründüğü durumlarda log çıktısını kontrol edin. + +## Doğrulama + +Özel kuralların eşleştirilmiş doğrulayıcısı yoktur. Özel kurallardan gelen bulgular her zaman `unverified` durumuyla raporlanır — hiçbir zaman `verified_active` veya `verified_inactive` olmaz. + +## Tam örnek + +Aşağıdaki `.leakwatch.yaml`, iki özel kural tanımlar: biri dahili servis token'ı, diğeri webhook'larda kullanılan imzalama sırrı için. + +```yaml +custom-rules: + - id: acme-internal-token + description: "ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)" + regex: 'acme_[a-f0-9]{32}' + keywords: + - acme_ + severity: critical + entropy: 3.2 + + - id: acme-webhook-signing-secret + description: "ACME Corp webhook imzalama sırrı (format: whsec_ + 40 base64url karakter)" + regex: 'whsec_[A-Za-z0-9_\-]{40}' + keywords: + - whsec_ + severity: high + entropy: 3.5 +``` + +Bu yapılandırmayla bir tarama çalıştırın: + +```bash +leakwatch scan fs . --config .leakwatch.yaml +``` + +Özel kural bulgusu için örnek JSON çıktısı (sır değeri maskelenmiştir): + +```json +{ + "detector_id": "acme-internal-token", + "description": "ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)", + "severity": "critical", + "verification_status": "unverified", + "file": "config/production.env", + "line": 14, + "raw_redacted": "acme_********************************" +} +``` + +:::note +`raw_redacted` alanı gerçek sırrı her zaman maskeler. Ham değer, açıkça `--show-raw` geçilmedikçe çıktıya asla yazılmaz (kontrollü ortamlar dışında önerilmez). +::: + +## Özel kuralı hariç tutma + +Özel kurallar, yerleşik dedektörlerle aynı filtrelemeye katılır. Bir özel kuralı yapılandırmadan kaldırmadan devre dışı bırakmak için: + +```yaml +filter: + exclude-detectors: + - acme-internal-token +``` + +## Ayrıca bakın + +- [Yapılandırma: Yapılandırma Dosyası](#/configuration/config-file) — `custom-rules:` öğesinin belge yapısındaki yeri dahil `.leakwatch.yaml` için tam referans. +- [Dedektör Kataloğu](#/detectors/detector-catalog) — özel kuralınızı adlandırmadan önce ID çakışmalarını kontrol etmek için 63 yerleşik dedektör. +- [Nasıl Çalışır](#/getting-started/how-it-works) — `keywords` öğesinin bağlandığı Aho-Corasick ön-filtre hattı. diff --git a/docs/user-manuals/tr/detectors/detector-catalog.md b/docs/user-manuals/tr/detectors/detector-catalog.md new file mode 100644 index 0000000..4a72709 --- /dev/null +++ b/docs/user-manuals/tr/detectors/detector-catalog.md @@ -0,0 +1,167 @@ +--- +title: "Dedektör Kataloğu" +description: "Kategorilere göre gruplanmış tüm 63 yerleşik dedektör; ID'leri, ne tespit ettikleri ve varsayılan şiddet seviyeleri ile." +--- + +# Dedektör Kataloğu + +Leakwatch, bulut sağlayıcısı erişim anahtarlarından ve yapay zekâ API token'larından veritabanı bağlantı dizelerine ve özel kriptografik anahtarlara kadar geniş bir kimlik bilgisi türü yelpazesini kapsayan **63 yerleşik dedektör** ile gelir. Her dedektörün kararlı bir ID'si, varsayılan bir şiddet seviyesi ve (çoğu için) bulunan sırrın hâlâ canlı olup olmadığını teyit edebilen eşleştirilmiş bir doğrulayıcısı vardır. + +Bu sayfa her yerleşik dedektörü listeler. Doğrulama kapsamı ayrıntıları için [Doğrulama Kapsamı](#/verification/verification-coverage) bölümüne bakın. Kendi kalıplarınızı eklemek için [Özel Kurallar](#/detectors/custom-rules) bölümüne bakın. + +## Bu katalogu nasıl okuyacaksınız + +- **ID** — yapılandırma ve çıktıda kullanılan kararlı dize tanımlayıcısı. Bir dedektörü atlamak için `filter.exclude-detectors` listesine ekleyin veya `--min-severity` filtrelemesiyle birlikte kullanın ([Şiddet ve Filtreleme](#/configuration/severity-and-filtering)). +- **Tespit eder** — dedektörün ne aradığı. +- **Şiddet** — `Critical` (Kritik), `High` (Yüksek) veya `Medium` (Orta). Bu varsayılandır; `--min-severity` bayrağını ve `output.severity-threshold` yapılandırma anahtarını besler. + +--- + +## Bulut ve Altyapı + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `aws-access-key-id` | AWS Access Key ID | Critical | +| `gcp-service-account` | GCP Servis Hesabı Anahtarı | Critical | +| `azure-storage-key` | Azure Storage Bağlantı Dizesi | Critical | +| `azure-entra-secret` | Azure Entra ID İstemci Sırrı | Critical | +| `digitalocean-token` | DigitalOcean Kişisel Erişim Token'ı | Critical | +| `cloudflare-api-token` | Cloudflare API Token'ı | Critical | +| `heroku-api-key` | Heroku API Anahtarı | Critical | +| `vercel-token` | Vercel API Token'ı | High | +| `terraform-cloud-token` | Terraform Cloud/Enterprise API Token'ı | Critical | +| `hashicorp-vault-token` | HashiCorp Vault Token'ı | Critical | +| `doppler-token` | Doppler Servis Token'ı | Critical | + +## Yapay Zekâ / Makine Öğrenimi + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `openai-api-key` | OpenAI API Anahtarı | Critical | +| `anthropic-api-key` | Anthropic API Anahtarı | Critical | +| `deepseek-api-key` | DeepSeek API Anahtarı | Critical | +| `huggingface-token` | Hugging Face API Token'ı | Critical | + +## Ödemeler ve Ticaret + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `stripe-api-key-live` | Stripe Canlı API Anahtarı | Critical | +| `stripe-api-key-test` | Stripe Test API Anahtarı | High | +| `coinbase-api-key` | Coinbase API Anahtarı | Critical | +| `shopify-access-token` | Shopify Erişim Token'ı | Critical | + +## Geliştirme Araçları, CI ve Paketler + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `github-token` | GitHub Kişisel Erişim Token'ı | Critical | +| `github-oauth-token` | GitHub OAuth2 Token'ı | Critical | +| `gitlab-pat` | GitLab Kişisel Erişim Token'ı | Critical | +| `bitbucket-app-password` | Bitbucket Uygulama Parolası | Critical | +| `circleci-token` | CircleCI Kişisel API Token'ı | High | +| `npm-token` | NPM Erişim Token'ı | High | +| `pypi-api-token` | PyPI API Token'ı | High | +| `rubygems-api-key` | RubyGems API Anahtarı | High | +| `dockerhub-pat` | Docker Hub Kişisel Erişim Token'ı | Critical | +| `sonarcloud-token` | SonarCloud/SonarQube Token'ı | High | +| `snyk-api-key` | Snyk API Anahtarı | High | +| `databricks-token` | Databricks Kişisel Erişim Token'ı | Critical | +| `launchdarkly-sdk-key` | LaunchDarkly SDK Anahtarı | High | + +## İletişim ve İşbirliği + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `slack-token` | Slack Bot/Kullanıcı Token'ı | Critical | +| `slack-webhook` | Slack Webhook URL'si | High | +| `teams-webhook` | Microsoft Teams Gelen Webhook URL'si | High | +| `discord-bot-token` | Discord Bot Token'ı | Critical | +| `telegram-bot-token` | Telegram Bot Token'ı | High | +| `notion-token` | Notion Dahili Entegrasyon Token'ı | High | +| `linear-api-key` | Linear API Anahtarı | High | +| `figma-pat` | Figma Kişisel Erişim Token'ı | High | +| `airtable-pat` | Airtable Kişisel Erişim Token'ı | High | + +## E-posta ve Mesajlaşma Teslimatı + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `sendgrid-api-key` | SendGrid API Anahtarı | Critical | +| `mailgun-api-key` | Mailgun API Anahtarı | Critical | +| `postmark-server-token` | Postmark Sunucu API Token'ı | High | +| `twilio-api-key` | Twilio API Anahtarı | Critical | + +## İzleme ve Gözlemlenebilirlik + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `datadog-api-key` | Datadog API Anahtarı | Critical | +| `newrelic-api-key` | New Relic API Anahtarı | High | +| `grafana-api-key` | Grafana API Anahtarı | High | +| `sentry-token` | Sentry Kimlik Doğrulama Token'ı | High | +| `pagerduty-api-key` | PagerDuty API Anahtarı | High | + +## Veritabanları ve Bağlantı Dizeleri + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `database-connection-string` | Veritabanı Bağlantı Dizesi | Critical | +| `redis-connection-string` | Redis Bağlantı Dizesi | Critical | +| `rabbitmq-connection-string` | RabbitMQ Bağlantı Dizesi | Critical | +| `snowflake-credentials` | Snowflake Bağlantı Kimlik Bilgileri | Critical | +| `supabase-service-key` | Supabase Servis Rolü Anahtarı | Critical | + +## Kimlik ve Erişim + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `auth0-management-token` | Auth0 Yönetim API Token'ı | Critical | +| `okta-api-token` | Okta API Token'ı | Critical | +| `ldap-credentials` | LDAP/LDAPS Bağlama Kimlik Bilgileri | Critical | + +## Web3 + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `infura-api-key` | Infura API Anahtarı | High | + +## Genel ve Kriptografik + +| ID | Tespit eder | Şiddet | +|----|------------|--------| +| `generic-api-key` | Genel API Anahtarı | Medium | +| `jwt` | JSON Web Token | High | +| `private-key` | Özel Anahtar (RSA, SSH, DSA, EC, PGP) | Critical | +| `ftp-credentials` | FTP/SFTP Kimlik Bilgileri | Critical | + +--- + +**Toplam: 63 yerleşik dedektör.** + +## Şiddete göre filtreleme + +Bulgular, komut satırında `--min-severity` veya yapılandırmada `output.severity-threshold` kullanılarak şiddet seviyesine göre filtrelenebilir. Yalnızca belirtilen seviyede veya üzerindeki bulgular çıktıya dahil edilir. Ayrıntılar için [Şiddet ve Filtreleme](#/configuration/severity-and-filtering) bölümüne bakın. + +## Belirli dedektörleri hariç tutma + +Bir veya daha fazla dedektörü tamamen atlamak için ID'lerini `.leakwatch.yaml` içindeki `filter.exclude-detectors` listesine ekleyin: + +```yaml +filter: + exclude-detectors: + - generic-api-key + - jwt +``` + +Tam filtreleme referansı için [Şiddet ve Filtreleme](#/configuration/severity-and-filtering) bölümüne bakın. + +## Doğrulama kapsamı + +Bazı dedektörlerin canlı doğrulayıcısı vardır; bazıları yalnızca format doğrulamasına tabi tutulur; dokuzu ise hiç doğrulayıcıya sahip değildir. Tam döküm için [Doğrulama Kapsamı](#/verification/verification-coverage) bölümüne bakın. + +## Ayrıca bakın + +- [Özel Kurallar](#/detectors/custom-rules) — YAML ile kendi tespit kalıplarınızı tanımlayın. +- [Doğrulama Kapsamı](#/verification/verification-coverage) — hangi dedektörlerin canlı doğrulanabileceği. +- [Şiddet ve Filtreleme](#/configuration/severity-and-filtering) — bulguları şiddet seviyesine veya dedektöre göre filtreleme. diff --git a/docs/user-manuals/tr/getting-started/how-it-works.md b/docs/user-manuals/tr/getting-started/how-it-works.md new file mode 100644 index 0000000..d49cde1 --- /dev/null +++ b/docs/user-manuals/tr/getting-started/how-it-works.md @@ -0,0 +1,163 @@ +--- +title: "Nasıl Çalışır" +description: "Leakwatch tarama hattının mimarisi: kaynaklar, tespit, doğrulama ve çıktı." +--- + +# Nasıl Çalışır + +Leakwatch hattını anlamak, performansı ayarlamanıza, sonuçları yorumlamanıza ve hangi bayrakları kullanacağınıza karar vermenize yardımcı olur. Bu sayfa, bir tarama komutunu çalıştırdığınız andan bir bulgunun çıktınızda göründüğü ana kadar neler olduğunu açıklar. + +## Hatta genel bakış + +```mermaid +flowchart LR + A([Kaynak\nfs / git / image\ns3 / gcs / slack]) --> B[İşçi Havuzu\n—concurrency işçi] + B --> C[Aho-Corasick\nÖn-Filtre] + C --> D[Regex\nDedektörler] + D --> E[Satır İçi İgnore\nKontrolü] + E --> F[Doğrulama\nHavuzu\n4 işçi / 10 rps] + F --> G[Tarama Sonrası\nFiltreler] + G --> H([Çıktı\njson / sarif\ncsv / table]) +``` + +Her aşama aşağıda ayrıntılı olarak açıklanmaktadır. + +## 1. Kaynak + +Her tarama, motorun işlemesi için veri parçaları yayan bir soyutlama olan **Kaynak** ile başlar. Leakwatch altı kaynak ile birlikte gelir: + +| Kaynak | Komut | Ne yayar | +|--------|-------|----------| +| Dosya sistemi | `scan fs` | Yerel bir dizin ağacındaki dosya içerikleri | +| Git geçmişi | `scan git` | Tüm commit geçmişindeki her blob | +| Konteyner imajı | `scan image` | Bir OCI/Docker imajının katman içerikleri, daemonsuz | +| AWS S3 | `scan s3` | Bir S3 kovasındaki nesne içerikleri | +| Google Cloud Storage | `scan gcs` | Bir GCS kovasındaki nesne içerikleri | +| Slack | `scan slack` | Kanal ve DM'lerdeki mesaj metni | + +:::note +Slack taraması yalnızca **mesaj metnini** kapsar. Slack'e yüklenen dosyaların içerikleri taranmaz. +::: + +Parçalar, işçi havuzu tarafından tüketilen tamponlu bir kanala akar. + +## 2. İşçi havuzu + +Motor, sabit sayıda **goroutine** içeren bir havuz yönetir — her biri `--concurrency` değerine karşılık gelir (varsayılan: CPU sayısı). Her işçi kanaldan bir parça alır ve tespit hattını bağımsız olarak çalıştırır. İşçiler değişebilir durum paylaşmadığından havuz, I/O ve bellek sınırlarına kadar eşzamanlılıkla doğrusal ölçeklenir. + +Taramalar `SIGINT` / `SIGTERM`'e yanıt verir: iptal sinyali geldiğinde bağlam iptal edilir, işçiler mevcut parçalarını tamamlayıp durur ve kısmi sonuçlar çıktı yazılmadan önce toplanır. + +## 3. Aho-Corasick anahtar kelime ön-filtresi + +Her parça üzerinde 63 regex desenini çalıştırmak yavaş olur. Bunun yerine motor, başlangıçta her dedektörün bildirdiği anahtar kelime listelerinden tek bir **Aho-Corasick çok-desenli otomat** oluşturur. Her parça için bu otomat tek bir doğrusal geçiş yapar ve yalnızca anahtar kelimeleri parçanın baytlarında görünen dedektörleri döndürür. + +Bu, çoğu dedektörün çoğu parça üzerinde regex'ini hiç çalıştırmadığı anlamına gelir. Anahtar kelime bildirmeyen dedektörler her zaman çalışır (ön filtreyi atlayarak doğrudan regex'e geçerler). + +Aho-Corasick uygulaması [cloudflare/ahocorasick](https://github.com/cloudflare/ahocorasick) kütüphanesinden gelmektedir. + +## 4. Regex dedektörler + +Kısa listeye alınan her dedektör, derlenmiş **düzenli ifadesini** parça baytları üzerinde çalıştırır. Bir desen eşleştiğinde dedektör şunları içeren bir `RawFinding` döndürür: + +- Ham sır baytları (yalnızca doğrulama için bellekte tutulur; asla loglanmaz veya diske yazılmaz). +- Çıktı için güvenli olan **maskelenmiş** bir gösterim. +- İsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği). + +Leakwatch, 60 paket genelinde **63 yerleşik dedektör** ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. [Özel YAML kuralları](#/configuration/custom-rules) aracılığıyla kendi desenlerinizi ekleyebilirsiniz. + +Tüm dedektörler, Go'nun `init()` işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur. + +## 5. Satır içi ignore kontrolü + +Bir bulgu doğrulamaya gönderilmeden önce motor, kaynak satırın bir **satır içi ignore işareti** içerip içermediğini kontrol eder: + +```go +// leakwatch:ignore +``` + +veya dedektöre özgü bir varyant: + +```go +// leakwatch:ignore:aws-access-key-id +``` + +İşaret mevcutsa bulgu, **herhangi bir ağ çağrısı yapılmadan önce** sessizce bırakılır. Bu kasıtlıdır: yoksayılan sırlar asla canlı bir API isteğini tetiklememeli. + +## 6. Doğrulama + +Tüm parçalar için tespit tamamlandıktan sonra motor, bulguları ayrı bir **doğrulama işçi havuzuna** geçirir (varsayılan 4 işçi). Doğrulama: + +- Tüm işçiler arasında paylaşılan global bir **hız sınırlayıcı** (varsayılan saniyede 10 istek) ile korunur. +- Her API çağrısına **istek başına zaman aşımı** (varsayılan 10 saniye) uygular. +- Sağlayıcıya yalnızca **salt-okunur, yıkıcı olmayan** çağrılar yapar (örneğin AWS anahtarları için `sts:GetCallerIdentity`). +- Her bulguyu dört durumdan biriyle işaretler: `verified:active`, `verified:inactive`, `unverified` veya `verify:error`. + +Leakwatch **54 doğrulayıcı** ile birlikte gelir; 63 yerleşik dedektör türünün %85,7'sini kapsar. Kalan 9 tür (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman `unverified` olarak raporlanır. + +Bu aşamayı tamamen atlamak için `--no-verify` geçirin — hızlı, çevrimdışı taramalar için kullanışlıdır. + +Doğrulama davranışı ve durum anlamları hakkında derinlemesine bilgi için [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) sayfasına bakın. + +## 7. Bulgu kimliği ve entropi + +Her bulgu, şu şekilde hesaplanan **deterministik bir kimlik** alır: + +``` +sha256(dedektörID + maskelendi + dosyaYolu + satır) → 16 hex karaktere kısaltıldı +``` + +Aynı konumdaki aynı sır her zaman aynı kimliği üretir; bu da bulguları çalıştırmalar arasında yinelenenleri kaldırmayı veya sorun izleyicilerde takip etmeyi güvenli kılar. + +**Shannon entropisi** (aralık 0–8) her bulgu için hesaplanır ve bilgilendirme amacıyla çıktıda gösterilir. Motor düzeyinde entropi, yerleşik bulguları **engellemez veya düşürmez** — düşük entropili bir eşleşme yine de sonuçlarda görünür. Entropi eşikleri yalnızca özel kuralların içinde geçerlidir; her kural kendi minimumunu bildirebilir. + +## 8. Tarama sonrası filtreler + +Doğrulamadan sonra iki filtre uygulanır: + +- `--only-verified` — `verified:active` olmayan tüm bulguları bırakır. +- `--min-severity` — belirtilen önem düzeyinin (`low` | `medium` | `high` | `critical`; varsayılan `low`) altındaki bulguları bırakır. + +Her iki filtre de doğrulama sonrasında çalışır; böylece `--only-verified` değerlendirildiğinde doğrulama durumu kullanılabilir olur. + +## 9. Çıktı + +Hayatta kalan bulgular dört **biçimleyiciden** birine iletilir: + +| Biçim | Bayrak | Yaygın kullanım | +|-------|--------|-----------------| +| JSON | `--format json` (varsayılan) | Makine tarafından okunabilir, hat dostu | +| SARIF v2.1.0 | `--format sarif` | GitHub Code Scanning, güvenlik panoları | +| CSV | `--format csv` | Elektronik tablolar, veri analizi | +| Tablo | `--format table` | Terminal incelemesi, önem derecesine göre renklendirilmiş | + +Çıktı varsayılan olarak stdout'a gider; bir dosyaya yazmak için `--output ` kullanın. + +Biçim veya çıktı hedefi ne olursa olsun, her taramadan sonra bir **tarama özeti** (tarih, kaynak türü, hedef, taranan dosyalar, süre, bulgu sayısı, kesme durumu) her zaman **stderr**'e yazdırılır. + +## Sır güvenliği + +Leakwatch, bulunan sırların doğrulama çağrıları dışında süreç sınırını asla terk etmemesi için tasarlanmıştır: + +- Ham sır baytları yalnızca tespit ve doğrulama sırasında bellekte yaşar. +- `--show-raw` bayrağı varsayılan olarak `false`'tur; bu olmadan çıktıda yalnızca maskelenmiş gösterim görünür. +- Sırlar asla diske yazılmaz, `slog` aracılığıyla loglanmaz veya çalıştırmalar arasında önbelleğe alınmaz. + +## Tasarım kararları + +Mimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır: + +- **Go + CGO devre dışı** (ADR-0001) — tek statik ikili dosya, çalışma zamanı bağımlılığı yok, tüm platformlara çapraz derlenir. +- **Cobra + Viper** (ADR-0002) — `bayrak > env > yapılandırma > varsayılan` önceliğiyle hiyerarşik CLI. +- **go-git** (ADR-0003) — saf Go Git kütüphanesi; harici `git` ikili dosyası gerekmez. +- **Derleme zamanı dedektör kaydı** (ADR-0004) — `init()` + boş importlar; tür güvenli, çalışma zamanı eklenti yükleyicisi yok. +- **Aho-Corasick hibrit eşleştirme** (ADR-0005) — ön filtre, alakasız parçalardaki regex çalışmasının çoğunu ortadan kaldırır. +- **go-containerregistry** (ADR-0006) — daemonsuz katman analizi; imajları taramak için Docker daemon gerekmez. +- **İşçi havuzu** (ADR-0008) — sabit goroutine sayısı, kanal tabanlı fan-out; öngörülebilir bellek ve CPU kullanımı. + +## Ayrıca bakın + +- [Hızlı Başlangıç](#/getting-started/quick-start) +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) +- [Yapılandırma Dosyası](#/configuration/config-file) +- [CLI Referansı](#/reference/cli-reference) +- [Özel Kurallar](#/configuration/custom-rules) diff --git a/docs/user-manuals/tr/getting-started/installation.md b/docs/user-manuals/tr/getting-started/installation.md new file mode 100644 index 0000000..72f2efc --- /dev/null +++ b/docs/user-manuals/tr/getting-started/installation.md @@ -0,0 +1,101 @@ +--- +title: "Kurulum" +description: "Leakwatch'ı Homebrew, go install, Docker veya hazır bir ikili dosya ile kurun." +--- + +# Kurulum + +Leakwatch'ı makinenize kurmak bir dakikadan az sürer. İş akışınıza en uygun yöntemi seçin: Homebrew macOS ve Linux'ta en basit seçenektir, `go install` halihazırda bir Go araç zinciriniz varsa idealdir, Docker ana sisteminizi temiz tutar ve hazır ikili dosyalar herhangi bir araç zinciri gerektirmeden her yerde çalışır. + +## Homebrew (macOS ve Linux) + +Resmi tap, amd64 ve arm64 mimarilerinde macOS ve Linux'u destekler. + +```bash +brew install HodeTech/tap/leakwatch +``` + +Tap, [github.com/HodeTech/homebrew-tap](https://github.com/HodeTech/homebrew-tap) adresinde barındırılmaktadır. Homebrew ile yükseltmek için `brew upgrade leakwatch` komutunu kullanın. + +## go install + +Go 1.25 veya daha yeni bir sürümü yüklüyse, en son sürümü doğrudan kaynaktan derleyip kurabilirsiniz: + +```bash +go install github.com/HodeTech/leakwatch@latest +``` + +İkili dosya `$(go env GOPATH)/bin` dizinine yerleştirilir. Bu dizinin `PATH` değişkeninde olduğundan emin olun. + +:::note +`go install` her zaman en son etiketli sürümü getirir. Belirli bir sürüme sabitlemek için `@latest` yerine `@v1.5.0` gibi bir etiket kullanın. +::: + +## Docker + +Minimal, çok aşamalı bir Alpine imajı GitHub Container Registry'de yayımlanmaktadır. İmaj, root olmayan bir kullanıcı (`leakwatch`) olarak çalışır, CGO devre dışıdır ve çalışma dizini olarak `/scan` kullanır. + +```bash +docker run --rm \ + -v "$(pwd):/scan" \ + ghcr.io/hodetech/leakwatch:latest \ + scan fs /scan +``` + +Kullanılabilir etiketler: + +| Etiket | Açıklama | +|--------|----------| +| `:latest` | En son sürüm | +| `:v1.5.0` | Tam sürüm sabitleme | +| `:v1.5` | Küçük sürüm sabitleme (yama sürümlerini takip eder) | + +Taramak istediğiniz dizini konteyner içindeki `/scan` dizinine bağlayın. Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için [CLI Referansı](#/reference/cli-reference) sayfasına bakın. + +:::tip +Uzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için [Docker Kullanımı](#/guides/docker) sayfasına bakın. +::: + +## Hazır ikili dosya + +Her sürüm, desteklenen tüm platformlar için [GitHub Releases](https://github.com/HodeTech/Leakwatch/releases) sayfasında tar arşivleri yayımlar. Platformunuza ait arşivi indirin, açın ve ikili dosyayı `PATH` değişkeninizdeki bir dizine taşıyın. + +**Desteklenen platformlar:** amd64 ve arm64 mimarilerinde Linux, macOS ve Windows. + +```bash +# Linux amd64 örneği — OS ve ARCH değerlerini platformunuza göre değiştirin +curl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz +tar -xzf leakwatch_Linux_amd64.tar.gz +sudo mv leakwatch /usr/local/bin/leakwatch +``` + +Platform adlandırması `leakwatch__.tar.gz` kalıbını izler; `` değeri `Linux`, `Darwin` veya `Windows`, `` değeri ise `amd64` veya `arm64` olabilir. + +## Kurulumu doğrulama + +Herhangi bir kurulum yönteminin ardından ikili dosyanın erişilebilir olduğunu doğrulayın ve sürümü kontrol edin: + +```bash +leakwatch version +``` + +Beklenen çıktı: + +```text +leakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z) +``` + +Komut bulunamazsa kurulum dizininin `PATH` değişkeninde olup olmadığını kontrol edin. + +## Sonraki adımlar + +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Nasıl Çalışır](#/getting-started/how-it-works) — Leakwatch taramasının arkasındaki mimari. +- [Yapılandırma Dosyası](#/configuration/config-file) — `.leakwatch.yaml` ile tarama davranışını özelleştirin. + +## Ayrıca bakın + +- [Hızlı Başlangıç](#/getting-started/quick-start) +- [Docker Kullanımı](#/guides/docker) +- [CLI Referansı](#/reference/cli-reference) +- [Yapılandırma Dosyası](#/configuration/config-file) diff --git a/docs/user-manuals/tr/getting-started/introduction.md b/docs/user-manuals/tr/getting-started/introduction.md new file mode 100644 index 0000000..993caf0 --- /dev/null +++ b/docs/user-manuals/tr/getting-started/introduction.md @@ -0,0 +1,59 @@ +--- +title: "Tanıtım" +description: "Leakwatch nedir, neyi tarar ve sızan sırları nasıl tespit edip doğrular." +--- + +# Tanıtım + +**Leakwatch**, sızan sırları — API anahtarları, token'lar, parolalar, bağlantı dizeleri ve özel anahtarlar — kod tabanlarınızda, Git geçmişinizde, konteyner imajlarınızda, bulut depolamanızda ve Slack çalışma alanlarınızda **tespit eden, doğrulayan ve raporlayan** yüksek performanslı, açık kaynaklı (MIT) bir güvenlik aracıdır. + +Go ile yazılmıştır, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olarak dağıtılır (`CGO_ENABLED=0`) ve her yerde çalışacak şekilde tasarlanmıştır: bir geliştirici dizüstü bilgisayarı, bir pre-commit kancası veya bir CI/CD hattı. + +## Neden Leakwatch + +Tek bir commit'te sızan bir kimlik bilgisi — sonradan silinse bile — Git geçmişinde sonsuza dek erişilebilir kalabilir ve push edildikten dakikalar sonra istismar edilebilir. Leakwatch, bu sırları erken yakalamak ve hangilerinin *gerçekten tehlikeli* olduğunu söylemek için tasarlanmıştır: + +- **Geniş tespit** — bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını ve daha fazlasını kapsayan 63 yerleşik dedektör; ayrıca kendi YAML özel kurallarınız. +- **Yalnızca tespit değil, doğrulama** — 54 dedektör türü için Leakwatch, bulunan bir sırrın *hâlâ etkin* olup olmadığını sağlayıcıya kontrollü, salt-okunur bir çağrı yaparak teyit edebilir. Etkin olduğu doğrulanmış bir anahtar bir olaydır; etkin olmayan bir anahtar ise gürültüdür. +- **Çok sayıda kaynak** — yerel dosya sistemi, eksiksiz bir Git geçmişi, bir OCI/Docker imajı, AWS S3, Google Cloud Storage ve Slack mesajları. +- **CI-uyumlu çıktı** — JSON, SARIF (GitHub Code Scanning için), CSV ve renklendirilmiş terminal tablosu. +- **Tasarımı gereği sır-güvenli** — bulunan sırlar varsayılan olarak maskelenir ve asla loglanmaz, önbelleğe alınmaz veya diske yazılmaz. + +## Neleri tarar + +| Kaynak | Komut | Neyi kapsar | +|--------|-------|-------------| +| Dosya sistemi | `leakwatch scan fs` | Yerel bir dizin ağacındaki dosyalar | +| Git geçmişi | `leakwatch scan git` | Tüm commit geçmişindeki her blob (yerel veya uzak) | +| Konteyner imajı | `leakwatch scan image` | OCI/Docker imaj katmanları, daemonsuz | +| AWS S3 | `leakwatch scan s3` | Bir S3 kovasındaki nesneler | +| Google Cloud Storage | `leakwatch scan gcs` | Bir GCS kovasındaki nesneler | +| Slack | `leakwatch scan slack` | Kanallardaki ve (isteğe bağlı) DM'lerdeki mesaj metni | +| Çoklu depo | `leakwatch scan repos` | Aynı anda birden fazla Git deposu | + +## Tespit kısaca nasıl çalışır + +Leakwatch, büyük girdilerde bile hızlı kalmak için katmanlı bir hat kullanır: + +1. **Aho-Corasick anahtar kelime ön-filtresi** — tek bir çok-desenli otomat, bir parçayı hangi dedektörlerin eşleştirebileceğine hızla karar verir; böylece dedektörlerin çoğu regex'ini hiç çalıştırmaz. +2. **Regex doğrulaması** — yalnızca kısa listeye alınan dedektörler kesin desenlerini çalıştırır. +3. **Entropi** — Shannon entropisi gösterim için hesaplanır (ve özel kurallar tarafından düşük rastgelelikteki eşleşmeleri elemek için kullanılır). +4. **Doğrulama** — uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir. + +:::tip +Leakwatch'ı kullanmak için bu hattı anlamanız gerekmez — ancak taramaların neden hızlı olduğunu ve bazı bulguların neden bir doğrulama durumu gösterirken bazılarının göstermediğini açıklar. Tam tablo için [Nasıl Çalışır](#/getting-started/how-it-works) bölümüne bakın. +::: + +## Leakwatch *ne değildir* + +Beklentileri doğru belirlemek için: + +- Git geçmişini yeniden yazmaz veya sırları sizin için **kaldırmaz** — onları bulup raporlar ve (`--remediation` ile) nasıl döndüreceğinizi söyler. +- Slack taraması yalnızca **mesaj metnini** kapsar; yüklenen dosyaların *içeriğini* taramak uygulanmamıştır. +- Doğrulama, birçok sır türü için mevcuttur ancak hepsi için değil — 9 dedektör türü (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman doğrulanmamış olarak raporlanır. + +## Sonraki adımlar + +- [Kurulum](#/getting-started/installation) — Homebrew, `go install`, Docker veya hazır bir ikili dosya ile kurun. +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Nasıl Çalışır](#/getting-started/how-it-works) — taramanın arkasındaki mimari. diff --git a/docs/user-manuals/tr/getting-started/quick-start.md b/docs/user-manuals/tr/getting-started/quick-start.md new file mode 100644 index 0000000..08d5f50 --- /dev/null +++ b/docs/user-manuals/tr/getting-started/quick-start.md @@ -0,0 +1,152 @@ +--- +title: "Hızlı Başlangıç" +description: "İlk Leakwatch taramanızı bir dakikadan kısa sürede çalıştırın." +--- + +# Hızlı Başlangıç + +Leakwatch'ın neler yapabileceğini anlamanın en hızlı yolu, onu gerçek bir dizine yönlendirmektir. Bu sayfa ilk taramanızda size rehberlik eder, çıktının ne anlama geldiğini açıklar ve en sık kullanacağınız bayrakları gösterir. + +## Ön koşullar + +Leakwatch kurulu ve `PATH` değişkeninizde erişilebilir olmalıdır. Henüz yapmadıysanız [Kurulum](#/getting-started/installation) sayfasına bakın. + +## İlk taramanız + +Mevcut dizini tek bir komutla tarayın: + +```bash +leakwatch scan fs . +``` + +Varsayılan olarak çıktı JSON biçiminde stdout'a yazılır. Bunun yerine okunabilir, renklendirilmiş bir tablo almak için `--format table` ekleyin: + +```bash +leakwatch scan fs . --format table +``` + +Bir sonucun nasıl göründüğü aşağıdadır: + +```text + SEVERITY DETECTOR FILE LINE REDACTED STATUS +───────────────────────────────────────────────────────────────────────────────────────────── + CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active + HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active + MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified + +── Scan Summary ───────────────────────────────── + Date: 2026-05-23 14:03:11 + Source: filesystem + Target: /home/user/myproject + Files scanned: 312 + Duration: 1.24s + Findings: 3 +───────────────────────────────────────────────── +``` + +Tarama özeti her zaman **stderr**'e yazdırılır; bu nedenle pipe veya yeniden yönlendirilen çıktıyla hiçbir zaman çakışmaz. + +## Bulguyu anlamak + +Tablodaki her satır (veya JSON'daki her nesne) bir bulguyu temsil eder. Temel alanlar şunlardır: + +| Alan | Anlam | +|------|-------| +| **SEVERITY** | Sır türünün ne kadar kritik olduğu: `low`, `medium`, `high` veya `critical` | +| **DETECTOR** | Eşleşen dedektör — sır türünü tanımlar (örneğin `aws-access-key-id`) | +| **FILE** | Sırrın bulunduğu dosyanın tarama köküne göreli yolu | +| **LINE** | Eşleşmenin satır numarası | +| **REDACTED** | Sırrın maskelenmiş gösterimi — `--show-raw` ayarlanmadıkça ham değer hiçbir zaman gösterilmez | +| **STATUS** | Doğrulama sonucu: `verified:active`, `verified:inactive`, `unverified` veya `verify:error` | + +`verified:active` durumu, Leakwatch'ın sağlayıcıya salt-okunur bir API çağrısı yaparak sırrın hâlâ etkin olduğunu doğruladığı anlamına gelir. **Her `verified:active` bulgusunu açık bir olay olarak değerlendirin.** + +## Yaygın tarama seçenekleri + +### Yalnızca onaylanmış sırlara odaklanın + +```bash +leakwatch scan fs . --only-verified +``` + +Bu seçenek doğrulanmamış ve etkin olmayan bulguları gizler; yalnızca etkin olduğu onaylananları bırakır. Çok sayıda sonucunuz olduğunda önceliklendirme için kullanışlıdır. + +### Hızlı çevrimdışı tarama için ağ doğrulamasını atlayın + +```bash +leakwatch scan fs . --no-verify +``` + +Doğrulama tamamen atlanır — hiçbir giden ağ çağrısı yapılmaz. Sonuçlar daha hızlı görünür ve internet bağlantısı olmadan çalışır, ancak tüm bulgular `unverified` olarak işaretlenir. + +### Düzeltme kılavuzu ekleyin + +```bash +leakwatch scan fs . --remediation --format table +``` + +Her bulgu, söz konusu sır türünü nasıl döndüreceğinizi veya iptal edeceğinizi açıklayan bir **REMEDIATION** sütunu kazanır. Bayrak ayarlandığında aynı veriler JSON, SARIF ve CSV çıktısına da dahil edilir. + +### Minimum önem derecesine göre filtreleyin + +```bash +leakwatch scan fs . --min-severity high +``` + +Yalnızca `high` veya `critical` önem derecesindeki bulgular raporlanır. + +### Sonuçları dosyaya kaydedin + +```bash +leakwatch scan fs . --format sarif --output results.sarif +``` + +`--output` / `-o` bayrağı stdout yerine bir dosyaya yazar. SARIF çıktısı [GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning) ile uyumludur. + +## Yapılandırma dosyası oluşturma + +İlk denemede varsayılanlarla çalıştırmak uygundur; ancak tekrarlayan kullanım için proje düzeyinde bir yapılandırma isteyeceksiniz: + +```bash +leakwatch init +``` + +Bu komut, eşzamanlılık, entropi, doğrulama, çıktı biçimi ve yaygın yol dışlamaları için önerilen varsayılanlarla mevcut dizine `.leakwatch.yaml` yazar. Mevcut bir dosyanın üzerine yazmak için `--force`, farklı bir yola yazmak için `--output` kullanın. + +Her seçeneğin tam açıklaması için [Yapılandırma Dosyası](#/configuration/config-file) sayfasına bakın. + +## Çıkış kodları + +Leakwatch, CI betiklerinin çıktıyı ayrıştırmadan sonuçlara göre hareket edebilmesi için farklı çıkış kodları kullanır: + +| Kod | Anlam | +|-----|-------| +| `0` | Tarama tamamlandı — bulgu yok | +| `1` | Tarama tamamlandı — bir veya daha fazla sır bulundu | +| `2` | Tarama bir hata nedeniyle başarısız oldu | + +Tipik bir CI kapısı şöyle görünür: + +```bash +leakwatch scan fs . --only-verified --format sarif --output results.sarif +if [ $? -eq 1 ]; then + echo "Etkin sırlar bulundu — derleme başarısız" + exit 1 +fi +``` + +:::warn +Çıkış kodu `1`, etkin filtreleri geçen (`--min-severity` ve `--only-verified` dahil) *herhangi bir* bulgu olduğunda döndürülür. Temiz çıkış kodu `0`, hiçbir bulgunun eşleşmediği anlamına gelir — kod tabanında sır olmadığı anlamına gelmez. +::: + +## Taramayı iptal etme + +Çalışan bir taramayı iptal etmek için `Ctrl+C` tuşuna basın (veya `SIGTERM` gönderin). Leakwatch düzgün biçimde durur: işlemdeki parçalar tamamlanır, kısmi sonuçlar yazılır ve özet `Status: interrupted (partial results)` olarak gösterilir. + +## Ayrıca bakın + +- [Kurulum](#/getting-started/installation) +- [Nasıl Çalışır](#/getting-started/how-it-works) +- [CLI Referansı](#/reference/cli-reference) +- [Yapılandırma Dosyası](#/configuration/config-file) +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) diff --git a/docs/user-manuals/tr/output/output-formats.md b/docs/user-manuals/tr/output/output-formats.md new file mode 100644 index 0000000..4150aa3 --- /dev/null +++ b/docs/user-manuals/tr/output/output-formats.md @@ -0,0 +1,164 @@ +--- +title: "Çıktı Formatları" +description: "Leakwatch'ın desteklediği dört çıktı formatı — JSON, SARIF, CSV ve tablo — örnekler ve her birini ne zaman kullanacağınıza dair rehberlik." +--- + +# Çıktı Formatları + +Leakwatch dört çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları ve insan tarafından okunabilir terminal incelemesi. `--format` (veya `-f`) ile bir format seçin; stdout yerine bir dosyaya yazmak için `--output` (veya `-o`) kullanın. + +```bash +leakwatch scan fs . --format json +leakwatch scan fs . --format sarif --output results.sarif +leakwatch scan fs . --format csv --output findings.csv +leakwatch scan fs . --format table +``` + +Varsayılan format `json`'dur. + +## JSON + +JSON varsayılan format ve en eksiksiz temsil biçimidir. Leakwatch, stdout'a (veya `--output` ile verilen dosyaya) bulgu nesnelerinden oluşan bir JSON **dizisi** yazar. + +Ham sır değeri, `--show-raw` açıkça ayarlanmadıkça **hiçbir zaman** serileştirilmez. `--show-raw` ile her nesneye bir `"raw"` alanı eklenir. + +### Örnek çağrı + +```bash +leakwatch scan fs ./src --format json --output findings.json +``` + +### Örnek bulgu nesnesi + +```json +{ + "id": "a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f", + "detector_id": "github-token", + "severity": "critical", + "redacted": "ghp_****************************Xk9R", + "source": { + "source_type": "filesystem", + "file_path": "scripts/deploy.sh", + "line": 14 + }, + "verification": { + "status": "verified_active" + }, + "entropy": 5.82, + "detected_at": "2026-05-23T10:15:30Z" +} +``` + +`--remediation` de ayarlandığında her bulgunun içine iç içe bir `"remediation"` nesnesi yerleştirilir. Bkz. [Düzeltme Rehberi](#/output/remediation). + +## SARIF + +`sarif` formatı, [GitHub Code Scanning](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)'e yüklenmek üzere tasarlanmış bir SARIF v2.1.0 belgesi üretir. Araç adı `Leakwatch`'tır ve `informationUri` `https://github.com/HodeTech/Leakwatch` adresine işaret eder. + +Bulgularda görünen her dedektör, SARIF sürücüsünde bir **kural** haline gelir; `--remediation` ayarlandığında düzeltme adımlarından doldurulan `help` metni ve sağlayıcı belgelerine işaret eden bir `helpUri` ile birlikte. Sonuçlar, dedektör ID'si, maskelenmiş değer ve dosya yolundan hesaplanan bir `leakwatch/v1` kısmi parmak izi taşır — bu, çevresindeki kod kaydığında bile GitHub Code Scanning'in aynı uyarıyı takip etmesini sağlar. + +### Örnek çağrı + +```bash +leakwatch scan fs . --format sarif --output results.sarif +``` + +### GitHub Code Scanning'e yükleme + +```yaml +# Bir GitHub Actions iş akışı adımında: +- name: SARIF sonuçlarını yükle + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif +``` + +Tam CI kurulumu için [GitHub Action](#/ci-cd/github-action) bölümüne bakın. + +## CSV + +`csv` formatı, bir başlık satırı ve ardından bulgu başına bir satır yazar; standart virgülle ayrılmış değerler kullanır. Her hücre yazılmadan önce elektronik tablo formül enjeksiyonuna karşı sterilize edilir. + +**Sütunlar (varsayılan):** + +```text +id,detector_id,severity,redacted,file_path,commit,verification_status,remediation +``` + +`--show-raw` ayarlandığında, sona bir `raw` sütunu eklenir. + +`remediation` sütunu, `--remediation` ayarlandığında düzeltme başlığını (örn. `"Revoke GitHub Token"`) içerir, aksi hâlde boş kalır. + +### Örnek çağrı + +```bash +leakwatch scan git . --format csv --output findings.csv +``` + +### Örnek çıktı + +```csv +id,detector_id,severity,redacted,file_path,commit,verification_status,remediation +a3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token +b7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key +``` + +## Tablo + +`table` formatı, insan tarafından okunabilir sekme hizalı bir tablo yazar; sonuçların hızlı görsel taramasını istediğiniz etkileşimli terminal oturumları için en uygun formattır. + +**Sütunlar:** + +```text +SEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION +``` + +`--show-raw` ayarlandığında, sona bir `RAW` sütunu eklenir. Tablonun altına bir özet satırı yazdırılır (örn. `Found 3 secrets (1 critical, 2 high).`). + +**ANSI rengi**, `SEVERITY` sütununa otomatik olarak uygulanır, ancak yalnızca dört koşulun tamamı sağlandığında: + +1. `--format table` seçilmiş +2. Çıktı stdout'a gidiyor (`--output ` yok) +3. stdout bir TTY (pipe veya yönlendirme değil) +4. `NO_COLOR` ortam değişkeni ayarlanmamış + +| Önem derecesi | Renk | +|---|---| +| `critical` | Kalın kırmızı | +| `high` | Kırmızı | +| `medium` | Sarı | +| `low` | Mavi | + +### Örnek çağrı + +```bash +leakwatch scan fs . --format table --min-severity high +``` + +### Örnek çıktı + +```text +SEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION +-------- -------- ---- -------- ------ ----------- +CRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token +HIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key + +Found 2 secrets (1 critical, 1 high). +``` + +## Yaygın çıktı bayrakları + +| Bayrak | Kısa | Açıklama | +|---|---|---| +| `--format` | `-f` | Çıktı formatı: `json`, `sarif`, `csv`, `table` (varsayılan `json`) | +| `--output` | `-o` | stdout yerine dosyaya yaz | +| `--show-raw` | | Çıktıya maskelenmemiş sır değerini dahil et | +| `--min-severity` | | Bu önem seviyesinin altındaki bulguları bırak | +| `--only-verified` | | Yalnızca `verified_active` bulgularını tut | +| `--remediation` | | Bulguları sağlayıcı düzeltme rehberiyle zenginleştir | + +## Ayrıca bakın + +- [Düzeltme Rehberi](#/output/remediation) +- [GitHub Action](#/ci-cd/github-action) +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) diff --git a/docs/user-manuals/tr/output/remediation.md b/docs/user-manuals/tr/output/remediation.md new file mode 100644 index 0000000..814dc74 --- /dev/null +++ b/docs/user-manuals/tr/output/remediation.md @@ -0,0 +1,117 @@ +--- +title: "Düzeltme Rehberi" +description: "Bulguları sağlayıcıya özgü döndürme ve iptal adımları, aciliyet dereceleri ve resmi dokümantasyon bağlantılarıyla zenginleştirmek için --remediation kullanın." +--- + +# Düzeltme Rehberi + +Bir sırrın sızdığını bilmek işin yalnızca yarısıdır — ayrıca ne yapacağınızı da bilmeniz gerekir. Herhangi bir tarama komutuna `--remediation` eklemek, her bulguyu yapılandırılmış, sağlayıcıya özgü rehberlikle zenginleştirir: kimlik bilgisini döndürme veya iptal etme adımları, sağlayıcının belgelerine bağlantı, yönetim konsoluna bağlantı, aciliyet derecelendirmesi ve bir doğrulama kontrol listesi. + +## Nasıl etkinleştirilir + +Herhangi bir tarama komutuna `--remediation` ekleyin: + +```bash +leakwatch scan fs . --remediation +leakwatch scan git . --remediation --format json +leakwatch scan image myapp:latest --remediation --format sarif +``` + +Düzeltme zenginleştirmesi varsayılan olarak devre dışıdır. Bayrak yoksa, her bulgunun `remediation` alanı `null` olur ve fazladan veri alınmaz veya hesaplanmaz. + +## Ne içerir + +Her düzeltme girişi aşağıdaki alanları içerir: + +| Alan | Açıklama | +|---|---| +| `title` | Düzeltme eyleminin kısa adı (örn. `"Rotate AWS Access Key"`) | +| `steps` | Sırrı döndürmek veya iptal etmek için sıralı adımlar listesi | +| `doc_url` | Sağlayıcının resmi kimlik bilgisi yönetimi belgelerine bağlantı | +| `console_url` | Sağlayıcının yönetim konsolu sayfasına doğrudan bağlantı | +| `urgency` | Ne kadar hızlı harekete geçileceği: `"immediate"`, `"high"` veya `"medium"` | +| `checklist` | Döndürme sonrası doğrulama adımları (örn. denetim günlüklerini inceleyin, güvenlik ekibini bilgilendirin) | + +Leakwatch, her yerleşik dedektör için bir tane olmak üzere 63 düzeltme girişiyle birlikte gelir. 63 girişin tamamı ikili dosyaya dahildir; rehberliği almak için herhangi bir ağ çağrısı yapılmaz. Bu, çevrimdışı ortamlarda veya hava boşluklu ağlarda bile düzeltme rehberliğinin sorunsuz çalışması anlamına gelir. + +## Her formatta nasıl görünür + +Zenginleştirme, rehberliği bellekteki bulgu nesnesine ekler. Nasıl göründüğü çıktı formatına bağlıdır: + +**JSON** — tam yapılandırılmış `remediation` nesnesi her bulgunun içine yerleştirilir: + +```bash +leakwatch scan fs . --remediation --format json +``` + +```json +{ + "id": "a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f", + "detector_id": "github-token", + "severity": "critical", + "redacted": "ghp_****************************Xk9R", + "source": { + "source_type": "filesystem", + "file_path": "scripts/deploy.sh", + "line": 14 + }, + "verification": { + "status": "verified_active" + }, + "remediation": { + "title": "Revoke GitHub Token", + "steps": [ + "Go to GitHub Settings > Developer settings > Personal access tokens.", + "Revoke the compromised token immediately.", + "Create a new token with the minimum required scopes.", + "Update all integrations and CI/CD pipelines with the new token." + ], + "doc_url": "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens", + "console_url": "https://github.com/settings/tokens", + "urgency": "immediate", + "checklist": [ + "Review the GitHub audit log for unauthorized actions performed with the token.", + "Check repository and organization settings for unexpected changes.", + "Notify the security team about the exposure.", + "Scan for other repositories that may contain the same token." + ] + }, + "entropy": 5.82, + "detected_at": "2026-05-23T10:15:30Z" +} +``` + +**SARIF** — `steps` alanları, kuralın `help.text` alanına yerleştirilir ve `doc_url`, kuralın `helpUri`'si olarak ayarlanır. Bu, GitHub Code Scanning'in uyarı ayrıntıları panelinde doğrudan görünür. + +**CSV** — yalnızca düzeltme `title`'ı `remediation` sütununa yazılır. Tam yapılandırılmış rehberlik CSV çıktısına dahil edilmez. + +**Tablo** — `REMEDIATION` sütununda yalnızca düzeltme `title`'ı gösterilir. + +```bash +leakwatch scan fs . --remediation --format table +``` + +```text +SEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION +-------- -------- ---- -------- ------ ----------- +CRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token + +Found 1 secret (1 critical). +``` + +:::tip +Otomatik olay müdahale iş akışları için tam yapılandırılmış rehberliğe ihtiyaç duyduğunuzda `--remediation --format json` kullanın. Terminalde hızlı, insan tarafından okunabilir bir önceliklendirme oturumu için `--remediation --format table` kullanın. +::: + +:::note +Zenginleştirme yalnızca `--remediation` ayarlandığında çalışır. Bayrak olmadan, `remediation` alanı JSON ve SARIF çıktısında yoktur ve CSV ile tablo `remediation` sütunları boştur. Bayrak, orijinal tarama sonuçlarını değiştirmez — bunların üzerine bir katman ekler. +::: + +## Özel kurallar ve düzeltme + +Özel kural tanımları bir `remediation` bloğunu desteklemez — düzeltme rehberliği yalnızca yerleşik dedektörler için mevcuttur. Özel bir kural tarafından tetiklenen bulgu için `--remediation` bayrağı geçildiğinde, o bulgunun `remediation` alanı boş kalır; diğer alanlar etkilenmez. + +## Ayrıca bakın + +- [Çıktı Formatları](#/output/output-formats) +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) diff --git a/docs/user-manuals/tr/reference/cli-reference.md b/docs/user-manuals/tr/reference/cli-reference.md new file mode 100644 index 0000000..ce30335 --- /dev/null +++ b/docs/user-manuals/tr/reference/cli-reference.md @@ -0,0 +1,300 @@ +--- +title: "CLI Başvurusu" +description: "Her Leakwatch komutu, alt komutu ve bayrağı için tam başvuru kaynağı." +--- + +# CLI Başvurusu + +Bu sayfa, tüm Leakwatch komutları ve bayrakları için yetkili başvuru kaynağıdır. Kavramsal açıklamalar ve çalışma örnekleri için ilgili tarama veya yapılandırma sayfalarındaki çapraz bağlantıları takip edin. + +## Global bayraklar + +Bu bayraklar her komut ve alt komut üzerinde kullanılabilir. + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--config ` | Otomatik olarak bulunan `.leakwatch.yaml` | Yapılandırma dosyasının yolu. Atlandığında Leakwatch, geçerli dizinde ve üst dizinlerinde `.leakwatch.yaml` arar. | +| `--log-level ` | `warn` | Günlük ayrıntı düzeyi: `debug`, `info`, `warn` veya `error`. Günlük çıktısı stderr'e gider ve tarama sonuçlarını etkilemez. | + +## `leakwatch version` + +İkili dosya sürümünü, commit karmasını ve derleme zaman damgasını yazdırır, ardından çıkar. + +```bash +leakwatch version +``` + +```text +leakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z) +``` + +## `leakwatch init` + +Geçerli dizinde önerilen varsayılanlarla bir `.leakwatch.yaml` yapılandırma dosyası oluşturur. + +```bash +leakwatch init [bayraklar] +``` + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--output ` | `.leakwatch.yaml` | Yapılandırma dosyasını varsayılan yerine bu yola yaz. | +| `--force` | `false` | Mevcut bir yapılandırma dosyasının üzerine yaz. Bu bayrak olmadan, çıktı dosyası zaten mevcutsa `init` hatayla çıkar. | + +```bash +# Varsayılan yapılandırmayı oluştur +leakwatch init + +# Mevcut yapılandırmanın üzerine yaz +leakwatch init --force +``` + +## `leakwatch scan` + +Tüm tarama alt komutları için üst komut. Kendi başına davranışı yoktur; bir alt komut çalıştırın. + +### Ortak tarama bayrakları + +Aşağıdaki bayraklar **tüm** `scan` alt komutlarında kullanılabilir. + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|-----------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv` veya `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosya yoluna yaz. | +| `--concurrency` | `-c` | CPU sayısı | Eşzamanlı tarama çalışanı sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Bu bayt sayısından büyük dosyaları veya blob'ları atla. | +| `--show-raw` | — | `false` | Çıktıya ham (maskelenmemiş) sır değerini dahil et. Dikkatli kullanın. | +| `--no-verify` | — | `false` | Canlı sır doğrulamasını devre dışı bırak. Giden API çağrısı yapılmaz. | +| `--only-verified` | — | `false` | Yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla. | +| `--min-severity` | — | `low` | Çıktıya dahil edilecek minimum önem derecesi: `low`, `medium`, `high` veya `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi (dönüşüm/iptal adımları) ekle. | + +--- + +### `scan fs` + +Yerel bir dizin ağacını tarar. + +```bash +leakwatch scan fs [path] [bayraklar] +``` + +`path` varsayılan olarak `.`'dır. En fazla bir konumsal argüman kabul eder. + +#### Dosya sistemine özgü bayraklar + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--exclude ` | — | Dışlanacak yollar için glob kalıbı. Tekrarlanabilir. | + +#### Örnekler + +```bash +# Geçerli dizini tara, renklendirilmiş tablo yazdır +leakwatch scan fs . --format table + +# SARIF çıktısını kaydet, test dosyalarını ve vendor'ı dışla +leakwatch scan fs . \ + --exclude "**/*_test.go" \ + --exclude "vendor/**" \ + --format sarif \ + --output results.sarif +``` + +--- + +### `scan git` + +Yerel veya uzak bir Git deposunun tam commit geçmişini tarar. + +```bash +leakwatch scan git [bayraklar] +``` + +Tam olarak bir konumsal argüman gereklidir: yerel bir yol veya HTTP/HTTPS/SSH URL'si. + +#### Git'e özgü bayraklar + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--since ` | — | Yalnızca bu tarihten sonraki commit'leri tara. | +| `--since-commit ` | — | Yalnızca bu commit karmasından HEAD'e kadar olan değişiklikleri tara. | +| `--branch ` | — | Varsayılan dal yerine belirli bir dalı hedefle. | +| `--depth ` | `0` (tam) | Uzak depolar için sığ klonlama derinliği. `0` tam geçmişi getirir. | + +#### Örnekler + +```bash +# Tam yerel geçmişi tara +leakwatch scan git . --format table + +# Bir pull request tarafından eklenen commit'leri tara +leakwatch scan git . --since-commit a1b2c3d --format json +``` + +--- + +### `scan image` + +Bir OCI/Docker imajının katmanlarını sırlar açısından tarar. Leakwatch daemonsuz çalışır ve kayıt defterinden doğrudan çeker — Docker soketi gerekmez. + +```bash +leakwatch scan image [bayraklar] +``` + +Tam olarak bir konumsal argüman gereklidir. + +#### Örnekler + +```bash +# Genel bir imajı tara +leakwatch scan image nginx:latest --format table + +# Özel kayıt defteri imajını tara, JSON çıktısını kaydet +leakwatch scan image registry.example.com/my-app:v2.3.0 \ + --format json \ + --output image-results.json +``` + +--- + +### `scan s3` + +Bir AWS S3 kovasındaki nesneleri tarar. + +```bash +leakwatch scan s3 [bayraklar] +``` + +Tam olarak bir konumsal argüman gereklidir. + +#### S3'e özgü bayraklar + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--prefix ` | — | Taramayı, anahtarı bu ön ekle başlayan nesnelerle sınırla. | +| `--region ` | — | Kovanın bulunduğu AWS bölgesi. `AWS_REGION` ortam değişkenine veya AWS SDK varsayılanına geri döner. | + +#### Örnekler + +```bash +# Tüm kovayı tara +leakwatch scan s3 my-data-bucket --region us-east-1 --format table + +# Belirli bir ön eki tara +leakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json +``` + +--- + +### `scan gcs` + +Bir Google Cloud Storage kovasındaki nesneleri tarar. + +```bash +leakwatch scan gcs [bayraklar] +``` + +Tam olarak bir konumsal argüman gereklidir. + +#### GCS'ye özgü bayraklar + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--prefix ` | — | Taramayı, adı bu ön ekle başlayan nesnelerle sınırla. | +| `--project ` | — | GCP proje kimliği. Varsayılan kimlik bilgilerinden proje çıkarılamadığında gereklidir. | + +#### Örnekler + +```bash +# Tüm GCS kovasını tara +leakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table + +# Ön ek tara +leakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json +``` + +--- + +### `scan slack` + +Bir Slack çalışma alanındaki mesaj metnini tarar. + +```bash +leakwatch scan slack [bayraklar] +``` + +Konumsal argüman yoktur. + +#### Slack'e özgü bayraklar + +| Bayrak | Varsayılan | Açıklama | +|--------|-----------|----------| +| `--token ` | — | Slack bot token'ı. `LEAKWATCH_SLACK_TOKEN` ortam değişkeni ile de ayarlanabilir. | +| `--channels ` | — | Taranacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. Atlandığında erişilebilir tüm kanalları tarar. | +| `--exclude-channels ` | — | Atlanacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. | +| `--since ` | — | Yalnızca bu tarihten sonra gönderilen mesajları tara. | +| `--include-dms` | `false` | Doğrudan mesajları dahil et (ek OAuth kapsamları gerektirir). | +| `--rate-limit ` | `20` | Saniye başına maksimum Slack API isteği. | + +#### Örnekler + +```bash +# Erişilebilir tüm kanalları tara +leakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table + +# Belirli kanalları belirli bir tarihten itibaren tara +leakwatch scan slack \ + --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \ + --channels general,engineering \ + --since 2026-01-01 \ + --format json +``` + +--- + +### `scan repos` + +Birden fazla Git deposunu paralel olarak tarar. + +```bash +leakwatch scan repos [bayraklar] +``` + +En az iki konumsal argüman (depo URL'leri veya yerel yollar) gereklidir. + +#### Repos'a özgü bayraklar + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|-----------|----------| +| `--parallel` | — | `3` | Eşzamanlı olarak taranacak depo sayısı. | +| `--concurrency` | `-c` | CPU sayısı | Her depo taramasındaki çalışan eşzamanlılığı. | + +#### Örnekler + +```bash +# İki depoyu paralel olarak tara +leakwatch scan repos \ + https://github.com/org/repo-a.git \ + https://github.com/org/repo-b.git \ + --format json + +# Büyük bir depo seti için paralellizmi artır +leakwatch scan repos \ + https://github.com/org/repo-a.git \ + https://github.com/org/repo-b.git \ + https://github.com/org/repo-c.git \ + --parallel 3 \ + --format sarif \ + --output multi-repo.sarif +``` + +--- + +## Ayrıca bakın + +- [Çıkış Kodları](#/reference/exit-codes) — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği. +- [Ortam Değişkenleri](#/reference/environment-variables) — Leakwatch'ı bayrak kullanmadan yapılandırma. +- [Dosya Sistemi Taraması](#/scanning/filesystem) — ayrıntılı `scan fs` rehberi. +- [Git Geçmişi](#/scanning/git-history) — ayrıntılı `scan git` rehberi. +- [Yapılandırma Dosyası](#/configuration/config-file) — `.leakwatch.yaml` başvurusu. diff --git a/docs/user-manuals/tr/reference/environment-variables.md b/docs/user-manuals/tr/reference/environment-variables.md new file mode 100644 index 0000000..7d91326 --- /dev/null +++ b/docs/user-manuals/tr/reference/environment-variables.md @@ -0,0 +1,98 @@ +--- +title: "Ortam Değişkenleri" +description: "Leakwatch davranışını bayrak kullanmadan yapılandıran ortam değişkenleri." +--- + +# Ortam Değişkenleri + +Leakwatch, yapılandırmayı öncelik sırasına göre üç kaynaktan okur: **komut satırı bayrakları**, **ortam değişkenlerini** geçersiz kılar; ortam değişkenleri **yapılandırma dosyasını** (`.leakwatch.yaml`) geçersiz kılar; yapılandırma dosyası yerleşik **varsayılanlara** geri döner. Ortam değişkenleri, bir yapılandırma dosyasını değiştiremeyeceğiniz veya her çağrıya bayrak geçiremeyeceğiniz CI ortamlarında kullanışlıdır. + +## Yapılandırma değişkeni kalıbı + +`.leakwatch.yaml`'daki herhangi bir anahtar, ortam değişkeni olarak şu şekilde ayarlanabilir: + +1. Anahtar adını büyük harfe çevir. +2. `.` ve `-` karakterlerini `_` ile değiştir. +3. Başına `LEAKWATCH_` ekle. + +Örneğin, `scan.concurrency` yapılandırma anahtarı `LEAKWATCH_SCAN_CONCURRENCY` olur. + +## Değişken başvurusu + +### Leakwatch'a özgü değişkenler + +| Değişken | Açıklama | +|----------|----------| +| `LEAKWATCH_SLACK_TOKEN` | `scan slack` için Slack bot token'ı. `--token`'a eşdeğer. Token'ın kabuk geçmişinde veya CI günlüklerinde görünmesini önlemek için bayrak olarak geçirmek yerine bunu ayarlayın. | +| `LEAKWATCH_SCAN_CONCURRENCY` | Eşzamanlı tarama çalışanı sayısı. `--concurrency`'e eşdeğer. | +| `LEAKWATCH_VERIFICATION_ENABLED` | Canlı doğrulamayı genel olarak devre dışı bırakmak için `false` olarak ayarlayın. `--no-verify`'e eşdeğer. | +| `LEAKWATCH_VERIFICATION_RATE_LIMIT` | Tüm doğrulayıcılar genelinde saniye başına maksimum doğrulama isteği. | +| `LEAKWATCH_OUTPUT_FORMAT` | Varsayılan çıktı biçimi (`json`, `sarif`, `csv` veya `table`). `--format`'a eşdeğer. | +| `LEAKWATCH_DETECTION_ENTROPY_THRESHOLD` | Bir eşleşmenin raporlanması için gereken minimum Shannon entropisi. Float değer, örn. `3.5`. | + +### Görüntüleme değişkeni + +| Değişken | Açıklama | +|----------|----------| +| `NO_COLOR` | Boş olmayan herhangi bir değere ayarlandığında, `table` çıktı biçimlendiricisindeki ANSI renk kodlarını devre dışı bırakır. [no-color.org](https://no-color.org) kuralını izler. | + +### AWS değişkenleri (`scan s3` ve AWS sır doğrulaması için) + +Bunlar standart AWS SDK ortam değişkenleridir. Leakwatch bunları AWS SDK v2 varsayılan kimlik bilgisi zincirine aktarır. + +| Değişken | Açıklama | +|----------|----------| +| `AWS_ACCESS_KEY_ID` | AWS erişim anahtarı kimliği. | +| `AWS_SECRET_ACCESS_KEY` | AWS gizli erişim anahtarı. | +| `AWS_SESSION_TOKEN` | AWS oturum token'ı (geçici kimlik bilgileri için). | +| `AWS_REGION` | Varsayılan AWS bölgesi. | +| `AWS_PROFILE` | Kullanılacak `~/.aws/credentials` dosyasından adlandırılmış profil. | + +### GCS değişkeni (`scan gcs` için) + +| Değişken | Açıklama | +|----------|----------| +| `GOOGLE_APPLICATION_CREDENTIALS` | Google hizmet hesabı JSON anahtar dosyasının yolu. Bir GCS kovasını tararken Uygulama Varsayılan Kimlik Bilgileri tarafından kullanılır. | + +## Öncelik örneği + +Şu kurulumu varsayın: + +- `.leakwatch.yaml`, `output.format: table` olarak ayarlıyor +- Ortamda `LEAKWATCH_OUTPUT_FORMAT=json` ayarlanmış +- Komut `leakwatch scan fs .` olarak çalıştırılıyor (`--format` bayrağı yok) + +Ortam değişkeni yapılandırma dosyasını geçersiz kıldığından geçerli biçim `json`'dır. + +Komut `leakwatch scan fs . --format sarif` olarak çalıştırılırsa, bayrak her şeyi geçersiz kıldığından geçerli biçim `sarif` olur. + +## Doğrulama kimlik bilgileri ve tarama kimlik bilgileri + +:::note +Yukarıdaki AWS ve GCP değişkenleri, Leakwatch'ın **kendisinin** nesneleri taramak için S3 veya GCS'ye bağlanırken kimliğini doğrulaması için kullanılır. Bulunan sırları doğrulamak için kullanılmazlar. Keşfedilen bir AWS anahtarının doğrulanması, örneğin, runner'ın kimlik bilgilerini değil, keşfedilen anahtarın kendisini kullanarak AWS STS'yi çağırır. +::: + +## CI'da sırları güvenli biçimde geçirme + +GitHub Actions'ta şifrelenmiş sırları kullanın: + +```yaml +env: + LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} +``` + +GitLab CI'da maskelenmiş CI/CD değişkenlerini kullanın: + +```yaml +variables: + LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # proje ayarlarında maskelenmiş değişken olarak tanımlanmış +``` + +Token değerlerini hiçbir zaman iş akışı dosyalarına veya Dockerfile'lara sabit olarak kodlamayın. + +## Ayrıca bakın + +- [Yapılandırma Dosyası](#/configuration/config-file) — tam `.leakwatch.yaml` anahtar başvurusu. +- [Bulut Depolama Taraması](#/scanning/cloud-storage) — `scan s3` ve `scan gcs` kimlik bilgileri. +- [Slack Taraması](#/scanning/slack) — Slack token kapsamları ve izinleri. +- [CLI Başvurusu](#/reference/cli-reference) — eşdeğer komut satırı bayrakları. diff --git a/docs/user-manuals/tr/reference/exit-codes.md b/docs/user-manuals/tr/reference/exit-codes.md new file mode 100644 index 0000000..62991a7 --- /dev/null +++ b/docs/user-manuals/tr/reference/exit-codes.md @@ -0,0 +1,94 @@ +--- +title: "Çıkış Kodları" +description: "Leakwatch çıkış kodu başvurusu ve bunların betiklerde ve CI pipeline'larında nasıl kullanılacağı." +--- + +# Çıkış Kodları + +Leakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için küçük, iyi tanımlanmış bir çıkış kodu seti kullanır. Her tarama alt komutu üç koddan biriyle çıkar. + +## Kod başvurusu + +| Kod | Ad | Anlam | +|-----|----|-------| +| `0` | Temiz | Tarama başarıyla tamamlandı ve etkin filtrelerden hiçbir bulgu geçmedi. | +| `1` | Bulgular var | Tarama tamamlandı ve etkin filtrelerden geçen bir veya daha fazla sır bulundu. | +| `2` | Hata | Taramanın hiç çalışamamasına neden olan ciddi bir hata oluştu — örneğin geçersiz bir bayrak, okunamaz bir yol veya kimlik doğrulama hatası. Stderr'e bir `Error: ...` mesajı ve kullanım ipucu yazdırılır. | + +## Filtrelerin çıkış kodu 1'i nasıl etkilediği + +Çıkış kodu `1`, yalnızca en az bir bulgu etkin çıktı filtrelerinin tümünden geçtiğinde yayılır. En ilgili iki filtre şunlardır: + +- **`--min-severity`** — eşiğin altındaki bulgular bastırılır. Tüm bulgular `low` önem derecesindeyse ve `--min-severity high` ile çalışıyorsanız, sırlar mevcut olmasına rağmen çıkış kodu `0` döndürülür. +- **`--only-verified`** — yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulgular raporlanır. Etkin sır bulunamazsa çıkış kodu `0` döndürülür. + +Bu, çıkış kodu `0`'ın "mevcut filtre ayarlarınızla eşleşen bulgu yok" anlamına geldiği anlamına gelir — kod tabanının hiçbir sır içermediği değil. + +:::warn +`--only-verified` altında temiz `0` çıkışı, kod tabanının sırdan arındırılmış olduğunu garanti etmez. Doğrulamanın mevcut olmadığı sır türleri (9 dedektör türü) her zaman doğrulanmamış olarak raporlanır ve `--only-verified` tarafından bastırılır. Tam kapsam için `--only-verified` ile birlikte ayrı bir filtresiz tarama yapın. +::: + +## Kabuk betiklerinde çıkış kodlarını kullanma + +```bash +#!/usr/bin/env bash +set +e +leakwatch scan fs . --format json --output leakwatch.json --no-verify +EXIT_CODE=$? +set -e + +case "$EXIT_CODE" in + 0) + echo "Sır bulunamadı. Derleme devam ediyor." + ;; + 1) + echo "Sırlar bulundu — birleştirmeden önce leakwatch.json'u inceleyin ve düzeltin." + exit 1 + ;; + *) + echo "Leakwatch bir hatayla karşılaştı (çıkış $EXIT_CODE)." + exit "$EXIT_CODE" + ;; +esac +``` + +Taramadan önce `set +e` kullanmak, kabuğun sıfır dışı kodlarda çıkmasını engeller ve kodu kendiniz yakalayıp işlemenize olanak tanır. + +## CI pipeline'larında çıkış kodlarını kullanma + +Çoğu CI sistemi, sıfır dışı herhangi bir çıkış kodunu adım başarısızlığı olarak değerlendirir. Leakwatch sırlar bulunduğunda `1` ile çıktığından, ek yapılandırma olmadan pipeline otomatik olarak başarısız olur — yalnızca tarama komutunu çalıştırın. + +Sırlar bulunsa bile pipeline'ın devam etmesine izin vermek için (örneğin, derlemeyi engellemeden raporu toplamak amacıyla) çıkış kodunu açıkça yoksayın: + +```bash +leakwatch scan fs . --format sarif --output results.sarif --no-verify || true +``` + +Ya da GitLab CI'da: + +```yaml +allow_failure: true +``` + +Ya da GitHub Action'da `fail-on-findings: "false"` olarak ayarlayın. + +## Uygulamada çıkış kodu 2 + +Çıkış kodu `2`, taramanın hiç çalışamamasına neden olan bir yapılandırma veya çalışma zamanı hatasını gösterir. Yaygın nedenler: + +- Geçersiz bir bayrak değeri (örneğin `--format invalid`). +- Mevcut olmayan veya okunamaz bir yol. +- Eksik gerekli argüman (örneğin, URL olmadan `scan git`). +- Bir bulut kaynağına bağlanırken kimlik doğrulama hatası. + +Hata mesajı stderr'e yazdırılır ve sorunu teşhis etmeye yardımcı olacak bağlam içerir: + +```text +Error: unknown format "xlsx"; valid values: json, sarif, csv, table +``` + +## Ayrıca bakın + +- [Diğer CI Sistemleri](#/ci-cd/other-ci) — çıkış kodlarını GitLab CI, Jenkins ve diğerlerine bağlama. +- [GitHub Action](#/ci-cd/github-action) — resmi action'ın çıkış kodlarını adım sonuçlarıyla nasıl eşlediği. +- [CLI Başvurusu](#/reference/cli-reference) — tam bayrak başvurusu. diff --git a/docs/user-manuals/tr/scanning/cloud-storage.md b/docs/user-manuals/tr/scanning/cloud-storage.md new file mode 100644 index 0000000..5434736 --- /dev/null +++ b/docs/user-manuals/tr/scanning/cloud-storage.md @@ -0,0 +1,146 @@ +--- +title: "Bulut Depolama (S3 & GCS)" +description: "AWS S3 ve Google Cloud Storage kovalarını sızan sırlara karşı tarayın." +--- + +# Bulut Depolama (S3 & GCS) + +Sırlar sıklıkla bulut depolamaya taşınır — dışa aktarılan veritabanı dökümleri, ortam dosyaları, CI artefaktları ve günlük arşivleri, düşünüldüğünden çok daha fazla kişinin erişebildiği kovalara akar. Leakwatch, AWS S3 ve Google Cloud Storage kovalarını nesne nesne tarayabilir ve bulduğu sırları bir olaya dönüşmeden işaretler. + +## AWS S3 + +### Kullanım + +```bash +leakwatch scan s3 +``` + +Komut tam olarak bir argüman alır: **kova adı** (`s3://` öneki olmadan). Tarama hedefi `s3://` olarak gösterilir. + +### Kimlik doğrulama + +Leakwatch standart [AWS varsayılan kimlik bilgisi zincirini](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html) kullanır: + +1. Ortam değişkenleri (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`). +2. Paylaşılan kimlik bilgileri dosyası (`~/.aws/credentials`). +3. Paylaşılan yapılandırma dosyası (`~/.aws/config`). +4. Örneğe veya göreve atanmış IAM rolü (EC2, ECS, Lambda). + +AWS CLI ile zaten kimlik doğrulaması yaptıysanız (`aws configure` veya üstlenilmiş bir rol) ek yapılandırma gerekmez. + +### S3'e özgü bayraklar + +| Bayrak | Tür | Varsayılan | Açıklama | +|--------|-----|------------|----------| +| `--prefix` | string | — | Yalnızca anahtarı bu önekle başlayan nesneleri tara. | +| `--region` | string | AWS yapılandırmasından | Kovanın bulunduğu AWS bölgesi. | + +### S3 örnekleri + +Tüm kovayı tarayın: + +```bash +leakwatch scan s3 my-config-bucket +``` + +Belirli bir bölgede belirli bir anahtar öneki altındaki nesneleri tarayın: + +```bash +leakwatch scan s3 my-bucket --prefix logs/ --region us-east-1 +``` + +SARIF olarak kaydedin: + +```bash +leakwatch scan s3 my-bucket --format sarif --output s3-results.sarif +``` + +:::tip +Taramayı ilgili bir alt yola sınırlamak için `--prefix` kullanın. Milyonlarca nesne içeren büyük bir kovayı taramak yavaş olabilir ve S3 GET istek maliyeti doğurabilir. Öneki gerçekten önemli olana — örneğin `configs/` veya `exports/` — daraltın. +::: + +--- + +## Google Cloud Storage + +### Kullanım + +```bash +leakwatch scan gcs +``` + +Komut tam olarak bir argüman alır: **kova adı** (`gs://` öneki olmadan). Tarama hedefi `gs://` olarak gösterilir. + +### Kimlik doğrulama + +Leakwatch [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials) kullanır. Kimlik bilgisi arama sırası şu şekildedir: + +1. Hizmet hesabı anahtar dosyasına işaret eden `GOOGLE_APPLICATION_CREDENTIALS` ortam değişkeni. +2. `gcloud auth application-default login` ile yapılandırılmış kullanıcı kimlik bilgileri. +3. Google Compute Engine örneğine, Cloud Run hizmetine veya GKE iş yüküne atanmış hizmet hesabı. + +### GCS'e özgü bayraklar + +| Bayrak | Tür | Varsayılan | Açıklama | +|--------|-----|------------|----------| +| `--prefix` | string | — | Yalnızca adı bu önekle başlayan nesneleri tara. | +| `--project` | string | — | GCP proje kimliği (bazı ADC yapılandırmalarında gereklidir). | + +### GCS örnekleri + +Belirli bir GCP projesiyle tüm kovayı tarayın: + +```bash +leakwatch scan gcs my-config-bucket --project my-gcp-project +``` + +Yalnızca belirli bir önek altındaki nesneleri tarayın: + +```bash +leakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/ +``` + +CSV olarak çıktı alın: + +```bash +leakwatch scan gcs my-bucket --format csv --output gcs-results.csv +``` + +--- + +## Ortak tarama bayrakları + +Hem `s3` hem de `gcs` aynı ortak tarama bayraklarını destekler: + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|------------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosyaya yaz. | +| `--concurrency` | `-c` | CPU sayısı | Eşzamanlı çalışan sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Bu boyutu aşan nesneleri atla (bayt). | +| `--show-raw` | — | `false` | Çıktıda ham sır değerini göster. | +| `--no-verify` | — | `false` | Sır doğrulamasını devre dışı bırak. | +| `--only-verified` | — | `false` | Yalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla. | +| `--min-severity` | — | `low` | Raporlanacak minimum önem: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi ekle. | + +Nesne anahtarlarına uygulanan yol dışlamaları `.leakwatch.yaml` dosyasında `filter.exclude-paths` altında yapılandırılır. `--config` ve `--log-level` (varsayılan `warn`) kök bayrakları da geçerlidir. + +## Çıkış kodları + +| Kod | Anlam | +|-----|-------| +| `0` | Tarama tamamlandı, bulgu yok. | +| `1` | Tarama tamamlandı, bulgular raporlandı. | +| `2` | Tarama başarısız oldu (kimlik doğrulama hatası, kova bulunamadı, vb.). | + +Her çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir. + +## Ayrıca bakınız + +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Yapılandırma Dosyası](#/configuration/config-file) — dışlamaları ve diğer varsayılanları yapılandırın. +- [Bulguları Yoksayma](#/configuration/ignoring-findings) — bilinen yanlış pozitifleri bastırın. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — doğrulama durumlarını anlayın. +- [Dosya Sistemi](#/scanning/filesystem) — yerel bir dizin ağacını tarayın. +- [CLI Referansı](#/reference/cli-reference) — tüm komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/scanning/container-images.md b/docs/user-manuals/tr/scanning/container-images.md new file mode 100644 index 0000000..48b6c6d --- /dev/null +++ b/docs/user-manuals/tr/scanning/container-images.md @@ -0,0 +1,134 @@ +--- +title: "Konteyner İmajları" +description: "Docker daemon gerektirmeksizin OCI ve Docker imaj katmanlarını sızan sırlara karşı tarayın." +--- + +# Konteyner İmajları + +Konteyner imajları sırların sıklıkla gizlendiği yerlerden biridir: ortam değişkenlerine gömülen API anahtarları, derleme katmanlarına yerleştirilmiş kimlik bilgileri ve imaj katmanlarına kopyalanıp unutulan yapılandırma dosyaları. `leakwatch scan image`, bir OCI veya Docker imajının her katmanını inceler ve bu sırları dağıtım öncesinde gün yüzüne çıkarır. + +## Temel kullanım + +```bash +leakwatch scan image +``` + +Komut tam olarak bir argüman alır: standart `name:tag` gösteriminde bir imaj referansı. Leakwatch imajları çekmek ve incelemek için [go-containerregistry](https://github.com/google/go-containerregistry) kullanır — herhangi bir Docker daemon **gerekmez**. + +```bash +# Docker Hub imajını tara +leakwatch scan image nginx:latest + +# Özel GitHub Container Registry imajını tara +leakwatch scan image ghcr.io/org/myapp:v1.2.0 + +# Amazon ECR imajını tara +leakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest +``` + +## Desteklenen kayıt sunucuları + +| Kayıt Sunucusu | Örnek referans | +|----------------|----------------| +| Docker Hub | `nginx:latest`, `myorg/myapp:1.0.0` | +| GitHub Container Registry (GHCR) | `ghcr.io/org/myapp:v1.2.0` | +| Amazon ECR | `123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest` | +| Google Container Registry (GCR) | `gcr.io/my-project/myapp:latest` | +| OCI uyumlu herhangi bir kayıt sunucusu | Standart `registry/name:tag` biçimi | + +## Kimlik doğrulama + +Leakwatch, Docker ve diğer OCI araçları tarafından kullanılan standart kimlik bilgisi anahtarlığını kullanır. `docker login` (veya `crane`, `skopeo`, bulut sağlayıcısı kimlik bilgisi yardımcıları gibi eşdeğer araçlar) ile oturum açtıysanız, Leakwatch bu kimlik bilgilerini otomatik olarak kullanır. + +```bash +# Önce GHCR'a giriş yapın +docker login ghcr.io + +# Ardından tarayın — kimlik bilgileri otomatik olarak alınır +leakwatch scan image ghcr.io/org/private-app:latest +``` + +Amazon ECR için, taramadan önce ECR kimlik bilgisi yardımcısını yapılandırın ya da `AWS_ACCESS_KEY_ID` ve ilgili ortam değişkenlerini ayarlayın. + +## Tarama nasıl çalışır + +Leakwatch imaj manifestini çeker, her katmanı sırayla işler ve her katmandaki dosyaları çıkarır. Her dosyanın içeriği, dosya sistemi taramasıyla aynı tespit hattından geçirilir. `.leakwatch.yaml` içindeki `filter.exclude-paths` yol dışlamaları burada da geçerlidir ve katmanlar içinde hangi dosya yollarının inceleneceğini sınırlar. + +## Bayraklar + +İmaja özgü bayrak yoktur. Tüm ortak tarama bayrakları geçerlidir: + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|------------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosyaya yaz. | +| `--concurrency` | `-c` | CPU sayısı | Eşzamanlı çalışan sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Bu boyutu aşan dosyaları atla (bayt). | +| `--show-raw` | — | `false` | Çıktıda ham sır değerini göster. | +| `--no-verify` | — | `false` | Sır doğrulamasını devre dışı bırak. | +| `--only-verified` | — | `false` | Yalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla. | +| `--min-severity` | — | `low` | Raporlanacak minimum önem: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi ekle. | + +Yol tabanlı dışlamalar `.leakwatch.yaml` dosyasında `filter.exclude-paths` altında yapılandırılır. Ayrıntılar için [Yapılandırma Dosyası](#/configuration/config-file) sayfasına bakın. + +`--config` ve `--log-level` (varsayılan `warn`) kök bayrakları da geçerlidir. + +## Örnekler + +Docker Hub imajını tarayın ve sonuçları tablo olarak yazdırın: + +```bash +leakwatch scan image alpine:3.20 --format table +``` + +Özel kayıt sunucusu imajını tarayın ve SARIF çıktısı kaydedin: + +```bash +leakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif +``` + +Yalnızca doğrulanmış aktif sırları gösterin: + +```bash +leakwatch scan image myapp:latest --only-verified --format table +``` + +JSON çıktısına düzeltme rehberi dahil edin: + +```bash +leakwatch scan image myapp:latest --remediation --format json -o image-findings.json +``` + +## Bulgu meta verisi + +İmaj taramasından elde edilen her bulgu katman meta verisi içerir: + +| Alan | Açıklama | +|------|----------| +| `image` | Taranan imaj referansı. | +| `layer` | Bulgunun tespit edildiği katman özeti. | +| `file_path` | Katman içindeki dosyanın yolu. | + +:::tip +Gizli bilgilerin bir kayıt sunucusuna push edilmeden önce yakalanması için konteyner imaj taramasını CI/CD hattınızın derleme aşamasına entegre edin. Sonuçları doğrudan GitHub Code Scanning'e yüklemek için `--format sarif` kullanın. +::: + +## Çıkış kodları + +| Kod | Anlam | +|-----|-------| +| `0` | Tarama tamamlandı, bulgu yok. | +| `1` | Tarama tamamlandı, bulgular raporlandı. | +| `2` | Tarama başarısız oldu (imaj bulunamadı, kimlik doğrulama hatası, vb.). | + +Her çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir. + +## Ayrıca bakınız + +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Dosya Sistemi](#/scanning/filesystem) — yerel bir dizin ağacını tarayın. +- [Yapılandırma Dosyası](#/configuration/config-file) — dışlamaları ve diğer varsayılanları yapılandırın. +- [Bulguları Yoksayma](#/configuration/ignoring-findings) — bilinen yanlış pozitifleri bastırın. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — doğrulama durumlarını anlayın. +- [CLI Referansı](#/reference/cli-reference) — tüm komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/scanning/filesystem.md b/docs/user-manuals/tr/scanning/filesystem.md new file mode 100644 index 0000000..b9d4996 --- /dev/null +++ b/docs/user-manuals/tr/scanning/filesystem.md @@ -0,0 +1,123 @@ +--- +title: "Dosya Sistemi" +description: "leakwatch scan fs komutuyla yerel bir dizin ağacını sızan sırlara karşı tarayın." +--- + +# Dosya Sistemi + +Sırlar çoğu zaman önce yerel kaynak kodda ortaya çıkar. `leakwatch scan fs` komutu, bir dizin ağacındaki tüm dosyaları dolaşır, her biri üzerinde tam tespit hattını çalıştırır ve bulguları raporlar — henüz commit edilmeden önce yakalamak ya da mevcut bir kod tabanını sonradan taramak için kullanabilirsiniz. + +## Temel kullanım + +```bash +leakwatch scan fs [path] +``` + +`path` isteğe bağlıdır. Belirtilmediğinde Leakwatch geçerli çalışma dizinini (`.`) tarar. Yalnızca tek bir path argümanı kabul edilir. + +```bash +# Geçerli dizini tara +leakwatch scan fs + +# Belirli bir proje klasörünü tara +leakwatch scan fs ./my-project +``` + +## Dosya sistemi kaynağının otomatik olarak atladıkları + +Taramaları hızlı ve gürültüsüz tutmak için dosya sistemi kaynağı herhangi bir yapılandırma gerekmeksizin şunları atlar: + +- **İkili dosyalar** — dosyanın ilk 8 KB'ında null byte bulunmasıyla tespit edilir. +- **Bilinen ikili uzantılar** — yaygın derlenmiş, görsel, ses, video ve arşiv biçimleri. +- **Kilit dosyaları** — `package-lock.json`, `yarn.lock`, `Pipfile.lock` ve benzerleri. + +## Bayraklar + +### Dosya sistemine özgü + +| Bayrak | Tür | Varsayılan | Açıklama | +|--------|-----|------------|----------| +| `--exclude` | string (tekrarlanabilir) | — | Dışlanacak yollar için glob desenleri. Birden fazla kez belirtilebilir veya virgülle ayrılabilir. | + +### Ortak tarama bayrakları + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|------------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosyaya yaz. | +| `--concurrency` | `-c` | CPU sayısı | Eşzamanlı çalışan sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Bu boyutu aşan dosyaları atla (bayt). | +| `--show-raw` | — | `false` | Çıktıda ham sır değerini göster. | +| `--no-verify` | — | `false` | Sır doğrulamasını devre dışı bırak. | +| `--only-verified` | — | `false` | Yalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla. | +| `--min-severity` | — | `low` | Raporlanacak minimum önem: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi ekle. | + +`--config` ve `--log-level` (varsayılan `warn`) kök bayrakları da geçerlidir. + +## Örnekler + +Geçerli dizini tarayın ve terminalde renklendirilmiş bir tablo yazdırın: + +```bash +leakwatch scan fs . --format table +``` + +Test dosyalarını ve vendor dizinlerini dışlayıp GitHub Code Scanning için SARIF çıktısı kaydedin: + +```bash +leakwatch scan fs . \ + --exclude "**/*_test.go" \ + --exclude "vendor/**" \ + --format sarif \ + --output results.sarif +``` + +Büyük bir monorepo için dosya boyutunu sınırlayın ve çalışan sayısını artırın: + +```bash +leakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table +``` + +Yalnızca yüksek önem dereceli bulguları gösterip rotasyon talimatlarını dahil edin: + +```bash +leakwatch scan fs . --min-severity high --remediation --format table +``` + +## Yolları dışlama + +`--exclude` bayrağı glob desenlerini kabul eder ve birden fazla kez belirtilebilir ya da virgülle ayrılmış liste olarak kullanılabilir: + +```bash +# İki ayrı bayrak +leakwatch scan fs . --exclude "**/*_test.go" --exclude "docs/**" + +# Virgülle ayrılmış +leakwatch scan fs . --exclude "**/*_test.go,docs/**" +``` + +Takımınızla paylaşılan kalıcı dışlama kuralları için `.leakwatch.yaml` dosyasına `filter.exclude-paths` altında ekleyin. Bu kurallar yalnızca dosya sistemi taramalarına değil, tüm kaynaklara uygulanır. Proje kök dizininizde bir `.leakwatchignore` dosyası da oluşturabilirsiniz. Ayrıntılar için [Yapılandırma Dosyası](#/configuration/config-file) ve [Bulguları Yoksayma](#/configuration/ignoring-findings) sayfalarına bakın. + +## Çıkış kodları + +| Kod | Anlam | +|-----|-------| +| `0` | Tarama tamamlandı, bulgu yok. | +| `1` | Tarama tamamlandı, bulgular raporlandı. | +| `2` | Tarama başarısız oldu (yapılandırma hatası, okunamayan yol, vb.). | + +Her çalıştırmanın ardından stderr'e bir tarama özeti (kaynak türü, hedef, dosya sayısı, süre ve bulgu sayısı) yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir. + +:::tip +Geliştirme sırasında `leakwatch scan fs . --format table` komutunu çalıştırarak hızlı bir görsel genel bakış elde edin. CI hatlarında GitHub Code Scanning ile entegrasyon için `--format sarif` seçeneğine geçin. +::: + +## Ayrıca bakınız + +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Yapılandırma Dosyası](#/configuration/config-file) — varsayılan biçimi, dışlamaları ve daha fazlasını yapılandırın. +- [Bulguları Yoksayma](#/configuration/ignoring-findings) — `.leakwatchignore` ve satır içi baskılama. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — doğrulama durumlarını anlayın. +- [Git Geçmişi](#/scanning/git-history) — çalışma ağacı yerine commit edilmiş geçmişi tarayın. +- [CLI Referansı](#/reference/cli-reference) — tüm komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/scanning/git-history.md b/docs/user-manuals/tr/scanning/git-history.md new file mode 100644 index 0000000..30d2de2 --- /dev/null +++ b/docs/user-manuals/tr/scanning/git-history.md @@ -0,0 +1,138 @@ +--- +title: "Git Geçmişi" +description: "Yerel veya uzak bir Git deposunun tüm commit geçmişini sızan sırlara karşı tarayın." +--- + +# Git Geçmişi + +Commit edilip sonradan silinen bir sır, önceki her commit'te hâlâ mevcuttur ve depoya erişimi olan herkes tarafından ulaşılabilir durumdadır. `leakwatch scan git`, bir deponun — yerel veya uzak — *tüm* commit geçmişini dolaşarak bu sırları, istismar edilmeden önce gün yüzüne çıkarır. + +## Temel kullanım + +```bash +leakwatch scan git +``` + +Komut tam olarak bir argüman alır: depoya giden **yerel dosya sistemi yolu** (geçerli dizin için `.`) ya da **uzak HTTP/HTTPS veya SSH URL'si**. + +Leakwatch tüm Git işlemleri için [go-git](https://github.com/go-git/go-git) kullanır; bu, sistem `git` ikili dosyasına bağımlılığı olmayan saf bir Go uygulamasıdır. + +```bash +# Geçerli dizindeki yerel depoyu tara +leakwatch scan git . + +# HTTPS üzerinden uzak bir depoyu tara +leakwatch scan git https://github.com/org/repo.git + +# SSH üzerinden tara +leakwatch scan git git@github.com:org/repo.git +``` + +## Tarama nasıl çalışır + +Leakwatch geçmişteki her commit'i dolaşır ve her commit tarafından eklenen blob'ları inceler. **Blob-hash tekilleştirmesi**, aynı dosya içeriğinin kaç commit tarafından referans alındığından bağımsız olarak yalnızca bir kez taranmasını sağlar. Bu, tarama süresini ham commit sayısı yerine depodaki *benzersiz içerik* miktarıyla orantılı tutar. + +:::note +Leakwatch commit-bazlı diff'leri incelediğinden, sonradan silinen — yani mevcut çalışma ağacında görünmeyen — sırları da bulur. +::: + +## Bayraklar + +### Git'e özgü + +| Bayrak | Tür | Varsayılan | Açıklama | +|--------|-----|------------|----------| +| `--since` | string (YYYY-MM-DD) | — | Yalnızca bu tarihten sonraki commit'leri tara. | +| `--since-commit` | string | — | Yalnızca bu commit hash'inden HEAD'e kadar olan değişiklikleri tara (diff tabanlı). | +| `--branch` | string | — | Varsayılan yerine belirli bir dalı hedef al. | +| `--depth` | int | `0` (tam) | **Yalnızca uzak depolar** için klonlama derinliği. `0` tam geçmişi tarar. | + +### Ortak tarama bayrakları + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|------------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosyaya yaz. | +| `--concurrency` | `-c` | CPU sayısı | Eşzamanlı çalışan sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Bu boyutu aşan blob'ları atla (bayt). | +| `--show-raw` | — | `false` | Çıktıda ham sır değerini göster. | +| `--no-verify` | — | `false` | Sır doğrulamasını devre dışı bırak. | +| `--only-verified` | — | `false` | Yalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla. | +| `--min-severity` | — | `low` | Raporlanacak minimum önem: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi ekle. | + +`--config` ve `--log-level` (varsayılan `warn`) kök bayrakları da geçerlidir. + +## Örnekler + +Yerel deponun tam geçmişini tarayın ve tablo olarak yazdırın: + +```bash +leakwatch scan git . --format table +``` + +`develop` dalında belirli bir tarihten sonraki commit'leri tarayın: + +```bash +leakwatch scan git . --since 2026-02-23 --branch develop +``` + +Belirli bir commit'ten bu yana tanıtılan değişiklikleri tarayın (CI'da yeni commit'leri kontrol etmek için kullanışlıdır): + +```bash +leakwatch scan git . --since-commit a1b2c3d +``` + +Büyük bir uzak depoyu hızlandırmak için sığ klonlama yapın: + +```bash +leakwatch scan git https://github.com/org/repo.git --depth 50 +``` + +Uzak depoyu tarayıp yalnızca doğrulanmış bulguları SARIF olarak kaydedin: + +```bash +leakwatch scan git https://github.com/org/repo.git \ + --only-verified \ + --format sarif \ + --output git-results.sarif +``` + +## Bulgu meta verisi + +Git taramasından elde edilen her bulgu commit meta verisi içerir: + +| Alan | Açıklama | +|------|----------| +| `repository` | Taranan deponun URL'si veya yolu (kimlik bilgileri ayıklanmış). | +| `commit` | Sırrın tanıtıldığı commit hash'i. | +| `author` | Commit yazarının adı ve e-postası. | +| `date` | Commit zaman damgası. | +| `branch` | Dal bağlamı (kullanılabilir olduğunda). | + +:::tip +Pull request CI işlerinde yalnızca PR tarafından eklenen commit'leri taramak için `--since-commit` kullanın. Son aktiviteyi kapsayan zamanlanmış gece taramaları için `--since ` tercih edin. +::: + +## Kimlik bilgisi güvenliği + +Depo URL'leri gömülü kimlik bilgileri içeriyorsa (örn. `https://user:TOKEN@host/repo.git`), Leakwatch bu bilgileri günlüklere veya çıktıya yazmadan önce URL'den ayırır; bu sayede token tarama sonuçlarında veya CI izlerinde hiçbir zaman görünmez. + +## Çıkış kodları + +| Kod | Anlam | +|-----|-------| +| `0` | Tarama tamamlandı, bulgu yok. | +| `1` | Tarama tamamlandı, bulgular raporlandı. | +| `2` | Tarama başarısız oldu (geçersiz URL, kimlik doğrulama hatası, vb.). | + +Her çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir. + +## Ayrıca bakınız + +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Çoklu Depo](#/scanning/multiple-repos) — tek komutla birden fazla depoyu tarayın. +- [Dosya Sistemi](#/scanning/filesystem) — geçmiş yerine çalışma ağacını tarayın. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — doğrulama durumlarını anlayın. +- [Bulguları Yoksayma](#/configuration/ignoring-findings) — bilinen yanlış pozitifleri bastırın. +- [CLI Referansı](#/reference/cli-reference) — tüm komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/scanning/multiple-repos.md b/docs/user-manuals/tr/scanning/multiple-repos.md new file mode 100644 index 0000000..ce248fc --- /dev/null +++ b/docs/user-manuals/tr/scanning/multiple-repos.md @@ -0,0 +1,129 @@ +--- +title: "Çoklu Depo" +description: "Birden fazla Git deposunu eşzamanlı olarak tarayın ve sonuçları tek bir raporda birleştirin." +--- + +# Çoklu Depo + +Bir kuruluş büyüdükçe sırlar düzinelerce hatta yüzlerce deponun herhangi birine yerleşebilir. Bunları tek tek kontrol etmek pratik değildir. `leakwatch scan repos`, birden fazla depo URL'sini alır, bunları eşzamanlı olarak tarar ve tüm bulguları tek bir çıktıda birleştirir — tek komut, tek rapor. + +## Temel kullanım + +```bash +leakwatch scan repos [url...] +``` + +Komut **en az iki** depo URL'si gerektirir. Tüm depolar otomatik olarak klonlanır, taranır ve temizlenir. Sonunda birleşik bulgu sayısı ve tek bir tarama özeti raporlanır. + +```bash +leakwatch scan repos \ + https://github.com/org/api.git \ + https://github.com/org/web.git +``` + +## Nasıl çalışır + +Leakwatch aynı anda en fazla `--parallel` sayıda depo taraması başlatır. Her depo: + +1. Sağlanan URL'den klonlanır (güvenlik açısından kimlik bilgileri günlüklerden ve çıktıdan ayıklanır). +2. Tam tespit hattıyla taranır; bu depo için `--concurrency` sayıda çalışan kullanılır. +3. Tarama tamamlandığında temizlenir (geçici klon silinir). + +Tüm depolardan elde edilen bulgular toplanır ve tek bir kaynaktan yapılmış tarama gibi tek bir çıktı olarak yazılır. Görüntülenen hedef ` repositories` (N depo) şeklindedir. + +## Bayraklar + +### Çoklu depoya özgü + +| Bayrak | Tür | Varsayılan | Açıklama | +|--------|-----|------------|----------| +| `--parallel` | int | `3` | Eşzamanlı olarak taranacak depo sayısı. | + +### Ortak tarama bayrakları + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|------------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosyaya yaz. | +| `--concurrency` | `-c` | CPU sayısı | **Depo başına** eşzamanlı çalışan sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Bu boyutu aşan blob'ları atla (bayt). | +| `--show-raw` | — | `false` | Çıktıda ham sır değerini göster. | +| `--no-verify` | — | `false` | Sır doğrulamasını devre dışı bırak. | +| `--only-verified` | — | `false` | Yalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla. | +| `--min-severity` | — | `low` | Raporlanacak minimum önem: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi ekle. | + +`.leakwatch.yaml` dosyasındaki `filter.exclude-paths` yol dışlamaları tüm depolara uygulanır. `--config` ve `--log-level` (varsayılan `warn`) kök bayrakları da geçerlidir. + +## Örnekler + +İki depoyu tarayın ve sonuçları tablo olarak görüntüleyin: + +```bash +leakwatch scan repos \ + https://github.com/org/api.git \ + https://github.com/org/web.git \ + --format table +``` + +Beş depoyu daha yüksek paralellik ile tarayın ve birleşik sonuçları SARIF olarak kaydedin: + +```bash +leakwatch scan repos \ + https://github.com/org/api.git \ + https://github.com/org/web.git \ + https://github.com/org/infra.git \ + https://github.com/org/mobile.git \ + https://github.com/org/docs.git \ + --parallel 4 \ + --format sarif \ + --output all-repos.sarif +``` + +Depo başına daha fazla çalışan kullanarak yalnızca doğrulanmış bulguları gösterin: + +```bash +leakwatch scan repos \ + https://github.com/org/backend.git \ + https://github.com/org/frontend.git \ + --concurrency 8 \ + --only-verified \ + --format json \ + --output verified-findings.json +``` + +## Paralelliği ayarlama + +Verimi kontrol eden iki parametre vardır: + +- `--parallel`, kaç depo klonlama ve taramasının aynı anda çalışacağını kontrol eder. Varsayılan `3`, çoğu iş yükü için uygundur. Ağ bant genişliği ve CPU kapasitesi izin verdiğinde artırın; kısıtlı makinelerde düşürün. +- `--concurrency` (`-c`), her bir depodaki dosya blob'larını işleyen çalışan goroutine sayısını kontrol eder. Bu, tüm tarama komutlarında bulunan aynı bayraktır. + +Tepe noktasındaki toplam eşzamanlı işlem = `--parallel` × `--concurrency`. + +:::note +Bir veya daha fazla depo taraması başarısız olursa (örneğin ağ hatası veya kimlik doğrulama sorunu nedeniyle), Leakwatch hatayı günlüğe kaydeder ve kalan depoları taramaya devam eder. Diğer depolar bulgu üretmiş olsa bile herhangi bir depo taraması başarısız olursa çıkış kodu `2` olur. +::: + +## Kimlik bilgisi güvenliği + +Depo URL'lerindeki gömülü kimlik bilgileri (örn. `https://user:TOKEN@host/repo.git`), URL günlüklere, çıktıya veya tarama özetine yazılmadan önce ayıklanır. + +## Çıkış kodları + +| Kod | Anlam | +|-----|-------| +| `0` | Tüm taramalar tamamlandı, bulgu yok. | +| `1` | Tüm taramalar tamamlandı, bulgular raporlandı. | +| `2` | Bir veya daha fazla depo taraması başarısız oldu ya da yapılandırma hatası oluştu. | + +Her çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir. + +## Ayrıca bakınız + +- [Git Geçmişi](#/scanning/git-history) — tek bir depoyu derinlemesine tarayın. +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Yapılandırma Dosyası](#/configuration/config-file) — tüm kaynaklar için paylaşılan varsayılanları yapılandırın. +- [Bulguları Yoksayma](#/configuration/ignoring-findings) — bilinen yanlış pozitifleri bastırın. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — doğrulama durumlarını anlayın. +- [CLI Referansı](#/reference/cli-reference) — tüm komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/scanning/slack.md b/docs/user-manuals/tr/scanning/slack.md new file mode 100644 index 0000000..b18315c --- /dev/null +++ b/docs/user-manuals/tr/scanning/slack.md @@ -0,0 +1,144 @@ +--- +title: "Slack Çalışma Alanı" +description: "Slack kanal ve DM mesaj metinlerini sızan sırlara karşı tarayın." +--- + +# Slack Çalışma Alanı + +Geliştiriciler çoğu zaman kimlik bilgilerini sohbet üzerinden paylaşır — hızlı bir test için bir kanala yapıştırılan token, DM ile gönderilen parola ya da bir olay başlığında söz edilen API anahtarı. `leakwatch scan slack`, Slack çalışma alanınızdaki mesaj metinlerini okur ve bulduğu sırları işaretler. + +:::warn +Leakwatch yalnızca **mesaj metnini** tarar. Yüklenen dosyaların (ekler, snippet'ler) içeriğini taramak uygulanmamıştır. Yalnızca mesajların metin gövdesi analiz edilir. +::: + +## Temel kullanım + +```bash +leakwatch scan slack +``` + +Bu komut **konumsal argüman almaz**. Tüm yapılandırma bayraklar veya ortam değişkenleri aracılığıyla sağlanır. + +## Kimlik doğrulama + +Bir Slack Bot Token gereklidir. `--token` bayrağı veya `LEAKWATCH_SLACK_TOKEN` ortam değişkeni aracılığıyla sağlayın. Ortam değişkeni kullanmak önerilir; böylece token kabuk geçmişinde veya süreç listelerinde asla görünmez. + +```bash +export LEAKWATCH_SLACK_TOKEN=xoxb-... +leakwatch scan slack +``` + +### Gerekli bot token kapsamları + +Bot token'ı, aşağıdaki OAuth kapsamlarına sahip bir Slack uygulamasıyla ilişkilendirilmiş olmalıdır: + +| Kapsam | Amaç | +|--------|------| +| `channels:history` | Botun katıldığı genel kanallardaki mesajları oku. | +| `groups:history` | Botun katıldığı özel kanallardaki mesajları oku. | +| `im:history` | Doğrudan mesajları oku (yalnızca `--include-dms` ile gerekli). | +| `mpim:history` | Grup doğrudan mesajlarını oku (yalnızca `--include-dms` ile gerekli). | + +## Bayraklar + +### Slack'e özgü + +| Bayrak | Tür | Varsayılan | Açıklama | +|--------|-----|------------|----------| +| `--token` | string | — | Slack Bot Token. `LEAKWATCH_SLACK_TOKEN` ortam değişkeni tercih edilir. | +| `--channels` | string | tüm kanallar | Taranacak kanal adlarının virgülle ayrılmış listesi. | +| `--exclude-channels` | string | — | Atlanacak kanal adlarının virgülle ayrılmış listesi. | +| `--since` | string (YYYY-MM-DD) | — | Bu tarihte veya sonrasında gönderilen mesajları tara. | +| `--include-dms` | bool | `false` | Doğrudan mesajları ve grup DM'lerini de tara. | +| `--rate-limit` | float | `20` | Saniye başına maksimum Slack API istek sayısı. | + +### Ortak tarama bayrakları + +| Bayrak | Kısa | Varsayılan | Açıklama | +|--------|------|------------|----------| +| `--format` | `-f` | `json` | Çıktı biçimi: `json`, `sarif`, `csv`, `table`. | +| `--output` | `-o` | stdout | Sonuçları stdout yerine bu dosyaya yaz. | +| `--concurrency` | `-c` | CPU sayısı | Eşzamanlı çalışan sayısı. | +| `--max-file-size` | — | `10485760` (10 MB) | Dahili parça boyutu sınırı (bayt). | +| `--show-raw` | — | `false` | Çıktıda ham sır değerini göster. | +| `--no-verify` | — | `false` | Sır doğrulamasını devre dışı bırak. | +| `--only-verified` | — | `false` | Yalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla. | +| `--min-severity` | — | `low` | Raporlanacak minimum önem: `low`, `medium`, `high`, `critical`. | +| `--remediation` | — | `false` | Her bulguya düzeltme rehberi ekle. | + +`--config` ve `--log-level` (varsayılan `warn`) kök bayrakları da geçerlidir. + +## Örnekler + +Token için ortam değişkeni kullanarak botun erişebildiği tüm kanalları tarayın: + +```bash +export LEAKWATCH_SLACK_TOKEN=xoxb-... +leakwatch scan slack +``` + +Belirli kanalları tarayın ve yılın başından bu yana gönderilen mesajlarla sınırlayın: + +```bash +leakwatch scan slack \ + --channels general,engineering,backend \ + --since 2026-01-01 +``` + +Gürültülü kanalları dışlayın ve doğrudan mesajları dahil edin: + +```bash +leakwatch scan slack \ + --exclude-channels random,social,giphy \ + --include-dms +``` + +Büyük çalışma alanlarında Slack hız sınırı hatalarını önlemek için API istek hızını düşürün: + +```bash +leakwatch scan slack --rate-limit 10 --format table +``` + +Yalnızca doğrulanmış aktif bulguları bir JSON dosyasına kaydedin: + +```bash +leakwatch scan slack \ + --only-verified \ + --format json \ + --output slack-findings.json +``` + +## Bulgu meta verisi + +Slack taramasından elde edilen her bulgu mesaj ve kanal meta verisi içerir: + +| Alan | Açıklama | +|------|----------| +| `channel` | Bulgunun tespit edildiği kanal adı. | +| `message_ts` | Slack mesaj zaman damgası (benzersiz mesaj kimliği). | +| `author` | Mesaj yazarının Slack kullanıcı kimliği. | + +## Performans değerlendirmeleri + +Slack API istekleri, Slack tarafından uygulanan hız sınırlarına tabidir. `--rate-limit` bayrağı (varsayılan saniyede `20` istek), Leakwatch'ın istekleri ne kadar agresif yapacağını kontrol eder. Özellikle büyük çalışma alanlarında `429 Too Many Requests` hatası alıyorsanız bu değeri düşürün. + +Her çalıştırmada tüm çalışma alanını taramak yerine belirli kanalları hedeflemek için `--channels` kullanın. Mesajları artımlı biçimde taramak için `--since` ile birleştirin. + +## Çıkış kodları + +| Kod | Anlam | +|-----|-------| +| `0` | Tarama tamamlandı, bulgu yok. | +| `1` | Tarama tamamlandı, bulgular raporlandı. | +| `2` | Tarama başarısız oldu (eksik token, kimlik doğrulama hatası, vb.). | + +Her çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir. + +## Ayrıca bakınız + +- [Hızlı Başlangıç](#/getting-started/quick-start) — ilk taramanızı bir dakikadan kısa sürede çalıştırın. +- [Yapılandırma Dosyası](#/configuration/config-file) — `.leakwatch.yaml` ile varsayılanları yapılandırın. +- [Bulguları Yoksayma](#/configuration/ignoring-findings) — bilinen yanlış pozitifleri bastırın. +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — doğrulama durumlarını anlayın. +- [Git Geçmişi](#/scanning/git-history) — commit edilmiş geçmişi sırlara karşı tarayın. +- [CLI Referansı](#/reference/cli-reference) — tüm komutlar için tam bayrak referansı. diff --git a/docs/user-manuals/tr/verification/how-verification-works.md b/docs/user-manuals/tr/verification/how-verification-works.md new file mode 100644 index 0000000..bb56057 --- /dev/null +++ b/docs/user-manuals/tr/verification/how-verification-works.md @@ -0,0 +1,107 @@ +--- +title: "Doğrulama Nasıl Çalışır" +description: "Leakwatch'ın tespit edilen bir sırrın hâlâ aktif olup olmadığını nasıl teyit ettiği, hangi doğrulama modlarını kullandığı ve doğrulamanın nasıl yapılandırılacağı veya devre dışı bırakılacağı." +--- + +# Doğrulama Nasıl Çalışır + +Bir kod tabanında sır bulmak hikayenin yalnızca yarısıdır. Altı ay önce döndürülen bir anahtar gürültüdür; hâlâ canlı olan bir anahtar ise aktif bir olayı temsil eder. Doğrulama, bu çizgiyi çizen adımdır — tespit edilen her bulguyu alır ve mümkün olan durumlarda sırrın sağlayıcıda hâlâ geçerli olup olmadığını teyit eder. + +## Tespiten doğrulamaya + +Tarama motoru bulguları topladıktan sonra doğrulayıcı havuzu onları işlemeye alır. Her bulgu bir `detector_id` taşır; Leakwatch bu ID için kayıtlı bir doğrulayıcı olup olmadığını arar: + +- Bir doğrulayıcı mevcutsa çalışır ve bir durum döndürür. +- O dedektör türü için kayıtlı bir doğrulayıcı yoksa bulgu değiştirilmeden `unverified` durumuyla geçer. + +## İki doğrulama modu + +Tüm sırlar aynı şekilde doğrulanamaz. Leakwatch, her kimlik bilgisi türü için güvenli olan yaklaşıma göre iki farklı yöntem kullanır. + +### Canlı API doğrulaması + +Yaklaşık 49 dedektör türü için Leakwatch, sağlayıcıya **kontrollü, salt-okunur bir API çağrısı** yapar — örneğin AWS anahtarları için `sts:GetCallerIdentity`, GitHub token'ları için `GET /user`. Çağrı yalnızca kimliği doğrulamak için gereken minimum uç noktayı kullanır; hiçbir zaman veri değiştirmez, kaynak oluşturmaz veya faturalandırma olayı tetiklemez. + +Sağlayıcı başarılı bir yanıt döndürürse bulgu `verified_active` olarak işaretlenir. Sağlayıcı kimlik bilgisini reddederse (örneğin HTTP 401 veya 403 ile) bulgu `verified_inactive` olarak işaretlenir. + +### Yalnızca format doğrulaması + +Beş kimlik bilgisi türü için güvenli bir canlı kontrol mevcut değildir — sağlayıcının anonim bir kimlik uç noktası yoktur ya da gerçek bir çağrı yan etkiye yol açar. Bu durumlar için Leakwatch, herhangi bir ağ isteği yapmadan kimlik bilgisinin yapısını doğrular: + +| Dedektör ID | Doğrulanan özellik | +|-------------|-------------------| +| `gcp-service-account` | JSON yapısı — `type`, `project_id`, `private_key_id`, `client_email` alanlarının varlığı | +| `rabbitmq-connection-string` | AMQP URL'nin başarıyla ayrıştırılması | +| `snowflake-credentials` | Yalnızca format kontrolü — geçerli bir format hiçbir şeyi kanıtlamaz, sonuç her zaman `unverified` | +| `azure-storage-key` | Format kontrolü | +| `azure-entra-secret` | Format kontrolü | + +:::note +Format kontrolü geçse bile sonuç `unverified` olarak kalır. Yapısal olarak geçerli bir kimlik bilgisi süresi dolmuş veya iptal edilmiş olabilir. Bu bulgular her zaman manuel inceleme gerektirir. +::: + +## Doğrulama durumları + +Leakwatch çıktısındaki her bulgu dört durumdan birini taşır: + +| Durum | Anlam | Önerilen eylem | +|-------|-------|----------------| +| `verified_active` | Sırrın sağlayıcı tarafından canlı olduğu teyit edildi. | Aktif bir olay olarak ele alın. Hemen döndürün. | +| `verified_inactive` | Sağlayıcı kimlik bilgisini reddetti. | Muhtemelen zaten döndürülmüş. Bağlamı gözden geçirin ve kapatın. | +| `unverified` | Bu tür için doğrulayıcı yok, format doğrulaması sonuç vermedi veya doğrulama devre dışı bırakıldı. | Manuel olarak inceleyin; risk bağlama göre belirlenir. | +| `verify_error` | Doğrulayıcı çalıştı ancak ağ hatası, zaman aşımı veya beklenmedik yanıtla karşılaştı. | Potansiyel olarak aktif kabul edin. Yeniden deneyin veya manuel olarak inceleyin. | + +## Doğrulama motoru + +Doğrulama, tarama çalışan havuzundan yalıtılmış ayrı bir eşzamanlı çalışan havuzunda çalışır. Sağlayıcı hız sınırlarını tetiklememek için varsayılanlar temkinlidir: + +| Ayar | Varsayılan | Yapılandırma anahtarı | +|------|-----------|----------------------| +| Çalışan sayısı | 4 | `verification.concurrency` | +| Global hız sınırı | 10 istek/saniye | `verification.rate-limit` | +| İstek başına zaman aşımı | 10 sn | `verification.timeout` | + +Her üç değer de `.leakwatch.yaml` içindeki `verification:` bloğu altında ayarlanabilir: + +```yaml +verification: + enabled: true + concurrency: 4 + rate-limit: 10.0 # global, saniye başına istek sayısı + timeout: 10s +``` + +:::tip +Yüzlerce bulgu tetikleyen bir depoyu tarıyorsanız `rate-limit` değerini 5'e düşürmeyi veya `--only-verified` etkinleştirmeyi düşünün; bu, doğrulanmış-aktif kümesini küçük ve uygulanabilir tutar. +::: + +## Komut satırından doğrulamayı kontrol etme + +`--no-verify` ile **doğrulamayı tamamen devre dışı bırakın** (ya da yapılandırmada `verification.enabled: false` ayarlayın). Her bulgu `unverified` olarak geçer. Bunu çevrimdışı veya hava boşluklu ortamlar için ya da herhangi bir sağlayıcı API'sine dokunmadan mümkün olan en hızlı taramayı istediğinizde kullanın. + +```bash +leakwatch scan fs . --no-verify +``` + +**Yalnızca canlı olduğu doğrulanan sırları görmek** için `--only-verified` kullanın. `verified_active` olmayan her şey çıktıdan düşürülür. Bu, büyük bir sonuç kümesini önceliklendirmenin en hızlı yoludur — yalnızca hemen harekete geçmeniz gereken anahtarları görürsünüz. + +```bash +leakwatch scan git . --only-verified +``` + +:::warn +`--only-verified`, `unverified` ve `verify_error` bulgularını sessizce düşürür. Bunu uyumluluk bağlamında tek filtreniz olarak kullanmayın — bazı kimlik bilgisi türleri (JWT'ler, genel API anahtarları, özel anahtarlar) hiçbir zaman doğrulanamaz ve her zaman dışarıda kalır. +::: + +## Sır güvenliği + +Doğrulama, ham sır değerinin süreç sınırını güvensiz biçimde asla terk etmeyecek şekilde tasarlanmıştır: + +- Doğrulayıcılar sırrı TLS üzerinden doğrudan sağlayıcının HTTP uç noktasına iletir — diske yazılmaz, bir loga gönderilmez ve çalıştırmalar arasında önbelleğe alınmaz. +- Başlatılamayan veya panikle karşılaşan bir doğrulayıcı motor tarafından yakalanır; motor, bulguyu `verify_error` olarak işaretler ve taramayı çökertmeden devam eder. + +## Ayrıca bakın + +- [Doğrulama Kapsamı](#/verification/verification-coverage) — hangi dedektör türlerinin canlı doğrulandığı, format doğrulandığı veya hiç doğrulanamadığı. +- [Yapılandırma: Yapılandırma Dosyası](#/configuration/config-file) — `verification:` bloğunun tam referansı. +- [Çıktı Formatları](#/output/output-formats) — doğrulama durumunun JSON, SARIF, CSV ve tablo çıktısında nasıl göründüğü. diff --git a/docs/user-manuals/tr/verification/verification-coverage.md b/docs/user-manuals/tr/verification/verification-coverage.md new file mode 100644 index 0000000..25ff4b9 --- /dev/null +++ b/docs/user-manuals/tr/verification/verification-coverage.md @@ -0,0 +1,111 @@ +--- +title: "Doğrulama Kapsamı" +description: "63 yerleşik dedektörün hangilerinin canlı doğrulandığı, yalnızca format doğrulandığı veya doğrulanamaz olduğu ve bunun önceliklendirme açısından ne anlama geldiği." +--- + +# Doğrulama Kapsamı + +Leakwatch 63 yerleşik dedektör ve 54 doğrulayıcı ile gelir; bu, **%85,7** kapsama oranı sağlar (63 dedektör türünün 54'ünün bir tür doğrulaması mevcuttur). Bu sayfa, çıktınızda ne beklemeniz gerektiğini bilmeniz için her dedektörü doğrulama durumuna göre eşler. + +## Canlı doğrulanan (49 dedektör türü) + +Bu türler için Leakwatch, sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar ve `verified_active` ya da `verified_inactive` döndürür. Hiçbir veri oluşturulmaz veya değiştirilmez; çağrı, kimliği doğrulamak için gereken minimum uç noktayı kullanır. + +| Dedektör türü | Sağlayıcı | +|--------------|----------| +| `aws-access-key-id` | AWS STS (`GetCallerIdentity`) | +| `github-token` | GitHub REST API | +| `github-oauth-token` | GitHub REST API | +| `gitlab-pat` | GitLab REST API | +| `slack-token` | Slack Web API | +| `openai-api-key` | OpenAI API | +| `anthropic-api-key` | Anthropic API | +| `deepseek-api-key` | DeepSeek API | +| `huggingface-token` | Hugging Face API | +| `sendgrid-api-key` | SendGrid Web API | +| `mailgun-api-key` | Mailgun API | +| `postmark-server-token` | Postmark API | +| `stripe-api-key-live` | Stripe API | +| `stripe-api-key-test` | Stripe API | +| `digitalocean-token` | DigitalOcean API | +| `cloudflare-api-token` | Cloudflare API | +| `heroku-api-key` | Heroku Platform API | +| `vercel-token` | Vercel REST API | +| `npm-token` | npm Registry API | +| `pypi-api-token` | PyPI API | +| `rubygems-api-key` | RubyGems API | +| `dockerhub-pat` | Docker Hub API | +| `circleci-token` | CircleCI API | +| `terraform-cloud-token` | Terraform Cloud API | +| `discord-bot-token` | Discord API | +| `telegram-bot-token` | Telegram Bot API | +| `sentry-token` | Sentry API | +| `pagerduty-api-key` | PagerDuty API | +| `newrelic-api-key` | New Relic API | +| `grafana-api-key` | Grafana API | +| `datadog-api-key` | Datadog API | +| `snyk-api-key` | Snyk API | +| `twilio-api-key` | Twilio API | +| `doppler-token` | Doppler API | +| `launchdarkly-sdk-key` | LaunchDarkly API | +| `sonarcloud-token` | SonarCloud API | +| `shopify-access-token` | Shopify Admin API | +| `notion-token` | Notion API | +| `linear-api-key` | Linear API | +| `figma-pat` | Figma REST API | +| `airtable-pat` | Airtable API | +| `okta-api-token` | Okta API | +| `auth0-management-token` | Auth0 Management API | +| `databricks-token` | Databricks REST API | +| `bitbucket-app-password` | Bitbucket REST API | +| `coinbase-api-key` | Coinbase API | +| `supabase-service-key` | Supabase API | +| `infura-api-key` | Infura API | +| `teams-webhook` | Microsoft Teams | + +## Yalnızca format doğrulaması (5 dedektör türü) + +Bu doğrulayıcılar tamamen çevrimdışı çalışır. Hiçbir ağ isteği yapılmaz. Geçerli bir format kimlik bilgisinin aktif olduğunu kanıtlamadığından, beşi de format kontrolünün geçip geçmediğinden bağımsız olarak her zaman `unverified` döndürür. + +| Dedektör ID | Doğrulanan özellik | Neden canlı kontrol yok | +|-------------|-------------------|------------------------| +| `gcp-service-account` | JSON yapısı (`type`, `project_id`, `private_key_id`, `client_email`) | Canlı kontrol, yan etkileri olan GCP OAuth2 token değişimi gerektirir | +| `rabbitmq-connection-string` | AMQP URL'nin başarıyla ayrıştırılması | Herkese açık kimlik doğrulamasız sağlık uç noktası yok | +| `snowflake-credentials` | Parola uzunluğu ve host alt dize kontrolü | Canlı kontrol bir JDBC/ODBC veritabanı bağlantısı gerektirir | +| `azure-storage-key` | Format kontrolü | Hesap başına HMAC imzalama gerektirir; genel kimlik uç noktası yok | +| `azure-entra-secret` | Format kontrolü | İstemci kimlik bilgisi akışı oturum oluşturur | + +## Doğrulanamaz (9 dedektör türü) + +Bu dedektör türlerinin hiç doğrulayıcısı yoktur. Bunlardan gelen bulgular her zaman `unverified` olur. Bu durum önemsiz oldukları anlamına **gelmez** — tam olarak tespit edilip raporlanırlar — ancak herkese açık bir doğrulama API'si bulunmamakta ya da herhangi bir doğrulama girişimi yan etkiye yol açmaktadır. + +| Dedektör ID | Neden | +|-------------|-------| +| `jwt` | JWT herhangi bir tarafça yayınlanabilir; evrensel bir doğrulama uç noktası yoktur | +| `private-key` | Çağrılacak sağlayıcı yok; aktif kullanım uzaktan tespit edilemez | +| `generic-api-key` | Tanım gereği bilinmeyen sağlayıcı | +| `database-connection-string` | Bağlanmak hedef veritabanında oturum oluşturur | +| `redis-connection-string` | Bağlanmak Redis örneğinde canlı bağlantı açar | +| `ftp-credentials` | Güvenli, salt-okunur FTP yoklama yöntemi yok | +| `ldap-credentials` | LDAP bind kimliği doğrulanmış bir oturum oluşturur | +| `slack-webhook` | Webhook'un aktif olduğunu doğrulamak mesaj göndermeyi gerektirir | +| `hashicorp-vault-token` | Vault token doğrulaması, Vault uç noktasının bilinmesini gerektirir | + +:::note +"Doğrulanamaz" "bulunamaz" anlamına gelmez. Bu 9 türün tamamı yine de tespit edilir ve çıktınızda görünür. Kimlik bilgisinin canlı olup olmadığını ve döndürülmesi gerekip gerekmediğini belirlemek için manuel inceleme gerektirir. +::: + +## Kapsam özeti + +| Kategori | Sayı | +|----------|------| +| Canlı doğrulanan | 49 | +| Yalnızca format doğrulaması | 5 | +| Doğrulanamaz | 9 | +| **Toplam dedektör** | **63** | +| **Doğrulayıcı (herhangi bir kapsam)** | **54 (%85,7)** | + +## Ayrıca bakın + +- [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) — iki doğrulama modu, durumlar ve doğrulama motoru. +- [Dedektör Kataloğu](#/detectors/detector-catalog) — yerleşik dedektörlerin tam listesi ve şiddet seviyeleri. diff --git a/site/.nojekyll b/site/.nojekyll new file mode 100644 index 0000000..e69de29 diff --git a/site/README.md b/site/README.md new file mode 100644 index 0000000..ec02c13 --- /dev/null +++ b/site/README.md @@ -0,0 +1,90 @@ +# Leakwatch website + +The marketing site and documentation portal for Leakwatch, published to GitHub +Pages. It is a **dependency-free static site** — plain HTML, CSS, and vanilla +JavaScript, no runtime framework and no client-side build step. The visual +concept is **"Redacted"**: a classified-dossier aesthetic with redaction bars, +scan-line reveals, and evidence stamps. Dark-only by design. + +## Structure + +``` +site/ +├── index.html Landing page (Redacted hero with a scan-reveal document) +├── docs.html Documentation portal (sidebar + hash-routed content) +├── contact.html Contact page (Formspree-backed form + GitHub channels) +├── css/style.css Design system (the Redacted dossier theme) +├── js/ +│ ├── translations.js UI strings for EN / TR (marketing chrome + docs shell) +│ ├── i18n.js Language detection, switching, persistence +│ ├── main.js Mobile nav, copy buttons, hero scan animation, contact form +│ ├── docs.js Docs portal controller (nav, routing, search, Mermaid) +│ └── manuals/ GENERATED — compiled manual content (do not edit by hand) +│ ├── _index.js Navigation tree (from docs/user-manuals/_meta.yaml) +│ ├── en.js English manual pages, rendered to HTML +│ └── tr.js Turkish manual pages, rendered to HTML +├── assets/ favicon.svg, og.svg +└── .nojekyll Disable Jekyll (so files like _index.js are served) +``` + +## Internationalization + +The site is bilingual (English + Turkish) with **client-side switching**: a +single set of URLs, with the language toggled in the navbar and remembered in +`localStorage`. UI strings live in `js/translations.js`; manual content is +compiled per language into `js/manuals/.js`. + +## Contact form (Formspree) + +`contact.html` posts to [Formspree](https://formspree.io). Before it works you +must create a free form and paste its endpoint ID: + +1. Create a form at https://formspree.io and copy your form ID. +2. In `contact.html`, replace `YOUR_FORM_ID` in the form's `action`: + `https://formspree.io/f/YOUR_FORM_ID` → `https://formspree.io/f/abcdwxyz`. + +The form submits via `fetch` (inline success/error) and degrades to a normal +POST without JavaScript. It includes a honeypot field and never asks for secrets. + +## Editing the documentation + +Manual pages are authored as Markdown under +[`../docs/user-manuals/`](../docs/user-manuals/): + +``` +docs/user-manuals/ +├── _meta.yaml navigation: sections, page order, titles +├── en/
/.md English source +└── tr/
/.md Turkish source +``` + +Each page has YAML front matter (`title`, `description`), GFM Markdown, fenced +code blocks, optional `:::tip` / `:::note` / `:::warn` / `:::danger` callouts, +and ` ```mermaid ` diagrams. Cross-links use the hash-router form +`[Label](#/
/)`. + +After editing Markdown (or `_meta.yaml`), regenerate the compiled bags: + +```bash +cd tools/site-build +go run . # add -strict to fail on any missing translation +``` + +## Local preview + +Serve the folder over HTTP (the docs portal loads JS files, so `file://` will +not work): + +```bash +cd site +python3 -m http.server 8080 +# then open http://localhost:8080/ +``` + +## Deployment + +Pushes to `main` that touch `site/`, `docs/user-manuals/`, or +`tools/site-build/` trigger +[`.github/workflows/site-deploy.yml`](../.github/workflows/site-deploy.yml), +which recompiles the manuals and deploys `site/` to GitHub Pages. Enable it once +under **Settings → Pages → Build and deployment → Source: GitHub Actions**. diff --git a/site/assets/favicon.svg b/site/assets/favicon.svg new file mode 100644 index 0000000..29d4eb3 --- /dev/null +++ b/site/assets/favicon.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/site/assets/og.svg b/site/assets/og.svg new file mode 100644 index 0000000..b930efd --- /dev/null +++ b/site/assets/og.svg @@ -0,0 +1,29 @@ + + + + + + + + + CLASSIFIED — LEAKWATCH FIELD REPORT + + + + + + + + Leakwatch + + Some secrets shouldn't be █████████. + Leakwatch finds the ones that are — detect · verify · report. + + + 63 detectors + 54 live verifiers + 6 sources + SARIF · JSON · CSV + + github.com/HodeTech/Leakwatch · MIT + diff --git a/site/contact.html b/site/contact.html new file mode 100644 index 0000000..1e25ff5 --- /dev/null +++ b/site/contact.html @@ -0,0 +1,142 @@ + + + + + +Contact — Leakwatch + + + + + + + + + + + +
⬤ Classified — Leakwatch field reportSecure channel · open
+ + + + +
+
+
§ contact
+

Open a secure channel

+

Questions about Leakwatch, a bug to report, or an idea to share? Send a message below, or use one of the channels on the right. We never ask for secrets — please don't paste real credentials.

+ +
+ +
+
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+ + + +

We use your email only to reply. No tracking, no newsletter.

+

+
+
+ + +
+
+
+ +

Bugs & feature requests

Open an issue on GitHub — the fastest way to reach maintainers.

github.com/HodeTech/Leakwatch/issues →
+
+
+ +

Security disclosure

Found a vulnerability? Report it privately via a GitHub security advisory.

Open a private advisory →
+
+
+ +

Read the docs first

Most questions are answered in the bilingual user manual.

Browse the documentation →
+
+
+
+
+
+
+ + + + + + + + diff --git a/site/css/style.css b/site/css/style.css new file mode 100644 index 0000000..9793c7a --- /dev/null +++ b/site/css/style.css @@ -0,0 +1,387 @@ +/* ========================================================================== + Leakwatch — "Redacted" design system + A classified-dossier aesthetic: redaction bars, scan-line reveals, stamps, + corner-ticked frames. Dark-only by design. Vanilla CSS, no framework. + Covers: marketing homepage, contact page, and the documentation portal. + ========================================================================== */ + +:root{ + --ink:#0a0b0d; --panel:#111316; --panel-2:#16191e; --panel-3:#1b1f25; + --line:#23272e; --line-2:#2c313a; + --paper:#f1eee5; --text:#d4d1c7; --muted:#8b9098; --faint:#5b616b; + --redact:#000; --alert:#e6394d; --alert-2:#ff6377; --alert-deep:#b3263a; + --cleared:#34d39a; --warn:#f0b429; --info:#5aa9e6; + + /* severity */ + --sev-critical:#e6394d; --sev-high:#f0852f; --sev-medium:#f0b429; --sev-low:#5aa9e6; + + /* code tokens */ + --code-bg:#060708; --code-text:#cdd4c8; --code-key:#9aa4b2; --code-str:#8fd6bf; + --code-flag:#f0b429; --code-com:#5b616b; + + --mono:'JetBrains Mono',ui-monospace,SFMono-Regular,Menlo,Consolas,monospace; + --display:'Space Grotesk',system-ui,-apple-system,sans-serif; + + --maxw:1120px; --nav-h:62px; --radius:8px; + --shadow:0 18px 50px rgba(0,0,0,.5); + --t:.2s ease; --t-fast:.14s ease; +} + +*,*::before,*::after{box-sizing:border-box} +*{margin:0;padding:0} +html{scroll-behavior:smooth;scroll-padding-top:calc(var(--nav-h) + 20px);-webkit-text-size-adjust:100%} +body{background:var(--ink);color:var(--text);font-family:var(--mono);font-size:15px;line-height:1.65;-webkit-font-smoothing:antialiased;text-rendering:optimizeLegibility;overflow-x:hidden;min-height:100vh} + +/* faint grid backdrop */ +body::before{content:"";position:fixed;inset:0;z-index:-1; + background-image:linear-gradient(var(--line) 1px,transparent 1px),linear-gradient(90deg,var(--line) 1px,transparent 1px); + background-size:34px 34px;opacity:.16; + -webkit-mask-image:radial-gradient(circle at 72% -5%,#000,transparent 78%); + mask-image:radial-gradient(circle at 72% -5%,#000,transparent 78%);pointer-events:none} + +a{color:var(--cleared);text-decoration:none;transition:color var(--t-fast)} +a:hover{color:var(--cleared)} +img,svg{display:block;max-width:100%} +::selection{background:var(--alert);color:#fff} + +.wrap,.container{width:100%;max-width:var(--maxw);margin:0 auto;padding:0 26px} +h1,h2,h3,h4{font-family:var(--display);font-weight:700;letter-spacing:-.015em;color:var(--paper)} +.mono-label{font-family:var(--mono);font-size:11px;letter-spacing:.22em;text-transform:uppercase;color:var(--faint)} +.accent{color:var(--alert)} + +.skip-link{position:absolute;left:-999px;top:8px;z-index:1000;background:var(--alert);color:#fff;padding:10px 16px;border-radius:6px} +.skip-link:focus{left:16px} + +/* ---- redaction primitives ---- */ +.redact{background:var(--redact);color:transparent;border-radius:2px;padding:0 .35em;position:relative;cursor:help; + box-shadow:inset 0 0 0 1px #000;transition:background .35s ease,color .35s ease} +.redact::after{content:"";position:absolute;inset:0;border-radius:2px; + background:repeating-linear-gradient(90deg,#000 0 6px,#0a0a0a 6px 12px)} +.redact.revealed{background:rgba(230,57,77,.12);color:var(--alert-2);box-shadow:inset 0 0 0 1px rgba(230,57,77,.4)} +.redact.revealed::after{opacity:0} +.redact.cleared.revealed{background:rgba(52,211,154,.12);color:var(--cleared);box-shadow:inset 0 0 0 1px rgba(52,211,154,.35)} + +.stamp{display:inline-block;font-family:var(--display);font-weight:700;text-transform:uppercase;letter-spacing:.12em; + padding:5px 12px;border:2px solid var(--alert);color:var(--alert);border-radius:5px;transform:rotate(-7deg);font-size:13px; + opacity:0;transition:opacity .3s ease} +.stamp.in{opacity:.95} +.stamp.green{border-color:var(--cleared);color:var(--cleared)} + +/* corner-ticked frame */ +.frame{position:relative;border:1px solid var(--line-2);background:var(--panel)} +.frame::before,.frame::after{content:"";position:absolute;width:12px;height:12px;border:2px solid var(--alert);opacity:.7;pointer-events:none} +.frame::before{top:-1px;left:-1px;border-right:0;border-bottom:0} +.frame::after{bottom:-1px;right:-1px;border-left:0;border-top:0} + +/* ---- classbar + nav ---- */ +.classbar{background:var(--alert);color:#0a0b0d} +.classbar .wrap{display:flex;justify-content:space-between;align-items:center;height:28px;font-weight:700;font-size:10.5px;letter-spacing:.26em;text-transform:uppercase} +.nav{position:sticky;top:0;z-index:100;background:rgba(10,11,13,.86);backdrop-filter:blur(12px) saturate(140%);-webkit-backdrop-filter:blur(12px) saturate(140%);border-bottom:1px solid var(--line)} +.nav-inner{width:100%;max-width:var(--maxw);margin:0 auto;padding:0 26px;display:flex;align-items:center;gap:18px;height:var(--nav-h)} +.nav-brand{display:flex;align-items:center;gap:10px;font-family:var(--display);font-weight:700;font-size:19px;letter-spacing:-.01em;color:var(--paper)} +.nav-brand:hover{color:var(--paper)} +.nav-brand .logo{width:30px;height:30px;flex:none} +.nav-brand b{color:var(--alert)} +.nav-menu{display:flex;gap:4px;margin-left:14px} +.nav-link{font-size:13px;color:var(--muted);padding:8px 12px;border-radius:6px;transition:color var(--t-fast),background var(--t-fast)} +.nav-link:hover{color:var(--paper);background:var(--panel-2)} +.nav-actions{margin-left:auto;display:flex;align-items:center;gap:9px} + +.btn{font-family:var(--mono);font-size:13px;font-weight:600;padding:10px 16px;border-radius:6px;border:1px solid var(--line-2); + background:var(--panel-2);color:var(--text);cursor:pointer;display:inline-flex;align-items:center;gap:8px;white-space:nowrap;transition:.15s;line-height:1} +.btn:hover{border-color:var(--alert);color:var(--paper)} +.btn svg{width:16px;height:16px} +.btn-red{background:var(--alert);border-color:var(--alert);color:#0a0b0d} +.btn-red:hover{background:var(--alert-2);border-color:var(--alert-2);color:#0a0b0d} +.btn-lg{padding:13px 22px;font-size:14px} +.btn-sm{padding:8px 13px;font-size:12.5px} +.btn:disabled{opacity:.6;cursor:default} + +.icon-btn{display:inline-flex;align-items:center;justify-content:center;width:38px;height:38px;border-radius:6px;cursor:pointer; + background:var(--panel-2);border:1px solid var(--line-2);color:var(--muted);transition:.15s} +.icon-btn:hover{color:var(--paper);border-color:var(--alert)} +.icon-btn svg{width:18px;height:18px} + +/* language switcher (used by i18n.js) */ +.lang{position:relative} +.lang-toggle{width:auto;gap:6px;padding:0 12px;font-family:var(--mono);font-size:12px;font-weight:600} +.lang-menu{position:absolute;top:calc(100% + 8px);right:0;min-width:130px;background:var(--panel);border:1px solid var(--line-2); + border-radius:8px;box-shadow:var(--shadow);padding:6px;display:none;flex-direction:column;gap:2px;z-index:60} +.lang-menu.open{display:flex} +.lang-menu button{display:flex;align-items:center;justify-content:space-between;gap:10px;background:none;border:0;color:var(--muted); + cursor:pointer;padding:8px 10px;border-radius:6px;font-family:var(--mono);font-size:13px;text-align:left} +.lang-menu button:hover{background:var(--panel-2);color:var(--paper)} +.lang-menu button[aria-current="true"]{color:var(--cleared)} +.lang-menu button[aria-current="true"]::after{content:"✓";font-weight:700} +.nav-burger{display:none} + +/* ---- generic section ---- */ +.section{padding:70px 0;border-top:1px solid var(--line);position:relative} +.section.no-rule{border-top:0} +.sec-head{display:flex;align-items:baseline;gap:16px;margin-bottom:14px} +.sec-head .idx{color:var(--alert);font-weight:700} +.sec-head h2{font-size:clamp(24px,3.4vw,36px);letter-spacing:-.02em} +.sec-intro{color:var(--muted);max-width:64ch;margin-bottom:30px;font-size:15px} + +/* ---- hero ---- */ +.hero{padding:62px 0 44px;display:grid;grid-template-columns:1.02fr 1fr;gap:46px;align-items:center} +.hero .tag{display:inline-flex;gap:8px;align-items:center;margin-bottom:22px} +.hero .tag b{color:var(--alert)} +.hero h1{font-size:clamp(34px,5.2vw,58px);line-height:1.03;letter-spacing:-.025em;margin-bottom:20px} +.hero h1 .rd{font-size:.94em} +.hero p.lede{color:var(--muted);font-size:16px;max-width:48ch;margin-bottom:26px} +.hero .cta{display:flex;gap:12px;flex-wrap:wrap;margin-bottom:22px} +.kv{font-size:12px;color:var(--faint)} + +/* document panel + scan reveal */ +.doc{border-radius:8px;overflow:hidden} +.doc-head{display:flex;align-items:center;gap:10px;padding:11px 16px;border-bottom:1px solid var(--line);background:var(--panel-2);font-size:12px;color:var(--muted)} +.doc-head .file{color:var(--paper);font-weight:600} +.doc-head .meta{margin-left:auto;color:var(--alert)} +.scanwrap{position:relative} +.scanline{position:absolute;left:0;right:0;height:46px;top:0;pointer-events:none;opacity:0;mix-blend-mode:screen; + background:linear-gradient(180deg,transparent,rgba(230,57,77,.12) 60%,rgba(230,57,77,.5));border-bottom:1px solid var(--alert)} +.doc-body{padding:16px 0;font-size:13.5px;line-height:2} +.code-row{display:grid;grid-template-columns:46px 1fr;align-items:start} +.code-row .ln{color:var(--faint);text-align:right;padding-right:14px;border-right:1px solid var(--line);user-select:none} +.code-row .src{padding:0 16px;white-space:pre-wrap;word-break:break-word} +.tok-key{color:var(--code-key)}.tok-str{color:var(--code-str)} +.finding-card{margin:8px 16px 8px 62px;border:1px solid var(--line-2);border-left:3px solid var(--alert);background:var(--panel-2); + border-radius:0 7px 7px 0;padding:10px 14px;display:flex;align-items:center;gap:14px;opacity:0;transform:translateX(-8px);transition:.35s} +.finding-card.in{opacity:1;transform:none} +.finding-card .det{font-weight:700;color:var(--paper)} +.finding-card .st{margin-left:auto;font-size:12px} +.st.live{color:var(--cleared)}.st.unv{color:var(--muted)}.st.fmt{color:var(--info)} +.doc-foot{padding:14px 16px;border-top:1px solid var(--line);display:flex;gap:12px;align-items:center} + +.sev{font-family:var(--display);font-weight:700;font-size:11px;letter-spacing:.08em;padding:3px 8px;border-radius:4px;display:inline-block} +.sev.c{background:rgba(230,57,77,.16);color:var(--alert-2)} +.sev.h{background:rgba(240,133,47,.16);color:var(--sev-high)} +.sev.m{background:rgba(240,180,41,.16);color:var(--warn)} +.sev.l{background:rgba(90,169,230,.16);color:var(--sev-low)} + +/* ---- stat band ---- */ +.stats{display:grid;grid-template-columns:repeat(4,1fr);border-radius:8px;overflow:hidden} +.stats .cell{padding:24px 18px;text-align:center;background:var(--panel)} +.stats .cell:not(:last-child){border-right:1px solid var(--line)} +.stats .n{font-family:var(--display);font-weight:700;font-size:clamp(30px,4vw,40px);color:var(--paper)} +.stats .n b{color:var(--alert)} +.stats .l{font-size:12px;color:var(--muted);margin-top:4px} + +/* ---- case file table ---- */ +.case{border-radius:8px;overflow:hidden} +.case-row{display:grid;grid-template-columns:40px 120px 1fr 150px 120px;gap:14px;align-items:center;padding:14px 18px;border-bottom:1px solid var(--line);font-size:13px} +.case-row:last-child{border-bottom:0} +.case-row.h{background:var(--panel-2);color:var(--faint);font-size:11px;letter-spacing:.12em;text-transform:uppercase} +.case-row .num{color:var(--faint)} +.case-row .loc{color:var(--faint);font-size:12px} +.case-row b{color:var(--paper)} + +/* ---- chain (pipeline) ---- */ +.chain{display:grid;grid-template-columns:repeat(5,1fr);gap:10px} +.chain-step{background:var(--panel);border:1px solid var(--line-2);border-radius:8px;padding:20px 16px;position:relative} +.chain-step .n{font-family:var(--mono);font-size:11px;color:var(--alert-2);border:1px solid var(--line-2);border-radius:999px;padding:2px 8px;display:inline-block;margin-bottom:12px} +.chain-step h4{font-size:15px;margin-bottom:6px} +.chain-step p{font-size:12.5px;color:var(--muted)} +.chain-step .arr{position:absolute;right:-9px;top:50%;transform:translateY(-50%);color:var(--line-2);z-index:2} +.chain-step:last-child .arr{display:none} + +/* ---- cards grid (watch points, verification, formats) ---- */ +.grid-3{display:grid;grid-template-columns:repeat(3,1fr);gap:16px} +.grid-2{display:grid;grid-template-columns:repeat(2,1fr);gap:16px} +.card{background:var(--panel);border:1px solid var(--line-2);border-radius:8px;padding:22px;transition:transform var(--t),border-color var(--t)} +.card:hover{transform:translateY(-3px);border-color:var(--alert)} +.point .pf{display:flex;justify-content:space-between;align-items:center;margin-bottom:10px;gap:10px} +.point .pid{font-family:var(--display);font-weight:700;color:var(--paper);font-size:16px} +.point .cmd{font-family:var(--mono);font-size:12px;color:var(--warn)} +.point p{font-size:13px;color:var(--muted)} + +.vrow{display:flex;align-items:center;gap:14px;padding:14px 0;border-bottom:1px solid var(--line)} +.vrow:last-child{border-bottom:0} +.vrow .vk{font-family:var(--mono);font-size:12px;font-weight:700;min-width:130px} +.vrow .vk.live{color:var(--cleared)}.vrow .vk.fmt{color:var(--info)}.vrow .vk.no{color:var(--faint)} +.vrow .vd{color:var(--muted);font-size:13.5px} +.vcount{font-family:var(--display);font-weight:700;color:var(--paper);margin-left:auto} + +.format-card .fmt{font-family:var(--mono);font-weight:700;color:var(--alert-2);font-size:14px;margin-bottom:6px} +.format-card p{font-size:13px;color:var(--muted)} + +/* ---- detector index ---- */ +.index-grid{display:flex;flex-wrap:wrap;gap:8px} +.idx-chip{font-family:var(--mono);font-size:12px;color:var(--muted);border:1px solid var(--line-2);border-radius:4px;padding:6px 11px;background:var(--panel)} +.idx-chip.r{background:#000;color:transparent;box-shadow:inset 0 0 0 1px #000;width:78px} +.idx-chip.more{color:var(--alert);border-color:rgba(230,57,77,.4)} +.idx-chip.more:hover{background:rgba(230,57,77,.08)} + +/* ---- CTA ---- */ +.cta-box{border-radius:10px;padding:48px 40px;text-align:center} +.cta-box h2{font-size:clamp(24px,3.4vw,38px);margin-bottom:10px} +.cta-box p{color:var(--muted);margin-bottom:24px} +.install-tabs{display:flex;flex-direction:column;gap:10px;max-width:560px;margin:0 auto} +.cmd-line{display:flex;align-items:center;gap:12px;font-family:var(--mono);font-size:13.5px;background:#000;border:1px solid var(--line-2);border-radius:7px;padding:12px 16px} +.cmd-line .p{color:var(--alert);user-select:none} +.cmd-line code{overflow-x:auto;white-space:nowrap;color:var(--code-text)} +.copy-btn{margin-left:auto;flex:none;background:var(--panel-2);border:1px solid var(--line-2);color:var(--muted);border-radius:5px; + width:28px;height:28px;cursor:pointer;display:inline-flex;align-items:center;justify-content:center;transition:.14s} +.copy-btn:hover,.copy-btn.copied{color:var(--cleared);border-color:var(--cleared)} +.copy-btn svg{width:14px;height:14px} + +/* ---- contact ---- */ +.contact-grid{display:grid;grid-template-columns:1.1fr .9fr;gap:30px;align-items:start} +.form-frame{border-radius:10px;padding:30px} +.field{margin-bottom:18px} +.field label{display:block;font-family:var(--mono);font-size:12px;letter-spacing:.08em;text-transform:uppercase;color:var(--muted);margin-bottom:7px} +.field input,.field textarea,.field select{width:100%;background:#000;border:1px solid var(--line-2);border-radius:7px;color:var(--text); + font-family:var(--mono);font-size:14px;padding:11px 13px;transition:border-color var(--t-fast)} +.field input:focus,.field textarea:focus,.field select:focus{outline:none;border-color:var(--alert)} +.field textarea{resize:vertical;min-height:140px} +.hp{position:absolute!important;left:-9999px!important;width:1px;height:1px;opacity:0;pointer-events:none} +.form-note{font-size:12px;color:var(--faint);margin-top:10px} +.form-status{margin-top:14px;font-family:var(--mono);font-size:13px;display:none} +.form-status.show{display:block} +.form-status.ok{color:var(--cleared)} +.form-status.err{color:var(--alert-2)} +.channels .ch{display:flex;gap:14px;align-items:flex-start;padding:16px 0;border-bottom:1px solid var(--line)} +.channels .ch:last-child{border-bottom:0} +.channels .ch .ic{width:38px;height:38px;flex:none;border-radius:8px;border:1px solid var(--line-2);display:flex;align-items:center;justify-content:center;color:var(--alert-2)} +.channels .ch h4{font-size:15px;margin-bottom:3px} +.channels .ch p{font-size:13px;color:var(--muted)} + +/* ---- footer ---- */ +.footer{border-top:1px solid var(--line);padding:50px 0 36px;background:var(--panel)} +.footer-grid{display:grid;grid-template-columns:1.6fr 1fr 1fr 1fr;gap:30px;margin-bottom:36px} +.footer-brand p{color:var(--muted);font-size:13px;margin-top:12px;max-width:32ch} +.footer h4{font-family:var(--mono);font-size:11px;text-transform:uppercase;letter-spacing:.12em;color:var(--faint);margin-bottom:14px} +.footer ul{list-style:none;display:flex;flex-direction:column;gap:9px} +.footer a{color:var(--muted);font-size:13px} +.footer a:hover{color:var(--cleared)} +.footer-bottom{display:flex;justify-content:space-between;align-items:center;flex-wrap:wrap;gap:12px;padding-top:24px;border-top:1px solid var(--line);color:var(--faint);font-size:12px} + +/* ---- reveal ---- */ +.reveal{opacity:0;transform:translateY(20px);transition:opacity .55s ease,transform .55s ease} +.reveal.in{opacity:1;transform:none} + +/* ========================================================================== + Documentation portal + ========================================================================== */ +.docs-shell{display:grid;grid-template-columns:280px minmax(0,1fr) 236px;min-height:100vh} +.docs-sidebar{position:sticky;top:var(--nav-h);align-self:start;height:calc(100vh - var(--nav-h));overflow-y:auto; + border-right:1px solid var(--line);padding:24px 14px 60px;background:var(--panel)} +.docs-search{width:100%;background:#000;border:1px solid var(--line-2);border-radius:7px;color:var(--text); + padding:10px 12px;font-family:var(--mono);font-size:13px;margin-bottom:18px} +.docs-search:focus{outline:none;border-color:var(--alert)} +.docs-search::placeholder{color:var(--faint)} +.docs-nav-section{margin-bottom:16px} +.docs-nav-title{display:flex;align-items:center;gap:9px;font-family:var(--mono);font-size:11px;text-transform:uppercase;letter-spacing:.1em; + color:var(--faint);font-weight:700;padding:6px 10px;margin-bottom:4px} +.docs-nav-title svg{width:15px;height:15px;color:var(--alert-2)} +.docs-nav-section ul{list-style:none} +.docs-nav-link{display:block;color:var(--muted);font-size:13px;padding:7px 10px 7px 32px;border-radius:6px;border-left:2px solid transparent;transition:.14s} +.docs-nav-link:hover{color:var(--paper);background:var(--panel-2)} +.docs-nav-link.active{color:var(--alert-2);background:rgba(230,57,77,.08);border-left-color:var(--alert);font-weight:600} +.docs-nav-link.hidden,.docs-nav-section.hidden{display:none} + +.docs-main{min-width:0;padding:38px clamp(20px,5vw,68px) 90px;max-width:900px} +.docs-progress{position:fixed;top:var(--nav-h);left:280px;right:0;height:2px;z-index:50} +.docs-progress span{display:block;height:100%;width:0;background:var(--alert);transition:width .1s linear} +.docs-breadcrumb{font-family:var(--mono);font-size:12px;color:var(--faint);margin-bottom:18px;letter-spacing:.04em} +.docs-breadcrumb b{color:var(--alert-2)} + +.doc-content{font-size:15px} +.doc-content h1{font-family:var(--display);font-size:clamp(28px,4vw,40px);line-height:1.12;margin-bottom:20px;letter-spacing:-.02em} +.doc-content h2{font-family:var(--display);font-size:24px;margin:42px 0 16px;padding-bottom:8px;border-bottom:1px solid var(--line);letter-spacing:-.01em} +.doc-content h3{font-family:var(--display);font-size:19px;margin:28px 0 12px} +.doc-content h4{font-family:var(--display);font-size:16px;margin:22px 0 10px} +.doc-content p{margin:0 0 16px;color:var(--text)} +.doc-content a{color:var(--cleared);border-bottom:1px solid color-mix(in srgb,var(--cleared) 35%,transparent)} +.doc-content a:hover{border-bottom-color:var(--cleared)} +.doc-content ul,.doc-content ol{margin:0 0 18px;padding-left:24px} +.doc-content li{margin-bottom:7px;color:var(--text)} +.doc-content li::marker{color:var(--alert-2)} +.doc-content strong{color:var(--paper)} +.doc-content hr{border:0;border-top:1px solid var(--line);margin:30px 0} +.doc-content :not(pre)>code{font-family:var(--mono);font-size:.85em;color:var(--alert-2); + background:rgba(230,57,77,.08);border:1px solid var(--line);padding:.1em .4em;border-radius:4px;word-break:break-word} +.doc-content pre{background:var(--code-bg);border:1px solid var(--line-2);border-radius:8px;padding:16px 18px;overflow-x:auto;margin:0 0 20px;position:relative} +.doc-content pre code{font-family:var(--mono);font-size:13px;color:var(--code-text);line-height:1.7} +.doc-content pre .copy-btn{position:absolute;top:10px;right:10px;opacity:0;transition:opacity var(--t-fast)} +.doc-content pre:hover .copy-btn{opacity:1} + +.doc-content table{width:100%;border-collapse:collapse;margin:0 0 22px;font-size:13.5px;border:1px solid var(--line-2);border-radius:8px;overflow:hidden;display:block;overflow-x:auto} +.doc-content thead{background:var(--panel-2)} +.doc-content th{text-align:left;padding:11px 14px;font-weight:700;color:var(--paper);border-bottom:1px solid var(--line-2);white-space:nowrap;font-family:var(--mono);font-size:12px;letter-spacing:.04em} +.doc-content td{padding:10px 14px;border-bottom:1px solid var(--line);color:var(--muted);vertical-align:top} +.doc-content tbody tr:last-child td{border-bottom:0} +.doc-content tbody tr:hover{background:var(--panel-2)} +.doc-content td code{white-space:nowrap} +.doc-content blockquote{border-left:3px solid var(--cleared);background:var(--panel-2);padding:12px 18px;margin:0 0 18px;border-radius:0 8px 8px 0;color:var(--muted)} + +/* callouts */ +.callout{border:1px solid var(--line-2);border-left-width:3px;border-radius:0 8px 8px 0;background:var(--panel-2);padding:14px 18px;margin:0 0 20px} +.callout-label{font-family:var(--mono);font-weight:700;font-size:11px;text-transform:uppercase;letter-spacing:.08em;margin-bottom:6px} +.callout-body>:last-child{margin-bottom:0} +.callout-tip{border-left-color:var(--cleared)} .callout-tip .callout-label{color:var(--cleared)} +.callout-note{border-left-color:var(--info)} .callout-note .callout-label{color:var(--info)} +.callout-warn{border-left-color:var(--warn)} .callout-warn .callout-label{color:var(--warn)} +.callout-danger{border-left-color:var(--alert);background:rgba(230,57,77,.07)} .callout-danger .callout-label{color:var(--alert)} + +.doc-content .mermaid{background:var(--panel);border:1px solid var(--line-2);border-radius:8px;padding:18px;margin:0 0 22px;text-align:center;overflow-x:auto} + +.doc-pager{display:flex;justify-content:space-between;gap:16px;margin-top:50px;padding-top:26px;border-top:1px solid var(--line)} +.doc-pager a{flex:1;max-width:48%;border:1px solid var(--line-2);border-radius:8px;padding:14px 18px;background:var(--panel);color:var(--text);transition:.14s} +.doc-pager a:hover{border-color:var(--alert);transform:translateY(-2px);color:var(--text)} +.doc-pager .dir{font-family:var(--mono);font-size:11px;color:var(--faint)} +.doc-pager .ttl{font-family:var(--display);font-weight:600;margin-top:3px;color:var(--paper)} +.doc-pager .next{text-align:right;margin-left:auto} +.docs-empty{color:var(--muted);padding:40px 0} +.docs-mobile-bar{display:none;position:sticky;top:var(--nav-h);z-index:40;align-items:center;gap:12px;padding:10px 16px;background:var(--panel);border-bottom:1px solid var(--line)} + +/* right-hand "on this page" table of contents */ +.docs-toc{position:sticky;top:var(--nav-h);align-self:start;height:calc(100vh - var(--nav-h));overflow-y:auto; + padding:36px 18px 60px;border-left:1px solid var(--line)} +.docs-toc.empty{visibility:hidden} +.toc-title{font-family:var(--mono);font-size:11px;text-transform:uppercase;letter-spacing:.12em;color:var(--faint);font-weight:700;margin-bottom:12px;padding-left:12px} +#tocNav{display:flex;flex-direction:column;gap:1px;border-left:1px solid var(--line);position:relative} +.toc-link{display:block;font-size:12.5px;line-height:1.4;color:var(--muted);padding:6px 10px 6px 14px;margin-left:-1px; + border-left:2px solid transparent;cursor:pointer;background:none;text-align:left;font-family:var(--mono);transition:color var(--t-fast),border-color var(--t-fast)} +.toc-link:hover{color:var(--paper)} +.toc-link.lvl-3{padding-left:26px;font-size:12px;color:var(--faint)} +.toc-link.lvl-3:hover{color:var(--muted)} +.toc-link.active{color:var(--alert-2);border-left-color:var(--alert)} + +/* ========================================================================== + Responsive + ========================================================================== */ +@media(max-width:1180px){ + .docs-shell{grid-template-columns:280px minmax(0,1fr)} + .docs-toc{display:none} +} +@media(max-width:980px){ + .hero{grid-template-columns:1fr;gap:34px} + .hero p.lede{max-width:none} + .chain{grid-template-columns:1fr 1fr}.chain-step .arr{display:none} + .grid-3{grid-template-columns:repeat(2,1fr)} + .footer-grid{grid-template-columns:1fr 1fr} + .docs-progress{left:0} + .contact-grid{grid-template-columns:1fr} +} +@media(max-width:760px){ + .section{padding:56px 0} + .nav-menu{display:none} + .nav-burger{display:inline-flex} + .stats{grid-template-columns:1fr 1fr} + .grid-3,.grid-2,.chain{grid-template-columns:1fr} + .footer-grid{grid-template-columns:1fr;gap:24px} + .case-row{grid-template-columns:30px 1fr 96px;gap:8px} + .case-row .loc,.case-row .num,.case-row .h-action{display:none} + .docs-shell{grid-template-columns:1fr} + .docs-mobile-bar{display:flex} + .docs-sidebar{position:fixed;top:var(--nav-h);left:0;bottom:0;width:min(300px,84vw);z-index:60;transform:translateX(-100%);transition:transform var(--t);height:auto} + .docs-sidebar.open{transform:none;box-shadow:var(--shadow)} + .docs-main{padding:24px 20px 80px} + .doc-pager{flex-direction:column}.doc-pager a{max-width:100%} +} +@media(prefers-reduced-motion:reduce){ + *{animation-duration:.001ms!important;animation-iteration-count:1!important;transition-duration:.001ms!important;scroll-behavior:auto!important} + .reveal{opacity:1;transform:none} +} diff --git a/site/docs.html b/site/docs.html new file mode 100644 index 0000000..a170012 --- /dev/null +++ b/site/docs.html @@ -0,0 +1,78 @@ + + + + + +Documentation — Leakwatch + + + + + + + + + + + + + + + + +
+ + +
+ +
+ +
+ +

Loading documentation…

+ +
+ +
+ + + + + + + + + + diff --git a/site/index.html b/site/index.html new file mode 100644 index 0000000..88d93b4 --- /dev/null +++ b/site/index.html @@ -0,0 +1,220 @@ + + + + + +Leakwatch — Detect, verify & report leaked secrets + + + + + + + + + + + + + + + + +
⬤ Classified — Leakwatch field reportDeclassify on scan
+ + + + +
+ + +
+
+
Open-source secret scanner · MIT
+

Some secrets shouldn't be visible.
Leakwatch finds the ones that are.

+

Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.

+
+ + Read the dossier +
+
63 detectors · 54 live verifiers · 6 sources · exit-code aware
+
+ +
+
prod.env3 REDACTED
+
+
+
+
01DB_HOST=db.internal.acme.io
+
02AWS_ACCESS_KEY_ID=AKIA3F7QExampleR8XZ
+
CRITICALaws-access-key-id✓ verified active
+
03JWT_SECRET=eyJhbGciOiJIUzI1NiJ9
+
HIGHjwtunverified
+
04OPENAI_API_KEY=sk-proj-Example9aZ
+
CRITICALopenai-api-key✓ verified active
+
+
+
+ 3 findings + hover a redaction to reveal it +
+
+
+ + +
+
+
63
secret detectors
+
54
live verifiers
+
6
scan sources
+
4
output formats
+
+
+ + +
+
§ 01

The case file

+

Every finding is logged like evidence: what it is, where it was found, how severe it is, and whether the key is still live. Verified-active keys are incidents — the rest is triage.

+
+
#SeverityDetector / locationStatusAction
+
01CRITICALaws-access-key-id
config/prod.yaml:12
✓ verified activerotate now
+
02CRITICALopenai-api-key
.env:3
✓ verified activerotate now
+
03HIGHjwt
src/auth.go:88
unverifiedreview
+
+
+ + +
+
§ 02

Six watch points

+

Secrets leak through more than source files. Leakwatch reaches into history, build artifacts, the cloud, and chat.

+
+
Filesystemscan fs

Walk a directory tree; skip binaries and lock files automatically.

+
Git historyscan git

Every commit — recover secrets that were committed and later deleted.

+
Container imagesscan image

Inspect OCI/Docker image layers directly. No Docker daemon required.

+
AWS S3scan s3

Bucket objects via your existing AWS credential chain.

+
Google Cloudscan gcs

Cloud Storage objects with Application Default Credentials.

+
Slackscan slack

Message text across channels and DMs for pasted credentials.

+
+
+ + +
+
§ 03

Chain of custody

+

A keyword pre-filter shortlists candidate detectors before any regex runs, so scans stay fast even across full Git history.

+
+
01

Source

Stream chunks from files, Git, images, cloud, or Slack.

+
02

Pre-filter

Aho-Corasick keyword matching shortlists detectors.

+
03

Match

Shortlisted detectors run precise regex patterns.

+
04

Verify

Eligible findings are checked against the live provider API.

+
05

Report

Filter by severity; emit JSON, SARIF, CSV, or a table.

+
+
+ + +
+
§ 04

Is it still live?

+

Detection is half the job. For most secret types, Leakwatch makes a controlled, read-only API call to the provider to confirm whether a key is active — separating real incidents from noise.

+
+
Live verifiedA read-only API call confirms the key is active or inactive.~49
+
Format checkedValidated by structure where no safe live check exists.5
+
Not verifiableNo public verification API (e.g. JWTs, private keys) — still detected, triaged manually.9
+
+
+ + +
+
§ 05

Reports that fit your workflow

+
+
JSON

Structured findings for tooling and automation.

+
SARIF

v2.1.0 — upload straight to GitHub Code Scanning.

+
CSV

Spreadsheet-ready, sanitized against formula injection.

+
Table

Colorized terminal output for local triage.

+
+
+ + +
+
§ 06

Redacted index — 63 detectors

+

A sample of the catalog. 54 of these can be verified against the live provider. Add your own with YAML custom rules.

+
+ aws-access-key-idgcp-service-accountopenai-api-keyanthropic-api-keygithub-tokenstripe-api-key-liveslack-tokentwilio-api-keydatadog-api-keycloudflare-api-tokenprivate-keyjwtsupabase-service-keygitlab-pat+ 45 more · view full catalog → +
+
+ + +
+
+

Declassify your repo

+

One static binary. No daemon, no runtime dependencies. Install it your way.

+
+
$brew install HodeTech/tap/leakwatch
+
$go install github.com/HodeTech/leakwatch@latest
+
$docker run --rm -v $(pwd):/scan ghcr.io/hodetech/leakwatch scan fs /scan
+
+ +
+
+ +
+ + + + + + + + + diff --git a/site/js/docs.js b/site/js/docs.js new file mode 100644 index 0000000..7d85e4d --- /dev/null +++ b/site/js/docs.js @@ -0,0 +1,313 @@ +/* Documentation portal controller. + Renders the sidebar navigation and page content from the compiled manual + bags (js/manuals/*.js), driven by a `#/
/` hash route. + Handles language switching, search, Mermaid diagrams, code copy buttons, + prev/next paging, and the reading-progress bar. */ +(function () { + "use strict"; + + var INDEX = window.LW_MANUAL_INDEX; + if (!INDEX) return; + + var navEl = document.getElementById("docsNav"); + var contentEl = document.getElementById("docContent"); + var crumbEl = document.getElementById("breadcrumb"); + var mobileCrumbEl = document.getElementById("mobileCrumb"); + var pagerEl = document.getElementById("docPager"); + var searchEl = document.getElementById("docsSearch"); + var sidebarEl = document.getElementById("docsSidebar"); + var progressEl = document.getElementById("docsProgress"); + var tocNavEl = document.getElementById("tocNav"); + var tocAsideEl = document.getElementById("docsToc"); + var tocHeadings = []; + + var ICONS = { + rocket: '', + scan: '', + shield: '', + key: '', + sliders: '', + output: '', + ci: '', + book: '' + }; + var COPY_SVG = ''; + + function lang() { return window.LWI18n ? window.LWI18n.getLang() : (INDEX.default || "en"); } + function t(key) { return window.LWI18n ? window.LWI18n.t(key) : key; } + function bag(l) { + var m = window.LW_MANUAL || {}; + return m[l || lang()] || m[INDEX.default || "en"] || {}; + } + function titleFor(obj) { return (obj.title && (obj.title[lang()] || obj.title[INDEX.default])) || obj.id; } + + // Flat ordered list of pages for prev/next. + function flat() { + var out = []; + INDEX.sections.forEach(function (s) { + s.pages.forEach(function (p) { + out.push({ key: s.id + "/" + p.id, section: s, page: p }); + }); + }); + return out; + } + + /* ---- Sidebar ------------------------------------------------------------ */ + function buildNav() { + navEl.innerHTML = ""; + INDEX.sections.forEach(function (s) { + var sec = document.createElement("div"); + sec.className = "docs-nav-section"; + sec.dataset.section = s.id; + + var title = document.createElement("div"); + title.className = "docs-nav-title"; + title.innerHTML = '' + (ICONS[s.icon] || "") + "" + escapeHtml(titleFor(s)) + ""; + sec.appendChild(title); + + var ul = document.createElement("ul"); + s.pages.forEach(function (p) { + var key = s.id + "/" + p.id; + var li = document.createElement("li"); + var a = document.createElement("a"); + a.className = "docs-nav-link"; + a.href = "#/" + key; + a.dataset.key = key; + a.textContent = titleFor(p); + li.appendChild(a); + ul.appendChild(li); + }); + sec.appendChild(ul); + navEl.appendChild(sec); + }); + } + + function setActive(key) { + navEl.querySelectorAll(".docs-nav-link").forEach(function (a) { + a.classList.toggle("active", a.dataset.key === key); + }); + } + + /* ---- Rendering ---------------------------------------------------------- */ + function currentKey() { + var h = location.hash.replace(/^#\/?/, ""); + return h || (flat()[0] && flat()[0].key); + } + + function render() { + var key = currentKey(); + var data = bag()[key] || bag("en")[key]; + var meta = flat().filter(function (x) { return x.key === key; })[0]; + + if (!data) { + contentEl.innerHTML = '

' + escapeHtml(t("docs.notfound") || "Not found") + "

"; + pagerEl.innerHTML = ""; + crumbEl.textContent = ""; + return; + } + + contentEl.innerHTML = data.html; + document.title = data.title + " — Leakwatch"; + setActive(key); + + var crumb = meta + ? "" + escapeHtml(titleFor(meta.section)) + " / " + escapeHtml(titleFor(meta.page)) + : ""; + crumbEl.innerHTML = crumb; + if (mobileCrumbEl) mobileCrumbEl.innerHTML = crumb; + + enhanceCode(); + renderMermaid(); + buildPager(key); + buildToc(); + + contentEl.querySelectorAll("img").forEach(function (img) { img.loading = "lazy"; }); + window.scrollTo({ top: 0, behavior: "auto" }); + updateProgress(); + } + + function buildPager(key) { + var list = flat(); + var idx = -1; + for (var i = 0; i < list.length; i++) { if (list[i].key === key) { idx = i; break; } } + pagerEl.innerHTML = ""; + if (idx === -1) return; + if (idx > 0) { + var prev = list[idx - 1]; + pagerEl.appendChild(pagerLink(prev, "prev", t("docs.prev") || "Previous")); + } + if (idx < list.length - 1) { + var next = list[idx + 1]; + pagerEl.appendChild(pagerLink(next, "next", t("docs.next") || "Next")); + } + } + function pagerLink(item, dir, label) { + var a = document.createElement("a"); + a.href = "#/" + item.key; + a.className = dir; + a.innerHTML = '
' + (dir === "prev" ? "← " : "") + escapeHtml(label) + (dir === "next" ? " →" : "") + + '
' + escapeHtml(titleFor(item.page)) + "
"; + return a; + } + + /* ---- Code copy buttons -------------------------------------------------- */ + function enhanceCode() { + contentEl.querySelectorAll("pre").forEach(function (pre) { + var code = pre.querySelector("code"); + if (code && /\blanguage-mermaid\b/.test(code.className)) return; + var text = code ? code.textContent : pre.textContent; + var btn = document.createElement("button"); + btn.className = "copy-btn"; + btn.setAttribute("aria-label", "Copy code"); + btn.innerHTML = COPY_SVG; + btn.addEventListener("click", function () { if (window.LWCopy) window.LWCopy(text, btn); }); + pre.appendChild(btn); + }); + } + + /* ---- Mermaid ------------------------------------------------------------ */ + var _mermaid = null; + function loadMermaid() { + if (_mermaid) return Promise.resolve(_mermaid); + return import("https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs") + .then(function (mod) { + _mermaid = mod.default; + _mermaid.initialize({ + startOnLoad: false, + theme: document.documentElement.getAttribute("data-theme") === "light" ? "default" : "dark", + securityLevel: "strict", + fontFamily: "JetBrains Mono, monospace" + }); + return _mermaid; + }); + } + function renderMermaid() { + var blocks = contentEl.querySelectorAll("pre > code.language-mermaid"); + if (!blocks.length) return; + var nodes = []; + blocks.forEach(function (code) { + var div = document.createElement("div"); + div.className = "mermaid"; + div.textContent = code.textContent; + code.parentElement.replaceWith(div); + nodes.push(div); + }); + loadMermaid().then(function (m) { + try { m.run({ nodes: nodes }); } catch (e) {} + }).catch(function () {}); + } + + /* ---- Search ------------------------------------------------------------- */ + function initSearch() { + if (!searchEl) return; + searchEl.addEventListener("input", function () { + var q = searchEl.value.toLowerCase().trim(); + navEl.querySelectorAll(".docs-nav-section").forEach(function (sec) { + var visible = 0; + sec.querySelectorAll(".docs-nav-link").forEach(function (a) { + var match = !q || a.textContent.toLowerCase().indexOf(q) !== -1; + a.classList.toggle("hidden", !match); + if (match) visible++; + }); + sec.classList.toggle("hidden", visible === 0); + }); + }); + } + + /* ---- Mobile sidebar ----------------------------------------------------- */ + function initMobileSidebar() { + var toggle = document.getElementById("sidebarToggle"); + if (toggle && sidebarEl) { + toggle.addEventListener("click", function () { sidebarEl.classList.toggle("open"); }); + } + navEl.addEventListener("click", function (e) { + if (e.target.closest(".docs-nav-link") && sidebarEl) sidebarEl.classList.remove("open"); + }); + } + + /* ---- "On this page" table of contents ---------------------------------- */ + function buildToc() { + if (!tocNavEl) return; + tocNavEl.innerHTML = ""; + tocHeadings = [].slice.call(contentEl.querySelectorAll("h2[id], h3[id]")); + if (!tocHeadings.length) { + if (tocAsideEl) tocAsideEl.classList.add("empty"); + return; + } + if (tocAsideEl) tocAsideEl.classList.remove("empty"); + tocHeadings.forEach(function (h) { + var a = document.createElement("a"); + a.className = "toc-link " + (h.tagName === "H3" ? "lvl-3" : "lvl-2"); + a.textContent = h.textContent; + a.setAttribute("role", "link"); + a.setAttribute("tabindex", "0"); + a.dataset.id = h.id; + function go() { + h.scrollIntoView({ behavior: "smooth", block: "start" }); + setTocActive(h.id); + } + a.addEventListener("click", function (e) { e.preventDefault(); go(); }); + a.addEventListener("keydown", function (e) { if (e.key === "Enter" || e.key === " ") { e.preventDefault(); go(); } }); + tocNavEl.appendChild(a); + }); + updateTocActive(); + } + + function setTocActive(id) { + if (!tocNavEl) return; + tocNavEl.querySelectorAll(".toc-link").forEach(function (a) { + a.classList.toggle("active", a.dataset.id === id); + }); + } + + function updateTocActive() { + if (!tocHeadings.length) return; + var top = (parseInt(getComputedStyle(document.documentElement).scrollPaddingTop, 10) || 90) + 16; + var current = tocHeadings[0]; + for (var i = 0; i < tocHeadings.length; i++) { + if (tocHeadings[i].getBoundingClientRect().top <= top) current = tocHeadings[i]; + else break; + } + setTocActive(current.id); + } + + /* ---- Progress bar ------------------------------------------------------- */ + function updateProgress() { + if (!progressEl) return; + var h = document.documentElement; + var max = h.scrollHeight - h.clientHeight; + progressEl.style.width = (max > 0 ? (h.scrollTop / max) * 100 : 0) + "%"; + } + + function escapeHtml(s) { + return String(s).replace(/[&<>"']/g, function (c) { + return { "&": "&", "<": "<", ">": ">", '"': """, "'": "'" }[c]; + }); + } + + /* ---- Boot --------------------------------------------------------------- */ + function init() { + buildNav(); + initSearch(); + initMobileSidebar(); + + if (!location.hash) { + location.replace("#/" + currentKey()); + } + render(); + + window.addEventListener("hashchange", render); + window.addEventListener("scroll", function () { updateProgress(); updateTocActive(); }, { passive: true }); + document.addEventListener("lw:langchange", function () { + _mermaid = null; // re-init theme/locale on next diagram + buildNav(); + if (searchEl) searchEl.value = ""; + render(); + }); + } + if (document.readyState === "loading") { + document.addEventListener("DOMContentLoaded", init); + } else { + init(); + } +})(); diff --git a/site/js/i18n.js b/site/js/i18n.js new file mode 100644 index 0000000..3d108be --- /dev/null +++ b/site/js/i18n.js @@ -0,0 +1,115 @@ +/* Client-side internationalization for the Leakwatch site. + - Detects language from localStorage, then the browser, then falls back to EN. + - Applies UI strings to [data-i18n], [data-i18n-html], [data-i18n-attr] nodes. + - Persists the choice and broadcasts `lw:langchange` so the docs portal can + re-render the active page in the new language. */ +(function () { + "use strict"; + + var STORAGE_KEY = "leakwatch-lang"; + var SUPPORTED = ["en", "tr"]; + var DEFAULT = "en"; + var T = window.LW_T || {}; + + function detect() { + var saved = localStorage.getItem(STORAGE_KEY); + if (saved && SUPPORTED.indexOf(saved) !== -1) return saved; + var nav = (navigator.language || navigator.userLanguage || DEFAULT).slice(0, 2).toLowerCase(); + return SUPPORTED.indexOf(nav) !== -1 ? nav : DEFAULT; + } + + var current = detect(); + + function t(key, lang) { + lang = lang || current; + var dict = T[lang] || {}; + if (key in dict) return dict[key]; + if (T[DEFAULT] && key in T[DEFAULT]) return T[DEFAULT][key]; + return null; + } + + function apply(lang) { + document.documentElement.setAttribute("lang", lang); + + document.querySelectorAll("[data-i18n]").forEach(function (el) { + var v = t(el.getAttribute("data-i18n"), lang); + if (v !== null) el.textContent = v; + }); + document.querySelectorAll("[data-i18n-html]").forEach(function (el) { + var v = t(el.getAttribute("data-i18n-html"), lang); + if (v !== null) el.innerHTML = v; + }); + document.querySelectorAll("[data-i18n-attr]").forEach(function (el) { + el.getAttribute("data-i18n-attr").split(",").forEach(function (pair) { + var bits = pair.split(":"); + if (bits.length === 2) { + var v = t(bits[1].trim(), lang); + if (v !== null) el.setAttribute(bits[0].trim(), v); + } + }); + }); + + // Reflect state in the language switcher. + var label = document.getElementById("langCurrent"); + if (label) label.textContent = lang.toUpperCase(); + document.querySelectorAll("#langMenu [data-lang]").forEach(function (b) { + b.setAttribute("aria-current", b.getAttribute("data-lang") === lang ? "true" : "false"); + }); + } + + function setLang(lang) { + if (SUPPORTED.indexOf(lang) === -1 || lang === current) { + if (lang === current) closeMenu(); + return; + } + current = lang; + localStorage.setItem(STORAGE_KEY, lang); + apply(lang); + closeMenu(); + document.dispatchEvent(new CustomEvent("lw:langchange", { detail: { lang: lang } })); + } + + function closeMenu() { + var menu = document.getElementById("langMenu"); + var toggle = document.getElementById("langToggle"); + if (menu) menu.classList.remove("open"); + if (toggle) toggle.setAttribute("aria-expanded", "false"); + } + + function wireSwitcher() { + var toggle = document.getElementById("langToggle"); + var menu = document.getElementById("langMenu"); + if (!toggle || !menu) return; + + toggle.addEventListener("click", function (e) { + e.stopPropagation(); + var open = menu.classList.toggle("open"); + toggle.setAttribute("aria-expanded", open ? "true" : "false"); + }); + menu.querySelectorAll("[data-lang]").forEach(function (btn) { + btn.addEventListener("click", function () { setLang(btn.getAttribute("data-lang")); }); + }); + document.addEventListener("click", function (e) { + if (!menu.contains(e.target) && e.target !== toggle) closeMenu(); + }); + document.addEventListener("keydown", function (e) { if (e.key === "Escape") closeMenu(); }); + } + + // Public API for other scripts (docs.js). + window.LWI18n = { + getLang: function () { return current; }, + setLang: setLang, + t: t, + supported: SUPPORTED + }; + + function init() { + apply(current); + wireSwitcher(); + } + if (document.readyState === "loading") { + document.addEventListener("DOMContentLoaded", init); + } else { + init(); + } +})(); diff --git a/site/js/main.js b/site/js/main.js new file mode 100644 index 0000000..c972de6 --- /dev/null +++ b/site/js/main.js @@ -0,0 +1,167 @@ +/* Shared interactions for the Leakwatch "Redacted" site: + mobile navigation, copy-to-clipboard, scroll reveals, the hero scan-reveal + animation, and the Formspree-backed contact form. */ +(function () { + "use strict"; + + var reduceMotion = window.matchMedia("(prefers-reduced-motion: reduce)").matches; + function t(key) { return (window.LWI18n && window.LWI18n.t(key)) || key; } + + /* ---- Mobile nav --------------------------------------------------------- */ + function initNav() { + var burger = document.getElementById("navBurger"); + var menu = document.getElementById("navMenu"); + if (!burger || !menu) return; + burger.addEventListener("click", function () { + var open = menu.classList.toggle("nav-open"); + burger.setAttribute("aria-expanded", open ? "true" : "false"); + menu.style.cssText = open + ? "display:flex;position:fixed;top:var(--nav-h);left:0;right:0;flex-direction:column;gap:2px;padding:12px 16px;background:var(--panel);border-bottom:1px solid var(--line-2);z-index:90" + : ""; + }); + menu.querySelectorAll("a").forEach(function (a) { + a.addEventListener("click", function () { + menu.classList.remove("nav-open"); menu.style.cssText = ""; + burger.setAttribute("aria-expanded", "false"); + }); + }); + } + + /* ---- Copy to clipboard -------------------------------------------------- */ + function copyText(text, btn) { + var done = function () { + if (!btn) return; + btn.classList.add("copied"); + var orig = btn.innerHTML; + btn.innerHTML = ''; + setTimeout(function () { btn.classList.remove("copied"); btn.innerHTML = orig; }, 1600); + }; + if (navigator.clipboard && navigator.clipboard.writeText) { + navigator.clipboard.writeText(text).then(done).catch(function () {}); + } else { + var ta = document.createElement("textarea"); + ta.value = text; document.body.appendChild(ta); ta.select(); + try { document.execCommand("copy"); done(); } catch (e) {} + document.body.removeChild(ta); + } + } + window.LWCopy = copyText; + function initCopy() { + document.querySelectorAll("[data-copy]").forEach(function (line) { + var btn = line.querySelector(".copy-btn"); + var text = line.getAttribute("data-copy"); + if (btn && text) btn.addEventListener("click", function () { copyText(text, btn); }); + }); + } + + /* ---- Scroll reveal ------------------------------------------------------ */ + function initReveal() { + var els = document.querySelectorAll(".reveal"); + if (reduceMotion || !("IntersectionObserver" in window)) { + els.forEach(function (el) { el.classList.add("in"); }); + return; + } + var io = new IntersectionObserver(function (entries) { + entries.forEach(function (e) { + if (e.isIntersecting) { e.target.classList.add("in"); io.unobserve(e.target); } + }); + }, { threshold: 0.12 }); + els.forEach(function (el) { io.observe(el); }); + } + + /* ---- Hero scan-reveal animation ---------------------------------------- */ + function initScan() { + var doc = document.getElementById("heroDoc"); + var redacts = doc ? [].slice.call(doc.querySelectorAll(".redact")) : []; + var cards = doc ? [].slice.call(doc.querySelectorAll(".finding-card")) : []; + + // hover-peek on any redaction bar (hero document + headline word) + document.querySelectorAll(".redact[data-real]").forEach(function (r) { + r.addEventListener("mouseenter", function () { r.classList.add("revealed"); }); + }); + + function run() { + if (!doc) return; + var sl = document.getElementById("scanLine"); + var stamp = document.getElementById("docStamp"); + redacts.forEach(function (r) { r.classList.remove("revealed"); }); + cards.forEach(function (c) { c.classList.remove("in"); }); + if (stamp) stamp.classList.remove("in"); + + if (reduceMotion) { + redacts.forEach(function (r) { r.classList.add("revealed"); }); + cards.forEach(function (c) { c.classList.add("in"); }); + if (stamp) { stamp.classList.add("in"); stamp.textContent = "3 FINDINGS · 2 VERIFIED"; } + return; + } + + if (sl) { + sl.style.transition = "none"; sl.style.top = "0"; sl.style.opacity = "0"; + requestAnimationFrame(function () { + sl.style.transition = "top 2.4s linear, opacity .3s"; sl.style.opacity = "1"; + var body = doc.querySelector(".doc-body"); + if (body) sl.style.top = (body.offsetHeight - 40) + "px"; + }); + } + cards.forEach(function (card, i) { + setTimeout(function () { + if (redacts[i]) redacts[i].classList.add("revealed"); + card.classList.add("in"); + }, 700 + i * 620); + }); + setTimeout(function () { + if (sl) sl.style.opacity = "0"; + if (stamp) { stamp.classList.add("in"); stamp.textContent = "3 FINDINGS · 2 VERIFIED"; } + }, 700 + cards.length * 620 + 200); + } + + document.querySelectorAll("[data-scan]").forEach(function (b) { + b.addEventListener("click", run); + }); + if (doc) setTimeout(run, 500); + } + + /* ---- Contact form (Formspree) ------------------------------------------ */ + function initContactForm() { + var form = document.getElementById("contactForm"); + if (!form) return; + var statusEl = document.getElementById("cf-status"); + var btn = document.getElementById("cf-submit"); + + function setStatus(kind, msg) { + if (!statusEl) return; + statusEl.className = "form-status show" + (kind ? " " + kind : ""); + statusEl.textContent = msg; + } + + form.addEventListener("submit", function (e) { + e.preventDefault(); + var action = form.getAttribute("action") || ""; + if (!form.checkValidity()) { form.reportValidity(); return; } + setStatus("", t("contact.f.sending")); + if (btn) btn.disabled = true; + + fetch(action, { method: "POST", body: new FormData(form), headers: { Accept: "application/json" } }) + .then(function (r) { + if (r.ok) { form.reset(); setStatus("ok", t("contact.f.ok")); } + else { setStatus("err", t("contact.f.err")); } + }) + .catch(function () { setStatus("err", t("contact.f.err")); }) + .finally(function () { if (btn) btn.disabled = false; }); + }); + } + + /* ---- Boot --------------------------------------------------------------- */ + function init() { + initNav(); + initCopy(); + initReveal(); + initScan(); + initContactForm(); + } + if (document.readyState === "loading") { + document.addEventListener("DOMContentLoaded", init); + } else { + init(); + } +})(); diff --git a/site/js/manuals/_index.js b/site/js/manuals/_index.js new file mode 100644 index 0000000..168926a --- /dev/null +++ b/site/js/manuals/_index.js @@ -0,0 +1,272 @@ +// Generated by tools/site-build. Do not edit by hand. +window.LW_MANUAL_INDEX = { + "languages": [ + "en", + "tr" + ], + "default": "en", + "sections": [ + { + "id": "getting-started", + "icon": "rocket", + "title": { + "en": "Getting Started", + "tr": "Başlarken" + }, + "pages": [ + { + "id": "introduction", + "title": { + "en": "Introduction", + "tr": "Tanıtım" + } + }, + { + "id": "installation", + "title": { + "en": "Installation", + "tr": "Kurulum" + } + }, + { + "id": "quick-start", + "title": { + "en": "Quick Start", + "tr": "Hızlı Başlangıç" + } + }, + { + "id": "how-it-works", + "title": { + "en": "How It Works", + "tr": "Nasıl Çalışır" + } + } + ] + }, + { + "id": "scanning", + "icon": "scan", + "title": { + "en": "Scanning Sources", + "tr": "Tarama Kaynakları" + }, + "pages": [ + { + "id": "filesystem", + "title": { + "en": "Filesystem", + "tr": "Dosya Sistemi" + } + }, + { + "id": "git-history", + "title": { + "en": "Git History", + "tr": "Git Geçmişi" + } + }, + { + "id": "container-images", + "title": { + "en": "Container Images", + "tr": "Konteyner İmajları" + } + }, + { + "id": "cloud-storage", + "title": { + "en": "Cloud Storage (S3 \u0026 GCS)", + "tr": "Bulut Depolama (S3 \u0026 GCS)" + } + }, + { + "id": "slack", + "title": { + "en": "Slack Workspace", + "tr": "Slack Çalışma Alanı" + } + }, + { + "id": "multiple-repos", + "title": { + "en": "Multiple Repositories", + "tr": "Çoklu Depo" + } + } + ] + }, + { + "id": "verification", + "icon": "shield", + "title": { + "en": "Verification", + "tr": "Doğrulama" + }, + "pages": [ + { + "id": "how-verification-works", + "title": { + "en": "How Verification Works", + "tr": "Doğrulama Nasıl Çalışır" + } + }, + { + "id": "verification-coverage", + "title": { + "en": "Verification Coverage", + "tr": "Doğrulama Kapsamı" + } + } + ] + }, + { + "id": "detectors", + "icon": "key", + "title": { + "en": "Detectors", + "tr": "Dedektörler" + }, + "pages": [ + { + "id": "detector-catalog", + "title": { + "en": "Detector Catalog", + "tr": "Dedektör Kataloğu" + } + }, + { + "id": "custom-rules", + "title": { + "en": "Custom Rules", + "tr": "Özel Kurallar" + } + } + ] + }, + { + "id": "configuration", + "icon": "sliders", + "title": { + "en": "Configuration", + "tr": "Yapılandırma" + }, + "pages": [ + { + "id": "config-file", + "title": { + "en": "Configuration File", + "tr": "Yapılandırma Dosyası" + } + }, + { + "id": "ignoring-findings", + "title": { + "en": "Ignoring Findings", + "tr": "Bulguları Yok Sayma" + } + }, + { + "id": "severity-and-filtering", + "title": { + "en": "Severity \u0026 Filtering", + "tr": "Önem Derecesi \u0026 Filtreleme" + } + } + ] + }, + { + "id": "output", + "icon": "output", + "title": { + "en": "Output \u0026 Remediation", + "tr": "Çıktı \u0026 Düzeltme" + }, + "pages": [ + { + "id": "output-formats", + "title": { + "en": "Output Formats", + "tr": "Çıktı Formatları" + } + }, + { + "id": "remediation", + "title": { + "en": "Remediation Guidance", + "tr": "Düzeltme Rehberi" + } + } + ] + }, + { + "id": "ci-cd", + "icon": "ci", + "title": { + "en": "CI/CD Integration", + "tr": "CI/CD Entegrasyonu" + }, + "pages": [ + { + "id": "github-action", + "title": { + "en": "GitHub Action", + "tr": "GitHub Action" + } + }, + { + "id": "pre-commit", + "title": { + "en": "Pre-commit Hook", + "tr": "Pre-commit Kancası" + } + }, + { + "id": "docker-usage", + "title": { + "en": "Docker Usage", + "tr": "Docker Kullanımı" + } + }, + { + "id": "other-ci", + "title": { + "en": "Other CI Systems", + "tr": "Diğer CI Sistemleri" + } + } + ] + }, + { + "id": "reference", + "icon": "book", + "title": { + "en": "Reference", + "tr": "Başvuru" + }, + "pages": [ + { + "id": "cli-reference", + "title": { + "en": "CLI Reference", + "tr": "CLI Başvurusu" + } + }, + { + "id": "exit-codes", + "title": { + "en": "Exit Codes", + "tr": "Çıkış Kodları" + } + }, + { + "id": "environment-variables", + "title": { + "en": "Environment Variables", + "tr": "Ortam Değişkenleri" + } + } + ] + } + ] +}; diff --git a/site/js/manuals/en.js b/site/js/manuals/en.js new file mode 100644 index 0000000..148ac68 --- /dev/null +++ b/site/js/manuals/en.js @@ -0,0 +1,3 @@ +// Generated by tools/site-build. Do not edit by hand. +window.LW_MANUAL = window.LW_MANUAL || {}; +window.LW_MANUAL["en"] = {"ci-cd/docker-usage":{"title":"Docker Usage","description":"Run Leakwatch scans inside a container using the official Docker image.","html":"\u003ch1 id=\"docker-usage\"\u003eDocker Usage\u003c/h1\u003e\n\u003cp\u003eThe official Leakwatch container image lets you run scans without installing anything on the host machine. Because the image is statically compiled with \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e and runs as a non-root user, it is safe to use in locked-down CI environments and on shared machines where you do not want to modify the host system.\u003c/p\u003e\n\u003ch2 id=\"image-reference\"\u003eImage reference\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe image is based on Alpine, runs as the non-root user \u003ccode\u003eleakwatch\u003c/code\u003e, uses \u003ccode\u003e/scan\u003c/code\u003e as the working directory, and has \u003ccode\u003eleakwatch\u003c/code\u003e as its entrypoint.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause the entrypoint is \u003ccode\u003eleakwatch\u003c/code\u003e, you append the subcommand and flags directly after the image name — for example, \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. There is no need to repeat the binary name.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"scanning-a-local-directory\"\u003eScanning a local directory\u003c/h2\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo write results to a file on the host, write the output file into the mounted volume:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe file \u003ccode\u003eleakwatch.sarif\u003c/code\u003e appears in the current directory on your host after the container exits.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-remote-git-repository\"\u003eScanning a remote Git repository\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo volume mount is required for remote Git repositories — Leakwatch clones them into a temporary directory inside the container.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-container-image\"\u003eScanning a container image\u003c/h2\u003e\n\u003cp\u003eLeakwatch is daemonless: it pulls image layers directly from the registry without a Docker daemon. This means you can scan a remote image from within the Leakwatch container without mounting the host Docker socket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor private registries, pass the credentials as environment variables consumed by the registry client (for example, \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e pointing to a mounted credentials file, or the standard registry environment variables your registry supports).\u003c/p\u003e\n\u003ch2 id=\"passing-a-configuration-file\"\u003ePassing a configuration file\u003c/h2\u003e\n\u003cp\u003eMount \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e into \u003ccode\u003e/scan\u003c/code\u003e so Leakwatch picks it up automatically:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAs long as \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is in the mounted directory, Leakwatch finds it because \u003ccode\u003e/scan\u003c/code\u003e is both the working directory and the path passed to the scan. If your config file lives elsewhere, mount it explicitly and use \u003ccode\u003e--config\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-environment-variables\"\u003ePassing environment variables\u003c/h2\u003e\n\u003cp\u003eEnvironment variables for cloud scanning and token-based authentication can be injected with \u003ccode\u003e-e\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# S3 scan with AWS credentials\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor CI environments, prefer injecting secrets as masked CI variables rather than embedding them in the command line.\u003c/p\u003e\n\u003ch2 id=\"output-file-pattern\"\u003eOutput file pattern\u003c/h2\u003e\n\u003cp\u003eA common Docker pattern in CI is to write results into the mounted volume and then upload or archive the file as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install the native binary instead of using Docker.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e flags and behavior.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eContainer Images\u003c/a\u003e — scanning OCI/Docker image layers for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — using the Docker image in GitLab CI and other pipelines.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — complete flag reference for all subcommands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"Use the official Leakwatch GitHub Action to scan for secrets in your GitHub workflows.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eEvery push to your repository is an opportunity for a secret to slip through. The official \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e) integrates Leakwatch directly into your GitHub workflow — it installs the tool, runs a scan, maps exit codes, and optionally uploads SARIF results to GitHub Code Scanning, all without any external service dependency.\u003c/p\u003e\n\u003ch2 id=\"quick-start\"\u003eQuick start\u003c/h2\u003e\n\u003cp\u003eThe minimal configuration blocks the workflow when secrets are found:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Secret scan (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith only the defaults, the action scans the filesystem (\u003ccode\u003escan-type: fs\u003c/code\u003e), produces SARIF output, skips live verification (\u003ccode\u003eno-verify: true\u003c/code\u003e), and fails the job if any finding is reported.\u003c/p\u003e\n\u003ch2 id=\"full-example-with-sarif-upload\"\u003eFull example with SARIF upload\u003c/h2\u003e\n\u003cp\u003eThe following workflow enables SARIF upload to GitHub Code Scanning, which surfaces findings as security alerts inside the repository:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Secret scan\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # required for SARIF upload\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Scan for secrets\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF upload requires the job to declare \u003ccode\u003epermissions: security-events: write\u003c/code\u003e. Without it, the upload step fails with a 403 error. The \u003ccode\u003econtents: read\u003c/code\u003e permission is also needed for \u003ccode\u003eactions/checkout@v4\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inputs\"\u003eInputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eInput\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan type to run: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e, or \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to scan (for \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e) or image reference (for \u003ccode\u003eimage\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification (no outbound calls to providers).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUpload SARIF results to GitHub Code Scanning after the scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFail the workflow step when findings are reported (exit code 1). When \u003ccode\u003efalse\u003c/code\u003e, a \u003ccode\u003e::warning::\u003c/code\u003e annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code 2) always fail the step regardless of this setting.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLeakwatch version to install. Use a tag such as \u003ccode\u003ev1.5.0\u003c/code\u003e to pin a specific release.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"outputs\"\u003eOutputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eOutput\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e if no findings were reported; \u003ccode\u003e1\u003c/code\u003e if findings were reported. Mirrors the Leakwatch exit code.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the SARIF output file on the runner (set when \u003ccode\u003eformat: sarif\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"verification-in-ci\"\u003eVerification in CI\u003c/h2\u003e\n\u003cp\u003eBy default, \u003ccode\u003eno-verify\u003c/code\u003e is \u003ccode\u003etrue\u003c/code\u003e — live verification is \u003cstrong\u003eoff\u003c/strong\u003e in CI. This keeps the scan fast and avoids making outbound network calls to provider APIs from CI runners, which may be behind a firewall or have rate-limited credentials.\u003c/p\u003e\n\u003cp\u003eTo enable verification in CI, set \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnabling verification in CI causes Leakwatch to make authenticated API calls to providers (AWS, GitHub, Stripe, etc.) for each candidate finding. Be aware of provider rate limits and ensure the runner has outbound internet access.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"how-sarif-upload-works\"\u003eHow SARIF upload works\u003c/h2\u003e\n\u003cp\u003eWhen \u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e and \u003ccode\u003eformat: sarif\u003c/code\u003e, the action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTells Leakwatch to write output to \u003ccode\u003eresults.sarif\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter the scan, calls \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e with \u003ccode\u003ecategory: leakwatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGitHub processes the file and surfaces findings as \u003cstrong\u003eCode Scanning alerts\u003c/strong\u003e under the repository's \u003cstrong\u003eSecurity\u003c/strong\u003e tab.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe upload step runs with \u003ccode\u003eif: always()\u003c/code\u003e, so results are uploaded even when \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e causes the scan step to set a failure.\u003c/p\u003e\n\u003ch2 id=\"using-action-outputs\"\u003eUsing action outputs\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Scan for secrets\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # let the workflow continue\n\n- name: Print result\n run: echo \u0026quot;Findings reported: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"pinning-a-specific-version\"\u003ePinning a specific version\u003c/h2\u003e\n\u003cp\u003eFor reproducible builds, pin \u003ccode\u003eversion\u003c/code\u003e to a specific tag:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis installs exactly \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e via \u003ccode\u003ego install\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — understanding JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — when and how Leakwatch calls provider APIs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Hook\u003c/a\u003e — catch secrets before they are committed.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — GitLab CI, Jenkins, and generic shell integration.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Other CI Systems","description":"Integrate Leakwatch into GitLab CI, Jenkins, Bitbucket Pipelines, and any other CI system.","html":"\u003ch1 id=\"other-ci-systems\"\u003eOther CI Systems\u003c/h1\u003e\n\u003cp\u003eBecause Leakwatch is a single static binary with no runtime dependencies, it runs in any CI environment that can execute a shell command — GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps, and others. There is no built-in integration for these systems beyond what is described on this page; the pattern is always: install the binary, run the scan, act on the exit code.\u003c/p\u003e\n\u003ch2 id=\"installing-leakwatch-in-ci\"\u003eInstalling Leakwatch in CI\u003c/h2\u003e\n\u003cp\u003eChoose the method that best suits your runner environment:\u003c/p\u003e\n\u003ch3 id=\"via-go-install-requires-go-on-the-runner\"\u003evia \u003ccode\u003ego install\u003c/code\u003e (requires Go on the runner)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePin to a specific version for reproducible builds:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"via-the-docker-image-no-go-required\"\u003evia the Docker image (no Go required)\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e as a job image or run it with \u003ccode\u003edocker run\u003c/code\u003e. See \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e for the full pattern.\u003c/p\u003e\n\u003ch3 id=\"via-a-prebuilt-release-binary\"\u003evia a prebuilt release binary\u003c/h3\u003e\n\u003cp\u003eDownload the appropriate tarball from \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e, extract, and place on \u003ccode\u003ePATH\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch exits with one of three codes, which is the primary mechanism for failing a CI build:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended CI action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo findings\u003c/td\u003e\n\u003ctd\u003ePass the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSecrets found\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHard error (bad config, unreadable path, etc.)\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA generic shell snippet that branches on the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;No secrets found.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Secrets found — failing build.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Scan error (exit $EXIT_CODE) — failing build.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-example\"\u003eGitLab CI example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e job installs Leakwatch, runs a filesystem scan, and stores the JSON report as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 days\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (the default) means exit code \u003ccode\u003e1\u003c/code\u003e fails the pipeline stage. Set \u003ccode\u003eallow_failure: true\u003c/code\u003e if you want the scan to report without blocking the merge.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab supports SAST report artifacts. Leakwatch produces SARIF (\u003ccode\u003e--format sarif\u003c/code\u003e), not GitLab's native SAST JSON schema, so use the \u003ccode\u003epaths:\u003c/code\u003e artifact approach rather than the \u003ccode\u003ereports: sast:\u003c/code\u003e key.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"recommendations-for-ci-runners\"\u003eRecommendations for CI runners\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eUse \u003ccode\u003e--no-verify\u003c/code\u003e on runners without outbound internet access.\u003c/strong\u003e Verification makes live API calls to providers (AWS, GitHub, Stripe, etc.). On air-gapped or firewall-restricted runners, these calls time out and slow the scan. Pass \u003ccode\u003e--no-verify\u003c/code\u003e to skip verification entirely:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSave output as an artifact.\u003c/strong\u003e Use \u003ccode\u003e--format sarif\u003c/code\u003e or \u003ccode\u003e--format json\u003c/code\u003e with \u003ccode\u003e--output\u003c/code\u003e to write a file that can be stored, uploaded to a vulnerability management platform, or reviewed after the job completes.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSet \u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e to focus on the secrets that matter most. In a noisy codebase, start with \u003ccode\u003e--min-severity high\u003c/code\u003e and lower the threshold once you have cleared the backlog.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-example\"\u003eAzure DevOps example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch secret scan\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-results\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-example\"\u003eJenkins example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Secret scan') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — full reference for all exit code meanings.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e — use the container image instead of installing the binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — the official action for GitHub workflows.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Hook","description":"Use the Leakwatch pre-commit hook to scan for secrets before every commit.","html":"\u003ch1 id=\"pre-commit-hook\"\u003ePre-commit Hook\u003c/h1\u003e\n\u003cp\u003eThe cheapest time to catch a secret is before it enters the repository at all. Leakwatch ships a native \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e hook that runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e automatically on every \u003ccode\u003egit commit\u003c/code\u003e, so a leaked API key or password fails the commit rather than appearing in history.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eYou need:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit is a Python tool).\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e installed globally (\u003ccode\u003epip install pre-commit\u003c/code\u003e or \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGo 1.25+ on \u003ccode\u003ePATH\u003c/code\u003e — the hook language is \u003ccode\u003egolang\u003c/code\u003e, so pre-commit compiles Leakwatch from source on first run.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"configuration\"\u003eConfiguration\u003c/h2\u003e\n\u003cp\u003eAdd a \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e file to the root of your repository (or extend an existing one):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInstall the hooks into the local Git repo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThat is all. From this point on, every \u003ccode\u003egit commit\u003c/code\u003e triggers a filesystem scan. If Leakwatch finds any secrets, the commit is blocked and the findings are printed to the terminal.\u003c/p\u003e\n\u003ch2 id=\"running-manually\"\u003eRunning manually\u003c/h2\u003e\n\u003cp\u003eTo scan the entire repository (not just staged files) at any time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo run only the Leakwatch hook without triggering others:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-extra-arguments\"\u003ePassing extra arguments\u003c/h2\u003e\n\u003cp\u003eThe hook's default behavior matches \u003ccode\u003eleakwatch scan fs\u003c/code\u003e with no additional flags. You can pass extra arguments via the \u003ccode\u003eargs:\u003c/code\u003e key:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis example reports only high-severity secrets that Leakwatch has confirmed are still active — a strict policy suitable for teams that want to avoid false-positive noise without sacrificing coverage.\u003c/p\u003e\n\u003cp\u003eOther useful arguments:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # skip live verification for faster commits\n - --min-severity\n - medium # suppress low-severity noise\n - --format\n - table # human-readable output in the terminal\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003epass_filenames: false\u003c/code\u003e is set in the hook definition, which means the hook always scans the full working tree rather than only the files staged for the current commit. This guarantees that secrets already present in unstaged files are also detected.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-the-hook-scans\"\u003eWhat the hook scans\u003c/h2\u003e\n\u003cp\u003eThe hook runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e against the repository working directory. It uses the same detection pipeline as the CLI: Aho-Corasick pre-filtering, regex validation, entropy calculation, and (unless \u003ccode\u003e--no-verify\u003c/code\u003e is set) live verification.\u003c/p\u003e\n\u003cp\u003eConfiguration in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is respected automatically — exclusion patterns, entropy thresholds, and verification settings all apply without any extra hook configuration.\u003c/p\u003e\n\u003ch2 id=\"skipping-the-hook-temporarily\"\u003eSkipping the hook temporarily\u003c/h2\u003e\n\u003cp\u003eTo commit without running the hook (for example, when committing a controlled test fixture that contains a redacted secret):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: add test fixture\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUsing \u003ccode\u003eSKIP=leakwatch\u003c/code\u003e bypasses all secret scanning for that commit. Use it only when you have confirmed the content is safe, and prefer \u003ccode\u003e.leakwatchignore\u003c/code\u003e or inline \u003ccode\u003eleakwatch:ignore\u003c/code\u003e comments for permanent suppressions instead.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"keeping-the-hook-version-pinned\"\u003eKeeping the hook version pinned\u003c/h2\u003e\n\u003cp\u003ePin \u003ccode\u003erev:\u003c/code\u003e to a specific tag rather than a branch name. This ensures all developers on the team use the same detector set and the hook does not silently upgrade mid-sprint:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # pin; do not use 'main' or 'HEAD'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUpdate by running:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ewhich bumps \u003ccode\u003erev\u003c/code\u003e to the latest tag and lets you review the change before committing it.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — the underlying scan command the hook runs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — control exclusions, entropy, and verification in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — scan on every push and pull request in GitHub CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Configuration File","description":"How to configure Leakwatch with .leakwatch.yaml — full schema, defaults, validation rules, environment overrides, and the leakwatch init command.","html":"\u003ch1 id=\"configuration-file\"\u003eConfiguration File\u003c/h1\u003e\n\u003cp\u003eLeakwatch's behaviour across every scan command is driven by a single YAML file named \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e. Understanding this file lets you tune concurrency, verification, output format, and path filtering once — and have every scan pick it up automatically.\u003c/p\u003e\n\u003ch2 id=\"file-discovery\"\u003eFile discovery\u003c/h2\u003e\n\u003cp\u003eLeakwatch resolves the config file in the following order:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e flag\u003c/strong\u003e — use an explicit path regardless of the working directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCurrent directory\u003c/strong\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the directory where the command is run.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHome directory\u003c/strong\u003e — \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e as a fallback.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf no file is found, built-in defaults are used for every setting.\u003c/p\u003e\n\u003ch2 id=\"generating-a-starter-file\"\u003eGenerating a starter file\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003eleakwatch init\u003c/code\u003e command writes a ready-to-edit file with recommended defaults:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default the file is written to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory. Use \u003ccode\u003e--output\u003c/code\u003e to choose a different path:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the target file already exists, \u003ccode\u003eleakwatch init\u003c/code\u003e will refuse to overwrite it and exit with an error. Pass \u003ccode\u003e--force\u003c/code\u003e to overwrite:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"environment-variable-overrides\"\u003eEnvironment variable overrides\u003c/h2\u003e\n\u003cp\u003eEvery config key can be overridden with an environment variable. The naming rule is:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrefix: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eUppercase\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExamples:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003cth\u003eEnvironment variable\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence\"\u003ePrecedence\u003c/h2\u003e\n\u003cp\u003eWhen the same setting is specified in multiple places, the highest-priority source wins:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCommand-line flag (highest)\u003c/li\u003e\n\u003cli\u003eEnvironment variable\u003c/li\u003e\n\u003cli\u003eConfig file value\u003c/li\u003e\n\u003cli\u003eBuilt-in default (lowest)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"full-schema\"\u003eFull schema\u003c/h2\u003e\n\u003cp\u003eThe annotated schema below shows every supported key, its default value, and valid range.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Scan engine ──────────────────────────────────────────────────────────────\n\nscan:\n # Number of concurrent file-processing workers.\n # Defaults to the number of logical CPU cores on the host.\n # Must be \u0026gt;= 1.\n concurrency: 8\n\n # Maximum file size to scan, in bytes. Files larger than this limit are\n # skipped entirely. Default is 10 MB (10485760). Must be \u0026gt;= 1.\n max-file-size: 10485760\n\n# ── Detection ─────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Enable Shannon entropy calculation for each candidate match.\n enabled: true\n\n # Entropy threshold used for display and custom-rule gating.\n # Range: 0–8. Default: 4.0.\n # See note below about built-in findings.\n threshold: 4.0\n\n# ── Verification ─────────────────────────────────────────────────────────────\n\nverification:\n # Enable live verification against provider APIs.\n enabled: true\n\n # Per-request HTTP timeout. Must be \u0026gt;= 1ms when verification is enabled.\n # Use a duration string (e.g. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — a bare integer is\n # treated as nanoseconds and will fail validation.\n timeout: 10s\n\n # Number of concurrent verification workers. Must be \u0026gt;= 1.\n concurrency: 4\n\n # Maximum verification requests per second (token-bucket rate limiter).\n # Must be \u0026gt; 0.\n rate-limit: 10.0\n\n# ── Filtering ─────────────────────────────────────────────────────────────────\n\nfilter:\n # Glob patterns for paths to exclude from scanning.\n # Supported glob styles: filepath.Match patterns, ** double-star spanning\n # zero or more path segments, and trailing-slash dir/ patterns that match\n # the named directory at any depth. Each pattern is tested against both the\n # full path and the base filename, so simple patterns like \u0026quot;*.min.js\u0026quot; match\n # nested files without a leading path prefix.\n # Applies to all scan sources. (On `scan fs` the --exclude flag also sets this.)\n # Default: [] (no exclusions beyond the built-in binary/lock-file skips).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Detector IDs to disable entirely. Findings from listed detectors are never\n # produced regardless of other settings. Default: [].\n exclude-detectors: []\n\n# ── Output ────────────────────────────────────────────────────────────────────\n\noutput:\n # Output format. One of: json, sarif, csv, table. Default: json.\n # The --format / -f flag overrides this at run time.\n format: json\n\n # Write output to this file path instead of stdout. Default: \u0026quot;\u0026quot; (stdout).\n # The --output / -o flag overrides this at run time.\n file: \u0026quot;\u0026quot;\n\n # Drop findings below this severity level.\n # One of: low, medium, high, critical. Default: \u0026quot;\u0026quot; (show all).\n # The --min-severity flag overrides this at run time.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Include the unredacted secret value in output.\n # Default: false. The --show-raw flag overrides this at run time.\n show-raw: false\n\n# ── Custom rules ──────────────────────────────────────────────────────────────\n\n# Define your own detectors as YAML rules. See the custom rules page for the\n# full rule schema.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e controls which entropy value is displayed alongside a finding and acts as a gate for custom rules (a custom rule match whose entropy falls below the threshold is suppressed). It does \u003cstrong\u003enot\u003c/strong\u003e suppress findings from built-in detectors — built-in detectors have their own match criteria and are never dropped by this setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"validation\"\u003eValidation\u003c/h2\u003e\n\u003cp\u003eLeakwatch validates the loaded configuration before starting a scan and exits with an error for any of the following:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCondition\u003c/th\u003e\n\u003cth\u003eError\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid concurrency value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid max-file-size value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e not in \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnsupported output format\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e outside 0–8\u003c/td\u003e\n\u003ctd\u003eInvalid entropy threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e not a valid level (when non-empty)\u003c/td\u003e\n\u003ctd\u003eInvalid severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification timeout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification concurrency\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Ignoring Findings","description":"Suppress false positives with .leakwatchignore files, inline ignore markers, and built-in binary and lock-file skips.","html":"\u003ch1 id=\"ignoring-findings\"\u003eIgnoring Findings\u003c/h1\u003e\n\u003cp\u003eNo scanner has zero false positives. Leakwatch gives you three layered mechanisms to suppress the noise: a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file for path-based exclusions, inline markers for line-level suppression, and a set of always-on built-in skips for binary files and common lock files.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-file\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e file\u003c/h2\u003e\n\u003cp\u003eCreate a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your repository root (or in the current directory) to exclude paths from the scan results. It uses a gitignore-style syntax:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLines starting with \u003ccode\u003e#\u003c/code\u003e are comments.\u003c/li\u003e\n\u003cli\u003eBlank lines are skipped.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003e!\u003c/code\u003e prefix \u003cstrong\u003enegates\u003c/strong\u003e a pattern, re-including a path that a previous pattern would have excluded.\u003c/li\u003e\n\u003cli\u003eThe \u003cstrong\u003elast matching pattern wins\u003c/strong\u003e — order matters.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"loading-order\"\u003eLoading order\u003c/h3\u003e\n\u003cp\u003eLeakwatch loads \u003ccode\u003e.leakwatchignore\u003c/code\u003e from the scan root first, then from the current working directory. If both exist and contain patterns for the same path, the current-directory file's patterns take precedence because they are evaluated last.\u003c/p\u003e\n\u003ch3 id=\"glob-syntax\"\u003eGlob syntax\u003c/h3\u003e\n\u003cp\u003eThree pattern styles are supported:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStyle\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003cth\u003eExample\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandard glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e-style, matched against both the full path and the base filename\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDouble-star \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpans zero or more path segments\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTrailing slash \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMatches every file inside the named directory at any depth\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-leakwatchignore\"\u003eExample \u003ccode\u003e.leakwatchignore\u003c/code\u003e\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Ignore all test fixture files\ntest/fixtures/**\n\n# Ignore known placeholder keys in documentation\ndocs/examples/\n\n# Ignore files with a specific extension anywhere in the tree\n*.pem.example\n\n# Re-include a specific file excluded by the rule above\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtering is applied \u003cstrong\u003eafter\u003c/strong\u003e the scan completes, based on the file path of each finding. It does not prevent files from being read — it suppresses the findings they produce. To skip files before they are read at all, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file or \u003ccode\u003e--exclude\u003c/code\u003e on \u003ccode\u003escan fs\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inline-ignore-markers\"\u003eInline ignore markers\u003c/h2\u003e\n\u003cp\u003ePlace a marker directly on any source line to suppress detectors for that specific line. The marker can appear anywhere on the line — typically inside a comment — and is applied by the engine \u003cstrong\u003ebefore\u003c/strong\u003e verification, so an ignored line never triggers a network call.\u003c/p\u003e\n\u003ch3 id=\"suppress-all-detectors-on-a-line\"\u003eSuppress all detectors on a line\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Payment processing configuration\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"suppress-a-specific-detector-on-a-line\"\u003eSuppress a specific detector on a line\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e to suppress only one detector while leaving others active:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// This token is intentionally a placeholder for documentation\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# CI environment variable set by the platform — not a real secret\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePrefer the detector-specific form (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) over the generic one whenever possible. It documents which detector you are suppressing and keeps all other detectors active on that line.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"built-in-skips-always-applied\"\u003eBuilt-in skips (always applied)\u003c/h2\u003e\n\u003cp\u003eLeakwatch unconditionally skips the following before running any detector:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary file extensions\u003c/strong\u003e — files with extensions such as \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e, and others are never scanned.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary content detection\u003c/strong\u003e — any file whose first 8 KB contains a null byte is treated as binary and skipped, regardless of extension.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCommon lock files\u003c/strong\u003e — the following filenames are always skipped because they contain hashes and checksums that produce high rates of false positives:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFile\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThese built-in skips cannot be disabled. They are separate from the \u003ccode\u003efilter.exclude-paths\u003c/code\u003e setting and run before any config-based filtering.\u003c/p\u003e\n\u003ch2 id=\"path-based-exclusion-before-scanning\"\u003ePath-based exclusion before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before they are even read by the scan engine, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in your config file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis setting applies to \u003cstrong\u003eall scan sources\u003c/strong\u003e (filesystem, Git history, container images, cloud storage, Slack). On the \u003ccode\u003escan fs\u003c/code\u003e command you can also pass \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e on the command line, which is the flag-equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full config schema and \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e for detector-level and severity-level filtering.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Severity \u0026 Filtering","description":"Control which findings reach your output using severity thresholds, verified-only mode, detector exclusions, and path exclusions.","html":"\u003ch1 id=\"severity--filtering\"\u003eSeverity \u0026amp; Filtering\u003c/h1\u003e\n\u003cp\u003eA busy codebase can produce many findings. Leakwatch provides several independent filters you can combine to focus on the signals that matter most: severity thresholds drop low-priority noise, verified-only mode surfaces only confirmed live secrets, detector exclusions silence known false-positive sources, and path exclusions remove entire directory trees from scope.\u003c/p\u003e\n\u003ch2 id=\"severity-levels\"\u003eSeverity levels\u003c/h2\u003e\n\u003cp\u003eEvery built-in detector ships with a default severity. The four levels, from lowest to highest priority, are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eLevel\u003c/th\u003e\n\u003cth\u003eTypical use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric patterns with a higher false-positive rate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRecognizable credential formats, unconfirmed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWell-structured secrets where exposure is likely significant\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLive secrets confirmed or formats with near-zero false-positive rates\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe severity assigned to each detector is listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-drop-findings-below-a-threshold\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: drop findings below a threshold\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e to discard findings whose severity is below the specified level. Only findings at or above the threshold reach the output.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Show only high and critical findings\nleakwatch scan fs . --min-severity high\n\n# Show medium, high, and critical findings\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou can set a persistent default in the config file under \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e. The \u003ccode\u003e--min-severity\u003c/code\u003e flag overrides the config value at run time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-confirmed-active-secrets-only\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: confirmed active secrets only\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--only-verified\u003c/code\u003e to keep only findings whose verification status is \u003ccode\u003everified_active\u003c/code\u003e — secrets that Leakwatch confirmed are still valid by making a controlled read-only call to the provider API. All other findings (unverified, verified-inactive, or verify-error) are dropped.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis flag is most useful in CI pipelines where you want to fail the build \u003cstrong\u003eonly\u003c/strong\u003e on confirmed incidents, not on suspicious patterns that may be placeholders or already-rotated credentials.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for which detectors support live verification.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-disable-specific-detectors\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: disable specific detectors\u003c/h2\u003e\n\u003cp\u003eTo permanently disable one or more detectors, list their IDs under \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in the config file. Findings from listed detectors are never produced, regardless of any other setting:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDetector IDs are listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e. Use this setting when a detector consistently produces false positives for your codebase and other suppression mechanisms (inline ignores or \u003ccode\u003e.leakwatchignore\u003c/code\u003e) are not granular enough.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-skip-paths-before-scanning\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: skip paths before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before the scan engine reads them, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file. The patterns use the same glob syntax as \u003ccode\u003e.leakwatchignore\u003c/code\u003e (standard globs, \u003ccode\u003e**\u003c/code\u003e double-star, and trailing-slash directory patterns), and apply to \u003cstrong\u003eall scan sources\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOn the \u003ccode\u003escan fs\u003c/code\u003e command, the \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e flag is the command-line equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. The \u003ccode\u003e--exclude\u003c/code\u003e flag exists \u003cstrong\u003eonly\u003c/strong\u003e on \u003ccode\u003escan fs\u003c/code\u003e — for all other sources, use the config file setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"combining-filters-in-ci\"\u003eCombining filters in CI\u003c/h2\u003e\n\u003cp\u003eIn a CI pipeline you typically want a low-noise, high-signal run that fails only on real incidents. A recommended combination:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith a config file handling the persistent path exclusions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThen override just the format and destination at the command line for CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for verification details, \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for inline and file-based suppression, and \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full schema.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Custom Rules","description":"How to define your own secret detection patterns in YAML and add them to a Leakwatch scan alongside the 63 built-in detectors.","html":"\u003ch1 id=\"custom-rules\"\u003eCustom Rules\u003c/h1\u003e\n\u003cp\u003eThe 63 built-in detectors cover widely used credential formats, but every organisation has internal tokens, proprietary service keys, or environment-specific patterns that no generic tool can anticipate. Custom rules let you extend Leakwatch with your own patterns — defined in plain YAML, loaded at runtime — without modifying source code or rebuilding the binary.\u003c/p\u003e\n\u003ch2 id=\"where-custom-rules-live\"\u003eWhere custom rules live\u003c/h2\u003e\n\u003cp\u003eCustom rules are defined under a top-level \u003ccode\u003ecustom-rules:\u003c/code\u003e list in your \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe rules are registered at runtime when Leakwatch starts. They run alongside the built-in detectors using the same Aho-Corasick pre-filter pipeline.\u003c/p\u003e\n\u003ch2 id=\"rule-fields\"\u003eRule fields\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eRequired\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eUnique detector ID. Used in output and in \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e. Must not collide with a built-in detector ID or another custom rule ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eHuman-readable description shown in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2-compatible regular expression. Maximum 4096 characters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003elist of strings\u003c/td\u003e\n\u003ctd\u003eAho-Corasick pre-filter keywords. The regex only runs on chunks that contain at least one of these strings. Omitting this field causes the regex to run on every chunk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, or \u003ccode\u003elow\u003c/code\u003e. Defaults to \u003ccode\u003emedium\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropy threshold (0–8). Matches whose entropy is \u003cstrong\u003ebelow\u003c/strong\u003e this value are discarded. Useful for filtering low-randomness false positives.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eAlways supply \u003ccode\u003ekeywords\u003c/code\u003e. Even a single short keyword (like a token prefix) dramatically reduces the number of chunks the regex engine processes, keeping scans fast on large repositories. For example, if all your internal tokens begin with \u003ccode\u003eacme_\u003c/code\u003e, set \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003eentropy\u003c/code\u003e to suppress matches on placeholder values like \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e that satisfy the pattern but are clearly not real secrets. A threshold around 3.0–3.5 is a good starting point.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"collision-handling\"\u003eCollision handling\u003c/h2\u003e\n\u003cp\u003eIf a custom rule's \u003ccode\u003eid\u003c/code\u003e matches an already-registered detector — either a built-in detector or a previously loaded custom rule — the duplicate is \u003cstrong\u003eskipped\u003c/strong\u003e and an error is logged. Leakwatch does not crash; the rest of the rules load normally. Check the log output if a custom rule appears to have no effect.\u003c/p\u003e\n\u003ch2 id=\"verification\"\u003eVerification\u003c/h2\u003e\n\u003cp\u003eCustom rules have no paired verifier. Findings from custom rules are always reported with status \u003ccode\u003eunverified\u003c/code\u003e — they never become \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"complete-example\"\u003eComplete example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e defines two custom rules: one for an internal service token and one for a signing secret used in webhooks.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook signing secret (format: whsec_ + 40 base64url chars)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRun a scan with this config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSample JSON output for a custom-rule finding (secret value redacted):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe \u003ccode\u003eraw_redacted\u003c/code\u003e field always masks the actual secret. The raw value is never written to output unless you explicitly pass \u003ccode\u003e--show-raw\u003c/code\u003e (not recommended outside controlled environments).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"excluding-a-custom-rule\"\u003eExcluding a custom rule\u003c/h2\u003e\n\u003cp\u003eCustom rules participate in the same filtering as built-in detectors. To disable a custom rule without removing it from config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, including where \u003ccode\u003ecustom-rules:\u003c/code\u003e sits in the document structure.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the 63 built-in detectors, to check for ID conflicts before naming your custom rule.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the Aho-Corasick pre-filter pipeline that \u003ccode\u003ekeywords\u003c/code\u003e plugs into.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Detector Catalog","description":"All 63 built-in detectors grouped by category, with their IDs, what they detect, and their default severity.","html":"\u003ch1 id=\"detector-catalog\"\u003eDetector Catalog\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e that cover a wide range of credential types — from cloud provider access keys and AI API tokens to database connection strings and private cryptographic keys. Each detector has a stable ID, a default severity, and (for most) a paired verifier that can confirm whether a found secret is still live.\u003c/p\u003e\n\u003cp\u003eThis page lists every built-in detector. For verification coverage details see \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e. To add your own patterns, see \u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"how-to-read-this-catalog\"\u003eHow to read this catalog\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — the stable string identifier used in config and output. Pass it to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e to skip a detector, or use it with \u003ccode\u003e--min-severity\u003c/code\u003e filtering (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetects\u003c/strong\u003e — what the detector is looking for.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSeverity\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e, \u003ccode\u003eHigh\u003c/code\u003e, or \u003ccode\u003eMedium\u003c/code\u003e. This is the default; it feeds the \u003ccode\u003e--min-severity\u003c/code\u003e flag and the \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e config key.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"cloud-and-infrastructure\"\u003eCloud and Infrastructure\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Service Account Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID Client Secret\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Service Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ai--ml\"\u003eAI / ML\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"payments-and-commerce\"\u003ePayments and Commerce\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Live API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dev-tools-ci-and-packages\"\u003eDev Tools, CI, and Packages\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket App Password\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Personal API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"communication-and-collaboration\"\u003eCommunication and Collaboration\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/User Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Incoming Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Internal Integration Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"email-and-messaging-delivery\"\u003eEmail and Messaging Delivery\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Server API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"monitoring-and-observability\"\u003eMonitoring and Observability\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Auth Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"databases-and-connection-strings\"\u003eDatabases and Connection Strings\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabase Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Connection Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Service Role Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"identity-and-access\"\u003eIdentity and Access\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bind Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"generic-and-cryptographic\"\u003eGeneric and Cryptographic\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric API Key\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePrivate Key (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eTotal: 63 built-in detectors.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"filtering-by-severity\"\u003eFiltering by severity\u003c/h2\u003e\n\u003cp\u003eFindings are filterable by severity using \u003ccode\u003e--min-severity\u003c/code\u003e at the command line or \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e in config. Only findings at or above the specified level are included in the output. See \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"excluding-specific-detectors\"\u003eExcluding specific detectors\u003c/h2\u003e\n\u003cp\u003eTo skip one or more detectors entirely, add their IDs to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for the full filtering reference.\u003c/p\u003e\n\u003ch2 id=\"verification-coverage\"\u003eVerification coverage\u003c/h2\u003e\n\u003cp\u003eSome detectors have a live verifier; others are format-validated only; nine have no verifier at all. See \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e for the complete breakdown.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e — define your own detection patterns in YAML.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detectors can be live-verified.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e — filtering findings by severity or detector.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"How It Works","description":"Architecture of the Leakwatch scan pipeline: sources, detection, verification, and output.","html":"\u003ch1 id=\"how-it-works\"\u003eHow It Works\u003c/h1\u003e\n\u003cp\u003eUnderstanding the Leakwatch pipeline helps you tune performance, interpret results, and decide which flags to reach for. This page explains what happens from the moment you run a scan command to the moment a finding appears in your output.\u003c/p\u003e\n\u003ch2 id=\"the-pipeline-at-a-glance\"\u003eThe pipeline at a glance\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Source\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[Worker Pool\\n—concurrency workers]\n B --\u0026gt; C[Aho-Corasick\\nPre-filter]\n C --\u0026gt; D[Regex\\nDetectors]\n D --\u0026gt; E[Inline-ignore\\nCheck]\n E --\u0026gt; F[Verification\\nPool\\n4 workers / 10 rps]\n F --\u0026gt; G[Post-scan\\nFilters]\n G --\u0026gt; H([Output\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach stage is described in detail below.\u003c/p\u003e\n\u003ch2 id=\"1-source\"\u003e1. Source\u003c/h2\u003e\n\u003cp\u003eEvery scan starts with a \u003cstrong\u003eSource\u003c/strong\u003e — an abstraction that emits chunks of data for the engine to process. Leakwatch ships six sources:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it emits\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFile contents from a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLayer contents of an OCI/Docker image, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text from channels and DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e. The contents of files uploaded to Slack are not scanned.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eChunks flow into a buffered channel consumed by the worker pool.\u003c/p\u003e\n\u003ch2 id=\"2-worker-pool\"\u003e2. Worker pool\u003c/h2\u003e\n\u003cp\u003eThe engine maintains a fixed pool of \u003cstrong\u003egoroutines\u003c/strong\u003e — one per \u003ccode\u003e--concurrency\u003c/code\u003e value (default: number of CPUs). Each worker pulls a chunk from the channel and runs the detection pipeline independently. Because workers share no mutable state, the pool scales linearly with concurrency up to the limits of I/O and memory.\u003c/p\u003e\n\u003cp\u003eScans respond to \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e: when a cancellation signal arrives, the context is cancelled, workers drain their current chunk and stop, and partial results are collected before output is written.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-keyword-pre-filter\"\u003e3. Aho-Corasick keyword pre-filter\u003c/h2\u003e\n\u003cp\u003eRunning 63 regex patterns on every chunk would be slow. Instead, the engine builds a single \u003cstrong\u003eAho-Corasick multi-pattern automaton\u003c/strong\u003e at startup from the keyword lists declared by each detector. For each chunk, this automaton does a single linear pass and returns only the detectors whose keywords appeared in the chunk's bytes.\u003c/p\u003e\n\u003cp\u003eThis means most detectors never run their regex on most chunks. Detectors that declare no keywords always run (they skip the pre-filter and proceed directly to regex).\u003c/p\u003e\n\u003cp\u003eThe Aho-Corasick implementation comes from \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"4-regex-detectors\"\u003e4. Regex detectors\u003c/h2\u003e\n\u003cp\u003eEach shortlisted detector runs its compiled \u003cstrong\u003eregular expression\u003c/strong\u003e against the chunk bytes. When a pattern matches, the detector returns a \u003ccode\u003eRawFinding\u003c/code\u003e containing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe raw secret bytes (held in memory only for verification; never logged or written to disk).\u003c/li\u003e\n\u003cli\u003eA \u003cstrong\u003eredacted\u003c/strong\u003e representation safe for output.\u003c/li\u003e\n\u003cli\u003eOptional extra metadata (e.g. account ID for an AWS key).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via \u003ca href=\"#/configuration/custom-rules\"\u003ecustom YAML rules\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAll detectors are registered at compile time using Go's \u003ccode\u003einit()\u003c/code\u003e function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime.\u003c/p\u003e\n\u003ch2 id=\"5-inline-ignore-check\"\u003e5. Inline-ignore check\u003c/h2\u003e\n\u003cp\u003eBefore a finding is sent to verification, the engine checks whether the source line contains an \u003cstrong\u003einline ignore marker\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eor a detector-scoped variant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the marker is present, the finding is silently dropped \u003cstrong\u003ebefore any network call is made\u003c/strong\u003e. This is intentional: ignored secrets should never trigger a live API request.\u003c/p\u003e\n\u003ch2 id=\"6-verification\"\u003e6. Verification\u003c/h2\u003e\n\u003cp\u003eAfter detection completes for all chunks, the engine passes findings to a separate \u003cstrong\u003everification worker pool\u003c/strong\u003e (default 4 workers). Verification:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs guarded by a global \u003cstrong\u003erate limiter\u003c/strong\u003e (default 10 requests per second) shared across all workers.\u003c/li\u003e\n\u003cli\u003eApplies a \u003cstrong\u003eper-request timeout\u003c/strong\u003e (default 10 seconds) to every API call.\u003c/li\u003e\n\u003cli\u003eMakes only \u003cstrong\u003eread-only, non-destructive\u003c/strong\u003e calls to the provider (e.g. \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys).\u003c/li\u003e\n\u003cli\u003eMarks each finding with one of four statuses: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e54 verifiers\u003c/strong\u003e, covering 85.7% of the 63 built-in detector types. The remaining 9 types (such as JWTs and generic API keys) cannot be safely verified and are always reported as \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003ePass \u003ccode\u003e--no-verify\u003c/code\u003e to skip this stage entirely — useful for fast, offline scans.\u003c/p\u003e\n\u003cp\u003eFor a deep dive into verification behavior and status meanings, see \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"7-finding-id-and-entropy\"\u003e7. Finding ID and entropy\u003c/h2\u003e\n\u003cp\u003eEach finding receives a \u003cstrong\u003edeterministic ID\u003c/strong\u003e computed as:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(detectorID + redacted + filePath + line) → truncated to 16 hex characters\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe same secret at the same location always produces the same ID, making it safe to deduplicate findings across runs or track them in issue trackers.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropy\u003c/strong\u003e (range 0–8) is computed for each finding and exposed in output for informational purposes. At the engine level, entropy does \u003cstrong\u003enot\u003c/strong\u003e gate or drop built-in findings — a low-entropy match still appears in results. Entropy thresholds only apply inside custom rules, where each rule can declare its own minimum.\u003c/p\u003e\n\u003ch2 id=\"8-post-scan-filters\"\u003e8. Post-scan filters\u003c/h2\u003e\n\u003cp\u003eAfter verification, two filters apply:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — drops all findings that are not \u003ccode\u003everified:active\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — drops findings below the specified severity level (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; default \u003ccode\u003elow\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth filters run after verification so that verification status is available when \u003ccode\u003e--only-verified\u003c/code\u003e is evaluated.\u003c/p\u003e\n\u003ch2 id=\"9-output\"\u003e9. Output\u003c/h2\u003e\n\u003cp\u003eSurviving findings are passed to one of four \u003cstrong\u003eformatters\u003c/strong\u003e:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFormat\u003c/th\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eCommon use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (default)\u003c/td\u003e\n\u003ctd\u003eMachine-readable, pipeline-friendly\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, security dashboards\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpreadsheets, data analysis\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTable\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal review, color-coded by severity\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eOutput goes to stdout by default; use \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e to write to a file.\u003c/p\u003e\n\u003cp\u003eA \u003cstrong\u003escan summary\u003c/strong\u003e (date, source type, target, files scanned, duration, findings count, interrupted status) is always printed to \u003cstrong\u003estderr\u003c/strong\u003e after every scan, regardless of format or output destination.\u003c/p\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eLeakwatch is designed so that discovered secrets never leave the process boundary except for verification calls:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRaw secret bytes live only in memory during detection and verification.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e--show-raw\u003c/code\u003e flag is \u003ccode\u003efalse\u003c/code\u003e by default; without it, only the redacted representation appears in output.\u003c/li\u003e\n\u003cli\u003eSecrets are never written to disk, logged via \u003ccode\u003eslog\u003c/code\u003e, or cached between runs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"design-decisions\"\u003eDesign decisions\u003c/h2\u003e\n\u003cp\u003eThe architecture reflects several deliberate choices documented as ADRs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO disabled\u003c/strong\u003e (ADR-0001) — single static binary, no runtime dependencies, cross-compiles to all platforms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — hierarchical CLI with \u003ccode\u003eflag \u0026gt; env \u0026gt; config \u0026gt; default\u003c/code\u003e precedence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — pure Go Git library; no external \u003ccode\u003egit\u003c/code\u003e binary required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompile-time detector registration\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + blank imports; type-safe, no runtime plugin loader.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hybrid matching\u003c/strong\u003e (ADR-0005) — pre-filter eliminates most regex work on irrelevant chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonless layer analysis; no Docker daemon required to scan images.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWorker pool\u003c/strong\u003e (ADR-0008) — fixed goroutine count, channel-based fan-out; predictable memory and CPU usage.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Installation","description":"Install Leakwatch via Homebrew, go install, Docker, or a prebuilt binary.","html":"\u003ch1 id=\"installation\"\u003eInstallation\u003c/h1\u003e\n\u003cp\u003eGetting Leakwatch onto your machine takes less than a minute. Choose the method that best fits your workflow: Homebrew is the simplest option on macOS and Linux, \u003ccode\u003ego install\u003c/code\u003e is ideal if you already have a Go toolchain, Docker keeps your host system clean, and prebuilt binaries work everywhere without any toolchain at all.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-and-linux\"\u003eHomebrew (macOS and Linux)\u003c/h2\u003e\n\u003cp\u003eThe official tap supports macOS and Linux on both amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe tap is hosted at \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e. Homebrew handles upgrades with \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003eGo install\u003c/h2\u003e\n\u003cp\u003eIf you have Go 1.25 or later installed, you can build and install the latest release directly from source:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe binary is placed in \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e. Make sure that directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e always fetches the latest tagged release. To pin a specific version, replace \u003ccode\u003e@latest\u003c/code\u003e with a tag such as \u003ccode\u003e@v1.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eA minimal, multi-stage Alpine image is published to the GitHub Container Registry. The image runs as a non-root user (\u003ccode\u003eleakwatch\u003c/code\u003e), has CGO disabled, and uses \u003ccode\u003e/scan\u003c/code\u003e as its working directory.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAvailable tags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container. Flags and options work identically to the native binary — see \u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e for the full list.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFor Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see \u003ca href=\"#/guides/docker\"\u003eUsing Docker\u003c/a\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"prebuilt-binary\"\u003ePrebuilt binary\u003c/h2\u003e\n\u003cp\u003eEvery release publishes tarballs for all supported platforms on the \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e page. Download the archive for your platform, extract it, and place the binary on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSupported platforms:\u003c/strong\u003e Linux, macOS, and Windows on amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Example for Linux amd64 — replace OS and ARCH to match your platform\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform naming follows the pattern \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e where \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e is \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e, or \u003ccode\u003eWindows\u003c/code\u003e and \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e is \u003ccode\u003eamd64\u003c/code\u003e or \u003ccode\u003earm64\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"verifying-your-installation\"\u003eVerifying your installation\u003c/h2\u003e\n\u003cp\u003eAfter any installation method, confirm the binary is reachable and check the version:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExpected output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the command is not found, check that the install directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind a Leakwatch scan.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — customize scan behavior with \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/guides/docker\"\u003eUsing Docker\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Introduction","description":"What Leakwatch is, what it scans, and how it detects and verifies leaked secrets.","html":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e is a high-performance, open-source (MIT) security tool that \u003cstrong\u003edetects, verifies, and reports leaked secrets\u003c/strong\u003e — API keys, tokens, passwords, connection strings, and private keys — across your codebases, Git history, container images, cloud storage, and Slack workspaces.\u003c/p\u003e\n\u003cp\u003eIt is written in Go, ships as a single static binary with no runtime dependencies (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e), and is built to run anywhere: a developer laptop, a pre-commit hook, or a CI/CD pipeline.\u003c/p\u003e\n\u003ch2 id=\"why-leakwatch\"\u003eWhy Leakwatch\u003c/h2\u003e\n\u003cp\u003eA leaked credential in a single commit — even one later deleted — can stay reachable in Git history forever and be exploited within minutes of being pushed. Leakwatch is designed to catch those secrets early and tell you which ones are \u003cem\u003eactually dangerous\u003c/em\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBroad detection\u003c/strong\u003e — 63 built-in detectors covering cloud providers, AI APIs, payment platforms, databases, messaging tools, and more, plus your own YAML custom rules.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification, not just detection\u003c/strong\u003e — for 54 detector types Leakwatch can confirm whether a found secret is \u003cem\u003estill live\u003c/em\u003e by making a controlled, read-only call to the provider. A verified-active key is an incident; an inactive one is noise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMany sources\u003c/strong\u003e — scan a local filesystem, a full Git history, an OCI/Docker image, AWS S3, Google Cloud Storage, and Slack messages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-native output\u003c/strong\u003e — JSON, SARIF (for GitHub Code Scanning), CSV, and a colorized terminal table.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecret-safe by design\u003c/strong\u003e — discovered secrets are redacted by default and are never logged, cached, or written to disk.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"what-it-scans\"\u003eWhat it scans\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it covers\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFiles in a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history (local or remote)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker image layers, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text in channels and (optionally) DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eMultiple repos\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSeveral Git repositories at once\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-detection-works-briefly\"\u003eHow detection works, briefly\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses a layered pipeline so it stays fast even on large inputs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick keyword pre-filter\u003c/strong\u003e — a single multi-pattern automaton quickly decides which detectors \u003cem\u003ecould\u003c/em\u003e match a chunk, so most detectors never run their regex.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex validation\u003c/strong\u003e — only the shortlisted detectors run their precise patterns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropy\u003c/strong\u003e — Shannon entropy is computed for display (and used by custom rules to drop low-randomness matches).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification\u003c/strong\u003e — eligible findings are checked against the live provider API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYou don't have to understand the pipeline to use Leakwatch — but it explains why scans are fast and why some findings show a verification status while others don't. See \u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e for the full picture.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-leakwatch-is-not\"\u003eWhat Leakwatch is \u003cem\u003enot\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eTo set expectations accurately:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIt does \u003cstrong\u003enot\u003c/strong\u003e rewrite Git history or remove secrets for you — it finds and reports them, and (with \u003ccode\u003e--remediation\u003c/code\u003e) tells you how to rotate them.\u003c/li\u003e\n\u003cli\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e; scanning the \u003cem\u003econtents\u003c/em\u003e of uploaded files is not implemented.\u003c/li\u003e\n\u003cli\u003eVerification is available for many but not all secret types — 9 detector types (such as JWTs and generic API keys) cannot be safely verified and are always reported as unverified.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install via Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker, or a prebuilt binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind the scan.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Quick Start","description":"Run your first Leakwatch scan in under a minute.","html":"\u003ch1 id=\"quick-start\"\u003eQuick Start\u003c/h1\u003e\n\u003cp\u003eThe fastest way to understand what Leakwatch can do is to point it at a real directory. This page walks you through your first scan, explains what the output means, and shows the flags you will reach for most often.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eLeakwatch must be installed and accessible on your \u003ccode\u003ePATH\u003c/code\u003e. If you have not done that yet, see \u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"your-first-scan\"\u003eYour first scan\u003c/h2\u003e\n\u003cp\u003eScan the current directory with one command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default, output is JSON written to stdout. To get a human-readable, colorized table instead, add \u003ccode\u003e--format table\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHere is what a result looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe scan summary is always printed to \u003cstrong\u003estderr\u003c/strong\u003e, so it never interferes with piped or redirected output.\u003c/p\u003e\n\u003ch2 id=\"understanding-a-finding\"\u003eUnderstanding a finding\u003c/h2\u003e\n\u003cp\u003eEach row in the table (or object in JSON) represents one finding. The key fields are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHow critical the secret type is: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eThe detector that matched — identifies the secret type (e.g. \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the file where the secret was found, relative to the scan root\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eLine number of the match\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eA masked representation of the secret — never the raw value unless \u003ccode\u003e--show-raw\u003c/code\u003e is set\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eVerification outcome: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA \u003ccode\u003everified:active\u003c/code\u003e status means Leakwatch confirmed the secret is still live by making a read-only API call to the provider. \u003cstrong\u003eTreat every \u003ccode\u003everified:active\u003c/code\u003e finding as an open incident.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"common-scan-options\"\u003eCommon scan options\u003c/h2\u003e\n\u003ch3 id=\"focus-on-confirmed-secrets-only\"\u003eFocus on confirmed secrets only\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis hides unverified and inactive findings, leaving only those confirmed live. Useful for triage when you have many results.\u003c/p\u003e\n\u003ch3 id=\"skip-network-verification-for-a-fast-offline-scan\"\u003eSkip network verification for a fast offline scan\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVerification is skipped entirely — no outbound network calls are made. Results appear faster and work without internet access, but all findings are marked \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"add-remediation-guidance\"\u003eAdd remediation guidance\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach finding gains a \u003cstrong\u003eREMEDIATION\u003c/strong\u003e column explaining how to rotate or revoke the specific secret type. The same data is included in JSON, SARIF, and CSV output when the flag is set.\u003c/p\u003e\n\u003ch3 id=\"filter-by-minimum-severity\"\u003eFilter by minimum severity\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnly findings at \u003ccode\u003ehigh\u003c/code\u003e or \u003ccode\u003ecritical\u003c/code\u003e severity are reported.\u003c/p\u003e\n\u003ch3 id=\"save-results-to-a-file\"\u003eSave results to a file\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe \u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e flag writes to a file instead of stdout. SARIF output is compatible with \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"generate-a-configuration-file\"\u003eGenerate a configuration file\u003c/h2\u003e\n\u003cp\u003eRunning Leakwatch with defaults is fine for a first try, but for repeated use you will want a project-level configuration:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis writes \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory with recommended defaults for concurrency, entropy, verification, output format, and common path exclusions. Use \u003ccode\u003e--force\u003c/code\u003e to overwrite an existing file, or \u003ccode\u003e--output\u003c/code\u003e to write to a different path.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for a full explanation of every option.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses distinct exit codes so CI scripts can act on results without parsing output:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — no findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — one or more secrets found\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed due to an error\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA typical CI gate looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Active secrets found — failing build\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is returned whenever \u003cem\u003eany\u003c/em\u003e finding passes the active filters (including \u003ccode\u003e--min-severity\u003c/code\u003e and \u003ccode\u003e--only-verified\u003c/code\u003e). A clean exit code \u003ccode\u003e0\u003c/code\u003e means no findings matched — not that no secrets exist in the codebase.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cancelling-a-scan\"\u003eCancelling a scan\u003c/h2\u003e\n\u003cp\u003ePress \u003ccode\u003eCtrl+C\u003c/code\u003e (or send \u003ccode\u003eSIGTERM\u003c/code\u003e) to cancel a running scan. Leakwatch stops gracefully: in-flight chunks finish, partial results are written, and the summary indicates \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Output Formats","description":"The four output formats Leakwatch supports — JSON, SARIF, CSV, and table — with examples and guidance on when to use each.","html":"\u003ch1 id=\"output-formats\"\u003eOutput Formats\u003c/h1\u003e\n\u003cp\u003eLeakwatch supports four output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, and human-readable terminal review. Select a format with \u003ccode\u003e--format\u003c/code\u003e (or \u003ccode\u003e-f\u003c/code\u003e); write to a file instead of stdout with \u003ccode\u003e--output\u003c/code\u003e (or \u003ccode\u003e-o\u003c/code\u003e).\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe default format is \u003ccode\u003ejson\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON is the default format and the most complete representation. Leakwatch writes a JSON \u003cstrong\u003earray\u003c/strong\u003e of finding objects to stdout (or to the file given by \u003ccode\u003e--output\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003eThe raw secret value is \u003cstrong\u003enever\u003c/strong\u003e serialized unless \u003ccode\u003e--show-raw\u003c/code\u003e is explicitly set. With \u003ccode\u003e--show-raw\u003c/code\u003e, a \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e field is added to each object.\u003c/p\u003e\n\u003ch3 id=\"example-invocation\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-finding-object\"\u003eExample finding object\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--remediation\u003c/code\u003e is also set, a \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e object is nested inside each finding. See \u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esarif\u003c/code\u003e format produces a SARIF v2.1.0 document, designed for upload to \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e. The tool name is \u003ccode\u003eLeakwatch\u003c/code\u003e and \u003ccode\u003einformationUri\u003c/code\u003e points to \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eEach detector that appears in the findings becomes a \u003cstrong\u003erule\u003c/strong\u003e in the SARIF driver, complete with \u003ccode\u003ehelp\u003c/code\u003e text (populated from remediation steps when \u003ccode\u003e--remediation\u003c/code\u003e is set) and a \u003ccode\u003ehelpUri\u003c/code\u003e pointing to the provider documentation. Results carry a \u003ccode\u003eleakwatch/v1\u003c/code\u003e partial fingerprint computed from the detector ID, redacted value, and file path — this lets GitHub Code Scanning track the same alert even when surrounding code shifts.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-1\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"uploading-to-github-code-scanning\"\u003eUploading to GitHub Code Scanning\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# In a GitHub Actions workflow step:\n- name: Upload SARIF results\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e for the full CI setup.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003ecsv\u003c/code\u003e format writes a header row followed by one row per finding, using standard comma-separated values. Every cell is sanitized against spreadsheet formula injection before writing.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns (default):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eraw\u003c/code\u003e column is appended.\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003eremediation\u003c/code\u003e column contains the remediation title (e.g. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) when \u003ccode\u003e--remediation\u003c/code\u003e is set, and is empty otherwise.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-2\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"table\"\u003eTable\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003etable\u003c/code\u003e format writes a human-readable tab-aligned table, best suited for interactive terminal sessions where you want a quick visual scan of the results.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eRAW\u003c/code\u003e column is appended. A summary line is printed at the bottom of the table (e.g. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI color\u003c/strong\u003e is applied to the \u003ccode\u003eSEVERITY\u003c/code\u003e column automatically, but only when all four conditions are met:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e is selected\u003c/li\u003e\n\u003cli\u003eOutput goes to stdout (no \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003estdout is a TTY (not a pipe or redirect)\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNO_COLOR\u003c/code\u003e environment variable is unset\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003cth\u003eColor\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBold red\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYellow\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBlue\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-invocation-3\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output-1\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"common-output-flags\"\u003eCommon output flags\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (default \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite to file instead of stdout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eInclude unredacted secret value in output\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eDrop findings below this severity level\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eKeep only \u003ccode\u003everified_active\u003c/code\u003e findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eEnrich findings with provider remediation guidance\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Remediation Guidance","description":"Use --remediation to enrich findings with provider-specific rotation and revocation steps, urgency ratings, and official documentation links.","html":"\u003ch1 id=\"remediation-guidance\"\u003eRemediation Guidance\u003c/h1\u003e\n\u003cp\u003eKnowing a secret is leaked is only half the work — you also need to know what to do about it. Passing \u003ccode\u003e--remediation\u003c/code\u003e to any scan command enriches each finding with structured, provider-specific guidance: the steps to rotate or revoke the credential, a link to the provider's documentation, a link to the management console, an urgency rating, and a verification checklist.\u003c/p\u003e\n\u003ch2 id=\"how-to-enable-it\"\u003eHow to enable it\u003c/h2\u003e\n\u003cp\u003eAdd \u003ccode\u003e--remediation\u003c/code\u003e to any scan command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRemediation enrichment is disabled by default. When the flag is absent, the \u003ccode\u003eremediation\u003c/code\u003e field in each finding is \u003ccode\u003enull\u003c/code\u003e and no extra data is fetched or computed.\u003c/p\u003e\n\u003ch2 id=\"what-it-contains\"\u003eWhat it contains\u003c/h2\u003e\n\u003cp\u003eEach remediation entry includes the following fields:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShort name of the remediation action (e.g. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOrdered list of steps to rotate or revoke the secret\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLink to the provider's official credential-management documentation\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDirect link to the provider's management console page\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHow quickly to act: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e, or \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePost-rotation verification steps (e.g. review audit logs, notify the security team)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch ships 63 remediation entries — one for every built-in detector. All 63 entries are included in the binary; no network calls are made to fetch guidance.\u003c/p\u003e\n\u003ch2 id=\"how-it-appears-in-each-format\"\u003eHow it appears in each format\u003c/h2\u003e\n\u003cp\u003eEnrichment adds the guidance to the finding object in memory. How it surfaces depends on the output format:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — the full structured \u003ccode\u003eremediation\u003c/code\u003e object is nested inside each finding:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — the \u003ccode\u003esteps\u003c/code\u003e are embedded in the rule's \u003ccode\u003ehelp.text\u003c/code\u003e field, and \u003ccode\u003edoc_url\u003c/code\u003e is set as the rule's \u003ccode\u003ehelpUri\u003c/code\u003e. This surfaces directly in GitHub Code Scanning's alert details panel.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is written to the \u003ccode\u003eremediation\u003c/code\u003e column. The full structured guidance is not included in the CSV output.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTable\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is shown in the \u003ccode\u003eREMEDIATION\u003c/code\u003e column.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--remediation --format json\u003c/code\u003e when you need the full structured guidance for automated incident-response workflows. Use \u003ccode\u003e--remediation --format table\u003c/code\u003e for a quick human-readable triage session in the terminal.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnrichment runs only when \u003ccode\u003e--remediation\u003c/code\u003e is set. Without the flag, the \u003ccode\u003eremediation\u003c/code\u003e field is absent from JSON and SARIF output, and the CSV and table \u003ccode\u003eremediation\u003c/code\u003e columns are empty. The flag does not modify the original scan results — it adds a layer on top.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Reference","description":"Complete reference for every Leakwatch command, subcommand, and flag.","html":"\u003ch1 id=\"cli-reference\"\u003eCLI Reference\u003c/h1\u003e\n\u003cp\u003eThis page is the authoritative reference for all Leakwatch commands and flags. For conceptual explanations and worked examples, follow the cross-links to the relevant scanning or configuration pages.\u003c/p\u003e\n\u003ch2 id=\"global-flags\"\u003eGlobal flags\u003c/h2\u003e\n\u003cp\u003eThese flags are available on every command and subcommand.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eauto-discovered \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a configuration file. When omitted, Leakwatch searches the current directory and its parents for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLogging verbosity: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e, or \u003ccode\u003eerror\u003c/code\u003e. Log output goes to stderr and does not affect scan results.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003ePrints the binary version, commit hash, and build timestamp, then exits.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGenerates a \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file in the current directory with recommended defaults.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite the config file to this path instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOverwrite an existing config file. Without this flag, \u003ccode\u003einit\u003c/code\u003e exits with an error if the output file already exists.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Generate the default config\nleakwatch init\n\n# Overwrite an existing config\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eParent command for all scan subcommands. Has no behavior on its own; run a subcommand.\u003c/p\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003cp\u003eThe following flags are available on \u003cstrong\u003eall\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e subcommands.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file path instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files or blobs larger than this number of bytes.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw (unredacted) secret value in output. Use with caution.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable live secret verification. No outbound API calls are made.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings that Leakwatch has confirmed are active via live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to include in output: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance (rotation/revocation steps) to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans a local directory tree.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e defaults to \u003ccode\u003e.\u003c/code\u003e. Accepts at most one positional argument.\u003c/p\u003e\n\u003ch4 id=\"filesystem-specific-flags\"\u003eFilesystem-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob pattern for paths to exclude. Repeatable.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory, print a colorized table\nleakwatch scan fs . --format table\n\n# Save SARIF output, exclude test files and vendor\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the full commit history of a local or remote Git repository.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required: a local path or an HTTP/HTTPS/SSH URL.\u003c/p\u003e\n\u003ch4 id=\"git-specific-flags\"\u003eGit-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default branch.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eShallow clone depth for remote repositories. \u003ccode\u003e0\u003c/code\u003e fetches the full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-1\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan full local history\nleakwatch scan git . --format table\n\n# Scan only commits added by a pull request\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the layers of an OCI/Docker image for secrets. Leakwatch is daemonless and pulls directly from the registry — no Docker socket is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"examples-2\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a public image\nleakwatch scan image nginx:latest --format table\n\n# Scan a private registry image and save JSON output\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in an AWS S3 bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"s3-specific-flags\"\u003eS3-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket. Falls back to \u003ccode\u003eAWS_REGION\u003c/code\u003e environment variable or the AWS SDK default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-3\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire bucket\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Scan only a specific prefix\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in a Google Cloud Storage bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID. Required when the bucket's project cannot be inferred from the default credentials.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-4\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire GCS bucket\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Scan a prefix\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans message text in a Slack workspace.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo positional arguments.\u003c/p\u003e\n\u003ch4 id=\"slack-specific-flags\"\u003eSlack-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token. Can also be set via \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to scan. Scans all accessible channels when omitted.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only messages posted after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude direct messages (requires additional OAuth scopes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-5\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan all accessible channels\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Scan specific channels since a date\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans multiple Git repositories in parallel.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRequires at least two positional arguments (repository URLs or local paths).\u003c/p\u003e\n\u003ch4 id=\"repos-specific-flags\"\u003eRepos-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan concurrently.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eWorker concurrency within each repository scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-6\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan two repositories in parallel\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Increase parallelism for a large set of repos\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e — configure Leakwatch without flags.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — detailed \u003ccode\u003escan fs\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — detailed \u003ccode\u003escan git\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Environment Variables","description":"Environment variables that configure Leakwatch behavior without flags.","html":"\u003ch1 id=\"environment-variables\"\u003eEnvironment Variables\u003c/h1\u003e\n\u003cp\u003eLeakwatch reads configuration from three sources in priority order: \u003cstrong\u003ecommand-line flags\u003c/strong\u003e override \u003cstrong\u003eenvironment variables\u003c/strong\u003e, which override the \u003cstrong\u003econfig file\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e), which falls back to built-in \u003cstrong\u003edefaults\u003c/strong\u003e. Environment variables are useful in CI environments where you cannot modify a config file or pass flags to every invocation.\u003c/p\u003e\n\u003ch2 id=\"configuration-variable-pattern\"\u003eConfiguration variable pattern\u003c/h2\u003e\n\u003cp\u003eAny key from \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e can be set as an environment variable by:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eUppercasing the key name.\u003c/li\u003e\n\u003cli\u003eReplacing \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrepending \u003ccode\u003eLEAKWATCH_\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor example, the config key \u003ccode\u003escan.concurrency\u003c/code\u003e becomes \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"variable-reference\"\u003eVariable reference\u003c/h2\u003e\n\u003ch3 id=\"leakwatch-specific-variables\"\u003eLeakwatch-specific variables\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack bot token for \u003ccode\u003escan slack\u003c/code\u003e. Equivalent to \u003ccode\u003e--token\u003c/code\u003e. Set this instead of passing the token as a flag to avoid it appearing in shell history or CI logs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers. Equivalent to \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSet to \u003ccode\u003efalse\u003c/code\u003e to disable live verification globally. Equivalent to \u003ccode\u003e--no-verify\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum verification requests per second across all verifiers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault output format (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e). Equivalent to \u003ccode\u003e--format\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum Shannon entropy for a match to be reported. Float value, e.g. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"display-variable\"\u003eDisplay variable\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWhen set to any non-empty value, disables ANSI color codes in the \u003ccode\u003etable\u003c/code\u003e output formatter. Follows the \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e convention.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-variables-for-scan-s3-and-aws-secret-verification\"\u003eAWS variables (for \u003ccode\u003escan s3\u003c/code\u003e and AWS secret verification)\u003c/h3\u003e\n\u003cp\u003eThese are standard AWS SDK environment variables. Leakwatch passes them through to the AWS SDK v2 default credential chain.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS access key ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS secret access key.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS session token (for temporary credentials).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault AWS region.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNamed profile from \u003ccode\u003e~/.aws/credentials\u003c/code\u003e to use.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-variable-for-scan-gcs\"\u003eGCS variable (for \u003ccode\u003escan gcs\u003c/code\u003e)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a Google service-account JSON key file. Used by Application Default Credentials when scanning a GCS bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence-example\"\u003ePrecedence example\u003c/h2\u003e\n\u003cp\u003eGiven this setup:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e sets \u003ccode\u003eoutput.format: table\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e is set in the environment\u003c/li\u003e\n\u003cli\u003eThe command is run as \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e (no \u003ccode\u003e--format\u003c/code\u003e flag)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe effective format is \u003ccode\u003ejson\u003c/code\u003e because the environment variable overrides the config file.\u003c/p\u003e\n\u003cp\u003eIf the command is run as \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e, the effective format is \u003ccode\u003esarif\u003c/code\u003e because the flag overrides everything.\u003c/p\u003e\n\u003ch2 id=\"credentials-for-verification-vs-credentials-for-scanning\"\u003eCredentials for verification vs. credentials for scanning\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe AWS and GCP variables above are consumed to \u003cstrong\u003eauthenticate Leakwatch itself\u003c/strong\u003e when it connects to S3 or GCS to retrieve objects for scanning. They are not used to verify found secrets. Verification of a discovered AWS key, for example, uses that discovered key itself to call AWS STS — not the runner's credentials.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"passing-secrets-safely-in-ci\"\u003ePassing secrets safely in CI\u003c/h2\u003e\n\u003cp\u003eIn GitHub Actions, use encrypted secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn GitLab CI, use masked CI/CD variables:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # defined as a masked variable in project settings\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNever hard-code token values in workflow files or Dockerfiles.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — full \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e key reference.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eCloud Storage Scanning\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e and \u003ccode\u003escan gcs\u003c/code\u003e credentials.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Scanning\u003c/a\u003e — Slack token scopes and permissions.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — equivalent command-line flags.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Exit Codes","description":"Leakwatch exit code reference and how to use them in scripts and CI pipelines.","html":"\u003ch1 id=\"exit-codes\"\u003eExit Codes\u003c/h1\u003e\n\u003cp\u003eLeakwatch uses a small, well-defined set of exit codes so that CI pipelines and shell scripts can act on scan results without parsing output. Every scan subcommand exits with one of three codes.\u003c/p\u003e\n\u003ch2 id=\"code-reference\"\u003eCode reference\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eName\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eClean\u003c/td\u003e\n\u003ctd\u003eThe scan completed successfully and no findings passed the active filters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFindings\u003c/td\u003e\n\u003ctd\u003eThe scan completed and one or more secrets were found (and passed the active filters).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eError\u003c/td\u003e\n\u003ctd\u003eA hard error occurred — for example, an invalid flag, an unreadable path, or an authentication failure. An \u003ccode\u003eError: ...\u003c/code\u003e message and a usage hint are printed to stderr.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-filters-affect-exit-code-1\"\u003eHow filters affect exit code 1\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is only emitted when at least one finding survives all active output filters. The two most relevant filters are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — findings below the threshold are suppressed. If all findings are \u003ccode\u003elow\u003c/code\u003e severity and you run with \u003ccode\u003e--min-severity high\u003c/code\u003e, exit code \u003ccode\u003e0\u003c/code\u003e is returned even though secrets exist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — only findings confirmed active by live verification are reported. If no active secrets are found, exit code \u003ccode\u003e0\u003c/code\u003e is returned.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis means exit code \u003ccode\u003e0\u003c/code\u003e means \u0026quot;no findings matched your current filter settings\u0026quot; — not necessarily that the codebase contains no secrets at all.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eA clean \u003ccode\u003e0\u003c/code\u003e exit under \u003ccode\u003e--only-verified\u003c/code\u003e does not guarantee the codebase is secret-free. Secrets for which verification is unavailable (9 detector types) are always reported as unverified and are suppressed by \u003ccode\u003e--only-verified\u003c/code\u003e. Pair \u003ccode\u003e--only-verified\u003c/code\u003e with a separate unfiltered scan if you need full coverage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"using-exit-codes-in-shell-scripts\"\u003eUsing exit codes in shell scripts\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;No secrets found. Build continues.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Secrets found — review leakwatch.json and remediate before merging.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch encountered an error (exit $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eset +e\u003c/code\u003e before the scan prevents the shell from exiting on non-zero codes, giving you the chance to capture and handle the code yourself.\u003c/p\u003e\n\u003ch2 id=\"using-exit-codes-in-ci-pipelines\"\u003eUsing exit codes in CI pipelines\u003c/h2\u003e\n\u003cp\u003eMost CI systems treat any non-zero exit code as a step failure. Since Leakwatch exits \u003ccode\u003e1\u003c/code\u003e when secrets are found, the pipeline fails automatically without any extra configuration — simply run the scan command.\u003c/p\u003e\n\u003cp\u003eTo allow the pipeline to continue even when secrets are found (for example, to collect the report without blocking the build), explicitly ignore the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in GitLab CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in the GitHub Action, set \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"exit-code-2-in-practice\"\u003eExit code 2 in practice\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e2\u003c/code\u003e indicates a configuration or runtime error that prevented the scan from running at all. Common causes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn invalid flag value (for example, \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA path that does not exist or is not readable.\u003c/li\u003e\n\u003cli\u003eA missing required argument (for example, \u003ccode\u003escan git\u003c/code\u003e with no URL).\u003c/li\u003e\n\u003cli\u003eAn authentication error when connecting to a cloud source.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe error message is printed to stderr and includes context to help diagnose the problem:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — how to wire exit codes into GitLab CI, Jenkins, and others.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — how the official action maps exit codes to step outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Cloud Storage (S3 \u0026 GCS)","description":"Scan AWS S3 and Google Cloud Storage buckets for leaked secrets.","html":"\u003ch1 id=\"cloud-storage-s3--gcs\"\u003eCloud Storage (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSecrets regularly end up in cloud storage — exported database dumps, environment files, CI artefacts, and log archives all flow into buckets that may be readable by more people than intended. Leakwatch can scan AWS S3 and Google Cloud Storage buckets object-by-object and flag any secrets it finds before they become an incident.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"usage\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003es3://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses the standard \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS default credential chain\u003c/a\u003e:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnvironment variables (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared credentials file (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared configuration file (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIAM role attached to the instance or task (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNo additional configuration is required if you are already authenticated with the AWS CLI (\u003ccode\u003eaws configure\u003c/code\u003e or an assumed role).\u003c/p\u003e\n\u003ch3 id=\"s3-specific-flags\"\u003eS3-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eFrom AWS config\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-examples\"\u003eS3 examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific key prefix in a given region:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--prefix\u003c/code\u003e to limit the scan to a relevant sub-path. Scanning a large bucket with millions of objects can be slow and may incur S3 GET request costs. Narrow the prefix to what actually matters — for example \u003ccode\u003econfigs/\u003c/code\u003e or \u003ccode\u003eexports/\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"usage-1\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003egs://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication-1\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e. The credential search order is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e environment variable pointing to a service-account key file.\u003c/li\u003e\n\u003cli\u003eUser credentials set up by \u003ccode\u003egcloud auth application-default login\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eService account attached to a Google Compute Engine instance, Cloud Run service, or GKE workload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID (required by some ADC configurations).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-examples\"\u003eGCS examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket with a specific GCP project:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific prefix:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOutput as CSV:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h2\u003e\n\u003cp\u003eBoth \u003ccode\u003es3\u003c/code\u003e and \u003ccode\u003egcs\u003c/code\u003e support the same common scan flags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip objects larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions (applied to object keys) are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (authentication error, bucket not found, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Container Images","description":"Scan OCI and Docker image layers for leaked secrets without a Docker daemon.","html":"\u003ch1 id=\"container-images\"\u003eContainer Images\u003c/h1\u003e\n\u003cp\u003eContainer images are a common hiding place for secrets: API keys baked into environment variables, credentials embedded in build layers, and configuration files copied into image layers and then forgotten. \u003ccode\u003eleakwatch scan image\u003c/code\u003e inspects every layer of an OCI or Docker image and surfaces those secrets before the image is deployed.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: an image reference in standard \u003ccode\u003ename:tag\u003c/code\u003e notation. Leakwatch uses \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e to pull and inspect images \u003cstrong\u003edaemonlessly\u003c/strong\u003e — no running Docker daemon is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a Docker Hub image\nleakwatch scan image nginx:latest\n\n# Scan a private GitHub Container Registry image\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Scan an Amazon ECR image\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"supported-registries\"\u003eSupported registries\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eRegistry\u003c/th\u003e\n\u003cth\u003eExample reference\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAny OCI-compatible registry\u003c/td\u003e\n\u003ctd\u003eStandard \u003ccode\u003eregistry/name:tag\u003c/code\u003e form\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses the standard credential keychain used by Docker and other OCI tools. If you are already authenticated via \u003ccode\u003edocker login\u003c/code\u003e (or an equivalent tool such as \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, or cloud-provider credential helpers), Leakwatch will use those credentials automatically.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Log in to GHCR first\ndocker login ghcr.io\n\n# Then scan — credentials are picked up automatically\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor Amazon ECR, configure the ECR credential helper or set \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e and related environment variables before scanning.\u003c/p\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch pulls the image manifest, iterates over each layer in order, and extracts the files within each layer. Each file's content is run through the same detection pipeline as a filesystem scan. Path exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply here, limiting which file paths inside layers are examined.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003cp\u003eThere are no image-specific flags. All common scan flags apply:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e for details.\u003c/p\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan a Docker Hub image and print results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a private registry image and save SARIF output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan and show only verified active secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInclude remediation guidance in JSON output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from an image scan includes layer metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe image reference that was scanned.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe layer digest where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe path of the file within the layer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIntegrate container image scanning into your CI/CD pipeline's build stage to catch secrets before the image is pushed to a registry. Use \u003ccode\u003e--format sarif\u003c/code\u003e to upload results directly to GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (image not found, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Filesystem","description":"Scan a local directory tree for leaked secrets with leakwatch scan fs.","html":"\u003ch1 id=\"filesystem\"\u003eFilesystem\u003c/h1\u003e\n\u003cp\u003eLocal source code is where secrets most often appear first. The \u003ccode\u003eleakwatch scan fs\u003c/code\u003e command walks every file in a directory tree, runs the full detection pipeline on each one, and reports any findings before they can be committed — or after the fact on an existing codebase.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e is optional. When omitted, Leakwatch scans the current working directory (\u003ccode\u003e.\u003c/code\u003e). Only one path argument is accepted.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory\nleakwatch scan fs\n\n# Scan a specific project folder\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"what-the-filesystem-source-skips-automatically\"\u003eWhat the filesystem source skips automatically\u003c/h2\u003e\n\u003cp\u003eTo keep scans fast and noise-free, the filesystem source skips the following without any configuration:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBinary files\u003c/strong\u003e — detected by the presence of a null byte in the first 8 KB of the file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKnown binary extensions\u003c/strong\u003e — common compiled, image, audio, video, and archive formats.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLock files\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e, and similar.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"filesystem-specific\"\u003eFilesystem-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (repeatable)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob patterns for paths to exclude. Can be repeated or comma-separated.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the current directory and print a colorized table to the terminal:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude test files and vendor directories, then save SARIF output for GitHub Code Scanning:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eLimit file size to 5 MB and increase worker count for a large monorepo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eShow only high-severity findings and include rotation instructions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"excluding-paths\"\u003eExcluding paths\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003e--exclude\u003c/code\u003e flag accepts glob patterns and can be specified multiple times or as a comma-separated list:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Two separate flags\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Comma-separated\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor permanent exclusion rules shared across your team, add them to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Those rules apply to every source, not just filesystem scans. You can also create a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your project root. See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e and \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (configuration error, unreadable path, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary (source type, target, file count, duration, and finding count) is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eRun \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e during development to get a quick visual overview. Switch to \u003ccode\u003e--format sarif\u003c/code\u003e in CI pipelines to integrate with GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure default format, exclusions, and more.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e and inline suppression.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history, not just the working tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git History","description":"Scan the full commit history of a local or remote Git repository for leaked secrets.","html":"\u003ch1 id=\"git-history\"\u003eGit History\u003c/h1\u003e\n\u003cp\u003eA secret that was committed and then deleted is still present in every earlier commit, reachable to anyone with repository access. \u003ccode\u003eleakwatch scan git\u003c/code\u003e walks the \u003cem\u003eentire\u003c/em\u003e commit history of a repository — local or remote — and surfaces those secrets before they can be exploited.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: either a \u003cstrong\u003elocal filesystem path\u003c/strong\u003e to a repository (\u003ccode\u003e.\u003c/code\u003e for the current directory) or a \u003cstrong\u003eremote HTTP/HTTPS or SSH URL\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e for all Git operations — a pure Go implementation with no dependency on a system \u003ccode\u003egit\u003c/code\u003e binary.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the local repository in the current directory\nleakwatch scan git .\n\n# Scan a remote repository over HTTPS\nleakwatch scan git https://github.com/org/repo.git\n\n# Scan over SSH\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch walks every commit in the history and examines the blobs introduced by each commit. \u003cstrong\u003eBlob-hash deduplication\u003c/strong\u003e ensures that identical file content is scanned only once, no matter how many commits reference it. This keeps scan time proportional to the \u003cem\u003eunique content\u003c/em\u003e in the repository rather than to the raw commit count.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause Leakwatch examines commit-by-commit diffs, it finds secrets that were introduced and later deleted — content that is invisible in the current working tree.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"git-specific\"\u003eGit-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD (diff-based).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eClone depth for \u003cstrong\u003eremote repositories only\u003c/strong\u003e. \u003ccode\u003e0\u003c/code\u003e means full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the full history of the local repository and print a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only commits made after a specific date on the \u003ccode\u003edevelop\u003c/code\u003e branch:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan changes introduced since a specific commit (useful in CI to check only new commits):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDo a shallow clone of a large remote repository to speed up the initial scan:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a remote repository and save verified findings only as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Git scan includes commit metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eURL or path of the scanned repository (credentials stripped).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit hash where the secret was introduced.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit author name and email.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit timestamp.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBranch context (when available).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--since-commit\u003c/code\u003e in pull-request CI jobs to scan only the commits added by the PR. Use \u003ccode\u003e--since \u0026lt;date\u0026gt;\u003c/code\u003e for scheduled nightly scans covering recent activity.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eWhen a repository URL contains embedded credentials (for example \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch strips those credentials before writing anything to logs or output, so the token never appears in scan results or CI traces.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (invalid URL, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eMultiple Repositories\u003c/a\u003e — scan several repositories in one command.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan the working tree instead of history.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Multiple Repositories","description":"Scan several Git repositories concurrently and combine results into a single report.","html":"\u003ch1 id=\"multiple-repositories\"\u003eMultiple Repositories\u003c/h1\u003e\n\u003cp\u003eWhen an organization grows, secrets can land in any of dozens or hundreds of repositories. Checking them one by one is impractical. \u003ccode\u003eleakwatch scan repos\u003c/code\u003e accepts multiple repository URLs and scans them concurrently, merging all findings into a single output — one command, one report.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command requires \u003cstrong\u003eat least two\u003c/strong\u003e repository URLs. All repositories are cloned, scanned, and cleaned up automatically. The combined finding count and a single scan summary are reported at the end.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-works\"\u003eHow it works\u003c/h2\u003e\n\u003cp\u003eLeakwatch spawns up to \u003ccode\u003e--parallel\u003c/code\u003e repository scans at once. Each repository is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCloned from the provided URL (credentials are stripped from logs and output for safety).\u003c/li\u003e\n\u003cli\u003eScanned with the full detection pipeline, using \u003ccode\u003e--concurrency\u003c/code\u003e workers for that repository.\u003c/li\u003e\n\u003cli\u003eCleaned up (the temporary clone is deleted) once the scan completes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAll findings from all repositories are collected and written as a single output, as if the scan had been a single-source run. The displayed target is \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"multi-repo-specific\"\u003eMulti-repo-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan in parallel.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers \u003cstrong\u003eper repository\u003c/strong\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply to all repositories. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan two repositories and display results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan five repositories with higher parallelism and save the combined results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan with more workers per repository and show only verified findings:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tuning-parallelism\"\u003eTuning parallelism\u003c/h2\u003e\n\u003cp\u003eTwo knobs control throughput:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e controls how many repository clones and scans run simultaneously. The default of \u003ccode\u003e3\u003c/code\u003e is appropriate for most workloads. Raise it when network bandwidth and CPU headroom allow; lower it on constrained machines.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e) controls how many worker goroutines process file blobs \u003cem\u003ewithin\u003c/em\u003e each individual repository. This is the same flag available on all scan commands.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTotal concurrent operations at peak = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf one or more repository scans fail (for example, due to a network error or authentication failure), Leakwatch logs the error and continues scanning the remaining repositories. The exit code will be \u003ccode\u003e2\u003c/code\u003e if any individual repo scan failed, even if other repos produced findings.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eAny embedded credentials in repository URLs (e.g. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e) are stripped before the URL is written to logs, output, or the scan summary.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOne or more repository scans failed, or a configuration error occurred.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan a single repository in depth.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure shared defaults for all sources.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Workspace","description":"Scan Slack channel and DM message text for leaked secrets.","html":"\u003ch1 id=\"slack-workspace\"\u003eSlack Workspace\u003c/h1\u003e\n\u003cp\u003eDevelopers frequently share credentials in chat — a token pasted into a channel for a quick test, a password sent in a DM, or an API key mentioned in an incident thread. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e reads message text across your Slack workspace and flags any secrets it finds.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch scans \u003cstrong\u003emessage text only\u003c/strong\u003e. Scanning the contents of uploaded files (attachments, snippets) is not implemented. Only the text body of messages is analysed.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis command takes \u003cstrong\u003eno positional arguments\u003c/strong\u003e. All configuration is provided through flags or environment variables.\u003c/p\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eA Slack Bot Token is required. Provide it via the \u003ccode\u003e--token\u003c/code\u003e flag or the \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e environment variable. Using an environment variable is recommended so the token never appears in shell history or process listings.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"required-bot-token-scopes\"\u003eRequired bot token scopes\u003c/h3\u003e\n\u003cp\u003eThe bot token must be associated with a Slack app that has the following OAuth scopes:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eScope\u003c/th\u003e\n\u003cth\u003ePurpose\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in public channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in private channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead group direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"slack-specific\"\u003eSlack-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. Prefer \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e env var.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eall channels\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan messages posted on or after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAlso scan direct messages and group DMs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eInternal chunk size limit (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan all channels the bot has access to, using an environment variable for the token:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan specific channels and limit to messages since the start of the year:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude noisy channels and include direct messages:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eReduce the API request rate to avoid Slack rate-limit errors on large workspaces:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave only verified active findings to a JSON file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Slack scan includes message and channel metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe channel name where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack message timestamp (unique message ID).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack user ID of the message author.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performance-considerations\"\u003ePerformance considerations\u003c/h2\u003e\n\u003cp\u003eSlack API requests are subject to rate limits enforced by Slack. The \u003ccode\u003e--rate-limit\u003c/code\u003e flag (default \u003ccode\u003e20\u003c/code\u003e requests/second) controls how aggressively Leakwatch makes requests. Lower this value if you see \u003ccode\u003e429 Too Many Requests\u003c/code\u003e errors, especially on large workspaces.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003e--channels\u003c/code\u003e to target specific channels rather than scanning the entire workspace on every run. Combine with \u003ccode\u003e--since\u003c/code\u003e to scan only recent messages incrementally.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (missing token, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure defaults in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"How Verification Works","description":"How Leakwatch confirms whether a detected secret is still active, which verification modes it uses, and how to configure or disable verification.","html":"\u003ch1 id=\"how-verification-works\"\u003eHow Verification Works\u003c/h1\u003e\n\u003cp\u003eFinding a secret in a codebase is only half the story. A key that was rotated six months ago is noise; a key that is still live is an active incident. Verification is the step that draws that line — it takes each detected finding and, where possible, confirms whether the secret is currently valid at the provider.\u003c/p\u003e\n\u003ch2 id=\"from-detection-to-verification\"\u003eFrom detection to verification\u003c/h2\u003e\n\u003cp\u003eAfter the scan engine collects findings, the verifier pool picks them up. Each finding carries a \u003ccode\u003edetector_id\u003c/code\u003e; Leakwatch looks up whether a verifier is registered for that ID:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf a verifier exists, it runs and returns a status.\u003c/li\u003e\n\u003cli\u003eIf no verifier is registered for that detector type, the finding passes through unchanged with status \u003ccode\u003eunverified\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"two-verification-modes\"\u003eTwo verification modes\u003c/h2\u003e\n\u003cp\u003eNot all secrets can be verified the same way. Leakwatch uses two distinct approaches depending on what is safe for each credential type.\u003c/p\u003e\n\u003ch3 id=\"live-api-verification\"\u003eLive API verification\u003c/h3\u003e\n\u003cp\u003eFor approximately 49 detector types, Leakwatch makes a \u003cstrong\u003econtrolled, read-only API call\u003c/strong\u003e to the provider — for example, calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys or \u003ccode\u003eGET /user\u003c/code\u003e for GitHub tokens. The call uses only the minimum endpoint required to confirm identity; it never modifies data, creates resources, or triggers billing events.\u003c/p\u003e\n\u003cp\u003eIf the provider returns a success response, the finding is marked \u003ccode\u003everified_active\u003c/code\u003e. If the provider rejects the credential (for example with HTTP 401 or 403), the finding is marked \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"format-validation-only\"\u003eFormat validation only\u003c/h3\u003e\n\u003cp\u003eFor five credential types, no safe live check exists — the provider has no anonymous identity endpoint, or a real call would have side effects. For these, Leakwatch validates the structure of the credential without making any network request:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e fields present\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check only — a valid format proves nothing, result is always \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEven when the format check passes, the result remains \u003ccode\u003eunverified\u003c/code\u003e. A structurally valid credential may be expired or revoked. These findings always require manual triage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"verification-statuses\"\u003eVerification statuses\u003c/h2\u003e\n\u003cp\u003eEvery finding in Leakwatch output carries one of four statuses:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStatus\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe secret was confirmed live by the provider.\u003c/td\u003e\n\u003ctd\u003eTreat as an active incident. Rotate immediately.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe provider rejected the credential.\u003c/td\u003e\n\u003ctd\u003eLikely already rotated. Review context and close.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo verifier exists for this type, or format validation returned no result, or verification was disabled.\u003c/td\u003e\n\u003ctd\u003eTriage manually; context determines risk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe verifier ran but encountered a network error, timeout, or unexpected response.\u003c/td\u003e\n\u003ctd\u003eTreat as potentially active. Retry or triage manually.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"the-verification-engine\"\u003eThe verification engine\u003c/h2\u003e\n\u003cp\u003eVerification runs in a dedicated concurrent worker pool, isolated from the scan worker pool. The defaults are conservative to avoid triggering provider rate limits:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSetting\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eWorker count\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal rate limit\u003c/td\u003e\n\u003ctd\u003e10 requests/second\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003ePer-request timeout\u003c/td\u003e\n\u003ctd\u003e10 s\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eAll three values are tunable under the \u003ccode\u003everification:\u003c/code\u003e block in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # requests per second (global)\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf you are scanning a repository that triggers hundreds of findings, consider lowering \u003ccode\u003erate-limit\u003c/code\u003e to 5 or enabling \u003ccode\u003e--only-verified\u003c/code\u003e to keep the verified-active set small and actionable.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"controlling-verification-at-the-command-line\"\u003eControlling verification at the command line\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eDisable verification entirely\u003c/strong\u003e with \u003ccode\u003e--no-verify\u003c/code\u003e (or set \u003ccode\u003everification.enabled: false\u003c/code\u003e in config). Every finding passes through as \u003ccode\u003eunverified\u003c/code\u003e. Use this for offline or air-gapped environments, or when you want the fastest possible scan without touching any provider API.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eShow only confirmed-live secrets\u003c/strong\u003e with \u003ccode\u003e--only-verified\u003c/code\u003e. Everything that is not \u003ccode\u003everified_active\u003c/code\u003e is dropped from the output. This is the fastest way to triage a large result set — you see only the keys you must act on now.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e silently drops \u003ccode\u003eunverified\u003c/code\u003e and \u003ccode\u003everify_error\u003c/code\u003e findings. Do not use it as your sole filter in a compliance context — some credential types (JWTs, generic API keys, private keys) can never be verified and would always be excluded.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eVerification is designed so that the raw secret value never leaves the process boundary in an unsafe way:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerifiers pass the secret directly to the provider's HTTP endpoint over TLS — it is never written to disk, emitted to a log, or cached between runs.\u003c/li\u003e\n\u003cli\u003eA verifier that fails to initialise or encounters a panic is caught by the engine, which marks the finding \u003ccode\u003everify_error\u003c/code\u003e and continues rather than crashing the scan.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detector types are live-verified, format-validated, or not verifiable at all.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for the \u003ccode\u003everification:\u003c/code\u003e block.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — how the verification status appears in JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Verification Coverage","description":"Which of the 63 built-in detectors are live-verified, format-validated only, or not verifiable — and what that means for triage.","html":"\u003ch1 id=\"verification-coverage\"\u003eVerification Coverage\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships 63 built-in detectors and 54 verifiers, giving a coverage rate of \u003cstrong\u003e85.7%\u003c/strong\u003e (54 of 63 detector types have some form of verification). This page maps every detector to its verification status so you know what to expect in your output.\u003c/p\u003e\n\u003ch2 id=\"live-verified-49-detector-types\"\u003eLive-verified (49 detector types)\u003c/h2\u003e\n\u003cp\u003eFor these types, Leakwatch makes a controlled, read-only API call to the provider and returns \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e. No data is created or modified; the call uses the minimum endpoint needed to confirm identity.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector type\u003c/th\u003e\n\u003cth\u003eProvider\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"format-validated-only-5-detector-types\"\u003eFormat-validated only (5 detector types)\u003c/h2\u003e\n\u003cp\u003eThese verifiers run entirely offline. No network request is made. Because a valid format does not prove a credential is active, all five always return \u003ccode\u003eunverified\u003c/code\u003e regardless of whether the format check passes or fails.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003cth\u003eWhy no live check\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eLive check requires a GCP OAuth2 token exchange, which has side effects\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003ctd\u003eNo public unauthenticated health endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePassword length and host substring check\u003c/td\u003e\n\u003ctd\u003eLive check requires a JDBC/ODBC database connection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eRequires per-account HMAC signing; no generic identity endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eClient credential flow would create sessions\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"not-verifiable-9-detector-types\"\u003eNot verifiable (9 detector types)\u003c/h2\u003e\n\u003cp\u003eThese detector types have no verifier at all. Findings from them are always \u003ccode\u003eunverified\u003c/code\u003e. This is \u003cstrong\u003enot\u003c/strong\u003e because they are unimportant — they are detected and reported in full — but because no public verification API exists, or because any verification attempt would have side effects.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eReason\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eA JWT can be issued by any party; there is no universal validation endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo provider to call; active use cannot be detected remotely\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnknown provider by definition\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would create sessions on the target database\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would open a live connection to the Redis instance\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo safe read-only FTP probe\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind would create an authenticated session\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConfirming a webhook is active requires sending a message\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token validation requires knowing the Vault endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Not verifiable\u0026quot; does not mean \u0026quot;not found\u0026quot;. All 9 of these types are still detected and appear in your output. They require manual triage to determine whether the credential is live and whether it needs rotation.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"coverage-summary\"\u003eCoverage summary\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCategory\u003c/th\u003e\n\u003cth\u003eCount\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eLive-verified\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eFormat-validated only\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eNot verifiable\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eTotal detectors\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eVerifiers (any coverage)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (85.7%)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — the two verification modes, statuses, and the verification engine.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the full list of built-in detectors with severities.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; diff --git a/site/js/manuals/tr.js b/site/js/manuals/tr.js new file mode 100644 index 0000000..8153453 --- /dev/null +++ b/site/js/manuals/tr.js @@ -0,0 +1,3 @@ +// Generated by tools/site-build. Do not edit by hand. +window.LW_MANUAL = window.LW_MANUAL || {}; +window.LW_MANUAL["tr"] = {"ci-cd/docker-usage":{"title":"Docker Kullanımı","description":"Resmi Docker imajını kullanarak Leakwatch taramalarını bir konteyner içinde çalıştırın.","html":"\u003ch1 id=\"docker-kullanm\"\u003eDocker Kullanımı\u003c/h1\u003e\n\u003cp\u003eResmi Leakwatch konteyner imajı, ana makineye herhangi bir şey kurmadan tarama yapmanızı sağlar. İmaj \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e ile statik olarak derlenmiş ve root olmayan bir kullanıcı olarak çalışır; bu nedenle kilitli CI ortamlarında ve ana sistemi değiştirmek istemediğiniz paylaşımlı makinelerde güvenle kullanılabilir.\u003c/p\u003e\n\u003ch2 id=\"maj-referans\"\u003eİmaj referansı\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eİmaj Alpine tabanlıdır, root olmayan \u003ccode\u003eleakwatch\u003c/code\u003e kullanıcısı olarak çalışır, çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır ve giriş noktası olarak \u003ccode\u003eleakwatch\u003c/code\u003e'ı ayarlar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGiriş noktası \u003ccode\u003eleakwatch\u003c/code\u003e olduğundan alt komutu ve bayrakları doğrudan imaj adının ardına eklersiniz — örneğin \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. İkili dosya adını tekrar yazmanıza gerek yoktur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerel-dizin-tarama\"\u003eYerel dizin tarama\u003c/h2\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAna makinedeki bir dosyaya sonuç yazmak için çıktı dosyasını bağlı birime yazın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch.sarif\u003c/code\u003e dosyası, konteyner çıktıktan sonra ana makinedeki geçerli dizinde görünür.\u003c/p\u003e\n\u003ch2 id=\"uzak-git-deposu-tarama\"\u003eUzak Git deposu tarama\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak Git depoları için birim bağlaması gerekli değildir — Leakwatch bunları konteyner içindeki geçici bir dizine klonlar.\u003c/p\u003e\n\u003ch2 id=\"konteyner-imaj-tarama\"\u003eKonteyner imajı tarama\u003c/h2\u003e\n\u003cp\u003eLeakwatch daemonsuz çalışır: imaj katmanlarını Docker daemon'ına ihtiyaç duymadan doğrudan kayıt defterinden çeker. Bu, Leakwatch konteynerinden, ana makine Docker soketini bağlamadan uzak bir imajı tarayabileceğiniz anlamına gelir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt defterleri için kimlik bilgilerini, kayıt defterinizin desteklediği standart ortam değişkenleri aracılığıyla geçirin (örneğin, bağlı bir kimlik bilgisi dosyasına işaret eden \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e).\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-geirme\"\u003eYapılandırma dosyası geçirme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasını \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın; Leakwatch onu otomatik olarak bulur:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e bağlanan dizinde olduğu sürece Leakwatch onu bulur çünkü \u003ccode\u003e/scan\u003c/code\u003e hem çalışma dizini hem de taramaya geçirilen yoldur. Yapılandırma dosyanız başka bir yerdeyse onu ayrıca bağlayın ve \u003ccode\u003e--config\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikenleri-geirme\"\u003eOrtam değişkenleri geçirme\u003c/h2\u003e\n\u003cp\u003eBulut taraması ve token tabanlı kimlik doğrulama için ortam değişkenleri \u003ccode\u003e-e\u003c/code\u003e ile enjekte edilebilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# AWS kimlik bilgileriyle S3 taraması\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCI ortamlarında, kimlik bilgilerini komut satırına gömmek yerine maskelenmiş CI değişkenleri olarak enjekte etmeyi tercih edin.\u003c/p\u003e\n\u003ch2 id=\"kt-dosyas-kalb\"\u003eÇıktı dosyası kalıbı\u003c/h2\u003e\n\u003cp\u003eCI'da yaygın bir Docker kalıbı, sonuçları bağlı birime yazmak ve ardından dosyayı bir pipeline artifact'i olarak yüklemek veya arşivlemektir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Docker kullanmak yerine yerel ikili dosyayı kurma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e bayrakları ve davranışı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eKonteyner İmajları\u003c/a\u003e — OCI/Docker imaj katmanlarını sır açısından tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI ve diğer pipeline'larda Docker imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm alt komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"GitHub iş akışlarında sır taraması yapmak için resmi Leakwatch GitHub Action'ını kullanın.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eDeponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. Resmi \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e), Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder — aracı kurar, taramayı çalıştırır, çıkış kodlarını işler ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler; bunların hepsini harici bir servis bağımlılığı olmadan yapar.\u003c/p\u003e\n\u003ch2 id=\"hzl-balang\"\u003eHızlı başlangıç\u003c/h2\u003e\n\u003cp\u003eSır bulunduğunda iş akışını engelleyen minimal yapılandırma:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Sır taraması (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (\u003ccode\u003escan-type: fs\u003c/code\u003e), SARIF çıktısı üretir, canlı doğrulamayı atlar (\u003ccode\u003eno-verify: true\u003c/code\u003e) ve herhangi bir bulgu raporlandığında işi başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"sarif-ykleme-ile-tam-rnek\"\u003eSARIF yükleme ile tam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki iş akışı, GitHub Code Scanning'e SARIF yüklemeyi etkinleştirir ve bulguları depo içinde güvenlik uyarıları olarak gösterir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Sır taraması\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # SARIF yüklemesi için gerekli\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Sırları tara\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF yüklemesi, işin \u003ccode\u003epermissions: security-events: write\u003c/code\u003e bildirmesini gerektirir. Bu olmadan yükleme adımı 403 hatasıyla başarısız olur. \u003ccode\u003eactions/checkout@v4\u003c/code\u003e için \u003ccode\u003econtents: read\u003c/code\u003e izni de gereklidir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"girdiler\"\u003eGirdiler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eGirdi\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇalıştırılacak tarama türü: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e veya \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranacak yol (\u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e için) veya imaj referansı (\u003ccode\u003eimage\u003c/code\u003e için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. \u003ccode\u003efalse\u003c/code\u003e olarak ayarlandığında adım başarısız olmak yerine \u003ccode\u003e::warning::\u003c/code\u003e ek açıklaması yayar. Ciddi hatalar (çıkış kodu 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKurulacak Leakwatch sürümü. Belirli bir sürümü sabitlemek için \u003ccode\u003ev1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ktlar\"\u003eÇıktılar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÇıktı\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu raporlanmadıysa \u003ccode\u003e0\u003c/code\u003e; bulgu raporlandıysa \u003ccode\u003e1\u003c/code\u003e. Leakwatch çıkış kodunu yansıtır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRunner üzerindeki SARIF çıktı dosyasının yolu (\u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda ayarlanır).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"cida-dorulama\"\u003eCI'da doğrulama\u003c/h2\u003e\n\u003cp\u003eVarsayılan olarak \u003ccode\u003eno-verify\u003c/code\u003e değeri \u003ccode\u003etrue\u003c/code\u003e'dur — CI'da canlı doğrulama \u003cstrong\u003ekapalıdır\u003c/strong\u003e. Bu, taramayı hızlı tutar ve CI runner'larından sağlayıcı API'lerine giden ağ çağrılarını önler; runner'lar güvenlik duvarı arkasında olabilir veya hız sınırlı kimlik bilgilerine sahip olabilir.\u003c/p\u003e\n\u003cp\u003eCI'da doğrulamayı etkinleştirmek için \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eCI'da doğrulamayı etkinleştirmek, Leakwatch'ın her aday bulgu için sağlayıcılara (AWS, GitHub, Stripe vb.) kimlik doğrulamalı API çağrıları yapmasına neden olur. Sağlayıcı hız limitlerinden haberdar olun ve runner'ın giden internet erişimine sahip olduğundan emin olun.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sarif-yklemesi-nasl-alr\"\u003eSARIF yüklemesi nasıl çalışır\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e ve \u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLeakwatch'a çıktıyı \u003ccode\u003eresults.sarif\u003c/code\u003e dosyasına yazmasını söyler.\u003c/li\u003e\n\u003cli\u003eTaramanın ardından \u003ccode\u003ecategory: leakwatch\u003c/code\u003e ile \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e'ü çağırır.\u003c/li\u003e\n\u003cli\u003eGitHub dosyayı işler ve bulguları deponun \u003cstrong\u003eSecurity\u003c/strong\u003e sekmesinde \u003cstrong\u003eCode Scanning uyarıları\u003c/strong\u003e olarak gösterir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eYükleme adımı \u003ccode\u003eif: always()\u003c/code\u003e ile çalışır; dolayısıyla \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e tarama adımını başarısız kılsa bile sonuçlar yüklenir.\u003c/p\u003e\n\u003ch2 id=\"action-ktlarn-kullanmak\"\u003eAction çıktılarını kullanmak\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Sırları tara\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # iş akışının devam etmesine izin ver\n\n- name: Sonucu yazdır\n run: echo \u0026quot;Raporlanan bulgular: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"belirli-bir-srm-sabitleme\"\u003eBelirli bir sürümü sabitleme\u003c/h2\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için \u003ccode\u003eversion\u003c/code\u003e değerini belirli bir etikete sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu, \u003ccode\u003ego install\u003c/code\u003e aracılığıyla tam olarak \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e'ı kurar.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısını anlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — Leakwatch'ın sağlayıcı API'lerini ne zaman ve nasıl çağırdığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Kancası\u003c/a\u003e — commit edilmeden önce sırları yakalama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI, Jenkins ve genel kabuk entegrasyonu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Diğer CI Sistemleri","description":"Leakwatch'ı GitLab CI, Jenkins, Bitbucket Pipelines ve diğer CI sistemlerine entegre edin.","html":"\u003ch1 id=\"dier-ci-sistemleri\"\u003eDiğer CI Sistemleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olduğundan, kabuk komutu çalıştırabilen herhangi bir CI ortamında çalışır: GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps ve diğerleri. Bu sayfada açıklananların ötesinde bu sistemler için yerleşik bir entegrasyon yoktur; kalıp her zaman aynıdır: ikili dosyayı kur, taramayı çalıştır, çıkış koduna göre hareket et.\u003c/p\u003e\n\u003ch2 id=\"cida-leakwatch-kurma\"\u003eCI'da Leakwatch kurma\u003c/h2\u003e\n\u003cp\u003eRunner ortamınıza en uygun yöntemi seçin:\u003c/p\u003e\n\u003ch3 id=\"go-install-araclyla-runnerda-go-gerektirir\"\u003e\u003ccode\u003ego install\u003c/code\u003e aracılığıyla (runner'da Go gerektirir)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için belirli bir sürüme sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"docker-imaj-araclyla-go-gerekmez\"\u003eDocker imajı aracılığıyla (Go gerekmez)\u003c/h3\u003e\n\u003cp\u003e\u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e'i iş imajı olarak kullanın veya \u003ccode\u003edocker run\u003c/code\u003e ile çalıştırın. Tam kalıp için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch3 id=\"hazr-bir-srm-ikili-dosyas-araclyla\"\u003eHazır bir sürüm ikili dosyası aracılığıyla\u003c/h3\u003e\n\u003cp\u003eUygun tar arşivini \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasından indirin, çıkarın ve \u003ccode\u003ePATH\u003c/code\u003e'e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için iyi tanımlanmış üç çıkış kodu kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen CI eylemi\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu yok\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını geç\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırlar bulundu\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCiddi hata (hatalı yapılandırma, okunamaz yol vb.)\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıkış koduna göre dallanma yapan genel bir kabuk parçacığı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;Sır bulunamadı.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Sırlar bulundu — derlemeyi başarısız kılıyorum.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Tarama hatası (çıkış $EXIT_CODE) — derlemeyi başarısız kılıyorum.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-rnei\"\u003eGitLab CI örneği\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e işi Leakwatch'ı kurar, dosya sistemi taraması çalıştırır ve JSON raporunu pipeline artifact'i olarak saklar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 gün\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (varsayılan) değeri, çıkış kodu \u003ccode\u003e1\u003c/code\u003e'in pipeline aşamasını başarısız kılması anlamına gelir. Taramanın merge işlemini engellemeden raporlamasını istiyorsanız \u003ccode\u003eallow_failure: true\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab, SAST raporu artifact'larını destekler. Leakwatch SARIF üretir (\u003ccode\u003e--format sarif\u003c/code\u003e) ancak GitLab'ın yerel SAST JSON şemasını değil; bu nedenle \u003ccode\u003ereports: sast:\u003c/code\u003e anahtarı yerine \u003ccode\u003epaths:\u003c/code\u003e artifact yaklaşımını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ci-runnerlar-iin-neriler\"\u003eCI runner'ları için öneriler\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eGiden internet erişimi olmayan runner'larda \u003ccode\u003e--no-verify\u003c/code\u003e kullanın.\u003c/strong\u003e Doğrulama, sağlayıcılara (AWS, GitHub, Stripe vb.) canlı API çağrıları yapar. Hava boşluklu veya güvenlik duvarıyla kısıtlanmış runner'larda bu çağrılar zaman aşımına uğrar ve taramayı yavaşlatır. Doğrulamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eÇıktıyı artifact olarak kaydedin.\u003c/strong\u003e İşi tamamlandıktan sonra saklanabilecek, bir güvenlik açığı yönetim platformuna yüklenebilecek veya incelenebilecek bir dosya yazmak için \u003ccode\u003e--format sarif\u003c/code\u003e ya da \u003ccode\u003e--format json\u003c/code\u003e ile birlikte \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e değerini en çok önem taşıyan sırlara odaklanmak için ayarlayın. Gürültülü bir kod tabanında \u003ccode\u003e--min-severity high\u003c/code\u003e ile başlayın ve birikmiş öğeleri temizledikten sonra eşiği düşürün.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-rnei\"\u003eAzure DevOps örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch sır taraması\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-sonuclari\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-rnei\"\u003eJenkins örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Sır taraması') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — tüm çıkış kodlarının tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e — ikili dosyayı kurmak yerine konteyner imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub iş akışları için resmi action.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Kancası","description":"Her commit'ten önce sır taraması yapmak için Leakwatch pre-commit kancasını kullanın.","html":"\u003ch1 id=\"pre-commit-kancas\"\u003ePre-commit Kancası\u003c/h1\u003e\n\u003cp\u003eBir sırrı yakalamak için en ucuz an, onu depoya girmeden önce durdurmaktır. Leakwatch, her \u003ccode\u003egit commit\u003c/code\u003e işleminde \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutunu otomatik olarak çalıştıran yerel bir \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e kancası sunar; böylece sızan bir API anahtarı veya parola, geçmişte yer almak yerine commit işlemini başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eŞunlara ihtiyacınız var:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit bir Python aracıdır).\u003c/li\u003e\n\u003cli\u003eGenel olarak kurulmuş \u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e (\u003ccode\u003epip install pre-commit\u003c/code\u003e veya \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePATH\u003c/code\u003e üzerinde Go 1.25+ — kanca dili \u003ccode\u003egolang\u003c/code\u003e olduğundan pre-commit, ilk çalıştırmada Leakwatch'ı kaynaktan derler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"yaplandrma\"\u003eYapılandırma\u003c/h2\u003e\n\u003cp\u003eDeponuzun köküne bir \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e dosyası ekleyin (veya mevcut olanı genişletin):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKancaları yerel Git deposuna kurun:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHepsi bu kadar. Bundan itibaren her \u003ccode\u003egit commit\u003c/code\u003e işlemi bir dosya sistemi taraması tetikler. Leakwatch herhangi bir sır bulursa commit engellenir ve bulgular terminale yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"elle-altrma\"\u003eElle çalıştırma\u003c/h2\u003e\n\u003cp\u003eTüm depoyu (yalnızca staged dosyaları değil) istediğiniz zaman taramak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDiğerlerini tetiklemeden yalnızca Leakwatch kancasını çalıştırmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ek-argmanlar-geirme\"\u003eEk argümanlar geçirme\u003c/h2\u003e\n\u003cp\u003eKancanın varsayılan davranışı, ek bayrak olmadan \u003ccode\u003eleakwatch scan fs\u003c/code\u003e'e karşılık gelir. \u003ccode\u003eargs:\u003c/code\u003e anahtarı aracılığıyla ek argümanlar geçirebilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu örnek, yalnızca Leakwatch'ın hâlâ etkin olduğunu doğruladığı yüksek önem dereceli sırları raporlar — yanlış pozitif gürültüsünden kaçınmak isteyen ancak kapsam kaybetmek istemeyen ekipler için uygun katı bir politika.\u003c/p\u003e\n\u003cp\u003eDiğer kullanışlı argümanlar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # daha hızlı commit'ler için canlı doğrulamayı atla\n - --min-severity\n - medium # düşük önem dereceli gürültüyü bastır\n - --format\n - table # terminalde insan tarafından okunabilir çıktı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eKanca tanımında \u003ccode\u003epass_filenames: false\u003c/code\u003e ayarlandığından kanca, yalnızca mevcut commit için staged dosyaları değil her zaman tam çalışma ağacını tarar. Bu, staged olmayan dosyalarda halihazırda bulunan sırların da tespit edileceğini garanti eder.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kancann-taradklar\"\u003eKancanın taradıkları\u003c/h2\u003e\n\u003cp\u003eKanca, depo çalışma dizinine karşı \u003ccode\u003eleakwatch scan fs\u003c/code\u003e çalıştırır. CLI ile aynı tespit hattını kullanır: Aho-Corasick ön filtreleme, regex doğrulama, entropi hesaplama ve (\u003ccode\u003e--no-verify\u003c/code\u003e ayarlanmadıkça) canlı doğrulama.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki yapılandırma otomatik olarak uygulanır — dışlama kalıpları, entropi eşikleri ve doğrulama ayarları, herhangi bir ek kanca yapılandırması olmadan geçerli olur.\u003c/p\u003e\n\u003ch2 id=\"kancay-geici-olarak-atlama\"\u003eKancayı geçici olarak atlama\u003c/h2\u003e\n\u003cp\u003eKancayı çalıştırmadan commit yapmak için (örneğin, maskelenmiş sır içeren bir test sabiti commit edilirken):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: test sabiti ekle\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eSKIP=leakwatch\u003c/code\u003e kullanmak, o commit için tüm sır taramasını devre dışı bırakır. Yalnızca içeriğin güvenli olduğunu teyit ettiğinizde kullanın; kalıcı bastırmalar için bunun yerine \u003ccode\u003e.leakwatchignore\u003c/code\u003e veya satır içi \u003ccode\u003eleakwatch:ignore\u003c/code\u003e yorumlarını tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kanca-srmn-sabitli-tutma\"\u003eKanca sürümünü sabitli tutma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003erev:\u003c/code\u003e değerini dal adı yerine belirli bir etikete sabitleyin. Bu, ekipteki tüm geliştiricilerin aynı dedektör setini kullandığını ve kancanın sprint ortasında sessizce yükseltilmediğini garantiler:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # sabitle; 'main' veya 'HEAD' kullanmayın\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGüncellemek için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003ccode\u003erev\u003c/code\u003e değerini en son etikete yükseltir ve siz onu commit etmeden önce değişikliği inceleme fırsatı tanır.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — kancanın çalıştırdığı temel tarama komutu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'da dışlamaları, entropiyi ve doğrulamayı kontrol etme.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub CI'da her push ve pull request'te tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Yapılandırma Dosyası","description":"Leakwatch'ı .leakwatch.yaml ile yapılandırma — tam şema, varsayılanlar, doğrulama kuralları, ortam değişkeni geçersiz kılmaları ve leakwatch init komutu.","html":"\u003ch1 id=\"yaplandrma-dosyas\"\u003eYapılandırma Dosyası\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın her tarama komutundaki davranışı, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e adlı tek bir YAML dosyasıyla yönetilir. Bu dosyayı anlamak; eşzamanlılık, doğrulama, çıktı biçimi ve yol filtrelemeyi bir kez ayarlamanızı ve her taramanın bu ayarları otomatik olarak almasını sağlar.\u003c/p\u003e\n\u003ch2 id=\"dosya-kefi\"\u003eDosya keşfi\u003c/h2\u003e\n\u003cp\u003eLeakwatch, yapılandırma dosyasını aşağıdaki sırayla çözer:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e bayrağı\u003c/strong\u003e — çalışma dizininden bağımsız olarak açık bir yol kullanır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGeçerli dizin\u003c/strong\u003e — komutun çalıştırıldığı dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAna dizin\u003c/strong\u003e — yedek olarak \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eHiçbir dosya bulunamazsa, her ayar için yerleşik varsayılanlar kullanılır.\u003c/p\u003e\n\u003ch2 id=\"balang-dosyas-oluturma\"\u003eBaşlangıç dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e komutu, önerilen varsayılanlarla düzenlemeye hazır bir dosya yazar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak dosya, geçerli dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e konumuna yazılır. Farklı bir yol seçmek için \u003ccode\u003e--output\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHedef dosya zaten mevcutsa, \u003ccode\u003eleakwatch init\u003c/code\u003e üzerine yazmayı reddeder ve hata vererek çıkar. Üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikeni-geersiz-klmalar\"\u003eOrtam değişkeni geçersiz kılmaları\u003c/h2\u003e\n\u003cp\u003eHer yapılandırma anahtarı bir ortam değişkeniyle geçersiz kılınabilir. İsimlendirme kuralı şudur:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eÖnek: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştirin\u003c/li\u003e\n\u003cli\u003eBüyük harfe çevirin\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eÖrnekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003cth\u003eOrtam değişkeni\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-sras\"\u003eÖncelik sırası\u003c/h2\u003e\n\u003cp\u003eAynı ayar birden fazla yerde belirtildiğinde, en yüksek öncelikli kaynak kazanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eKomut satırı bayrağı (en yüksek)\u003c/li\u003e\n\u003cli\u003eOrtam değişkeni\u003c/li\u003e\n\u003cli\u003eYapılandırma dosyası değeri\u003c/li\u003e\n\u003cli\u003eYerleşik varsayılan (en düşük)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"tam-ema\"\u003eTam şema\u003c/h2\u003e\n\u003cp\u003eAşağıdaki açıklamalı şema, desteklenen her anahtarı, varsayılan değerini ve geçerli aralığını göstermektedir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Tarama motoru ─────────────────────────────────────────────────────────────\n\nscan:\n # Eşzamanlı dosya işleme worker sayısı.\n # Varsayılan olarak ana makinedeki mantıksal CPU çekirdeği sayısı kullanılır.\n # \u0026gt;= 1 olmalıdır.\n concurrency: 8\n\n # Taranacak maksimum dosya boyutu (bayt cinsinden). Bu sınırı aşan dosyalar\n # tamamen atlanır. Varsayılan: 10 MB (10485760). \u0026gt;= 1 olmalıdır.\n max-file-size: 10485760\n\n# ── Tespit ────────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Her aday eşleşme için Shannon entropi hesaplamasını etkinleştirir.\n enabled: true\n\n # Gösterim ve özel kural kapısı için kullanılan entropi eşiği.\n # Aralık: 0–8. Varsayılan: 4.0.\n # Yerleşik bulgular hakkındaki nota bakın.\n threshold: 4.0\n\n# ── Doğrulama ─────────────────────────────────────────────────────────────────\n\nverification:\n # Sağlayıcı API'lerine karşı canlı doğrulamayı etkinleştirir.\n enabled: true\n\n # İstek başına HTTP zaman aşımı. Doğrulama etkinleştirildiğinde \u0026gt;= 1ms olmalıdır.\n # Süre dizesi kullanın (örn. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — tam sayı nanosaniye olarak\n # yorumlanır ve doğrulama başarısız olur.\n timeout: 10s\n\n # Eşzamanlı doğrulama worker sayısı. \u0026gt;= 1 olmalıdır.\n concurrency: 4\n\n # Saniyedeki maksimum doğrulama isteği (token-bucket hız sınırlayıcı).\n # \u0026gt; 0 olmalıdır.\n rate-limit: 10.0\n\n# ── Filtreleme ────────────────────────────────────────────────────────────────\n\nfilter:\n # Taramadan hariç tutulacak yollar için glob desenleri.\n # Desteklenen glob stilleri: filepath.Match desenleri, sıfır veya daha fazla\n # yol segmentini kapsayan ** çift yıldız ve herhangi bir derinlikte adlandırılmış\n # dizini eşleştiren sondaki eğik çizgili dir/ desenleri. Her desen hem tam yol\n # hem de temel dosya adına karşı test edilir.\n # Tüm tarama kaynaklarına uygulanır. (`scan fs` komutunda --exclude bayrağı da bunu ayarlar.)\n # Varsayılan: [] (yerleşik ikili/kilit dosya atlamalarının ötesinde hariç tutma yok).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Tamamen devre dışı bırakılacak dedektör ID'leri. Listelenen dedektörlerden\n # gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez.\n # Varsayılan: [].\n exclude-detectors: []\n\n# ── Çıktı ─────────────────────────────────────────────────────────────────────\n\noutput:\n # Çıktı biçimi. Şunlardan biri: json, sarif, csv, table. Varsayılan: json.\n # --format / -f bayrağı bunu çalışma zamanında geçersiz kılar.\n format: json\n\n # Çıktıyı stdout yerine bu dosya yoluna yaz. Varsayılan: \u0026quot;\u0026quot; (stdout).\n # --output / -o bayrağı bunu çalışma zamanında geçersiz kılar.\n file: \u0026quot;\u0026quot;\n\n # Bu önem seviyesinin altındaki bulguları bırak.\n # Şunlardan biri: low, medium, high, critical. Varsayılan: \u0026quot;\u0026quot; (tümünü göster).\n # --min-severity bayrağı bunu çalışma zamanında geçersiz kılar.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Çıktıda maskelenmemiş sır değerini dahil et.\n # Varsayılan: false. --show-raw bayrağı bunu çalışma zamanında geçersiz kılar.\n show-raw: false\n\n# ── Özel kurallar ─────────────────────────────────────────────────────────────\n\n# Kendi dedektörlerinizi YAML kuralları olarak tanımlayın. Tam kural şeması\n# için özel kurallar sayfasına bakın.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e, bir bulgunun yanında gösterilen entropi değerini kontrol eder ve özel kurallar için bir kapı görevi görür (entropisi eşiğin altına düşen özel kural eşleşmeleri bastırılır). Yerleşik dedektörlerin bulgularını \u003cstrong\u003ebastırmaz\u003c/strong\u003e — yerleşik dedektörlerin kendi eşleşme kriterleri vardır ve bu ayar tarafından hiçbir zaman bırakılmazlar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, taramaya başlamadan önce yüklenen yapılandırmayı doğrular ve aşağıdaki durumların herhangi birinde hata vererek çıkar:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKoşul\u003c/th\u003e\n\u003cth\u003eHata\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz eşzamanlılık değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz max-file-size değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e içinde değil\u003c/td\u003e\n\u003ctd\u003eDesteklenmeyen çıktı biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e 0–8 dışında\u003c/td\u003e\n\u003ctd\u003eGeçersiz entropi eşiği\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e geçerli bir seviye değil (boş değilse)\u003c/td\u003e\n\u003ctd\u003eGeçersiz severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama zaman aşımı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama eşzamanlılığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Bulguları Yok Sayma","description":".leakwatchignore dosyaları, satır içi yok sayma işaretçileri ve yerleşik ikili dosya ve kilit dosyası atlamaları ile yanlış pozitifleri bastırın.","html":"\u003ch1 id=\"bulgular-yok-sayma\"\u003eBulguları Yok Sayma\u003c/h1\u003e\n\u003cp\u003eHiçbir tarayıcının yanlış pozitif oranı sıfır değildir. Leakwatch, gürültüyü bastırmak için size üç katmanlı mekanizma sunar: yol tabanlı dışlamalar için bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası, satır düzeyinde bastırma için satır içi işaretçiler ve ikili dosyalar ile yaygın kilit dosyaları için her zaman etkin olan yerleşik atlamalar.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-dosyas\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası\u003c/h2\u003e\n\u003cp\u003eTarama sonuçlarından yolları hariç tutmak için depo kökünüze (veya geçerli dizine) bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası oluşturun. Gitignore stilinde söz dizimi kullanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e#\u003c/code\u003e ile başlayan satırlar yorum satırlarıdır.\u003c/li\u003e\n\u003cli\u003eBoş satırlar atlanır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!\u003c/code\u003e öneki bir deseni \u003cstrong\u003egeçersiz kılar\u003c/strong\u003e; önceki bir desen tarafından dışlanmış olacak bir yolu yeniden dahil eder.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSon eşleşen desen kazanır\u003c/strong\u003e — sıra önemlidir.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"ykleme-sras\"\u003eYükleme sırası\u003c/h3\u003e\n\u003cp\u003eLeakwatch, \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyasını önce tarama kökünden, ardından geçerli çalışma dizininden yükler. Her ikisi de aynı yol için desen içeriyorsa, geçerli dizin dosyasının desenleri öncelik kazanır çünkü son değerlendirilenler bunlardır.\u003c/p\u003e\n\u003ch3 id=\"glob-sz-dizimi\"\u003eGlob söz dizimi\u003c/h3\u003e\n\u003cp\u003eÜç desen stili desteklenir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStil\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003cth\u003eÖrnek\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandart glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e stili, hem tam yola hem de temel dosya adına karşı eşleştirilen\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇift yıldız \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSıfır veya daha fazla yol segmentini kapsar\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSondaki eğik çizgi \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAdlandırılmış dizinin herhangi bir derinliğindeki her dosyayla eşleşir\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"leakwatchignore-rnei\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e örneği\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Tüm test fixture dosyalarını yok say\ntest/fixtures/**\n\n# Dokümantasyondaki bilinen yer tutucu anahtarları yok say\ndocs/examples/\n\n# Ağaçtaki herhangi bir yerdeki belirli uzantılı dosyaları yok say\n*.pem.example\n\n# Yukarıdaki kural tarafından dışlanan belirli bir dosyayı yeniden dahil et\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtrelemesi, her bulgunun dosya yoluna göre tarama tamamlandıktan \u003cstrong\u003esonra\u003c/strong\u003e uygulanır. Dosyaların okunmasını engellemez — ürettikleri bulguları bastırır. Dosyaları okunmadan önce atlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e veya \u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"satr-ii-yok-sayma-iaretileri\"\u003eSatır içi yok sayma işaretçileri\u003c/h2\u003e\n\u003cp\u003eSöz konusu satırdaki dedektörleri bastırmak için herhangi bir kaynak satırına doğrudan bir işaretçi koyun. İşaretçi satırın herhangi bir yerine yerleştirilebilir — genellikle bir yorum içinde — ve motor tarafından doğrulamadan \u003cstrong\u003eönce\u003c/strong\u003e uygulanır; böylece yok sayılan bir satır hiçbir zaman ağ çağrısını tetiklemez.\u003c/p\u003e\n\u003ch3 id=\"bir-satrdaki-tm-dedektrleri-bastr\"\u003eBir satırdaki tüm dedektörleri bastır\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Ödeme işleme yapılandırması\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"bir-satrdaki-belirli-bir-dedektr-bastr\"\u003eBir satırdaki belirli bir dedektörü bastır\u003c/h3\u003e\n\u003cp\u003eYalnızca bir dedektörü bastırırken diğerlerini etkin bırakmak için \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// Bu token dokümantasyon için kasıtlı olarak bir yer tutucudur\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Platform tarafından ayarlanan CI ortam değişkeni — gerçek bir sır değil\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eMümkün olduğunda genel form yerine dedektöre özgü formu (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) tercih edin. Hangi dedektörü bastırdığınızı belgeler ve diğer tüm dedektörleri o satırda etkin bırakır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerleik-atlamalar-her-zaman-uygulanr\"\u003eYerleşik atlamalar (her zaman uygulanır)\u003c/h2\u003e\n\u003cp\u003eLeakwatch, herhangi bir dedektörü çalıştırmadan önce aşağıdakileri koşulsuz olarak atlar:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili dosya uzantıları\u003c/strong\u003e — \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e ve diğerleri gibi uzantılara sahip dosyalar hiçbir zaman taranmaz.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili içerik tespiti\u003c/strong\u003e — ilk 8 KB'ı null bayt içeren herhangi bir dosya, uzantısından bağımsız olarak ikili olarak kabul edilir ve atlanır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eYaygın kilit dosyaları\u003c/strong\u003e — aşağıdaki dosya adları, yüksek oranda yanlış pozitif üreten hash ve sağlama toplamları içerdikleri için her zaman atlanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDosya\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eBu yerleşik atlamalar devre dışı bırakılamaz. \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ayarından ayrıdır ve yapılandırma tabanlı filtrelemeden önce çalışır.\u003c/p\u003e\n\u003ch2 id=\"tarama-ncesi-yol-tabanl-dlama\"\u003eTarama öncesi yol tabanlı dışlama\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru tarafından okunmadan önce dışlamak için yapılandırma dosyanızda \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu ayar \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır (dosya sistemi, Git geçmişi, konteyner imajları, bulut depolama, Slack). \u003ccode\u003escan fs\u003c/code\u003e komutunda ayrıca komut satırında \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e parametresi de geçirebilirsiniz; bu, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile eşdeğer bir bayraktır.\u003c/p\u003e\n\u003cp\u003eTam yapılandırma şeması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e, dedektör düzeyinde ve önem derecesi düzeyinde filtreleme için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Önem Derecesi \u0026 Filtreleme","description":"Önem eşikleri, yalnızca doğrulanmış mod, dedektör dışlamaları ve yol dışlamaları kullanarak hangi bulguların çıktınıza ulaşacağını kontrol edin.","html":"\u003ch1 id=\"nem-derecesi--filtreleme\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/h1\u003e\n\u003cp\u003eYoğun bir kod tabanı çok sayıda bulgu üretebilir. Leakwatch, en önemli sinyallere odaklanmak için birleştirebileceğiniz birkaç bağımsız filtre sunar: önem eşikleri düşük öncelikli gürültüyü eler, yalnızca doğrulanmış mod yalnızca onaylanmış canlı sırları ortaya çıkarır, dedektör dışlamaları bilinen yanlış pozitif kaynakları susturur ve yol dışlamaları tüm dizin ağaçlarını kapsamın dışında bırakır.\u003c/p\u003e\n\u003ch2 id=\"nem-seviyeleri\"\u003eÖnem seviyeleri\u003c/h2\u003e\n\u003cp\u003eHer yerleşik dedektör, varsayılan bir önem derecesiyle birlikte gelir. En düşükten en yüksek önceliğe doğru dört seviye şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeviye\u003c/th\u003e\n\u003cth\u003eTipik kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDaha yüksek yanlış pozitif oranına sahip genel desenler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanınabilir kimlik bilgisi biçimleri, doğrulanmamış\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaruziyetin büyük olasılıkla önemli olduğu iyi yapılandırılmış sırlar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOnaylanmış canlı sırlar veya neredeyse sıfır yanlış pozitif oranlı biçimler\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer dedektöre atanan önem derecesi \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-eiin-altndaki-bulgular-brak\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: eşiğin altındaki bulguları bırak\u003c/h2\u003e\n\u003cp\u003eBelirtilen seviyenin altındaki önem derecesine sahip bulguları atmak için \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e parametresini kullanın. Yalnızca eşik değerinde veya üzerindeki bulgular çıktıya ulaşır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Yalnızca high ve critical bulguları göster\nleakwatch scan fs . --min-severity high\n\n# medium, high ve critical bulguları göster\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e altında yapılandırma dosyasında kalıcı bir varsayılan ayarlayabilirsiniz. \u003ccode\u003e--min-severity\u003c/code\u003e bayrağı, çalışma zamanında yapılandırma değerini geçersiz kılar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-yalnzca-onaylanm-aktif-srlar\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: yalnızca onaylanmış aktif sırlar\u003c/h2\u003e\n\u003cp\u003eYalnızca doğrulama durumu \u003ccode\u003everified_active\u003c/code\u003e olan bulguları, yani Leakwatch'ın sağlayıcı API'sine kontrollü bir salt-okunur çağrı yaparak hâlâ geçerli olduğunu doğruladığı sırları tutmak için \u003ccode\u003e--only-verified\u003c/code\u003e parametresini kullanın. Diğer tüm bulgular (doğrulanmamış, doğrulanmış-etkin değil veya doğrulama hatası) bırakılır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu bayrak, derlemeyi yalnızca onaylanmış olaylar üzerinde, yer tutucu veya zaten döndürülmüş kimlik bilgileri olabilecek şüpheli desenler üzerinde değil, başarısız kılmak istediğiniz CI hatlarında en kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eHangi dedektörlerin canlı doğrulamayı desteklediği için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-belirli-dedektrleri-devre-d-brak\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: belirli dedektörleri devre dışı bırak\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü kalıcı olarak devre dışı bırakmak için ID'lerini yapılandırma dosyasındaki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e altında listeleyin. Listelenen dedektörlerden gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDedektör ID'leri \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir. Bir dedektör sürekli olarak kod tabanınız için yanlış pozitifler ürettiğinde ve diğer bastırma mekanizmaları (satır içi yok saymalar veya \u003ccode\u003e.leakwatchignore\u003c/code\u003e) yeterince ayrıntılı olmadığında bu ayarı kullanın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-tarama-ncesi-yollar-atla\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: tarama öncesi yolları atla\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru okumadan önce dışlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın. Desenler, \u003ccode\u003e.leakwatchignore\u003c/code\u003e ile aynı glob söz dizimini kullanır (standart globlar, \u003ccode\u003e**\u003c/code\u003e çift yıldız ve sondaki eğik çizgili dizin desenleri) ve \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e bayrağı, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile komut satırı eşdeğeridir. \u003ccode\u003e--exclude\u003c/code\u003e bayrağı \u003cstrong\u003eyalnızca\u003c/strong\u003e \u003ccode\u003escan fs\u003c/code\u003e komutunda mevcuttur — diğer tüm kaynaklar için yapılandırma dosyası ayarını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-filtreleri-birletirme\"\u003eCI'da filtreleri birleştirme\u003c/h2\u003e\n\u003cp\u003eBir CI hattında genellikle yalnızca gerçek olaylarda başarısız olan, düşük gürültülü ve yüksek sinyalli bir çalışma istersiniz. Önerilen bir kombinasyon:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYapılandırma dosyasının kalıcı yol dışlamalarını yönetmesiyle:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eArdından CI için yalnızca biçimi ve hedefi komut satırında geçersiz kılın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama ayrıntıları için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e, satır içi ve dosya tabanlı bastırma için \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e ve tam şema için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Özel Kurallar","description":"YAML ile kendi sır tespit kalıplarınızı nasıl tanımlayacağınız ve 63 yerleşik dedektörün yanında bir Leakwatch taramasına nasıl ekleyeceğiniz.","html":"\u003ch1 id=\"zel-kurallar\"\u003eÖzel Kurallar\u003c/h1\u003e\n\u003cp\u003e63 yerleşik dedektör yaygın kullanılan kimlik bilgisi formatlarını kapsar; ancak her kuruluşun dahili token'ları, özel servis anahtarları veya hiçbir genel aracın önceden tahmin edemeyeceği ortama özgü kalıpları vardır. Özel kurallar, kaynak kodu değiştirmeden veya ikili dosyayı yeniden derlemeden kendi kalıplarınızı düz YAML ile tanımlamanıza ve çalışma zamanında yüklemenize olanak tanıyarak Leakwatch'ı genişletmenizi sağlar.\u003c/p\u003e\n\u003ch2 id=\"zel-kurallar-nerede-tanmlanr\"\u003eÖzel kurallar nerede tanımlanır\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyanızda en üst düzey bir \u003ccode\u003ecustom-rules:\u003c/code\u003e listesi altında tanımlanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKurallar, Leakwatch başladığında çalışma zamanında kaydedilir. Aynı Aho-Corasick ön-filtre hattını kullanarak yerleşik dedektörlerle birlikte çalışırlar.\u003c/p\u003e\n\u003ch2 id=\"kural-alanlar\"\u003eKural alanları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eZorunlu\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eBenzersiz dedektör ID'si. Çıktıda ve \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e içinde kullanılır. Yerleşik dedektör ID'si veya başka bir özel kural ID'si ile çakışmamalıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eÇıktıda gösterilen insan tarafından okunabilir açıklama.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2 uyumlu düzenli ifade. Maksimum 4096 karakter.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring listesi\u003c/td\u003e\n\u003ctd\u003eAho-Corasick ön-filtre anahtar kelimeleri. Regex yalnızca bu dizelerden en az birini içeren parçalar üzerinde çalışır. Bu alanın atlanması regex'in her parça üzerinde çalışmasına neden olur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e veya \u003ccode\u003elow\u003c/code\u003e. Varsayılan \u003ccode\u003emedium\u003c/code\u003e'dur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropi eşiği (0–8). Entropisi bu değerin \u003cstrong\u003ealtında\u003c/strong\u003e olan eşleşmeler atılır. Düşük rastgelelikli yanlış pozitifleri filtrelemek için kullanışlıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eHer zaman \u003ccode\u003ekeywords\u003c/code\u003e belirtin. Tek kısa bir anahtar kelime bile (token ön eki gibi) regex motorunun işlediği parça sayısını önemli ölçüde azaltır ve büyük depolarda taramaların hızlı kalmasını sağlar. Örneğin tüm dahili token'larınız \u003ccode\u003eacme_\u003c/code\u003e ile başlıyorsa \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e ayarlayın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eentropy\u003c/code\u003e kullanarak \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e gibi kalıbı karşılayan ancak açıkça gerçek sır olmayan yer tutucu değerlerdeki eşleşmeleri bastırın. 3,0–3,5 civarı bir eşik iyi bir başlangıç noktasıdır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"akma-ynetimi\"\u003eÇakışma yönetimi\u003c/h2\u003e\n\u003cp\u003eBir özel kuralın \u003ccode\u003eid\u003c/code\u003e'si zaten kayıtlı bir dedektörle eşleşirse — yerleşik dedektör veya daha önce yüklenen özel kural olsun fark etmez — yinelenen kural \u003cstrong\u003eatlanır\u003c/strong\u003e ve bir hata loglanır. Leakwatch çökmez; geri kalan kurallar normal şekilde yüklenir. Bir özel kuralın etkisiz göründüğü durumlarda log çıktısını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eÖzel kuralların eşleştirilmiş doğrulayıcısı yoktur. Özel kurallardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e durumuyla raporlanır — hiçbir zaman \u003ccode\u003everified_active\u003c/code\u003e veya \u003ccode\u003everified_inactive\u003c/code\u003e olmaz.\u003c/p\u003e\n\u003ch2 id=\"tam-rnek\"\u003eTam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, iki özel kural tanımlar: biri dahili servis token'ı, diğeri webhook'larda kullanılan imzalama sırrı için.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook imzalama sırrı (format: whsec_ + 40 base64url karakter)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu yapılandırmayla bir tarama çalıştırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kural bulgusu için örnek JSON çıktısı (sır değeri maskelenmiştir):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eraw_redacted\u003c/code\u003e alanı gerçek sırrı her zaman maskeler. Ham değer, açıkça \u003ccode\u003e--show-raw\u003c/code\u003e geçilmedikçe çıktıya asla yazılmaz (kontrollü ortamlar dışında önerilmez).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kural-hari-tutma\"\u003eÖzel kuralı hariç tutma\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, yerleşik dedektörlerle aynı filtrelemeye katılır. Bir özel kuralı yapılandırmadan kaldırmadan devre dışı bırakmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003ecustom-rules:\u003c/code\u003e öğesinin belge yapısındaki yeri dahil \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e için tam referans.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — özel kuralınızı adlandırmadan önce ID çakışmalarını kontrol etmek için 63 yerleşik dedektör.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — \u003ccode\u003ekeywords\u003c/code\u003e öğesinin bağlandığı Aho-Corasick ön-filtre hattı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Dedektör Kataloğu","description":"Kategorilere göre gruplanmış tüm 63 yerleşik dedektör; ID'leri, ne tespit ettikleri ve varsayılan şiddet seviyeleri ile.","html":"\u003ch1 id=\"dedektr-katalou\"\u003eDedektör Kataloğu\u003c/h1\u003e\n\u003cp\u003eLeakwatch, bulut sağlayıcısı erişim anahtarlarından ve yapay zekâ API token'larından veritabanı bağlantı dizelerine ve özel kriptografik anahtarlara kadar geniş bir kimlik bilgisi türü yelpazesini kapsayan \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile gelir. Her dedektörün kararlı bir ID'si, varsayılan bir şiddet seviyesi ve (çoğu için) bulunan sırrın hâlâ canlı olup olmadığını teyit edebilen eşleştirilmiş bir doğrulayıcısı vardır.\u003c/p\u003e\n\u003cp\u003eBu sayfa her yerleşik dedektörü listeler. Doğrulama kapsamı ayrıntıları için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın. Kendi kalıplarınızı eklemek için \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"bu-katalogu-nasl-okuyacaksnz\"\u003eBu katalogu nasıl okuyacaksınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — yapılandırma ve çıktıda kullanılan kararlı dize tanımlayıcısı. Bir dedektörü atlamak için \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin veya \u003ccode\u003e--min-severity\u003c/code\u003e filtrelemesiyle birlikte kullanın (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTespit eder\u003c/strong\u003e — dedektörün ne aradığı.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eŞiddet\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e (Kritik), \u003ccode\u003eHigh\u003c/code\u003e (Yüksek) veya \u003ccode\u003eMedium\u003c/code\u003e (Orta). Bu varsayılandır; \u003ccode\u003e--min-severity\u003c/code\u003e bayrağını ve \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e yapılandırma anahtarını besler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"bulut-ve-altyap\"\u003eBulut ve Altyapı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Servis Hesabı Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID İstemci Sırrı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Servis Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yapay-zek--makine-renimi\"\u003eYapay Zekâ / Makine Öğrenimi\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"demeler-ve-ticaret\"\u003eÖdemeler ve Ticaret\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Canlı API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"gelitirme-aralar-ci-ve-paketler\"\u003eGeliştirme Araçları, CI ve Paketler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket Uygulama Parolası\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Kişisel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"letiim-ve-birlii\"\u003eİletişim ve İşbirliği\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/Kullanıcı Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Gelen Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Dahili Entegrasyon Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"e-posta-ve-mesajlama-teslimat\"\u003eE-posta ve Mesajlaşma Teslimatı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Sunucu API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"zleme-ve-gzlemlenebilirlik\"\u003eİzleme ve Gözlemlenebilirlik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Kimlik Doğrulama Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"veritabanlar-ve-balant-dizeleri\"\u003eVeritabanları ve Bağlantı Dizeleri\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVeritabanı Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Bağlantı Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Servis Rolü Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-ve-eriim\"\u003eKimlik ve Erişim\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Yönetim API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bağlama Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"genel-ve-kriptografik\"\u003eGenel ve Kriptografik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGenel API Anahtarı\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÖzel Anahtar (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eToplam: 63 yerleşik dedektör.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"iddete-gre-filtreleme\"\u003eŞiddete göre filtreleme\u003c/h2\u003e\n\u003cp\u003eBulgular, komut satırında \u003ccode\u003e--min-severity\u003c/code\u003e veya yapılandırmada \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e kullanılarak şiddet seviyesine göre filtrelenebilir. Yalnızca belirtilen seviyede veya üzerindeki bulgular çıktıya dahil edilir. Ayrıntılar için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"belirli-dedektrleri-hari-tutma\"\u003eBelirli dedektörleri hariç tutma\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü tamamen atlamak için ID'lerini \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam filtreleme referansı için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kapsam\"\u003eDoğrulama kapsamı\u003c/h2\u003e\n\u003cp\u003eBazı dedektörlerin canlı doğrulayıcısı vardır; bazıları yalnızca format doğrulamasına tabi tutulur; dokuzu ise hiç doğrulayıcıya sahip değildir. Tam döküm için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e — YAML ile kendi tespit kalıplarınızı tanımlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektörlerin canlı doğrulanabileceği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e — bulguları şiddet seviyesine veya dedektöre göre filtreleme.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"Nasıl Çalışır","description":"Leakwatch tarama hattının mimarisi: kaynaklar, tespit, doğrulama ve çıktı.","html":"\u003ch1 id=\"nasl-alr\"\u003eNasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eLeakwatch hattını anlamak, performansı ayarlamanıza, sonuçları yorumlamanıza ve hangi bayrakları kullanacağınıza karar vermenize yardımcı olur. Bu sayfa, bir tarama komutunu çalıştırdığınız andan bir bulgunun çıktınızda göründüğü ana kadar neler olduğunu açıklar.\u003c/p\u003e\n\u003ch2 id=\"hatta-genel-bak\"\u003eHatta genel bakış\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Kaynak\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[İşçi Havuzu\\n—concurrency işçi]\n B --\u0026gt; C[Aho-Corasick\\nÖn-Filtre]\n C --\u0026gt; D[Regex\\nDedektörler]\n D --\u0026gt; E[Satır İçi İgnore\\nKontrolü]\n E --\u0026gt; F[Doğrulama\\nHavuzu\\n4 işçi / 10 rps]\n F --\u0026gt; G[Tarama Sonrası\\nFiltreler]\n G --\u0026gt; H([Çıktı\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer aşama aşağıda ayrıntılı olarak açıklanmaktadır.\u003c/p\u003e\n\u003ch2 id=\"1-kaynak\"\u003e1. Kaynak\u003c/h2\u003e\n\u003cp\u003eHer tarama, motorun işlemesi için veri parçaları yayan bir soyutlama olan \u003cstrong\u003eKaynak\u003c/strong\u003e ile başlar. Leakwatch altı kaynak ile birlikte gelir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNe yayar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosya içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir OCI/Docker imajının katman içerikleri, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanal ve DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar. Slack'e yüklenen dosyaların içerikleri taranmaz.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eParçalar, işçi havuzu tarafından tüketilen tamponlu bir kanala akar.\u003c/p\u003e\n\u003ch2 id=\"2-i-havuzu\"\u003e2. İşçi havuzu\u003c/h2\u003e\n\u003cp\u003eMotor, sabit sayıda \u003cstrong\u003egoroutine\u003c/strong\u003e içeren bir havuz yönetir — her biri \u003ccode\u003e--concurrency\u003c/code\u003e değerine karşılık gelir (varsayılan: CPU sayısı). Her işçi kanaldan bir parça alır ve tespit hattını bağımsız olarak çalıştırır. İşçiler değişebilir durum paylaşmadığından havuz, I/O ve bellek sınırlarına kadar eşzamanlılıkla doğrusal ölçeklenir.\u003c/p\u003e\n\u003cp\u003eTaramalar \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e'e yanıt verir: iptal sinyali geldiğinde bağlam iptal edilir, işçiler mevcut parçalarını tamamlayıp durur ve kısmi sonuçlar çıktı yazılmadan önce toplanır.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-anahtar-kelime-n-filtresi\"\u003e3. Aho-Corasick anahtar kelime ön-filtresi\u003c/h2\u003e\n\u003cp\u003eHer parça üzerinde 63 regex desenini çalıştırmak yavaş olur. Bunun yerine motor, başlangıçta her dedektörün bildirdiği anahtar kelime listelerinden tek bir \u003cstrong\u003eAho-Corasick çok-desenli otomat\u003c/strong\u003e oluşturur. Her parça için bu otomat tek bir doğrusal geçiş yapar ve yalnızca anahtar kelimeleri parçanın baytlarında görünen dedektörleri döndürür.\u003c/p\u003e\n\u003cp\u003eBu, çoğu dedektörün çoğu parça üzerinde regex'ini hiç çalıştırmadığı anlamına gelir. Anahtar kelime bildirmeyen dedektörler her zaman çalışır (ön filtreyi atlayarak doğrudan regex'e geçerler).\u003c/p\u003e\n\u003cp\u003eAho-Corasick uygulaması \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e kütüphanesinden gelmektedir.\u003c/p\u003e\n\u003ch2 id=\"4-regex-dedektrler\"\u003e4. Regex dedektörler\u003c/h2\u003e\n\u003cp\u003eKısa listeye alınan her dedektör, derlenmiş \u003cstrong\u003edüzenli ifadesini\u003c/strong\u003e parça baytları üzerinde çalıştırır. Bir desen eşleştiğinde dedektör şunları içeren bir \u003ccode\u003eRawFinding\u003c/code\u003e döndürür:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları (yalnızca doğrulama için bellekte tutulur; asla loglanmaz veya diske yazılmaz).\u003c/li\u003e\n\u003cli\u003eÇıktı için güvenli olan \u003cstrong\u003emaskelenmiş\u003c/strong\u003e bir gösterim.\u003c/li\u003e\n\u003cli\u003eİsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch, 60 paket genelinde \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. \u003ca href=\"#/configuration/custom-rules\"\u003eÖzel YAML kuralları\u003c/a\u003e aracılığıyla kendi desenlerinizi ekleyebilirsiniz.\u003c/p\u003e\n\u003cp\u003eTüm dedektörler, Go'nun \u003ccode\u003einit()\u003c/code\u003e işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur.\u003c/p\u003e\n\u003ch2 id=\"5-satr-ii-ignore-kontrol\"\u003e5. Satır içi ignore kontrolü\u003c/h2\u003e\n\u003cp\u003eBir bulgu doğrulamaya gönderilmeden önce motor, kaynak satırın bir \u003cstrong\u003esatır içi ignore işareti\u003c/strong\u003e içerip içermediğini kontrol eder:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eveya dedektöre özgü bir varyant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİşaret mevcutsa bulgu, \u003cstrong\u003eherhangi bir ağ çağrısı yapılmadan önce\u003c/strong\u003e sessizce bırakılır. Bu kasıtlıdır: yoksayılan sırlar asla canlı bir API isteğini tetiklememeli.\u003c/p\u003e\n\u003ch2 id=\"6-dorulama\"\u003e6. Doğrulama\u003c/h2\u003e\n\u003cp\u003eTüm parçalar için tespit tamamlandıktan sonra motor, bulguları ayrı bir \u003cstrong\u003edoğrulama işçi havuzuna\u003c/strong\u003e geçirir (varsayılan 4 işçi). Doğrulama:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTüm işçiler arasında paylaşılan global bir \u003cstrong\u003ehız sınırlayıcı\u003c/strong\u003e (varsayılan saniyede 10 istek) ile korunur.\u003c/li\u003e\n\u003cli\u003eHer API çağrısına \u003cstrong\u003eistek başına zaman aşımı\u003c/strong\u003e (varsayılan 10 saniye) uygular.\u003c/li\u003e\n\u003cli\u003eSağlayıcıya yalnızca \u003cstrong\u003esalt-okunur, yıkıcı olmayan\u003c/strong\u003e çağrılar yapar (örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHer bulguyu dört durumdan biriyle işaretler: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch \u003cstrong\u003e54 doğrulayıcı\u003c/strong\u003e ile birlikte gelir; 63 yerleşik dedektör türünün %85,7'sini kapsar. Kalan 9 tür (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman \u003ccode\u003eunverified\u003c/code\u003e olarak raporlanır.\u003c/p\u003e\n\u003cp\u003eBu aşamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin — hızlı, çevrimdışı taramalar için kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eDoğrulama davranışı ve durum anlamları hakkında derinlemesine bilgi için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"7-bulgu-kimlii-ve-entropi\"\u003e7. Bulgu kimliği ve entropi\u003c/h2\u003e\n\u003cp\u003eHer bulgu, şu şekilde hesaplanan \u003cstrong\u003edeterministik bir kimlik\u003c/strong\u003e alır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(dedektörID + maskelendi + dosyaYolu + satır) → 16 hex karaktere kısaltıldı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAynı konumdaki aynı sır her zaman aynı kimliği üretir; bu da bulguları çalıştırmalar arasında yinelenenleri kaldırmayı veya sorun izleyicilerde takip etmeyi güvenli kılar.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropisi\u003c/strong\u003e (aralık 0–8) her bulgu için hesaplanır ve bilgilendirme amacıyla çıktıda gösterilir. Motor düzeyinde entropi, yerleşik bulguları \u003cstrong\u003eengellemez veya düşürmez\u003c/strong\u003e — düşük entropili bir eşleşme yine de sonuçlarda görünür. Entropi eşikleri yalnızca özel kuralların içinde geçerlidir; her kural kendi minimumunu bildirebilir.\u003c/p\u003e\n\u003ch2 id=\"8-tarama-sonras-filtreler\"\u003e8. Tarama sonrası filtreler\u003c/h2\u003e\n\u003cp\u003eDoğrulamadan sonra iki filtre uygulanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — \u003ccode\u003everified:active\u003c/code\u003e olmayan tüm bulguları bırakır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — belirtilen önem düzeyinin (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; varsayılan \u003ccode\u003elow\u003c/code\u003e) altındaki bulguları bırakır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHer iki filtre de doğrulama sonrasında çalışır; böylece \u003ccode\u003e--only-verified\u003c/code\u003e değerlendirildiğinde doğrulama durumu kullanılabilir olur.\u003c/p\u003e\n\u003ch2 id=\"9-kt\"\u003e9. Çıktı\u003c/h2\u003e\n\u003cp\u003eHayatta kalan bulgular dört \u003cstrong\u003ebiçimleyiciden\u003c/strong\u003e birine iletilir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBiçim\u003c/th\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eYaygın kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (varsayılan)\u003c/td\u003e\n\u003ctd\u003eMakine tarafından okunabilir, hat dostu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, güvenlik panoları\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eElektronik tablolar, veri analizi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTablo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal incelemesi, önem derecesine göre renklendirilmiş\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıktı varsayılan olarak stdout'a gider; bir dosyaya yazmak için \u003ccode\u003e--output \u0026lt;dosya\u0026gt;\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eBiçim veya çıktı hedefi ne olursa olsun, her taramadan sonra bir \u003cstrong\u003etarama özeti\u003c/strong\u003e (tarih, kaynak türü, hedef, taranan dosyalar, süre, bulgu sayısı, kesme durumu) her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eLeakwatch, bulunan sırların doğrulama çağrıları dışında süreç sınırını asla terk etmemesi için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları yalnızca tespit ve doğrulama sırasında bellekte yaşar.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--show-raw\u003c/code\u003e bayrağı varsayılan olarak \u003ccode\u003efalse\u003c/code\u003e'tur; bu olmadan çıktıda yalnızca maskelenmiş gösterim görünür.\u003c/li\u003e\n\u003cli\u003eSırlar asla diske yazılmaz, \u003ccode\u003eslog\u003c/code\u003e aracılığıyla loglanmaz veya çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tasarm-kararlar\"\u003eTasarım kararları\u003c/h2\u003e\n\u003cp\u003eMimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO devre dışı\u003c/strong\u003e (ADR-0001) — tek statik ikili dosya, çalışma zamanı bağımlılığı yok, tüm platformlara çapraz derlenir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — \u003ccode\u003ebayrak \u0026gt; env \u0026gt; yapılandırma \u0026gt; varsayılan\u003c/code\u003e önceliğiyle hiyerarşik CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — saf Go Git kütüphanesi; harici \u003ccode\u003egit\u003c/code\u003e ikili dosyası gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDerleme zamanı dedektör kaydı\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + boş importlar; tür güvenli, çalışma zamanı eklenti yükleyicisi yok.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hibrit eşleştirme\u003c/strong\u003e (ADR-0005) — ön filtre, alakasız parçalardaki regex çalışmasının çoğunu ortadan kaldırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonsuz katman analizi; imajları taramak için Docker daemon gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eİşçi havuzu\u003c/strong\u003e (ADR-0008) — sabit goroutine sayısı, kanal tabanlı fan-out; öngörülebilir bellek ve CPU kullanımı.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Kurulum","description":"Leakwatch'ı Homebrew, go install, Docker veya hazır bir ikili dosya ile kurun.","html":"\u003ch1 id=\"kurulum\"\u003eKurulum\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ı makinenize kurmak bir dakikadan az sürer. İş akışınıza en uygun yöntemi seçin: Homebrew macOS ve Linux'ta en basit seçenektir, \u003ccode\u003ego install\u003c/code\u003e halihazırda bir Go araç zinciriniz varsa idealdir, Docker ana sisteminizi temiz tutar ve hazır ikili dosyalar herhangi bir araç zinciri gerektirmeden her yerde çalışır.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-ve-linux\"\u003eHomebrew (macOS ve Linux)\u003c/h2\u003e\n\u003cp\u003eResmi tap, amd64 ve arm64 mimarilerinde macOS ve Linux'u destekler.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTap, \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e adresinde barındırılmaktadır. Homebrew ile yükseltmek için \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e komutunu kullanın.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003ego install\u003c/h2\u003e\n\u003cp\u003eGo 1.25 veya daha yeni bir sürümü yüklüyse, en son sürümü doğrudan kaynaktan derleyip kurabilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİkili dosya \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e dizinine yerleştirilir. Bu dizinin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olduğundan emin olun.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e her zaman en son etiketli sürümü getirir. Belirli bir sürüme sabitlemek için \u003ccode\u003e@latest\u003c/code\u003e yerine \u003ccode\u003e@v1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eMinimal, çok aşamalı bir Alpine imajı GitHub Container Registry'de yayımlanmaktadır. İmaj, root olmayan bir kullanıcı (\u003ccode\u003eleakwatch\u003c/code\u003e) olarak çalışır, CGO devre dışıdır ve çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKullanılabilir etiketler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın. Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için \u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için \u003ca href=\"#/guides/docker\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"hazr-ikili-dosya\"\u003eHazır ikili dosya\u003c/h2\u003e\n\u003cp\u003eHer sürüm, desteklenen tüm platformlar için \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasında tar arşivleri yayımlar. Platformunuza ait arşivi indirin, açın ve ikili dosyayı \u003ccode\u003ePATH\u003c/code\u003e değişkeninizdeki bir dizine taşıyın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDesteklenen platformlar:\u003c/strong\u003e amd64 ve arm64 mimarilerinde Linux, macOS ve Windows.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Linux amd64 örneği — OS ve ARCH değerlerini platformunuza göre değiştirin\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform adlandırması \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e kalıbını izler; \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e değeri \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e veya \u003ccode\u003eWindows\u003c/code\u003e, \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e değeri ise \u003ccode\u003eamd64\u003c/code\u003e veya \u003ccode\u003earm64\u003c/code\u003e olabilir.\u003c/p\u003e\n\u003ch2 id=\"kurulumu-dorulama\"\u003eKurulumu doğrulama\u003c/h2\u003e\n\u003cp\u003eHerhangi bir kurulum yönteminin ardından ikili dosyanın erişilebilir olduğunu doğrulayın ve sürümü kontrol edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeklenen çıktı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut bulunamazsa kurulum dizininin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olup olmadığını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — Leakwatch taramasının arkasındaki mimari.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile tarama davranışını özelleştirin.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/guides/docker\"\u003eDocker Kullanımı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Tanıtım","description":"Leakwatch nedir, neyi tarar ve sızan sırları nasıl tespit edip doğrular.","html":"\u003ch1 id=\"tantm\"\u003eTanıtım\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e, sızan sırları — API anahtarları, token'lar, parolalar, bağlantı dizeleri ve özel anahtarlar — kod tabanlarınızda, Git geçmişinizde, konteyner imajlarınızda, bulut depolamanızda ve Slack çalışma alanlarınızda \u003cstrong\u003etespit eden, doğrulayan ve raporlayan\u003c/strong\u003e yüksek performanslı, açık kaynaklı (MIT) bir güvenlik aracıdır.\u003c/p\u003e\n\u003cp\u003eGo ile yazılmıştır, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olarak dağıtılır (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e) ve her yerde çalışacak şekilde tasarlanmıştır: bir geliştirici dizüstü bilgisayarı, bir pre-commit kancası veya bir CI/CD hattı.\u003c/p\u003e\n\u003ch2 id=\"neden-leakwatch\"\u003eNeden Leakwatch\u003c/h2\u003e\n\u003cp\u003eTek bir commit'te sızan bir kimlik bilgisi — sonradan silinse bile — Git geçmişinde sonsuza dek erişilebilir kalabilir ve push edildikten dakikalar sonra istismar edilebilir. Leakwatch, bu sırları erken yakalamak ve hangilerinin \u003cem\u003egerçekten tehlikeli\u003c/em\u003e olduğunu söylemek için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGeniş tespit\u003c/strong\u003e — bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını ve daha fazlasını kapsayan 63 yerleşik dedektör; ayrıca kendi YAML özel kurallarınız.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eYalnızca tespit değil, doğrulama\u003c/strong\u003e — 54 dedektör türü için Leakwatch, bulunan bir sırrın \u003cem\u003ehâlâ etkin\u003c/em\u003e olup olmadığını sağlayıcıya kontrollü, salt-okunur bir çağrı yaparak teyit edebilir. Etkin olduğu doğrulanmış bir anahtar bir olaydır; etkin olmayan bir anahtar ise gürültüdür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eÇok sayıda kaynak\u003c/strong\u003e — yerel dosya sistemi, eksiksiz bir Git geçmişi, bir OCI/Docker imajı, AWS S3, Google Cloud Storage ve Slack mesajları.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-uyumlu çıktı\u003c/strong\u003e — JSON, SARIF (GitHub Code Scanning için), CSV ve renklendirilmiş terminal tablosu.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTasarımı gereği sır-güvenli\u003c/strong\u003e — bulunan sırlar varsayılan olarak maskelenir ve asla loglanmaz, önbelleğe alınmaz veya diske yazılmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"neleri-tarar\"\u003eNeleri tarar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNeyi kapsar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosyalar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob (yerel veya uzak)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker imaj katmanları, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanallardaki ve (isteğe bağlı) DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇoklu depo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAynı anda birden fazla Git deposu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"tespit-ksaca-nasl-alr\"\u003eTespit kısaca nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch, büyük girdilerde bile hızlı kalmak için katmanlı bir hat kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick anahtar kelime ön-filtresi\u003c/strong\u003e — tek bir çok-desenli otomat, bir parçayı hangi dedektörlerin eşleştirebileceğine hızla karar verir; böylece dedektörlerin çoğu regex'ini hiç çalıştırmaz.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex doğrulaması\u003c/strong\u003e — yalnızca kısa listeye alınan dedektörler kesin desenlerini çalıştırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropi\u003c/strong\u003e — Shannon entropisi gösterim için hesaplanır (ve özel kurallar tarafından düşük rastgelelikteki eşleşmeleri elemek için kullanılır).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDoğrulama\u003c/strong\u003e — uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch'ı kullanmak için bu hattı anlamanız gerekmez — ancak taramaların neden hızlı olduğunu ve bazı bulguların neden bir doğrulama durumu gösterirken bazılarının göstermediğini açıklar. Tam tablo için \u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"leakwatch-ne-deildir\"\u003eLeakwatch \u003cem\u003ene değildir\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eBeklentileri doğru belirlemek için:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGit geçmişini yeniden yazmaz veya sırları sizin için \u003cstrong\u003ekaldırmaz\u003c/strong\u003e — onları bulup raporlar ve (\u003ccode\u003e--remediation\u003c/code\u003e ile) nasıl döndüreceğinizi söyler.\u003c/li\u003e\n\u003cli\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar; yüklenen dosyaların \u003cem\u003eiçeriğini\u003c/em\u003e taramak uygulanmamıştır.\u003c/li\u003e\n\u003cli\u003eDoğrulama, birçok sır türü için mevcuttur ancak hepsi için değil — 9 dedektör türü (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman doğrulanmamış olarak raporlanır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker veya hazır bir ikili dosya ile kurun.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — taramanın arkasındaki mimari.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Hızlı Başlangıç","description":"İlk Leakwatch taramanızı bir dakikadan kısa sürede çalıştırın.","html":"\u003ch1 id=\"hzl-balang\"\u003eHızlı Başlangıç\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın neler yapabileceğini anlamanın en hızlı yolu, onu gerçek bir dizine yönlendirmektir. Bu sayfa ilk taramanızda size rehberlik eder, çıktının ne anlama geldiğini açıklar ve en sık kullanacağınız bayrakları gösterir.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eLeakwatch kurulu ve \u003ccode\u003ePATH\u003c/code\u003e değişkeninizde erişilebilir olmalıdır. Henüz yapmadıysanız \u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"lk-taramanz\"\u003eİlk taramanız\u003c/h2\u003e\n\u003cp\u003eMevcut dizini tek bir komutla tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak çıktı JSON biçiminde stdout'a yazılır. Bunun yerine okunabilir, renklendirilmiş bir tablo almak için \u003ccode\u003e--format table\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBir sonucun nasıl göründüğü aşağıdadır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTarama özeti her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır; bu nedenle pipe veya yeniden yönlendirilen çıktıyla hiçbir zaman çakışmaz.\u003c/p\u003e\n\u003ch2 id=\"bulguyu-anlamak\"\u003eBulguyu anlamak\u003c/h2\u003e\n\u003cp\u003eTablodaki her satır (veya JSON'daki her nesne) bir bulguyu temsil eder. Temel alanlar şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSır türünün ne kadar kritik olduğu: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşen dedektör — sır türünü tanımlar (örneğin \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın bulunduğu dosyanın tarama köküne göreli yolu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşmenin satır numarası\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın maskelenmiş gösterimi — \u003ccode\u003e--show-raw\u003c/code\u003e ayarlanmadıkça ham değer hiçbir zaman gösterilmez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulama sonucu: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003everified:active\u003c/code\u003e durumu, Leakwatch'ın sağlayıcıya salt-okunur bir API çağrısı yaparak sırrın hâlâ etkin olduğunu doğruladığı anlamına gelir. \u003cstrong\u003eHer \u003ccode\u003everified:active\u003c/code\u003e bulgusunu açık bir olay olarak değerlendirin.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"yaygn-tarama-seenekleri\"\u003eYaygın tarama seçenekleri\u003c/h2\u003e\n\u003ch3 id=\"yalnzca-onaylanm-srlara-odaklann\"\u003eYalnızca onaylanmış sırlara odaklanın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu seçenek doğrulanmamış ve etkin olmayan bulguları gizler; yalnızca etkin olduğu onaylananları bırakır. Çok sayıda sonucunuz olduğunda önceliklendirme için kullanışlıdır.\u003c/p\u003e\n\u003ch3 id=\"hzl-evrimd-tarama-iin-a-dorulamasn-atlayn\"\u003eHızlı çevrimdışı tarama için ağ doğrulamasını atlayın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama tamamen atlanır — hiçbir giden ağ çağrısı yapılmaz. Sonuçlar daha hızlı görünür ve internet bağlantısı olmadan çalışır, ancak tüm bulgular \u003ccode\u003eunverified\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"dzeltme-klavuzu-ekleyin\"\u003eDüzeltme kılavuzu ekleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer bulgu, söz konusu sır türünü nasıl döndüreceğinizi veya iptal edeceğinizi açıklayan bir \u003cstrong\u003eREMEDIATION\u003c/strong\u003e sütunu kazanır. Bayrak ayarlandığında aynı veriler JSON, SARIF ve CSV çıktısına da dahil edilir.\u003c/p\u003e\n\u003ch3 id=\"minimum-nem-derecesine-gre-filtreleyin\"\u003eMinimum önem derecesine göre filtreleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e önem derecesindeki bulgular raporlanır.\u003c/p\u003e\n\u003ch3 id=\"sonular-dosyaya-kaydedin\"\u003eSonuçları dosyaya kaydedin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e bayrağı stdout yerine bir dosyaya yazar. SARIF çıktısı \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e ile uyumludur.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-oluturma\"\u003eYapılandırma dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003eİlk denemede varsayılanlarla çalıştırmak uygundur; ancak tekrarlayan kullanım için proje düzeyinde bir yapılandırma isteyeceksiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut, eşzamanlılık, entropi, doğrulama, çıktı biçimi ve yaygın yol dışlamaları için önerilen varsayılanlarla mevcut dizine \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yazar. Mevcut bir dosyanın üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e, farklı bir yola yazmak için \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eHer seçeneğin tam açıklaması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI betiklerinin çıktıyı ayrıştırmadan sonuçlara göre hareket edebilmesi için farklı çıkış kodları kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bulgu yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bir veya daha fazla sır bulundu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama bir hata nedeniyle başarısız oldu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTipik bir CI kapısı şöyle görünür:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Etkin sırlar bulundu — derleme başarısız\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, etkin filtreleri geçen (\u003ccode\u003e--min-severity\u003c/code\u003e ve \u003ccode\u003e--only-verified\u003c/code\u003e dahil) \u003cem\u003eherhangi bir\u003c/em\u003e bulgu olduğunda döndürülür. Temiz çıkış kodu \u003ccode\u003e0\u003c/code\u003e, hiçbir bulgunun eşleşmediği anlamına gelir — kod tabanında sır olmadığı anlamına gelmez.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"taramay-iptal-etme\"\u003eTaramayı iptal etme\u003c/h2\u003e\n\u003cp\u003eÇalışan bir taramayı iptal etmek için \u003ccode\u003eCtrl+C\u003c/code\u003e tuşuna basın (veya \u003ccode\u003eSIGTERM\u003c/code\u003e gönderin). Leakwatch düzgün biçimde durur: işlemdeki parçalar tamamlanır, kısmi sonuçlar yazılır ve özet \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Çıktı Formatları","description":"Leakwatch'ın desteklediği dört çıktı formatı — JSON, SARIF, CSV ve tablo — örnekler ve her birini ne zaman kullanacağınıza dair rehberlik.","html":"\u003ch1 id=\"kt-formatlar\"\u003eÇıktı Formatları\u003c/h1\u003e\n\u003cp\u003eLeakwatch dört çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları ve insan tarafından okunabilir terminal incelemesi. \u003ccode\u003e--format\u003c/code\u003e (veya \u003ccode\u003e-f\u003c/code\u003e) ile bir format seçin; stdout yerine bir dosyaya yazmak için \u003ccode\u003e--output\u003c/code\u003e (veya \u003ccode\u003e-o\u003c/code\u003e) kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan format \u003ccode\u003ejson\u003c/code\u003e'dur.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON varsayılan format ve en eksiksiz temsil biçimidir. Leakwatch, stdout'a (veya \u003ccode\u003e--output\u003c/code\u003e ile verilen dosyaya) bulgu nesnelerinden oluşan bir JSON \u003cstrong\u003edizisi\u003c/strong\u003e yazar.\u003c/p\u003e\n\u003cp\u003eHam sır değeri, \u003ccode\u003e--show-raw\u003c/code\u003e açıkça ayarlanmadıkça \u003cstrong\u003ehiçbir zaman\u003c/strong\u003e serileştirilmez. \u003ccode\u003e--show-raw\u003c/code\u003e ile her nesneye bir \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e alanı eklenir.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-bulgu-nesnesi\"\u003eÖrnek bulgu nesnesi\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--remediation\u003c/code\u003e de ayarlandığında her bulgunun içine iç içe bir \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e nesnesi yerleştirilir. Bkz. \u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif\u003c/code\u003e formatı, \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e'e yüklenmek üzere tasarlanmış bir SARIF v2.1.0 belgesi üretir. Araç adı \u003ccode\u003eLeakwatch\u003c/code\u003e'tır ve \u003ccode\u003einformationUri\u003c/code\u003e \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e adresine işaret eder.\u003c/p\u003e\n\u003cp\u003eBulgularda görünen her dedektör, SARIF sürücüsünde bir \u003cstrong\u003ekural\u003c/strong\u003e haline gelir; \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme adımlarından doldurulan \u003ccode\u003ehelp\u003c/code\u003e metni ve sağlayıcı belgelerine işaret eden bir \u003ccode\u003ehelpUri\u003c/code\u003e ile birlikte. Sonuçlar, dedektör ID'si, maskelenmiş değer ve dosya yolundan hesaplanan bir \u003ccode\u003eleakwatch/v1\u003c/code\u003e kısmi parmak izi taşır — bu, çevresindeki kod kaydığında bile GitHub Code Scanning'in aynı uyarıyı takip etmesini sağlar.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-1\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"github-code-scanninge-ykleme\"\u003eGitHub Code Scanning'e yükleme\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Bir GitHub Actions iş akışı adımında:\n- name: SARIF sonuçlarını yükle\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam CI kurulumu için \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003ecsv\u003c/code\u003e formatı, bir başlık satırı ve ardından bulgu başına bir satır yazar; standart virgülle ayrılmış değerler kullanır. Her hücre yazılmadan önce elektronik tablo formül enjeksiyonuna karşı sterilize edilir.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar (varsayılan):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eraw\u003c/code\u003e sütunu eklenir.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eremediation\u003c/code\u003e sütunu, \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme başlığını (örn. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) içerir, aksi hâlde boş kalır.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-2\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tablo\"\u003eTablo\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003etable\u003c/code\u003e formatı, insan tarafından okunabilir sekme hizalı bir tablo yazar; sonuçların hızlı görsel taramasını istediğiniz etkileşimli terminal oturumları için en uygun formattır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eRAW\u003c/code\u003e sütunu eklenir. Tablonun altına bir özet satırı yazdırılır (örn. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI rengi\u003c/strong\u003e, \u003ccode\u003eSEVERITY\u003c/code\u003e sütununa otomatik olarak uygulanır, ancak yalnızca dört koşulun tamamı sağlandığında:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e seçilmiş\u003c/li\u003e\n\u003cli\u003eÇıktı stdout'a gidiyor (\u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e yok)\u003c/li\u003e\n\u003cli\u003estdout bir TTY (pipe veya yönlendirme değil)\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e ortam değişkeni ayarlanmamış\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÖnem derecesi\u003c/th\u003e\n\u003cth\u003eRenk\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKalın kırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSarı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMavi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"rnek-ar-3\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt-1\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yaygn-kt-bayraklar\"\u003eYaygın çıktı bayrakları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı formatı: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (varsayılan \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout yerine dosyaya yaz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya maskelenmemiş sır değerini dahil et\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBu önem seviyesinin altındaki bulguları bırak\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca \u003ccode\u003everified_active\u003c/code\u003e bulgularını tut\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBulguları sağlayıcı düzeltme rehberiyle zenginleştir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Düzeltme Rehberi","description":"Bulguları sağlayıcıya özgü döndürme ve iptal adımları, aciliyet dereceleri ve resmi dokümantasyon bağlantılarıyla zenginleştirmek için --remediation kullanın.","html":"\u003ch1 id=\"dzeltme-rehberi\"\u003eDüzeltme Rehberi\u003c/h1\u003e\n\u003cp\u003eBir sırrın sızdığını bilmek işin yalnızca yarısıdır — ayrıca ne yapacağınızı da bilmeniz gerekir. Herhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e eklemek, her bulguyu yapılandırılmış, sağlayıcıya özgü rehberlikle zenginleştirir: kimlik bilgisini döndürme veya iptal etme adımları, sağlayıcının belgelerine bağlantı, yönetim konsoluna bağlantı, aciliyet derecelendirmesi ve bir doğrulama kontrol listesi.\u003c/p\u003e\n\u003ch2 id=\"nasl-etkinletirilir\"\u003eNasıl etkinleştirilir\u003c/h2\u003e\n\u003cp\u003eHerhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDüzeltme zenginleştirmesi varsayılan olarak devre dışıdır. Bayrak yoksa, her bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı \u003ccode\u003enull\u003c/code\u003e olur ve fazladan veri alınmaz veya hesaplanmaz.\u003c/p\u003e\n\u003ch2 id=\"ne-ierir\"\u003eNe içerir\u003c/h2\u003e\n\u003cp\u003eHer düzeltme girişi aşağıdaki alanları içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDüzeltme eyleminin kısa adı (örn. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrı döndürmek veya iptal etmek için sıralı adımlar listesi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının resmi kimlik bilgisi yönetimi belgelerine bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının yönetim konsolu sayfasına doğrudan bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNe kadar hızlı harekete geçileceği: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e veya \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDöndürme sonrası doğrulama adımları (örn. denetim günlüklerini inceleyin, güvenlik ekibini bilgilendirin)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch, her yerleşik dedektör için bir tane olmak üzere 63 düzeltme girişiyle birlikte gelir. 63 girişin tamamı ikili dosyaya dahildir; rehberliği almak için herhangi bir ağ çağrısı yapılmaz. Bu, çevrimdışı ortamlarda veya hava boşluklu ağlarda bile düzeltme rehberliğinin sorunsuz çalışması anlamına gelir.\u003c/p\u003e\n\u003ch2 id=\"her-formatta-nasl-grnr\"\u003eHer formatta nasıl görünür\u003c/h2\u003e\n\u003cp\u003eZenginleştirme, rehberliği bellekteki bulgu nesnesine ekler. Nasıl göründüğü çıktı formatına bağlıdır:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — tam yapılandırılmış \u003ccode\u003eremediation\u003c/code\u003e nesnesi her bulgunun içine yerleştirilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — \u003ccode\u003esteps\u003c/code\u003e alanları, kuralın \u003ccode\u003ehelp.text\u003c/code\u003e alanına yerleştirilir ve \u003ccode\u003edoc_url\u003c/code\u003e, kuralın \u003ccode\u003ehelpUri\u003c/code\u003e'si olarak ayarlanır. Bu, GitHub Code Scanning'in uyarı ayrıntıları panelinde doğrudan görünür.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı \u003ccode\u003eremediation\u003c/code\u003e sütununa yazılır. Tam yapılandırılmış rehberlik CSV çıktısına dahil edilmez.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTablo\u003c/strong\u003e — \u003ccode\u003eREMEDIATION\u003c/code\u003e sütununda yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı gösterilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOtomatik olay müdahale iş akışları için tam yapılandırılmış rehberliğe ihtiyaç duyduğunuzda \u003ccode\u003e--remediation --format json\u003c/code\u003e kullanın. Terminalde hızlı, insan tarafından okunabilir bir önceliklendirme oturumu için \u003ccode\u003e--remediation --format table\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eZenginleştirme yalnızca \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında çalışır. Bayrak olmadan, \u003ccode\u003eremediation\u003c/code\u003e alanı JSON ve SARIF çıktısında yoktur ve CSV ile tablo \u003ccode\u003eremediation\u003c/code\u003e sütunları boştur. Bayrak, orijinal tarama sonuçlarını değiştirmez — bunların üzerine bir katman ekler.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kurallar-ve-dzeltme\"\u003eÖzel kurallar ve düzeltme\u003c/h2\u003e\n\u003cp\u003eÖzel kural tanımları bir \u003ccode\u003eremediation\u003c/code\u003e bloğunu desteklemez — düzeltme rehberliği yalnızca yerleşik dedektörler için mevcuttur. Özel bir kural tarafından tetiklenen bulgu için \u003ccode\u003e--remediation\u003c/code\u003e bayrağı geçildiğinde, o bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı boş kalır; diğer alanlar etkilenmez.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Başvurusu","description":"Her Leakwatch komutu, alt komutu ve bayrağı için tam başvuru kaynağı.","html":"\u003ch1 id=\"cli-bavurusu\"\u003eCLI Başvurusu\u003c/h1\u003e\n\u003cp\u003eBu sayfa, tüm Leakwatch komutları ve bayrakları için yetkili başvuru kaynağıdır. Kavramsal açıklamalar ve çalışma örnekleri için ilgili tarama veya yapılandırma sayfalarındaki çapraz bağlantıları takip edin.\u003c/p\u003e\n\u003ch2 id=\"global-bayraklar\"\u003eGlobal bayraklar\u003c/h2\u003e\n\u003cp\u003eBu bayraklar her komut ve alt komut üzerinde kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOtomatik olarak bulunan \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasının yolu. Atlandığında Leakwatch, geçerli dizinde ve üst dizinlerinde \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e arar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGünlük ayrıntı düzeyi: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e veya \u003ccode\u003eerror\u003c/code\u003e. Günlük çıktısı stderr'e gider ve tarama sonuçlarını etkilemez.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eİkili dosya sürümünü, commit karmasını ve derleme zaman damgasını yazdırır, ardından çıkar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGeçerli dizinde önerilen varsayılanlarla bir \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyası oluşturur.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasını varsayılan yerine bu yola yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMevcut bir yapılandırma dosyasının üzerine yaz. Bu bayrak olmadan, çıktı dosyası zaten mevcutsa \u003ccode\u003einit\u003c/code\u003e hatayla çıkar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Varsayılan yapılandırmayı oluştur\nleakwatch init\n\n# Mevcut yapılandırmanın üzerine yaz\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eTüm tarama alt komutları için üst komut. Kendi başına davranışı yoktur; bir alt komut çalıştırın.\u003c/p\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003cp\u003eAşağıdaki bayraklar \u003cstrong\u003etüm\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e alt komutlarında kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosya yoluna yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu bayt sayısından büyük dosyaları veya blob'ları atla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya ham (maskelenmemiş) sır değerini dahil et. Dikkatli kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı sır doğrulamasını devre dışı bırak. Giden API çağrısı yapılmaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya dahil edilecek minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi (dönüşüm/iptal adımları) ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel bir dizin ağacını tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e varsayılan olarak \u003ccode\u003e.\u003c/code\u003e'dır. En fazla bir konumsal argüman kabul eder.\u003c/p\u003e\n\u003ch4 id=\"dosya-sistemine-zg-bayraklar\"\u003eDosya sistemine özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;kalıp\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob kalıbı. Tekrarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara, renklendirilmiş tablo yazdır\nleakwatch scan fs . --format table\n\n# SARIF çıktısını kaydet, test dosyalarını ve vendor'ı dışla\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel veya uzak bir Git deposunun tam commit geçmişini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir: yerel bir yol veya HTTP/HTTPS/SSH URL'si.\u003c/p\u003e\n\u003ch4 id=\"gite-zg-bayraklar\"\u003eGit'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit karmasından HEAD'e kadar olan değişiklikleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;ad\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan dal yerine belirli bir dalı hedefle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003eUzak depolar için sığ klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi getirir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-1\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tam yerel geçmişi tara\nleakwatch scan git . --format table\n\n# Bir pull request tarafından eklenen commit'leri tara\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir OCI/Docker imajının katmanlarını sırlar açısından tarar. Leakwatch daemonsuz çalışır ve kayıt defterinden doğrudan çeker — Docker soketi gerekmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"rnekler-2\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Genel bir imajı tara\nleakwatch scan image nginx:latest --format table\n\n# Özel kayıt defteri imajını tara, JSON çıktısını kaydet\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir AWS S3 kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, anahtarı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi. \u003ccode\u003eAWS_REGION\u003c/code\u003e ortam değişkenine veya AWS SDK varsayılanına geri döner.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-3\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm kovayı tara\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Belirli bir ön eki tara\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Google Cloud Storage kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"gcsye-zg-bayraklar\"\u003eGCS'ye özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, adı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği. Varsayılan kimlik bilgilerinden proje çıkarılamadığında gereklidir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-4\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm GCS kovasını tara\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Ön ek tara\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Slack çalışma alanındaki mesaj metnini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKonumsal argüman yoktur.\u003c/p\u003e\n\u003ch4 id=\"slacke-zg-bayraklar\"\u003eSlack'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token'ı. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni ile de ayarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. Atlandığında erişilebilir tüm kanalları tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adları veya kimliklerinin virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonra gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları dahil et (ek OAuth kapsamları gerektirir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-5\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Erişilebilir tüm kanalları tara\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Belirli kanalları belirli bir tarihten itibaren tara\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBirden fazla Git deposunu paralel olarak tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEn az iki konumsal argüman (depo URL'leri veya yerel yollar) gereklidir.\u003c/p\u003e\n\u003ch4 id=\"reposa-zg-bayraklar\"\u003eRepos'a özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eHer depo taramasındaki çalışan eşzamanlılığı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-6\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki depoyu paralel olarak tara\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Büyük bir depo seti için paralellizmi artır\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e — Leakwatch'ı bayrak kullanmadan yapılandırma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — ayrıntılı \u003ccode\u003escan fs\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — ayrıntılı \u003ccode\u003escan git\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Ortam Değişkenleri","description":"Leakwatch davranışını bayrak kullanmadan yapılandıran ortam değişkenleri.","html":"\u003ch1 id=\"ortam-deikenleri\"\u003eOrtam Değişkenleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, yapılandırmayı öncelik sırasına göre üç kaynaktan okur: \u003cstrong\u003ekomut satırı bayrakları\u003c/strong\u003e, \u003cstrong\u003eortam değişkenlerini\u003c/strong\u003e geçersiz kılar; ortam değişkenleri \u003cstrong\u003eyapılandırma dosyasını\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e) geçersiz kılar; yapılandırma dosyası yerleşik \u003cstrong\u003evarsayılanlara\u003c/strong\u003e geri döner. Ortam değişkenleri, bir yapılandırma dosyasını değiştiremeyeceğiniz veya her çağrıya bayrak geçiremeyeceğiniz CI ortamlarında kullanışlıdır.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-deikeni-kalb\"\u003eYapılandırma değişkeni kalıbı\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki herhangi bir anahtar, ortam değişkeni olarak şu şekilde ayarlanabilir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAnahtar adını büyük harfe çevir.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştir.\u003c/li\u003e\n\u003cli\u003eBaşına \u003ccode\u003eLEAKWATCH_\u003c/code\u003e ekle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eÖrneğin, \u003ccode\u003escan.concurrency\u003c/code\u003e yapılandırma anahtarı \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"deiken-bavurusu\"\u003eDeğişken başvurusu\u003c/h2\u003e\n\u003ch3 id=\"leakwatcha-zg-deikenler\"\u003eLeakwatch'a özgü değişkenler\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e için Slack bot token'ı. \u003ccode\u003e--token\u003c/code\u003e'a eşdeğer. Token'ın kabuk geçmişinde veya CI günlüklerinde görünmesini önlemek için bayrak olarak geçirmek yerine bunu ayarlayın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı. \u003ccode\u003e--concurrency\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı doğrulamayı genel olarak devre dışı bırakmak için \u003ccode\u003efalse\u003c/code\u003e olarak ayarlayın. \u003ccode\u003e--no-verify\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm doğrulayıcılar genelinde saniye başına maksimum doğrulama isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan çıktı biçimi (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e). \u003ccode\u003e--format\u003c/code\u003e'a eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir eşleşmenin raporlanması için gereken minimum Shannon entropisi. Float değer, örn. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"grntleme-deikeni\"\u003eGörüntüleme değişkeni\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBoş olmayan herhangi bir değere ayarlandığında, \u003ccode\u003etable\u003c/code\u003e çıktı biçimlendiricisindeki ANSI renk kodlarını devre dışı bırakır. \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e kuralını izler.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-deikenleri-scan-s3-ve-aws-sr-dorulamas-iin\"\u003eAWS değişkenleri (\u003ccode\u003escan s3\u003c/code\u003e ve AWS sır doğrulaması için)\u003c/h3\u003e\n\u003cp\u003eBunlar standart AWS SDK ortam değişkenleridir. Leakwatch bunları AWS SDK v2 varsayılan kimlik bilgisi zincirine aktarır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS erişim anahtarı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS gizli erişim anahtarı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS oturum token'ı (geçici kimlik bilgileri için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKullanılacak \u003ccode\u003e~/.aws/credentials\u003c/code\u003e dosyasından adlandırılmış profil.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-deikeni-scan-gcs-iin\"\u003eGCS değişkeni (\u003ccode\u003escan gcs\u003c/code\u003e için)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGoogle hizmet hesabı JSON anahtar dosyasının yolu. Bir GCS kovasını tararken Uygulama Varsayılan Kimlik Bilgileri tarafından kullanılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-rnei\"\u003eÖncelik örneği\u003c/h2\u003e\n\u003cp\u003eŞu kurulumu varsayın:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, \u003ccode\u003eoutput.format: table\u003c/code\u003e olarak ayarlıyor\u003c/li\u003e\n\u003cli\u003eOrtamda \u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e ayarlanmış\u003c/li\u003e\n\u003cli\u003eKomut \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e olarak çalıştırılıyor (\u003ccode\u003e--format\u003c/code\u003e bayrağı yok)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOrtam değişkeni yapılandırma dosyasını geçersiz kıldığından geçerli biçim \u003ccode\u003ejson\u003c/code\u003e'dır.\u003c/p\u003e\n\u003cp\u003eKomut \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e olarak çalıştırılırsa, bayrak her şeyi geçersiz kıldığından geçerli biçim \u003ccode\u003esarif\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kimlik-bilgileri-ve-tarama-kimlik-bilgileri\"\u003eDoğrulama kimlik bilgileri ve tarama kimlik bilgileri\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYukarıdaki AWS ve GCP değişkenleri, Leakwatch'ın \u003cstrong\u003ekendisinin\u003c/strong\u003e nesneleri taramak için S3 veya GCS'ye bağlanırken kimliğini doğrulaması için kullanılır. Bulunan sırları doğrulamak için kullanılmazlar. Keşfedilen bir AWS anahtarının doğrulanması, örneğin, runner'ın kimlik bilgilerini değil, keşfedilen anahtarın kendisini kullanarak AWS STS'yi çağırır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-srlar-gvenli-biimde-geirme\"\u003eCI'da sırları güvenli biçimde geçirme\u003c/h2\u003e\n\u003cp\u003eGitHub Actions'ta şifrelenmiş sırları kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGitLab CI'da maskelenmiş CI/CD değişkenlerini kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # proje ayarlarında maskelenmiş değişken olarak tanımlanmış\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eToken değerlerini hiçbir zaman iş akışı dosyalarına veya Dockerfile'lara sabit olarak kodlamayın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tam \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e anahtar başvurusu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eBulut Depolama Taraması\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e ve \u003ccode\u003escan gcs\u003c/code\u003e kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Taraması\u003c/a\u003e — Slack token kapsamları ve izinleri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — eşdeğer komut satırı bayrakları.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Çıkış Kodları","description":"Leakwatch çıkış kodu başvurusu ve bunların betiklerde ve CI pipeline'larında nasıl kullanılacağı.","html":"\u003ch1 id=\"k-kodlar\"\u003eÇıkış Kodları\u003c/h1\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için küçük, iyi tanımlanmış bir çıkış kodu seti kullanır. Her tarama alt komutu üç koddan biriyle çıkar.\u003c/p\u003e\n\u003ch2 id=\"kod-bavurusu\"\u003eKod başvurusu\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAd\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTemiz\u003c/td\u003e\n\u003ctd\u003eTarama başarıyla tamamlandı ve etkin filtrelerden hiçbir bulgu geçmedi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular var\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı ve etkin filtrelerden geçen bir veya daha fazla sır bulundu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHata\u003c/td\u003e\n\u003ctd\u003eTaramanın hiç çalışamamasına neden olan ciddi bir hata oluştu — örneğin geçersiz bir bayrak, okunamaz bir yol veya kimlik doğrulama hatası. Stderr'e bir \u003ccode\u003eError: ...\u003c/code\u003e mesajı ve kullanım ipucu yazdırılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"filtrelerin-k-kodu-1i-nasl-etkiledii\"\u003eFiltrelerin çıkış kodu 1'i nasıl etkilediği\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, yalnızca en az bir bulgu etkin çıktı filtrelerinin tümünden geçtiğinde yayılır. En ilgili iki filtre şunlardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — eşiğin altındaki bulgular bastırılır. Tüm bulgular \u003ccode\u003elow\u003c/code\u003e önem derecesindeyse ve \u003ccode\u003e--min-severity high\u003c/code\u003e ile çalışıyorsanız, sırlar mevcut olmasına rağmen çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulgular raporlanır. Etkin sır bulunamazsa çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBu, çıkış kodu \u003ccode\u003e0\u003c/code\u003e'ın \u0026quot;mevcut filtre ayarlarınızla eşleşen bulgu yok\u0026quot; anlamına geldiği anlamına gelir — kod tabanının hiçbir sır içermediği değil.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e altında temiz \u003ccode\u003e0\u003c/code\u003e çıkışı, kod tabanının sırdan arındırılmış olduğunu garanti etmez. Doğrulamanın mevcut olmadığı sır türleri (9 dedektör türü) her zaman doğrulanmamış olarak raporlanır ve \u003ccode\u003e--only-verified\u003c/code\u003e tarafından bastırılır. Tam kapsam için \u003ccode\u003e--only-verified\u003c/code\u003e ile birlikte ayrı bir filtresiz tarama yapın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kabuk-betiklerinde-k-kodlarn-kullanma\"\u003eKabuk betiklerinde çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;Sır bulunamadı. Derleme devam ediyor.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Sırlar bulundu — birleştirmeden önce leakwatch.json'u inceleyin ve düzeltin.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch bir hatayla karşılaştı (çıkış $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTaramadan önce \u003ccode\u003eset +e\u003c/code\u003e kullanmak, kabuğun sıfır dışı kodlarda çıkmasını engeller ve kodu kendiniz yakalayıp işlemenize olanak tanır.\u003c/p\u003e\n\u003ch2 id=\"ci-pipelinelarnda-k-kodlarn-kullanma\"\u003eCI pipeline'larında çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cp\u003eÇoğu CI sistemi, sıfır dışı herhangi bir çıkış kodunu adım başarısızlığı olarak değerlendirir. Leakwatch sırlar bulunduğunda \u003ccode\u003e1\u003c/code\u003e ile çıktığından, ek yapılandırma olmadan pipeline otomatik olarak başarısız olur — yalnızca tarama komutunu çalıştırın.\u003c/p\u003e\n\u003cp\u003eSırlar bulunsa bile pipeline'ın devam etmesine izin vermek için (örneğin, derlemeyi engellemeden raporu toplamak amacıyla) çıkış kodunu açıkça yoksayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitLab CI'da:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitHub Action'da \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"uygulamada-k-kodu-2\"\u003eUygulamada çıkış kodu 2\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e2\u003c/code\u003e, taramanın hiç çalışamamasına neden olan bir yapılandırma veya çalışma zamanı hatasını gösterir. Yaygın nedenler:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGeçersiz bir bayrak değeri (örneğin \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMevcut olmayan veya okunamaz bir yol.\u003c/li\u003e\n\u003cli\u003eEksik gerekli argüman (örneğin, URL olmadan \u003ccode\u003escan git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBir bulut kaynağına bağlanırken kimlik doğrulama hatası.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHata mesajı stderr'e yazdırılır ve sorunu teşhis etmeye yardımcı olacak bağlam içerir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — çıkış kodlarını GitLab CI, Jenkins ve diğerlerine bağlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — resmi action'ın çıkış kodlarını adım sonuçlarıyla nasıl eşlediği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — tam bayrak başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Bulut Depolama (S3 \u0026 GCS)","description":"AWS S3 ve Google Cloud Storage kovalarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"bulut-depolama-s3--gcs\"\u003eBulut Depolama (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSırlar sıklıkla bulut depolamaya taşınır — dışa aktarılan veritabanı dökümleri, ortam dosyaları, CI artefaktları ve günlük arşivleri, düşünüldüğünden çok daha fazla kişinin erişebildiği kovalara akar. Leakwatch, AWS S3 ve Google Cloud Storage kovalarını nesne nesne tarayabilir ve bulduğu sırları bir olaya dönüşmeden işaretler.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"kullanm\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003es3://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch standart \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS varsayılan kimlik bilgisi zincirini\u003c/a\u003e kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOrtam değişkenleri (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan kimlik bilgileri dosyası (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan yapılandırma dosyası (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eÖrneğe veya göreve atanmış IAM rolü (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAWS CLI ile zaten kimlik doğrulaması yaptıysanız (\u003ccode\u003eaws configure\u003c/code\u003e veya üstlenilmiş bir rol) ek yapılandırma gerekmez.\u003c/p\u003e\n\u003ch3 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca anahtarı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eAWS yapılandırmasından\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-rnekleri\"\u003eS3 örnekleri\u003c/h3\u003e\n\u003cp\u003eTüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir bölgede belirli bir anahtar öneki altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eTaramayı ilgili bir alt yola sınırlamak için \u003ccode\u003e--prefix\u003c/code\u003e kullanın. Milyonlarca nesne içeren büyük bir kovayı taramak yavaş olabilir ve S3 GET istek maliyeti doğurabilir. Öneki gerçekten önemli olana — örneğin \u003ccode\u003econfigs/\u003c/code\u003e veya \u003ccode\u003eexports/\u003c/code\u003e — daraltın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"kullanm-1\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003egs://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama-1\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e kullanır. Kimlik bilgisi arama sırası şu şekildedir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eHizmet hesabı anahtar dosyasına işaret eden \u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e ortam değişkeni.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egcloud auth application-default login\u003c/code\u003e ile yapılandırılmış kullanıcı kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003eGoogle Compute Engine örneğine, Cloud Run hizmetine veya GKE iş yüküne atanmış hizmet hesabı.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcse-zg-bayraklar\"\u003eGCS'e özgü bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca adı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği (bazı ADC yapılandırmalarında gereklidir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-rnekleri\"\u003eGCS örnekleri\u003c/h3\u003e\n\u003cp\u003eBelirli bir GCP projesiyle tüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca belirli bir önek altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCSV olarak çıktı alın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h2\u003e\n\u003cp\u003eHem \u003ccode\u003es3\u003c/code\u003e hem de \u003ccode\u003egcs\u003c/code\u003e aynı ortak tarama bayraklarını destekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan nesneleri atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eNesne anahtarlarına uygulanan yol dışlamaları \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (kimlik doğrulama hatası, kova bulunamadı, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Konteyner İmajları","description":"Docker daemon gerektirmeksizin OCI ve Docker imaj katmanlarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"konteyner-majlar\"\u003eKonteyner İmajları\u003c/h1\u003e\n\u003cp\u003eKonteyner imajları sırların sıklıkla gizlendiği yerlerden biridir: ortam değişkenlerine gömülen API anahtarları, derleme katmanlarına yerleştirilmiş kimlik bilgileri ve imaj katmanlarına kopyalanıp unutulan yapılandırma dosyaları. \u003ccode\u003eleakwatch scan image\u003c/code\u003e, bir OCI veya Docker imajının her katmanını inceler ve bu sırları dağıtım öncesinde gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: standart \u003ccode\u003ename:tag\u003c/code\u003e gösteriminde bir imaj referansı. Leakwatch imajları çekmek ve incelemek için \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e kullanır — herhangi bir Docker daemon \u003cstrong\u003egerekmez\u003c/strong\u003e.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Docker Hub imajını tara\nleakwatch scan image nginx:latest\n\n# Özel GitHub Container Registry imajını tara\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Amazon ECR imajını tara\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"desteklenen-kayt-sunucular\"\u003eDesteklenen kayıt sunucuları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKayıt Sunucusu\u003c/th\u003e\n\u003cth\u003eÖrnek referans\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eOCI uyumlu herhangi bir kayıt sunucusu\u003c/td\u003e\n\u003ctd\u003eStandart \u003ccode\u003eregistry/name:tag\u003c/code\u003e biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, Docker ve diğer OCI araçları tarafından kullanılan standart kimlik bilgisi anahtarlığını kullanır. \u003ccode\u003edocker login\u003c/code\u003e (veya \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, bulut sağlayıcısı kimlik bilgisi yardımcıları gibi eşdeğer araçlar) ile oturum açtıysanız, Leakwatch bu kimlik bilgilerini otomatik olarak kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Önce GHCR'a giriş yapın\ndocker login ghcr.io\n\n# Ardından tarayın — kimlik bilgileri otomatik olarak alınır\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAmazon ECR için, taramadan önce ECR kimlik bilgisi yardımcısını yapılandırın ya da \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e ve ilgili ortam değişkenlerini ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch imaj manifestini çeker, her katmanı sırayla işler ve her katmandaki dosyaları çıkarır. Her dosyanın içeriği, dosya sistemi taramasıyla aynı tespit hattından geçirilir. \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları burada da geçerlidir ve katmanlar içinde hangi dosya yollarının inceleneceğini sınırlar.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003cp\u003eİmaja özgü bayrak yoktur. Tüm ortak tarama bayrakları geçerlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eYol tabanlı dışlamalar \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eDocker Hub imajını tarayın ve sonuçları tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt sunucusu imajını tarayın ve SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif sırları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eJSON çıktısına düzeltme rehberi dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eİmaj taramasından elde edilen her bulgu katman meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan imaj referansı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği katman özeti.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKatman içindeki dosyanın yolu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGizli bilgilerin bir kayıt sunucusuna push edilmeden önce yakalanması için konteyner imaj taramasını CI/CD hattınızın derleme aşamasına entegre edin. Sonuçları doğrudan GitHub Code Scanning'e yüklemek için \u003ccode\u003e--format sarif\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (imaj bulunamadı, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Dosya Sistemi","description":"leakwatch scan fs komutuyla yerel bir dizin ağacını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"dosya-sistemi\"\u003eDosya Sistemi\u003c/h1\u003e\n\u003cp\u003eSırlar çoğu zaman önce yerel kaynak kodda ortaya çıkar. \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutu, bir dizin ağacındaki tüm dosyaları dolaşır, her biri üzerinde tam tespit hattını çalıştırır ve bulguları raporlar — henüz commit edilmeden önce yakalamak ya da mevcut bir kod tabanını sonradan taramak için kullanabilirsiniz.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e isteğe bağlıdır. Belirtilmediğinde Leakwatch geçerli çalışma dizinini (\u003ccode\u003e.\u003c/code\u003e) tarar. Yalnızca tek bir path argümanı kabul edilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara\nleakwatch scan fs\n\n# Belirli bir proje klasörünü tara\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"dosya-sistemi-kaynann-otomatik-olarak-atladklar\"\u003eDosya sistemi kaynağının otomatik olarak atladıkları\u003c/h2\u003e\n\u003cp\u003eTaramaları hızlı ve gürültüsüz tutmak için dosya sistemi kaynağı herhangi bir yapılandırma gerekmeksizin şunları atlar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eİkili dosyalar\u003c/strong\u003e — dosyanın ilk 8 KB'ında null byte bulunmasıyla tespit edilir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBilinen ikili uzantılar\u003c/strong\u003e — yaygın derlenmiş, görsel, ses, video ve arşiv biçimleri.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKilit dosyaları\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e ve benzerleri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"dosya-sistemine-zg\"\u003eDosya sistemine özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (tekrarlanabilir)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob desenleri. Birden fazla kez belirtilebilir veya virgülle ayrılabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eGeçerli dizini tarayın ve terminalde renklendirilmiş bir tablo yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTest dosyalarını ve vendor dizinlerini dışlayıp GitHub Code Scanning için SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir monorepo için dosya boyutunu sınırlayın ve çalışan sayısını artırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca yüksek önem dereceli bulguları gösterip rotasyon talimatlarını dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yollar-dlama\"\u003eYolları dışlama\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--exclude\u003c/code\u003e bayrağı glob desenlerini kabul eder ve birden fazla kez belirtilebilir ya da virgülle ayrılmış liste olarak kullanılabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki ayrı bayrak\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Virgülle ayrılmış\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTakımınızla paylaşılan kalıcı dışlama kuralları için \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasına \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında ekleyin. Bu kurallar yalnızca dosya sistemi taramalarına değil, tüm kaynaklara uygulanır. Proje kök dizininizde bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası da oluşturabilirsiniz. Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e ve \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e sayfalarına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (yapılandırma hatası, okunamayan yol, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti (kaynak türü, hedef, dosya sayısı, süre ve bulgu sayısı) yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGeliştirme sırasında \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e komutunu çalıştırarak hızlı bir görsel genel bakış elde edin. CI hatlarında GitHub Code Scanning ile entegrasyon için \u003ccode\u003e--format sarif\u003c/code\u003e seçeneğine geçin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — varsayılan biçimi, dışlamaları ve daha fazlasını yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e ve satır içi baskılama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — çalışma ağacı yerine commit edilmiş geçmişi tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git Geçmişi","description":"Yerel veya uzak bir Git deposunun tüm commit geçmişini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"git-gemii\"\u003eGit Geçmişi\u003c/h1\u003e\n\u003cp\u003eCommit edilip sonradan silinen bir sır, önceki her commit'te hâlâ mevcuttur ve depoya erişimi olan herkes tarafından ulaşılabilir durumdadır. \u003ccode\u003eleakwatch scan git\u003c/code\u003e, bir deponun — yerel veya uzak — \u003cem\u003etüm\u003c/em\u003e commit geçmişini dolaşarak bu sırları, istismar edilmeden önce gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: depoya giden \u003cstrong\u003eyerel dosya sistemi yolu\u003c/strong\u003e (geçerli dizin için \u003ccode\u003e.\u003c/code\u003e) ya da \u003cstrong\u003euzak HTTP/HTTPS veya SSH URL'si\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch tüm Git işlemleri için \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e kullanır; bu, sistem \u003ccode\u003egit\u003c/code\u003e ikili dosyasına bağımlılığı olmayan saf bir Go uygulamasıdır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizindeki yerel depoyu tara\nleakwatch scan git .\n\n# HTTPS üzerinden uzak bir depoyu tara\nleakwatch scan git https://github.com/org/repo.git\n\n# SSH üzerinden tara\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch geçmişteki her commit'i dolaşır ve her commit tarafından eklenen blob'ları inceler. \u003cstrong\u003eBlob-hash tekilleştirmesi\u003c/strong\u003e, aynı dosya içeriğinin kaç commit tarafından referans alındığından bağımsız olarak yalnızca bir kez taranmasını sağlar. Bu, tarama süresini ham commit sayısı yerine depodaki \u003cem\u003ebenzersiz içerik\u003c/em\u003e miktarıyla orantılı tutar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch commit-bazlı diff'leri incelediğinden, sonradan silinen — yani mevcut çalışma ağacında görünmeyen — sırları da bulur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"gite-zg\"\u003eGit'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit hash'inden HEAD'e kadar olan değişiklikleri tara (diff tabanlı).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan yerine belirli bir dalı hedef al.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eYalnızca uzak depolar\u003c/strong\u003e için klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eYerel deponun tam geçmişini tarayın ve tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003edevelop\u003c/code\u003e dalında belirli bir tarihten sonraki commit'leri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir commit'ten bu yana tanıtılan değişiklikleri tarayın (CI'da yeni commit'leri kontrol etmek için kullanışlıdır):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir uzak depoyu hızlandırmak için sığ klonlama yapın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak depoyu tarayıp yalnızca doğrulanmış bulguları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eGit taramasından elde edilen her bulgu commit meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan deponun URL'si veya yolu (kimlik bilgileri ayıklanmış).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın tanıtıldığı commit hash'i.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit yazarının adı ve e-postası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit zaman damgası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDal bağlamı (kullanılabilir olduğunda).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePull request CI işlerinde yalnızca PR tarafından eklenen commit'leri taramak için \u003ccode\u003e--since-commit\u003c/code\u003e kullanın. Son aktiviteyi kapsayan zamanlanmış gece taramaları için \u003ccode\u003e--since \u0026lt;tarih\u0026gt;\u003c/code\u003e tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'leri gömülü kimlik bilgileri içeriyorsa (örn. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch bu bilgileri günlüklere veya çıktıya yazmadan önce URL'den ayırır; bu sayede token tarama sonuçlarında veya CI izlerinde hiçbir zaman görünmez.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (geçersiz URL, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eÇoklu Depo\u003c/a\u003e — tek komutla birden fazla depoyu tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — geçmiş yerine çalışma ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Çoklu Depo","description":"Birden fazla Git deposunu eşzamanlı olarak tarayın ve sonuçları tek bir raporda birleştirin.","html":"\u003ch1 id=\"oklu-depo\"\u003eÇoklu Depo\u003c/h1\u003e\n\u003cp\u003eBir kuruluş büyüdükçe sırlar düzinelerce hatta yüzlerce deponun herhangi birine yerleşebilir. Bunları tek tek kontrol etmek pratik değildir. \u003ccode\u003eleakwatch scan repos\u003c/code\u003e, birden fazla depo URL'sini alır, bunları eşzamanlı olarak tarar ve tüm bulguları tek bir çıktıda birleştirir — tek komut, tek rapor.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut \u003cstrong\u003een az iki\u003c/strong\u003e depo URL'si gerektirir. Tüm depolar otomatik olarak klonlanır, taranır ve temizlenir. Sonunda birleşik bulgu sayısı ve tek bir tarama özeti raporlanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"nasl-alr\"\u003eNasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch aynı anda en fazla \u003ccode\u003e--parallel\u003c/code\u003e sayıda depo taraması başlatır. Her depo:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eSağlanan URL'den klonlanır (güvenlik açısından kimlik bilgileri günlüklerden ve çıktıdan ayıklanır).\u003c/li\u003e\n\u003cli\u003eTam tespit hattıyla taranır; bu depo için \u003ccode\u003e--concurrency\u003c/code\u003e sayıda çalışan kullanılır.\u003c/li\u003e\n\u003cli\u003eTarama tamamlandığında temizlenir (geçici klon silinir).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eTüm depolardan elde edilen bulgular toplanır ve tek bir kaynaktan yapılmış tarama gibi tek bir çıktı olarak yazılır. Görüntülenen hedef \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e (N depo) şeklindedir.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"oklu-depoya-zg\"\u003eÇoklu depoya özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eDepo başına\u003c/strong\u003e eşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasındaki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları tüm depolara uygulanır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eİki depoyu tarayın ve sonuçları tablo olarak görüntüleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeş depoyu daha yüksek paralellik ile tarayın ve birleşik sonuçları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDepo başına daha fazla çalışan kullanarak yalnızca doğrulanmış bulguları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"paralellii-ayarlama\"\u003eParalelliği ayarlama\u003c/h2\u003e\n\u003cp\u003eVerimi kontrol eden iki parametre vardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e, kaç depo klonlama ve taramasının aynı anda çalışacağını kontrol eder. Varsayılan \u003ccode\u003e3\u003c/code\u003e, çoğu iş yükü için uygundur. Ağ bant genişliği ve CPU kapasitesi izin verdiğinde artırın; kısıtlı makinelerde düşürün.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e), her bir depodaki dosya blob'larını işleyen çalışan goroutine sayısını kontrol eder. Bu, tüm tarama komutlarında bulunan aynı bayraktır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTepe noktasındaki toplam eşzamanlı işlem = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBir veya daha fazla depo taraması başarısız olursa (örneğin ağ hatası veya kimlik doğrulama sorunu nedeniyle), Leakwatch hatayı günlüğe kaydeder ve kalan depoları taramaya devam eder. Diğer depolar bulgu üretmiş olsa bile herhangi bir depo taraması başarısız olursa çıkış kodu \u003ccode\u003e2\u003c/code\u003e olur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'lerindeki gömülü kimlik bilgileri (örn. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), URL günlüklere, çıktıya veya tarama özetine yazılmadan önce ayıklanır.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir veya daha fazla depo taraması başarısız oldu ya da yapılandırma hatası oluştu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — tek bir depoyu derinlemesine tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tüm kaynaklar için paylaşılan varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Çalışma Alanı","description":"Slack kanal ve DM mesaj metinlerini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"slack-alma-alan\"\u003eSlack Çalışma Alanı\u003c/h1\u003e\n\u003cp\u003eGeliştiriciler çoğu zaman kimlik bilgilerini sohbet üzerinden paylaşır — hızlı bir test için bir kanala yapıştırılan token, DM ile gönderilen parola ya da bir olay başlığında söz edilen API anahtarı. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e, Slack çalışma alanınızdaki mesaj metinlerini okur ve bulduğu sırları işaretler.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e tarar. Yüklenen dosyaların (ekler, snippet'ler) içeriğini taramak uygulanmamıştır. Yalnızca mesajların metin gövdesi analiz edilir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003cstrong\u003ekonumsal argüman almaz\u003c/strong\u003e. Tüm yapılandırma bayraklar veya ortam değişkenleri aracılığıyla sağlanır.\u003c/p\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eBir Slack Bot Token gereklidir. \u003ccode\u003e--token\u003c/code\u003e bayrağı veya \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni aracılığıyla sağlayın. Ortam değişkeni kullanmak önerilir; böylece token kabuk geçmişinde veya süreç listelerinde asla görünmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"gerekli-bot-token-kapsamlar\"\u003eGerekli bot token kapsamları\u003c/h3\u003e\n\u003cp\u003eBot token'ı, aşağıdaki OAuth kapsamlarına sahip bir Slack uygulamasıyla ilişkilendirilmiş olmalıdır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKapsam\u003c/th\u003e\n\u003cth\u003eAmaç\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı genel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı özel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrup doğrudan mesajlarını oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"slacke-zg\"\u003eSlack'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni tercih edilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003etüm kanallar\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eBu tarihte veya sonrasında gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları ve grup DM'lerini de tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API istek sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eDahili parça boyutu sınırı (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eToken için ortam değişkeni kullanarak botun erişebildiği tüm kanalları tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli kanalları tarayın ve yılın başından bu yana gönderilen mesajlarla sınırlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGürültülü kanalları dışlayın ve doğrudan mesajları dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük çalışma alanlarında Slack hız sınırı hatalarını önlemek için API istek hızını düşürün:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif bulguları bir JSON dosyasına kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eSlack taramasından elde edilen her bulgu mesaj ve kanal meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği kanal adı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack mesaj zaman damgası (benzersiz mesaj kimliği).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMesaj yazarının Slack kullanıcı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performans-deerlendirmeleri\"\u003ePerformans değerlendirmeleri\u003c/h2\u003e\n\u003cp\u003eSlack API istekleri, Slack tarafından uygulanan hız sınırlarına tabidir. \u003ccode\u003e--rate-limit\u003c/code\u003e bayrağı (varsayılan saniyede \u003ccode\u003e20\u003c/code\u003e istek), Leakwatch'ın istekleri ne kadar agresif yapacağını kontrol eder. Özellikle büyük çalışma alanlarında \u003ccode\u003e429 Too Many Requests\u003c/code\u003e hatası alıyorsanız bu değeri düşürün.\u003c/p\u003e\n\u003cp\u003eHer çalıştırmada tüm çalışma alanını taramak yerine belirli kanalları hedeflemek için \u003ccode\u003e--channels\u003c/code\u003e kullanın. Mesajları artımlı biçimde taramak için \u003ccode\u003e--since\u003c/code\u003e ile birleştirin.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (eksik token, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — commit edilmiş geçmişi sırlara karşı tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"Doğrulama Nasıl Çalışır","description":"Leakwatch'ın tespit edilen bir sırrın hâlâ aktif olup olmadığını nasıl teyit ettiği, hangi doğrulama modlarını kullandığı ve doğrulamanın nasıl yapılandırılacağı veya devre dışı bırakılacağı.","html":"\u003ch1 id=\"dorulama-nasl-alr\"\u003eDoğrulama Nasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eBir kod tabanında sır bulmak hikayenin yalnızca yarısıdır. Altı ay önce döndürülen bir anahtar gürültüdür; hâlâ canlı olan bir anahtar ise aktif bir olayı temsil eder. Doğrulama, bu çizgiyi çizen adımdır — tespit edilen her bulguyu alır ve mümkün olan durumlarda sırrın sağlayıcıda hâlâ geçerli olup olmadığını teyit eder.\u003c/p\u003e\n\u003ch2 id=\"tespiten-dorulamaya\"\u003eTespiten doğrulamaya\u003c/h2\u003e\n\u003cp\u003eTarama motoru bulguları topladıktan sonra doğrulayıcı havuzu onları işlemeye alır. Her bulgu bir \u003ccode\u003edetector_id\u003c/code\u003e taşır; Leakwatch bu ID için kayıtlı bir doğrulayıcı olup olmadığını arar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBir doğrulayıcı mevcutsa çalışır ve bir durum döndürür.\u003c/li\u003e\n\u003cli\u003eO dedektör türü için kayıtlı bir doğrulayıcı yoksa bulgu değiştirilmeden \u003ccode\u003eunverified\u003c/code\u003e durumuyla geçer.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ki-dorulama-modu\"\u003eİki doğrulama modu\u003c/h2\u003e\n\u003cp\u003eTüm sırlar aynı şekilde doğrulanamaz. Leakwatch, her kimlik bilgisi türü için güvenli olan yaklaşıma göre iki farklı yöntem kullanır.\u003c/p\u003e\n\u003ch3 id=\"canl-api-dorulamas\"\u003eCanlı API doğrulaması\u003c/h3\u003e\n\u003cp\u003eYaklaşık 49 dedektör türü için Leakwatch, sağlayıcıya \u003cstrong\u003ekontrollü, salt-okunur bir API çağrısı\u003c/strong\u003e yapar — örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, GitHub token'ları için \u003ccode\u003eGET /user\u003c/code\u003e. Çağrı yalnızca kimliği doğrulamak için gereken minimum uç noktayı kullanır; hiçbir zaman veri değiştirmez, kaynak oluşturmaz veya faturalandırma olayı tetiklemez.\u003c/p\u003e\n\u003cp\u003eSağlayıcı başarılı bir yanıt döndürürse bulgu \u003ccode\u003everified_active\u003c/code\u003e olarak işaretlenir. Sağlayıcı kimlik bilgisini reddederse (örneğin HTTP 401 veya 403 ile) bulgu \u003ccode\u003everified_inactive\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"yalnzca-format-dorulamas\"\u003eYalnızca format doğrulaması\u003c/h3\u003e\n\u003cp\u003eBeş kimlik bilgisi türü için güvenli bir canlı kontrol mevcut değildir — sağlayıcının anonim bir kimlik uç noktası yoktur ya da gerçek bir çağrı yan etkiye yol açar. Bu durumlar için Leakwatch, herhangi bir ağ isteği yapmadan kimlik bilgisinin yapısını doğrular:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e alanlarının varlığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca format kontrolü — geçerli bir format hiçbir şeyi kanıtlamaz, sonuç her zaman \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFormat kontrolü geçse bile sonuç \u003ccode\u003eunverified\u003c/code\u003e olarak kalır. Yapısal olarak geçerli bir kimlik bilgisi süresi dolmuş veya iptal edilmiş olabilir. Bu bulgular her zaman manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama-durumlar\"\u003eDoğrulama durumları\u003c/h2\u003e\n\u003cp\u003eLeakwatch çıktısındaki her bulgu dört durumdan birini taşır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDurum\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen eylem\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın sağlayıcı tarafından canlı olduğu teyit edildi.\u003c/td\u003e\n\u003ctd\u003eAktif bir olay olarak ele alın. Hemen döndürün.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcı kimlik bilgisini reddetti.\u003c/td\u003e\n\u003ctd\u003eMuhtemelen zaten döndürülmüş. Bağlamı gözden geçirin ve kapatın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBu tür için doğrulayıcı yok, format doğrulaması sonuç vermedi veya doğrulama devre dışı bırakıldı.\u003c/td\u003e\n\u003ctd\u003eManuel olarak inceleyin; risk bağlama göre belirlenir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulayıcı çalıştı ancak ağ hatası, zaman aşımı veya beklenmedik yanıtla karşılaştı.\u003c/td\u003e\n\u003ctd\u003ePotansiyel olarak aktif kabul edin. Yeniden deneyin veya manuel olarak inceleyin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulama-motoru\"\u003eDoğrulama motoru\u003c/h2\u003e\n\u003cp\u003eDoğrulama, tarama çalışan havuzundan yalıtılmış ayrı bir eşzamanlı çalışan havuzunda çalışır. Sağlayıcı hız sınırlarını tetiklememek için varsayılanlar temkinlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAyar\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇalışan sayısı\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal hız sınırı\u003c/td\u003e\n\u003ctd\u003e10 istek/saniye\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eİstek başına zaman aşımı\u003c/td\u003e\n\u003ctd\u003e10 sn\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer üç değer de \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003everification:\u003c/code\u003e bloğu altında ayarlanabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # global, saniye başına istek sayısı\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYüzlerce bulgu tetikleyen bir depoyu tarıyorsanız \u003ccode\u003erate-limit\u003c/code\u003e değerini 5'e düşürmeyi veya \u003ccode\u003e--only-verified\u003c/code\u003e etkinleştirmeyi düşünün; bu, doğrulanmış-aktif kümesini küçük ve uygulanabilir tutar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"komut-satrndan-dorulamay-kontrol-etme\"\u003eKomut satırından doğrulamayı kontrol etme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--no-verify\u003c/code\u003e ile \u003cstrong\u003edoğrulamayı tamamen devre dışı bırakın\u003c/strong\u003e (ya da yapılandırmada \u003ccode\u003everification.enabled: false\u003c/code\u003e ayarlayın). Her bulgu \u003ccode\u003eunverified\u003c/code\u003e olarak geçer. Bunu çevrimdışı veya hava boşluklu ortamlar için ya da herhangi bir sağlayıcı API'sine dokunmadan mümkün olan en hızlı taramayı istediğinizde kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eYalnızca canlı olduğu doğrulanan sırları görmek\u003c/strong\u003e için \u003ccode\u003e--only-verified\u003c/code\u003e kullanın. \u003ccode\u003everified_active\u003c/code\u003e olmayan her şey çıktıdan düşürülür. Bu, büyük bir sonuç kümesini önceliklendirmenin en hızlı yoludur — yalnızca hemen harekete geçmeniz gereken anahtarları görürsünüz.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e ve \u003ccode\u003everify_error\u003c/code\u003e bulgularını sessizce düşürür. Bunu uyumluluk bağlamında tek filtreniz olarak kullanmayın — bazı kimlik bilgisi türleri (JWT'ler, genel API anahtarları, özel anahtarlar) hiçbir zaman doğrulanamaz ve her zaman dışarıda kalır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eDoğrulama, ham sır değerinin süreç sınırını güvensiz biçimde asla terk etmeyecek şekilde tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDoğrulayıcılar sırrı TLS üzerinden doğrudan sağlayıcının HTTP uç noktasına iletir — diske yazılmaz, bir loga gönderilmez ve çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003cli\u003eBaşlatılamayan veya panikle karşılaşan bir doğrulayıcı motor tarafından yakalanır; motor, bulguyu \u003ccode\u003everify_error\u003c/code\u003e olarak işaretler ve taramayı çökertmeden devam eder.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektör türlerinin canlı doğrulandığı, format doğrulandığı veya hiç doğrulanamadığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003everification:\u003c/code\u003e bloğunun tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e — doğrulama durumunun JSON, SARIF, CSV ve tablo çıktısında nasıl göründüğü.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Doğrulama Kapsamı","description":"63 yerleşik dedektörün hangilerinin canlı doğrulandığı, yalnızca format doğrulandığı veya doğrulanamaz olduğu ve bunun önceliklendirme açısından ne anlama geldiği.","html":"\u003ch1 id=\"dorulama-kapsam\"\u003eDoğrulama Kapsamı\u003c/h1\u003e\n\u003cp\u003eLeakwatch 63 yerleşik dedektör ve 54 doğrulayıcı ile gelir; bu, \u003cstrong\u003e%85,7\u003c/strong\u003e kapsama oranı sağlar (63 dedektör türünün 54'ünün bir tür doğrulaması mevcuttur). Bu sayfa, çıktınızda ne beklemeniz gerektiğini bilmeniz için her dedektörü doğrulama durumuna göre eşler.\u003c/p\u003e\n\u003ch2 id=\"canl-dorulanan-49-dedektr-tr\"\u003eCanlı doğrulanan (49 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu türler için Leakwatch, sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar ve \u003ccode\u003everified_active\u003c/code\u003e ya da \u003ccode\u003everified_inactive\u003c/code\u003e döndürür. Hiçbir veri oluşturulmaz veya değiştirilmez; çağrı, kimliği doğrulamak için gereken minimum uç noktayı kullanır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör türü\u003c/th\u003e\n\u003cth\u003eSağlayıcı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yalnzca-format-dorulamas-5-dedektr-tr\"\u003eYalnızca format doğrulaması (5 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu doğrulayıcılar tamamen çevrimdışı çalışır. Hiçbir ağ isteği yapılmaz. Geçerli bir format kimlik bilgisinin aktif olduğunu kanıtlamadığından, beşi de format kontrolünün geçip geçmediğinden bağımsız olarak her zaman \u003ccode\u003eunverified\u003c/code\u003e döndürür.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003cth\u003eNeden canlı kontrol yok\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol, yan etkileri olan GCP OAuth2 token değişimi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003ctd\u003eHerkese açık kimlik doğrulamasız sağlık uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eParola uzunluğu ve host alt dize kontrolü\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol bir JDBC/ODBC veritabanı bağlantısı gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eHesap başına HMAC imzalama gerektirir; genel kimlik uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eİstemci kimlik bilgisi akışı oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulanamaz-9-dedektr-tr\"\u003eDoğrulanamaz (9 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu dedektör türlerinin hiç doğrulayıcısı yoktur. Bunlardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e olur. Bu durum önemsiz oldukları anlamına \u003cstrong\u003egelmez\u003c/strong\u003e — tam olarak tespit edilip raporlanırlar — ancak herkese açık bir doğrulama API'si bulunmamakta ya da herhangi bir doğrulama girişimi yan etkiye yol açmaktadır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eNeden\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJWT herhangi bir tarafça yayınlanabilir; evrensel bir doğrulama uç noktası yoktur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇağrılacak sağlayıcı yok; aktif kullanım uzaktan tespit edilemez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanım gereği bilinmeyen sağlayıcı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak hedef veritabanında oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak Redis örneğinde canlı bağlantı açar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGüvenli, salt-okunur FTP yoklama yöntemi yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind kimliği doğrulanmış bir oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWebhook'un aktif olduğunu doğrulamak mesaj göndermeyi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token doğrulaması, Vault uç noktasının bilinmesini gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Doğrulanamaz\u0026quot; \u0026quot;bulunamaz\u0026quot; anlamına gelmez. Bu 9 türün tamamı yine de tespit edilir ve çıktınızda görünür. Kimlik bilgisinin canlı olup olmadığını ve döndürülmesi gerekip gerekmediğini belirlemek için manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kapsam-zeti\"\u003eKapsam özeti\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKategori\u003c/th\u003e\n\u003cth\u003eSayı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eCanlı doğrulanan\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eYalnızca format doğrulaması\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDoğrulanamaz\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eToplam dedektör\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDoğrulayıcı (herhangi bir kapsam)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (%85,7)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — iki doğrulama modu, durumlar ve doğrulama motoru.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — yerleşik dedektörlerin tam listesi ve şiddet seviyeleri.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; diff --git a/site/js/translations.js b/site/js/translations.js new file mode 100644 index 0000000..8a2c4e2 --- /dev/null +++ b/site/js/translations.js @@ -0,0 +1,295 @@ +/* UI translation tables for the Leakwatch site (marketing chrome, contact page, + and docs shell). Manual page content is translated separately in + js/manuals/.js. Keys are dot-paths referenced via + data-i18n / data-i18n-html / data-i18n-attr. */ +window.LW_T = { + en: { + "meta.home.title": "Leakwatch — Detect, verify & report leaked secrets", + "meta.home.desc": "Leakwatch is a fast, open-source security tool that detects, verifies, and reports leaked secrets across code, Git history, containers, and the cloud.", + "meta.docs.title": "Documentation — Leakwatch", + "meta.docs.desc": "Leakwatch user manual: installation, scanning sources, verification, detectors, configuration, output, and CI/CD integration.", + "meta.contact.title": "Contact — Leakwatch", + "meta.contact.desc": "Get in touch with the Leakwatch team — questions, bug reports, feature requests, and security disclosures.", + "a11y.skip": "Skip to content", + + "classbar.left": "⬤ Classified — Leakwatch field report", + "classbar.right": "Declassify on scan", + + "nav.howitworks": "How it works", + "nav.sources": "Sources", + "nav.detectors": "Detectors", + "nav.docs": "Docs", + "nav.contact": "Contact", + "nav.runscan": "▸ Run scan", + "nav.getstarted": "Get started", + + "hero.eyebrow": "Open-source secret scanner · MIT", + "hero.title": "Some secrets shouldn't be visible.
Leakwatch finds the ones that are.", + "hero.lede": "Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.", + "hero.cta.run": "▸ Run the scan", + "hero.cta.docs": "Read the dossier", + "hero.kv": "63 detectors · 54 live verifiers · 6 sources · exit-code aware", + "hero.doc.redacted": "3 REDACTED", + "hero.doc.hint": "hover a redaction to reveal it", + + "stats.detectors": "secret detectors", + "stats.verifiers": "live verifiers", + "stats.sources": "scan sources", + "stats.formats": "output formats", + + "case.title": "The case file", + "case.intro": "Every finding is logged like evidence: what it is, where it was found, how severe it is, and whether the key is still live. Verified-active keys are incidents — the rest is triage.", + "case.col.sev": "Severity", + "case.col.det": "Detector / location", + "case.col.status": "Status", + "case.col.action": "Action", + "case.rotate": "rotate now", + "case.review": "review", + + "points.title": "Six watch points", + "points.intro": "Secrets leak through more than source files. Leakwatch reaches into history, build artifacts, the cloud, and chat.", + "points.fs.t": "Filesystem", + "points.fs.d": "Walk a directory tree; skip binaries and lock files automatically.", + "points.git.t": "Git history", + "points.git.d": "Every commit — recover secrets that were committed and later deleted.", + "points.image.t": "Container images", + "points.image.d": "Inspect OCI/Docker image layers directly. No Docker daemon required.", + "points.s3.t": "AWS S3", + "points.s3.d": "Bucket objects via your existing AWS credential chain.", + "points.gcs.t": "Google Cloud", + "points.gcs.d": "Cloud Storage objects with Application Default Credentials.", + "points.slack.t": "Slack", + "points.slack.d": "Message text across channels and DMs for pasted credentials.", + + "chain.title": "Chain of custody", + "chain.intro": "A keyword pre-filter shortlists candidate detectors before any regex runs, so scans stay fast even across full Git history.", + "chain.s1.t": "Source", + "chain.s1.d": "Stream chunks from files, Git, images, cloud, or Slack.", + "chain.s2.t": "Pre-filter", + "chain.s2.d": "Aho-Corasick keyword matching shortlists detectors.", + "chain.s3.t": "Match", + "chain.s3.d": "Shortlisted detectors run precise regex patterns.", + "chain.s4.t": "Verify", + "chain.s4.d": "Eligible findings are checked against the live provider API.", + "chain.s5.t": "Report", + "chain.s5.d": "Filter by severity; emit JSON, SARIF, CSV, or a table.", + + "verify.title": "Is it still live?", + "verify.intro": "Detection is half the job. For most secret types, Leakwatch makes a controlled, read-only API call to the provider to confirm whether a key is active — separating real incidents from noise.", + "verify.live.k": "Live verified", + "verify.live.d": "A read-only API call confirms the key is active or inactive.", + "verify.fmt.k": "Format checked", + "verify.fmt.d": "Validated by structure where no safe live check exists.", + "verify.no.k": "Not verifiable", + "verify.no.d": "No public verification API (e.g. JWTs, private keys) — still detected, triaged manually.", + + "formats.title": "Reports that fit your workflow", + "formats.json": "Structured findings for tooling and automation.", + "formats.sarif": "v2.1.0 — upload straight to GitHub Code Scanning.", + "formats.csv": "Spreadsheet-ready, sanitized against formula injection.", + "formats.table": "Colorized terminal output for local triage.", + + "index.title": "Redacted index — 63 detectors", + "index.intro": "A sample of the catalog. 54 of these can be verified against the live provider. Add your own with YAML custom rules.", + "index.more": "+ 45 more · view full catalog →", + + "cta.title": "Declassify your repo", + "cta.subtitle": "One static binary. No daemon, no runtime dependencies. Install it your way.", + "cta.button": "Read the documentation", + + "footer.tagline": "Open-source secret scanning that detects, verifies, and reports leaked credentials before they're abused.", + "footer.product": "Product", + "footer.docs": "Documentation", + "footer.project": "Project", + "footer.intro": "Introduction", + "footer.quickstart": "Quick Start", + "footer.cli": "CLI Reference", + "footer.action": "GitHub Action", + "footer.releases": "Releases", + "footer.issues": "Issues", + "footer.license": "License (MIT)", + "footer.copyright": "© 2026 Leakwatch Contributors. Released under the MIT License.", + + "docs.search": "Search the manual…", + "docs.loading": "Loading documentation…", + "docs.notfound": "Page not found. Pick a topic from the sidebar.", + "docs.prev": "Previous", + "docs.next": "Next", + "docs.searchempty": "No pages match your search.", + "docs.onthispage": "On this page", + + "contact.classbar": "Secure channel · open", + "contact.title": "Open a secure channel", + "contact.intro": "Questions about Leakwatch, a bug to report, or an idea to share? Send a message below, or use one of the channels on the right. We never ask for secrets — please don't paste real credentials.", + "contact.f.name": "Name", + "contact.f.name.ph": "Your name", + "contact.f.email": "Email", + "contact.f.email.ph": "you@example.com", + "contact.f.subject": "Subject", + "contact.s.general": "General question", + "contact.s.bug": "Bug report", + "contact.s.feature": "Feature request", + "contact.s.other": "Other", + "contact.f.message": "Message", + "contact.f.message.ph": "How can we help?", + "contact.f.submit": "▸ Transmit message", + "contact.f.note": "We use your email only to reply. No tracking, no newsletter.", + "contact.f.sending": "Transmitting…", + "contact.f.ok": "Message sent. We'll get back to you soon.", + "contact.f.err": "Something went wrong. Please email us via GitHub instead.", + "contact.ch.issues.t": "Bugs & feature requests", + "contact.ch.issues.d": "Open an issue on GitHub — the fastest way to reach maintainers.", + "contact.ch.issues.a": "github.com/HodeTech/Leakwatch/issues →", + "contact.ch.sec.t": "Security disclosure", + "contact.ch.sec.d": "Found a vulnerability? Report it privately via a GitHub security advisory.", + "contact.ch.sec.a": "Open a private advisory →", + "contact.ch.docs.t": "Read the docs first", + "contact.ch.docs.d": "Most questions are answered in the bilingual user manual.", + "contact.ch.docs.a": "Browse the documentation →" + }, + + tr: { + "meta.home.title": "Leakwatch — Sızan sırları tespit edin, doğrulayın ve raporlayın", + "meta.home.desc": "Leakwatch; kod, Git geçmişi, konteynerler ve bulut genelinde sızan sırları tespit eden, doğrulayan ve raporlayan hızlı, açık kaynaklı bir güvenlik aracıdır.", + "meta.docs.title": "Dokümantasyon — Leakwatch", + "meta.docs.desc": "Leakwatch kullanıcı kılavuzu: kurulum, tarama kaynakları, doğrulama, dedektörler, yapılandırma, çıktı ve CI/CD entegrasyonu.", + "meta.contact.title": "İletişim — Leakwatch", + "meta.contact.desc": "Leakwatch ekibiyle iletişime geçin — sorular, hata bildirimleri, özellik istekleri ve güvenlik açığı bildirimleri.", + "a11y.skip": "İçeriğe geç", + + "classbar.left": "⬤ Gizli — Leakwatch saha raporu", + "classbar.right": "Taramada ifşa olur", + + "nav.howitworks": "Nasıl çalışır", + "nav.sources": "Kaynaklar", + "nav.detectors": "Dedektörler", + "nav.docs": "Dokümanlar", + "nav.contact": "İletişim", + "nav.runscan": "▸ Taramayı çalıştır", + "nav.getstarted": "Başlayın", + + "hero.eyebrow": "Açık kaynak sır tarayıcı · MIT", + "hero.title": "Bazı sırlar görünür olmamalı.
Leakwatch görünür olanları bulur.", + "hero.lede": "Sızan API anahtarlarını, token'ları ve kimlik bilgilerini kodda, Git geçmişinde, konteynerlerde ve bulutta tespit edin, doğrulayın ve raporlayın — sonra sansürlerin kalkışını izleyin.", + "hero.cta.run": "▸ Taramayı çalıştır", + "hero.cta.docs": "Dosyayı okuyun", + "hero.kv": "63 dedektör · 54 canlı doğrulayıcı · 6 kaynak · çıkış-kodu duyarlı", + "hero.doc.redacted": "3 REDAKTE", + "hero.doc.hint": "bir redaksiyonun üzerine gelin, açılsın", + + "stats.detectors": "sır dedektörü", + "stats.verifiers": "canlı doğrulayıcı", + "stats.sources": "tarama kaynağı", + "stats.formats": "çıktı formatı", + + "case.title": "Vaka dosyası", + "case.intro": "Her bulgu bir kanıt gibi kaydedilir: ne olduğu, nerede bulunduğu, ne kadar ciddi olduğu ve anahtarın hâlâ etkin olup olmadığı. Etkin olduğu doğrulanmış anahtarlar birer olaydır — gerisi triyajdır.", + "case.col.sev": "Önem", + "case.col.det": "Dedektör / konum", + "case.col.status": "Durum", + "case.col.action": "Eylem", + "case.rotate": "hemen döndür", + "case.review": "incele", + + "points.title": "Altı gözetleme noktası", + "points.intro": "Sırlar yalnızca kaynak dosyalardan sızmaz. Leakwatch geçmişe, derleme çıktılarına, buluta ve sohbete uzanır.", + "points.fs.t": "Dosya sistemi", + "points.fs.d": "Bir dizin ağacını gezer; ikili dosyaları ve kilit dosyalarını otomatik atlar.", + "points.git.t": "Git geçmişi", + "points.git.d": "Her commit — eklenip sonradan silinmiş sırları kurtarır.", + "points.image.t": "Konteyner imajları", + "points.image.d": "OCI/Docker imaj katmanlarını doğrudan inceler. Docker daemon'u gerekmez.", + "points.s3.t": "AWS S3", + "points.s3.d": "Mevcut AWS kimlik zincirinizle kova nesnelerini tarar.", + "points.gcs.t": "Google Cloud", + "points.gcs.d": "Application Default Credentials ile Cloud Storage nesnelerini tarar.", + "points.slack.t": "Slack", + "points.slack.d": "Kanallar ve DM'lerdeki mesaj metnini yapıştırılmış kimlik bilgileri için tarar.", + + "chain.title": "Delil zinciri", + "chain.intro": "Bir anahtar kelime ön-filtresi, herhangi bir regex çalışmadan önce aday dedektörleri kısa listeler; böylece taramalar tüm Git geçmişinde bile hızlı kalır.", + "chain.s1.t": "Kaynak", + "chain.s1.d": "Dosyalardan, Git'ten, imajlardan, buluttan veya Slack'ten parçalar akıtır.", + "chain.s2.t": "Ön-filtre", + "chain.s2.d": "Aho-Corasick anahtar kelime eşleştirmesi dedektörleri kısa listeler.", + "chain.s3.t": "Eşleştirme", + "chain.s3.d": "Kısa listedeki dedektörler kesin regex desenlerini çalıştırır.", + "chain.s4.t": "Doğrulama", + "chain.s4.d": "Uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir.", + "chain.s5.t": "Raporlama", + "chain.s5.d": "Önem derecesine göre filtreler; JSON, SARIF, CSV veya tablo üretir.", + + "verify.title": "Hâlâ etkin mi?", + "verify.intro": "Tespit işin yarısıdır. Çoğu sır türü için Leakwatch, bir anahtarın etkin olup olmadığını teyit etmek üzere sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar — gerçek olayları gürültüden ayırır.", + "verify.live.k": "Canlı doğrulanan", + "verify.live.d": "Salt-okunur bir API çağrısı anahtarın etkin veya etkisiz olduğunu teyit eder.", + "verify.fmt.k": "Format kontrollü", + "verify.fmt.d": "Güvenli bir canlı kontrolün olmadığı yerlerde yapısına göre doğrulanır.", + "verify.no.k": "Doğrulanamayan", + "verify.no.d": "Genel bir doğrulama API'si yok (örn. JWT'ler, özel anahtarlar) — yine de tespit edilir, elle triyaj yapılır.", + + "formats.title": "İş akışınıza uyan raporlar", + "formats.json": "Araçlar ve otomasyon için yapılandırılmış bulgular.", + "formats.sarif": "v2.1.0 — doğrudan GitHub Code Scanning'e yükleyin.", + "formats.csv": "Hesap tablosuna hazır, formül enjeksiyonuna karşı temizlenmiş.", + "formats.table": "Yerel triyaj için renklendirilmiş terminal çıktısı.", + + "index.title": "Redakteli indeks — 63 dedektör", + "index.intro": "Kataloğun bir örneği. Bunların 54'ü canlı sağlayıcıya karşı doğrulanabilir. YAML özel kurallarıyla kendi dedektörlerinizi ekleyin.", + "index.more": "+ 45 tane daha · tüm kataloğu görüntüle →", + + "cta.title": "Deponuzun gizliliğini kaldırın", + "cta.subtitle": "Tek bir statik ikili dosya. Daemon yok, çalışma zamanı bağımlılığı yok. İstediğiniz yöntemle kurun.", + "cta.button": "Dokümantasyonu okuyun", + + "footer.tagline": "Sızan kimlik bilgilerini kötüye kullanılmadan önce tespit eden, doğrulayan ve raporlayan açık kaynaklı sır taraması.", + "footer.product": "Ürün", + "footer.docs": "Dokümantasyon", + "footer.project": "Proje", + "footer.intro": "Tanıtım", + "footer.quickstart": "Hızlı Başlangıç", + "footer.cli": "CLI Başvurusu", + "footer.action": "GitHub Action", + "footer.releases": "Sürümler", + "footer.issues": "Sorunlar", + "footer.license": "Lisans (MIT)", + "footer.copyright": "© 2026 Leakwatch Katkıda Bulunanlar. MIT Lisansı altında yayımlanmıştır.", + + "docs.search": "Kılavuzda ara…", + "docs.loading": "Dokümantasyon yükleniyor…", + "docs.notfound": "Sayfa bulunamadı. Kenar çubuğundan bir konu seçin.", + "docs.prev": "Önceki", + "docs.next": "Sonraki", + "docs.searchempty": "Aramanızla eşleşen sayfa yok.", + "docs.onthispage": "Bu sayfada", + + "contact.classbar": "Güvenli kanal · açık", + "contact.title": "Güvenli bir kanal açın", + "contact.intro": "Leakwatch hakkında sorular, bildirilecek bir hata veya paylaşılacak bir fikir mi var? Aşağıdan bir mesaj gönderin ya da sağdaki kanallardan birini kullanın. Asla sır istemeyiz — lütfen gerçek kimlik bilgileri yapıştırmayın.", + "contact.f.name": "Ad", + "contact.f.name.ph": "Adınız", + "contact.f.email": "E-posta", + "contact.f.email.ph": "siz@ornek.com", + "contact.f.subject": "Konu", + "contact.s.general": "Genel soru", + "contact.s.bug": "Hata bildirimi", + "contact.s.feature": "Özellik isteği", + "contact.s.other": "Diğer", + "contact.f.message": "Mesaj", + "contact.f.message.ph": "Size nasıl yardımcı olabiliriz?", + "contact.f.submit": "▸ Mesajı ilet", + "contact.f.note": "E-postanızı yalnızca yanıt vermek için kullanırız. Takip yok, bülten yok.", + "contact.f.sending": "İletiliyor…", + "contact.f.ok": "Mesaj gönderildi. En kısa sürede size döneceğiz.", + "contact.f.err": "Bir şeyler ters gitti. Lütfen bunun yerine GitHub üzerinden ulaşın.", + "contact.ch.issues.t": "Hatalar & özellik istekleri", + "contact.ch.issues.d": "GitHub'da bir issue açın — sürdürücülere ulaşmanın en hızlı yolu.", + "contact.ch.issues.a": "github.com/HodeTech/Leakwatch/issues →", + "contact.ch.sec.t": "Güvenlik açığı bildirimi", + "contact.ch.sec.d": "Bir güvenlik açığı mı buldunuz? GitHub güvenlik danışmanlığı (advisory) ile özel olarak bildirin.", + "contact.ch.sec.a": "Özel bir advisory açın →", + "contact.ch.docs.t": "Önce dokümanları okuyun", + "contact.ch.docs.d": "Soruların çoğu çift dilli kullanıcı kılavuzunda yanıtlanıyor.", + "contact.ch.docs.a": "Dokümantasyona göz atın →" + } +}; diff --git a/tools/site-build/.gitignore b/tools/site-build/.gitignore new file mode 100644 index 0000000..26fd08b --- /dev/null +++ b/tools/site-build/.gitignore @@ -0,0 +1,2 @@ +# build output of this tool +/leakwatch-site-build diff --git a/tools/site-build/go.mod b/tools/site-build/go.mod new file mode 100644 index 0000000..d1d043b --- /dev/null +++ b/tools/site-build/go.mod @@ -0,0 +1,14 @@ +// Isolated module for the documentation site build tool. +// +// This tool compiles the Markdown user manuals under docs/user-manuals/ into +// the JavaScript "bags" consumed by the static website (site/). It lives in a +// separate module on purpose so its Markdown/YAML dependencies never leak into +// the main Leakwatch module (which deliberately stays dependency-light). +module leakwatch-site-build + +go 1.25 + +require ( + github.com/yuin/goldmark v1.7.8 + gopkg.in/yaml.v3 v3.0.1 +) diff --git a/tools/site-build/go.sum b/tools/site-build/go.sum new file mode 100644 index 0000000..3ca28b4 --- /dev/null +++ b/tools/site-build/go.sum @@ -0,0 +1,6 @@ +github.com/yuin/goldmark v1.7.8 h1:iERMLn0/QJeHFhxSt3p6PeN9mGnvIKSpG9YYorDMnic= +github.com/yuin/goldmark v1.7.8/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/tools/site-build/main.go b/tools/site-build/main.go new file mode 100644 index 0000000..c40ffa9 --- /dev/null +++ b/tools/site-build/main.go @@ -0,0 +1,319 @@ +// Command site-build compiles the Leakwatch user manuals into the JavaScript +// data files consumed by the static documentation website. +// +// Source layout: +// +// docs/user-manuals/_meta.yaml navigation metadata +// docs/user-manuals//
/.md one Markdown page per topic +// +// Generated output (committed so the site needs no runtime build step): +// +// site/js/manuals/_index.js window.LW_MANUAL_INDEX (navigation tree) +// site/js/manuals/.js window.LW_MANUAL[lang] (rendered page HTML) +// +// The tool locates the repository root automatically by walking up from the +// current working directory until it finds docs/user-manuals/_meta.yaml, so it +// can be run from anywhere in the tree. +package main + +import ( + "encoding/json" + "flag" + "fmt" + "os" + "path/filepath" + "strings" + + "github.com/yuin/goldmark" + "github.com/yuin/goldmark/extension" + "github.com/yuin/goldmark/parser" + gmhtml "github.com/yuin/goldmark/renderer/html" + "gopkg.in/yaml.v3" +) + +// meta mirrors docs/user-manuals/_meta.yaml. +type meta struct { + Languages []string `yaml:"languages"` + DefaultLanguage string `yaml:"default_language"` + Sections []struct { + ID string `yaml:"id"` + Icon string `yaml:"icon"` + Title map[string]string `yaml:"title"` + Pages []struct { + ID string `yaml:"id"` + Title map[string]string `yaml:"title"` + } `yaml:"pages"` + } `yaml:"sections"` +} + +// frontMatter is the YAML header of each Markdown page. +type frontMatter struct { + Title string `yaml:"title"` + Description string `yaml:"description"` +} + +// idx is the JSON shape written to _index.js. +type idx struct { + Languages []string `json:"languages"` + Default string `json:"default"` + Sections []idxSection `json:"sections"` +} + +type idxSection struct { + ID string `json:"id"` + Icon string `json:"icon"` + Title map[string]string `json:"title"` + Pages []idxPage `json:"pages"` +} + +type idxPage struct { + ID string `json:"id"` + Title map[string]string `json:"title"` +} + +// pageDoc is one entry in a per-language bag. +type pageDoc struct { + Title string `json:"title"` + Description string `json:"description"` + HTML string `json:"html"` +} + +func main() { + if err := run(); err != nil { + fmt.Fprintf(os.Stderr, "site-build: %v\n", err) + os.Exit(1) + } +} + +func run() error { + strict := flag.Bool("strict", false, "fail if any manual page is missing for a declared language") + flag.Parse() + + root, err := findRoot() + if err != nil { + return err + } + + metaPath := filepath.Join(root, "docs", "user-manuals", "_meta.yaml") + metaBytes, err := os.ReadFile(metaPath) + if err != nil { + return fmt.Errorf("read meta: %w", err) + } + var m meta + if err := yaml.Unmarshal(metaBytes, &m); err != nil { + return fmt.Errorf("parse meta: %w", err) + } + if len(m.Languages) == 0 { + return fmt.Errorf("no languages declared in _meta.yaml") + } + + outDir := filepath.Join(root, "site", "js", "manuals") + if err := os.MkdirAll(outDir, 0o755); err != nil { + return fmt.Errorf("create output dir: %w", err) + } + + // Navigation index (language-independent). + index := idx{Languages: m.Languages, Default: m.DefaultLanguage} + for _, s := range m.Sections { + sec := idxSection{ID: s.ID, Icon: s.Icon, Title: s.Title} + for _, p := range s.Pages { + sec.Pages = append(sec.Pages, idxPage{ID: p.ID, Title: p.Title}) + } + index.Sections = append(index.Sections, sec) + } + if err := writeJSON(filepath.Join(outDir, "_index.js"), "window.LW_MANUAL_INDEX", index, true); err != nil { + return err + } + + md := newMarkdown() + manualsDir := filepath.Join(root, "docs", "user-manuals") + missing := 0 + + for _, lang := range m.Languages { + bag := map[string]pageDoc{} + for _, s := range m.Sections { + for _, p := range s.Pages { + key := s.ID + "/" + p.ID + src := filepath.Join(manualsDir, lang, s.ID, p.ID+".md") + raw, err := os.ReadFile(src) + if err != nil { + missing++ + fmt.Fprintf(os.Stderr, "site-build: WARNING missing page %s [%s]\n", key, lang) + continue + } + fm, body, err := splitFrontMatter(raw) + if err != nil { + return fmt.Errorf("front matter %s [%s]: %w", key, lang, err) + } + htmlOut, err := renderMarkdown(md, body, lang) + if err != nil { + return fmt.Errorf("render %s [%s]: %w", key, lang, err) + } + bag[key] = pageDoc{Title: fm.Title, Description: fm.Description, HTML: htmlOut} + } + } + target := filepath.Join(outDir, lang+".js") + assign := fmt.Sprintf("window.LW_MANUAL = window.LW_MANUAL || {};\nwindow.LW_MANUAL[%q]", lang) + if err := writeJSON(target, assign, bag, false); err != nil { + return err + } + fmt.Printf("site-build: wrote %s (%d pages)\n", filepath.Base(target), len(bag)) + } + + if missing > 0 && *strict { + return fmt.Errorf("%d manual page(s) missing (strict mode)", missing) + } + return nil +} + +// findRoot walks up from the working directory to the repository root. +func findRoot() (string, error) { + dir, err := os.Getwd() + if err != nil { + return "", err + } + for { + if _, err := os.Stat(filepath.Join(dir, "docs", "user-manuals", "_meta.yaml")); err == nil { + return dir, nil + } + parent := filepath.Dir(dir) + if parent == dir { + return "", fmt.Errorf("could not locate docs/user-manuals/_meta.yaml from working directory") + } + dir = parent + } +} + +func newMarkdown() goldmark.Markdown { + return goldmark.New( + goldmark.WithExtensions(extension.GFM), + goldmark.WithParserOptions(parser.WithAutoHeadingID()), + goldmark.WithRendererOptions(gmhtml.WithUnsafe()), + ) +} + +// splitFrontMatter separates an optional leading YAML front-matter block from +// the Markdown body. +func splitFrontMatter(b []byte) (frontMatter, string, error) { + var fm frontMatter + s := strings.ReplaceAll(string(b), "\r\n", "\n") + if !strings.HasPrefix(s, "---\n") { + return fm, s, nil + } + end := strings.Index(s[4:], "\n---") + if end < 0 { + return fm, s, nil + } + header := s[4 : 4+end] + body := strings.TrimPrefix(s[4+end+4:], "\n") + if err := yaml.Unmarshal([]byte(header), &fm); err != nil { + return fm, "", err + } + return fm, body, nil +} + +// renderMarkdown converts Markdown to HTML, supporting fenced callout blocks of +// the form: +// +// :::tip +// Body markdown. +// ::: +// +// Supported types: tip, note, warn, danger. Labels are localized per language. +func renderMarkdown(md goldmark.Markdown, source, lang string) (string, error) { + lines := strings.Split(source, "\n") + out := make([]string, 0, len(lines)) + callouts := map[string]string{} + n := 0 + + for i := 0; i < len(lines); i++ { + trimmed := strings.TrimSpace(lines[i]) + if strings.HasPrefix(trimmed, ":::") && len(trimmed) > 3 { + typ := strings.ToLower(strings.TrimSpace(trimmed[3:])) + var body []string + i++ + for i < len(lines) && strings.TrimSpace(lines[i]) != ":::" { + body = append(body, lines[i]) + i++ + } + inner, err := toHTML(md, strings.Join(body, "\n")) + if err != nil { + return "", err + } + placeholder := fmt.Sprintf("@@LWCALLOUT_%d@@", n) + callouts[placeholder] = fmt.Sprintf( + `
%s
%s
`, + calloutType(typ), calloutLabel(typ, lang), inner, + ) + out = append(out, "", placeholder, "") + n++ + continue + } + out = append(out, lines[i]) + } + + rendered, err := toHTML(md, strings.Join(out, "\n")) + if err != nil { + return "", err + } + for ph, h := range callouts { + rendered = strings.ReplaceAll(rendered, "

"+ph+"

", h) + } + return rendered, nil +} + +func toHTML(md goldmark.Markdown, source string) (string, error) { + var buf strings.Builder + if err := md.Convert([]byte(source), &buf); err != nil { + return "", err + } + return buf.String(), nil +} + +func calloutType(typ string) string { + switch typ { + case "tip", "note", "warn", "danger": + return typ + case "warning": + return "warn" + case "info": + return "note" + default: + return "note" + } +} + +func calloutLabel(typ, lang string) string { + t := calloutType(typ) + labels := map[string]map[string]string{ + "en": {"tip": "Tip", "note": "Note", "warn": "Warning", "danger": "Danger"}, + "tr": {"tip": "İpucu", "note": "Not", "warn": "Uyarı", "danger": "Tehlike"}, + } + if m, ok := labels[lang]; ok { + if l, ok := m[t]; ok { + return l + } + } + return labels["en"][t] +} + +// writeJSON marshals v and writes it as a JavaScript assignment. +func writeJSON(path, assign string, v any, indent bool) error { + var ( + data []byte + err error + ) + if indent { + data, err = json.MarshalIndent(v, "", " ") + } else { + data, err = json.Marshal(v) + } + if err != nil { + return fmt.Errorf("marshal %s: %w", filepath.Base(path), err) + } + content := fmt.Sprintf("// Generated by tools/site-build. Do not edit by hand.\n%s = %s;\n", assign, data) + if err := os.WriteFile(path, []byte(content), 0o644); err != nil { + return fmt.Errorf("write %s: %w", filepath.Base(path), err) + } + return nil +} From 89b834279dfb4f28db7b6e2fcc7c5dfd4b7c93d7 Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sat, 23 May 2026 20:51:16 +0300 Subject: [PATCH 3/7] feat(contact): update form action URL for contact submissions --- site/contact.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/contact.html b/site/contact.html index 1e25ff5..71ec33b 100644 --- a/site/contact.html +++ b/site/contact.html @@ -56,7 +56,7 @@

-
+
From 31423275cf809a23961b60a502dadc3d358bceb8 Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sat, 23 May 2026 20:55:34 +0300 Subject: [PATCH 4/7] fix(site): job-scoped Pages permissions and self-hosted fonts Address SonarCloud findings on the website: - site-deploy.yml: move GITHUB_TOKEN permissions from workflow level to the jobs that need them (build: contents:read; deploy: pages:write, id-token:write) and drop the unused configure-pages step (least privilege). - Self-host JetBrains Mono + Space Grotesk (latin + latin-ext) under site/assets/fonts with css/fonts.css; remove the Google Fonts s and preconnects from index/docs/contact. No third-party requests, no missing-SRI hotspot, and the site works offline. latin-ext keeps Turkish glyphs correct. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/site-deploy.yml | 15 +++++----- site/README.md | 27 ++++++++++++++++++ .../fonts/jetbrains-mono-400-latin-ext.woff2 | Bin 0 -> 11624 bytes .../fonts/jetbrains-mono-400-latin.woff2 | Bin 0 -> 31432 bytes .../fonts/jetbrains-mono-500-latin-ext.woff2 | Bin 0 -> 11624 bytes .../fonts/jetbrains-mono-500-latin.woff2 | Bin 0 -> 31432 bytes .../fonts/jetbrains-mono-700-latin-ext.woff2 | Bin 0 -> 11624 bytes .../fonts/jetbrains-mono-700-latin.woff2 | Bin 0 -> 31432 bytes .../fonts/jetbrains-mono-800-latin-ext.woff2 | Bin 0 -> 11624 bytes .../fonts/jetbrains-mono-800-latin.woff2 | Bin 0 -> 31432 bytes .../fonts/space-grotesk-500-latin-ext.woff2 | Bin 0 -> 18940 bytes .../fonts/space-grotesk-500-latin.woff2 | Bin 0 -> 22288 bytes .../fonts/space-grotesk-600-latin-ext.woff2 | Bin 0 -> 18940 bytes .../fonts/space-grotesk-600-latin.woff2 | Bin 0 -> 22288 bytes .../fonts/space-grotesk-700-latin-ext.woff2 | Bin 0 -> 18940 bytes .../fonts/space-grotesk-700-latin.woff2 | Bin 0 -> 22288 bytes site/contact.html | 4 +-- site/css/fonts.css | 16 +++++++++++ site/docs.html | 4 +-- site/index.html | 4 +-- 20 files changed, 53 insertions(+), 17 deletions(-) create mode 100644 site/assets/fonts/jetbrains-mono-400-latin-ext.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-400-latin.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-500-latin-ext.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-500-latin.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-700-latin-ext.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-700-latin.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-800-latin-ext.woff2 create mode 100644 site/assets/fonts/jetbrains-mono-800-latin.woff2 create mode 100644 site/assets/fonts/space-grotesk-500-latin-ext.woff2 create mode 100644 site/assets/fonts/space-grotesk-500-latin.woff2 create mode 100644 site/assets/fonts/space-grotesk-600-latin-ext.woff2 create mode 100644 site/assets/fonts/space-grotesk-600-latin.woff2 create mode 100644 site/assets/fonts/space-grotesk-700-latin-ext.woff2 create mode 100644 site/assets/fonts/space-grotesk-700-latin.woff2 create mode 100644 site/css/fonts.css diff --git a/.github/workflows/site-deploy.yml b/.github/workflows/site-deploy.yml index 9a506a6..6839c3d 100644 --- a/.github/workflows/site-deploy.yml +++ b/.github/workflows/site-deploy.yml @@ -10,11 +10,6 @@ on: - ".github/workflows/site-deploy.yml" workflow_dispatch: -permissions: - contents: read - pages: write - id-token: write - # Allow one concurrent deployment; cancel in-progress runs for the same ref. concurrency: group: pages @@ -23,6 +18,9 @@ concurrency: jobs: build: runs-on: ubuntu-latest + # Least privilege: the build job only needs to read the repo. + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4 @@ -37,9 +35,6 @@ jobs: working-directory: tools/site-build run: go run . -strict - - name: Configure Pages - uses: actions/configure-pages@v5 - - name: Upload site artifact uses: actions/upload-pages-artifact@v3 with: @@ -48,6 +43,10 @@ jobs: deploy: needs: build runs-on: ubuntu-latest + # Only the deploy job needs write access to Pages and an OIDC token. + permissions: + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/site/README.md b/site/README.md index ec02c13..8cf2d7c 100644 --- a/site/README.md +++ b/site/README.md @@ -70,6 +70,33 @@ cd tools/site-build go run . # add -strict to fail on any missing translation ``` +## Fonts + +Web fonts (JetBrains Mono + Space Grotesk) are **self-hosted** under +`assets/fonts/` and declared in `css/fonts.css` — no third-party requests, no +subresource-integrity concerns, and the site works offline. Only the `latin` +and `latin-ext` subsets are bundled (latin-ext covers Turkish: ş, ğ, ı, İ, …). + +To regenerate after changing weights, run this from the repo root (Python 3): + +```bash +python3 - <<'PY' +import re, os, urllib.request +UA = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120 Safari/537.36"} +url = "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;700;800&family=Space+Grotesk:wght@500;600;700&display=swap" +css = urllib.request.urlopen(urllib.request.Request(url, headers=UA), timeout=30).read().decode() +os.makedirs("site/assets/fonts", exist_ok=True); faces=[] +for sub, block in re.findall(r"/\*\s*([\w-]+)\s*\*/\s*(@font-face\s*\{[^}]+\})", css): + if sub not in ("latin", "latin-ext"): continue + fam=re.search(r"font-family:\s*'([^']+)'",block)[1]; w=re.search(r"font-weight:\s*(\d+)",block)[1] + u=re.search(r"src:\s*url\((https://[^)]+\.woff2)\)",block)[1]; ur=re.search(r"unicode-range:\s*([^;]+);",block)[1] + fn=f"{fam.lower().replace(' ','-')}-{w}-{sub}.woff2" + open(f"site/assets/fonts/{fn}","wb").write(urllib.request.urlopen(urllib.request.Request(u, headers=UA), timeout=30).read()) + faces.append(f"@font-face{{font-family:'{fam}';font-style:normal;font-weight:{w};font-display:swap;src:url(../assets/fonts/{fn}) format('woff2');unicode-range:{ur};}}") +open("site/css/fonts.css","w").write("/* Self-hosted web fonts (latin + latin-ext). */\n"+"\n".join(faces)+"\n") +PY +``` + ## Local preview Serve the folder over HTTP (the docs portal loads JS files, so `file://` will diff --git a/site/assets/fonts/jetbrains-mono-400-latin-ext.woff2 b/site/assets/fonts/jetbrains-mono-400-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..82f96681c0762d98ec703df7836829d0ab44a785 GIT binary patch literal 11624 zcmV-uEtk@FPew8T0RR9104-<$6951J0CXGx04)Ci0RR9100000000000000000000 z0000Qf=e5UE*yhC24Fu^R6$gMASWIGg*q=x5eN$4WX?GYgbV;M#YzD-0we>75(FRx zheijHRSX9klV=yu+c!eotx8J>VEK+hVB?^G4WAoDt(v6t+5i7%Bo#R-DU!Cs-nb9t zOfFScwz{iToK6j#O;zI(Doak1Pn~zsm@b{-%$d^s>;2AXW^j>qxS|Oi?ZLB$wQVlJ z8EPNXt6+%*!4NA@Ad+uWLLXE@4>C+IB|lPdL6%Jxj2=0-jBx&8xx>Yw{wTr8=WDg~6vS*Dao z<=LIoSskoyAMF6Q|Ep^Lj}MR_D2lR=E=^WSsoQ?TnwdpT`mkiq%a*m)xprP@@|~dq zk^)IUeT=c++e7?;H-?s|gp8*`jtnJ;m%#r{kd2YEPk;`ots+SZP!U-I+xYrw1YOIL zSOMRVbJZ9U?q)W4A;+S<`s=S6W%rBbivGV1DHtOx&JYv_6wm=2U5?y^d3t0{=B4>^ z^BW+6WSE(#L4w;C_w$;(J2c%r??2wx%xE3jMuj%BK%&dDnR z2-5)W?gwmUs(})lwFLqNs9AACFxlg$z|%j2h@k7<2=KNlKC^*&_J`IV$~^&xJ%pQf zGpPzxp`wT-;gU-lN)sdvekH+XRE#-$Q(m;&s~RtE%cgcO`^o~%1(~E^{QLr8YF;S) z>CGoKra@uLS(c%x(u9L}l&S8(C|v19I21uXFOet^(qbJ#NdDebv;7aiN>GL}c;^6( z51w^~Dz^YgIfl;Fx#(Q|{U5-`CUUU^#3caAph)SK;)P|p0WV?!K>|Qn15=k$SY=91 zbcneRA(XCSC_1;Tr%%&+T-1f(|Nr-EdD!S1Oe2X>4}N3BFK*E^PKERq>C-f_I+-LI zJtab+1VTYYbcO7=g)MM8_pN{b9j4~t5VyBGFQS`;R^&0~=Z8^Bh(j)Ro|kPoIh7im zCwO5uVi1@#G&=U5)evfkgmw z1kfY|5WM+Jd~P7p-3K9%lLG-nYW1seAD)Z0X$-h=8>eYUNhT~}ND0^tV+ zo5xlbSvU%qpS~*%OWPlc!oC36Pc4N11Xar8rTSpAX<>`aB(UKOAi4l_M31>B6D|~GT)X_r(_1pJle{FdzGpql=%5F8{i+S@ z3Wzj%l0n3S0rZ;Wa5|2|m*LUp^?>brvN$@IA$QctTUyB_ewQkX0dBjjyQT0Tj_n69 zUAcMUNhi-OL$=)m@DQPi1VfCmz!E8TIN*vKp7;?&1TiF&MnC$aBAY_glv6_ktqf)u zqZ!XM+OFr*2IRO@QhIaNBv}-jkOP9MsG7GF+TrRZ&Rs53U_yqh6)-?s*S2-(Yj1Mz zechr?>^TIAOu167fO8U_V^*CdOBqqV1XU(;)>9T8&u+P_s)fmX%#NDEO6Wo1Sx*9s zZ@%WY>{a!NQI?gNd^|Qzs%<(5C&oyz#qMFhNX&?^h%E{c00MBa0P+LUK>!XS^yi|) z5{F^x^L?=^t{v$tvhElLL*Myf0RdhDg7DEm3muFw!4j#gBEDoe;VzFz0&ju{BZh>b z!X39xmpr_#GBJF^K3U)ysxR;q__wXU;uh}09(xA+p23TviI0FMw@(Rm$npnRO;6eA)Cxrw5>5G-+BdG9VU%dyh9@pJKYh z9h#e_tckuMbhOYjn1P{mwK6rDv60M;Wo8Vi2`r5#GnK8$tW9EP3L6fl zb23vK7qhvU%heq2=J7C}mxX*R;cc-+d@U7ZC4cP#tq^XV2ph<)7iE)JTgBKS+GZ(s zOSVgrod!Crp92*38sHG6{rWp7-7(ot$x-a0QkRvuWV-;%^|cR2ITNDK)Z%Dv94=@D)4uD28&^`=!%K_&A0Kj5W6YF|JC$qXDRx#AY zHX#Tq*t09O2E-;<({h!tAT6U}rjohsMOnRvesC;9E9R<(xhhNDqM|~*b#=QTSb|x{ zuu4q~V@;05p-C8&u(K~$@Lp4n8G5n*Y4G{LaKhsRSH1St~c%)jF z>PVs#(-5t~T5F0Sc9F-j8nrOVF<2dyZAuVwQD!Pd5E{tbB(`T0EWcP8IJ(B^Gwwj? zvBMT31UaL-cc+}cJ+HU9tMz&>C%xMu)kac|rCQlB0-+;I_mrBlaRA%fXV?G#?0)|W z>K~eqSk;%^zq0!Lp*s?-T1P|??fF}cT#Y15FWrikbQDpipTD0lF zhSkxrGIIOXqSA#Lfx}wLB`ADPWP6Q6CzhN^iVQ;QM2?YI`(@xHboJI%SZnB@ePz5A zD!XsJ)F6e3%s60jkfIsmL@PDbBPHkOI*NRhgIlP*TG>p&X8pEhT-9gUug~sNJRVmW z*B%aXz^i1dK$xMhDA@ZmSWU$TH{Bfk)%|k0#2e z*kxa4W!vtVZMLo~yCIjB-Aow=D!Y(>CzbS0YR$(9|KFg{nE~7MoDD!=(8nU!1JWb~bY~Qta6a+e?n1iYlo{ zo**N~(yZPCykB#8<;qQWt!JGL(43E}BN&=+2c|-(+F?;y;Xx*Zl56Mk!udSY$$6s23 z?CPp1=T}Ti!nhrtk|V)2j0TA6nGJTj053_z_iX*_aC_ZYhntT)69o?M__^uzjXvk` z1PX~dHEyCmC|pXQMgoH@HcizP*Ng58Bx=zEROqv8ugSd(ylj{oHX3OBOoxR5i6tOC zp=$ueX>Bnu1oDI+ir=2nKqy%ObC2U^Q^U)L|MWHopFXX<__ThrJACpaDw4+x!@CYIvYbo0i8_fhZi)J?jf7pP>4e4JJLOd4u@t-OqPxs zDgD+!U4S-tGYz?mu9`cKa za;_^j=%j{O}ZQ~HC_UW7-J&U%t3d-9*IZt^W*sI)lX}bMIU;RTC?Z90anKYPH zB(P>BX<*re(WD>@8I~kj1VzY}xHUV78IzhYf~?|waa%0*6xYGo)7Zsm+Mi*CF}4H6 z`#uBKrHb|9W4`q7!lvS-O7WxazTGR5WN<(H)+?XhRf!BZ#0{Pye|If9YjzO_d=-$9 zeL0G+B&^faM#LX9@5g54Gp+OFqsdNyvFVqqdpgmvMA+}zu?2H3H^cY`lDqu|d7Yry zy#vIHIB@zRd%>;h{d>1wHJ+70u81cIGN^j0sQXi)^Zt!9F7Ez!-e_g~az*Fak*4jR zdBYX^)SV69?^YtqJ3hbj_hMv~tMhf}+v$xwLwZFfh9GbjMyduQ=RTvNk}C{NL<1~E zNFpH%1sJm=LB|+B@W9DKP<45GxhP6~M+^@;vYfnE3b(fO_*gN^=QrcY-dOgD4NKLt zlXELd4|SP-Y|!7&xDHLNf5#aweiV^!wkWjV$)c(Qba}zjWIg6sdz6bHIo^IOa2LjJ z8M4JnGHe3P(JrU0e-Pc9)(W-K)EH?FCx%fnHwmKH%1|W1*o*^1=(&ugyVgG=P`216 z1Gs$AKeqPr5{cT_t~xxYhMgQ6H&E^aU=tUw!8#l#5E z!K1@}AD)5;9{fM~U-^}M{y0?W#eL#e`s>>7!YuxC*Lv^MX$N-}mQ2m3Dsd%6@J@>4 zsrppu$vJTILS(d#ogcY4Lpdk#DF%apwV;zFNQ#B6WH*^Ts0zFl_G_wvJ*DQ3J{{Mj zIGc37u@bG;d%MQoB!}Kw2-Ve!mJJ#Lsb_VdSMu6m+K5a+CRN7`|T$s7=Yaa zBk~2=rz#+WzlBjI>hWeGp{s4)j|X_7ZWgbN%>^QfnN)CZG+XvAB#XDYm~qD+a8(VmcS z>U&u`ueNo3{89WKq-!|xb-%4P@U$MJ%eq@CwUnmq_GOck^q#gBO5bhy(gsUliM1%{ znG?Cq%Ln03#%?Eh7Vd{J!D?q59eDYm(V4)%b{%-#ZuO8SIyG@kJRZ~o-D9x2dfBiG zaS^L4tJ_5_UZa(zE~Jn(8f-DfD*+pXZem8=oKR;1BmT^ucbsUyTj#Yqd59tSb_c~V znAx)StCl0$p)YAN7nT^aQcCFR?N*pn*n-fA)BH@0O zJtsvN8x&?~gGip{?@~KNy@eO=&BH8=e7gg3OqL;m`IkdSwyG0(U3?(5Il73qk&v<48J zencdaK0m%c)~c^YE4Q`DTFp2J-V!(rMzhY_K9l8Z@^>w428kkGFnPg8TlcRzWU0R3 zm+~uGhDUW>{Lr@tlvQ+lxb+4ZWCnuibKa+(Q(TY1iQfgpkwF3ILOMw?125zioDD>j z=*$cYS$<@qSA^3bA+#{e(~((CXsDk=h&hcxNMd6gEue56SyzyZuej5PCcIfr&XLEi zJxNO}&qXX9Z$EU!SLKwaomq}YLCg{Z5s7iUw_srJ)WjWA*H;yc4GI=N#f~_ag27Rg z8*s_ldA-4$KANp*W?~-fiENox+HeDcBZNbPf5aR40m}BWBpgTmy%wUgY|;&*f-Hx+ANYUZ4YsqNHjQSNlz#e4_v z73MC?r&O#$dcJ@KfzwBLKlkok<5SYJl3{l(l|`gsDzi3pNHOtIQN zt ze!sLUkScwE3~budFQ1AXdw3b7^!Q`dZ&2ruK}qot4qYi;DP@Z>tBmgUCORruQaO9ktl}TNqC>lGg>B~(-JRs&mI-}OnP=s z+fj~4&Oxk40qom8loZwv6)mstyp`6IcI)AXyRM<9s`&=#hR^Ub{FI$w+$89`M-5lG zB0=|9I4~OGd{cbG51HoDPpaiF^bP2+w72mcSLr5o8glncb3I2skEEdPC2jw6wpWxu z#{y{wD!Omdr5_$#hBepyeup1sMZ$q-xR9jREV>noCuyuS+IEemU0cR~FHZvJp!kOF zaf^jbGX-#KoVt*jEr6IKZ~gK9(E8VJgTr>h-2;GkrW%hBX$pC%1Rs>BZAF)Q6!6sm4w#?LYS$1WBy5q$82UC}cj0l#E zv$(0HCzViE|Cx<+RRd`FT$}dQL8HF{&bM(N?EC2#VI3Io5o`2krJL6qnEY;Tvfj{O zJ&wFr+p^nE0mi!xa@f#0B3%f>ZJGK)Frp^S3nZCL)rC4z!!CwejCQ{0$=m0YEef8)rJR1$0hC zDr{VAnl5 z!jqQl8tE`EvdnXI)2uJ`g?96X;pR!BdHGLY=yQFS>R!shRidGBsaXF!m9t`a;`Ll9 zsPql5nHHYcGh^~2aAkN_Fr!bxJX80v3NZXB{rS#<=_j4&GB$ink!>n^k?o1dviPOY zr@V<*M$4 ze!@S*aj;sC*xY;>0o=3ipp!tpTP6KI6m-M<4?P6@VPhxZ$s! zh_Nb30gq&nFS%${6OANQmrx(}PiM6Psj@5tNF0L%CO5^YNL^YoJYzFEYqBW^ax7<(jghIEjE=TC>1&8lCa5si zCWkuOiEi+!wT4*{D{eyT+S0jQ+!bBdd*you5U#=%-pIrRkTBrkfFe}rT&ES9GM=gI z&*2t z_6d^5CMzrJTPIAPd*a_7n$fryvZ~BwD<^p>QAH|Ot(rAV?b<4<4z;VZw|n{xQE zC*R{5*Yia?+QX4nx!%*=_tal^O@kQ;b8BQMHlfI=*iR=duKlW z0)0yVz5njScV`674%jnj{K*bt3s#ScIr5-l_FmiC+gDy;Ni%J~(kx1vL~p-?BFT|7 zdbMmiMNY$7MW76UXe2|L-H*&E`$_(~VzB=8&uGz|?W0?u^EvqO=#Cpm-ltbdVu&Gz zVdEqYL$uGHbDJ{>zXiaaRNNoeCK*zmQJ7Rj0%aVVsRg-MoT)aH+<$0{R1n(M{SqG4 z*CkJiaMCXw!$K@(Iz}Q3ULjE6bmz~;++gT670T;Kgn@h1z6J&k+I_?5~A|3m*yW03$InO0$=Ac=T3PA=;h z=?M#+|4u=($?ekU&Xuk>U*)2?7(A(GwB@HY0|E413PZ^FgeYh25D`?$&zmz86qVXabDvd)S#E?DP zCBsw^^-vVYBvYi3CB%jZ2{jlBPzW2+oN|@srcLFR!gm@6v z6U_JVvukvUFMt6hZxt9rP@HINATx5ipuRy9pHYT9-r?dRWv{@?8GNyu5pqQWgsFA2 z(BzNZ->h72N*D-9N@%h2Wy*4C@V2{RF7lNX z>|NILhd>Bf#+ZP+3P;wD$7^vv$i&t)G6PFun+=0W4i{NETZqjQYZ3=mK>NM}jZ~Cd zAra-YL%+&i;5Gkpkvi!*`T2e zo*l?vnG@f?gYGN_#<{Q%elxA~EFB60;OJlL{o;<{5(jQMRuLNsQR;%kC!%juYY`4p0Rt=Jm5V?GK({H10>|OskE!iA!Za5ccMi9HU zkxVi_OZps{ZI=NJ;tG0Cy1U`SY#8#@h+lQ}jh2Y1yL@CTqf!K=YdX9-(3q`Kk|18E zC}-UpD$UqUeB=L>%XPz;b9C}|T{(A{QEw!v4B^w^*zv1fqvZX#0~@v)_Yqz-GGKyN z{_=gVJ;;2Vg<@ems!F0Wc@g}3@5B@t#)g@IOa<~lFg4BRLXLXWcwkS`*@katu zGxcZIb;A@EY42TpR?MEXC$J#h{zoSW5q?85-!;K8QRMMg!MiVj&W|(pV+^sSHC@fwCj;BlYLuh2NnHmWw zUQ)11^LVeAO7K!qj8U;82d6v%;q0ckva|_fSQjNG=raDAti{%o5^{%*Z)pcXuP$;HB3ekQOe5?`nK(BdobdLVzL8j zn9xG?d(M5S!Xv#Q$9HvAignlF1N(b%l8bl1!0xPBf66*qK#paj*81OqWYJ7*su%OP zSY{2*F|DfNEUoRPK{v5;g`O7?;r2ZKZAhys2>D(+34D2b{C3+vd2&HS!U{B21}gX0 z{QF_ma1@bzAtR&|NTg1Zk0sN4gNllZ~MVy+;l- zD2J2xiSl~W40KLLX9htKXhLIp$euHV5ERjz=XWuc@J|tsNB_cQBIK+5UcB4YX0cFO z5uqkjK2WvRxiSWXC(BrPrZBKiHLSJzSl5U(BZ)WiklnJ8n=ITJkR@%7SNNL-OzD=F_vyO*RL{eF`?}m zOr`}QGm6ZxjiiEP6P9%KBilucweP86jCxe8Dj(H~1n7Iy5i+iNLmr zBa;9r($U=^mExMUF=gKf5GyZ72XlBqoJ4nW8C~RKhVTR}Cr4st9`60mmOjb9PiJw8q<)$sgUK~E$IZo`ehUnW6A%@y(dDd} z0y&d4;mm1ow$$2BZ^uSDb0W7(`z3Z(7wLHKPt7XP8Cn;N>dGE+ou!k z9d@H0Ew@S8F3KD|8YivZr{8len`6Xy!=+)N7hkJrk|EB@Jom9gPMQx=GbE&@Jljl& z@AzfJ6~}!~DOtN6i?hzHWQzKGEr+S4QmG`l(rI18osIDSJ_Wk>^obJ&EL$>w`5os~ zaaDauv)naq4~7AYO}aUg*-ZyiEHfeYa7QA8at1#pkJYKmpzlG)(_n!~h^O*8FCv*M z&K0$Ty`2XMDsaj}slM;6cuy;trso%OMBn=HGW2}m6hm|6*BFzsxWiBy!2{>o{ARb> zVhLX_&aNOZF>t+GJaVciZ+#~lg(gG8G+kOtRk&H*diD#^zUfMQw84Eh;_)wI9ZS2(n_FLQ| zbsgdiCE?f1ChdBj`#+VNlEwgz5|?`)q&0Gl^Xa5?POS%xi)rY6|KWF?Qrr%u7PvoO z@C_MVSgm>od{v$1Q{~GLmnZEaZ@cF$7+q*km zl+I<)zh@74-!f$dz;1nV5G@TV_c~sg9VedrGC9zPXqq{=!zFT<%|>crtXzYB7lO?Y zw#Z~Mv2%U4oCcz=0v4g>-Y03cj{8fpi==)jH$5I+4();4CNh$;nTk_g-1xI3JyM#a+vYDz`@T`q$L*wFz5(dR%I$n1DRALErfDy4Nu_0_Rfbgi>(wd#p zsu~$DNon(rpq)N^jj0RUrpRY)@$rrpWOyYZ*^p#O z|H%4MY$uPuWApN1n^^0vlo-*&-0_#`Y@bAePGzzg~1A2?b~4vGWQ_kT}XKlV+=V<1yQ%*X)0+cgu7q|jMRQsBJmAE z!H_DPNEW5T2s<+6xQ}LsF|ZtHeN$6~uMACXx>(vQAvH}b*DD$u2-5w^Rc34~nZ6Iq z&=XBCUI#UyU=HZKUI7IK?5F|rT-!5JiprsVj2V@T#i*#G&=dOp2f#@!5isXIyo*D# zgvPUV%d@N-Aa2vnn`yf$q;epA7xRN{Q{1 z0`rNz@B?<^AD11)>u|yXnk%(3C55RQ65TJV_&~Y$#$v*y`Iinh7DOv6ZKgwQUVbP%p2B-kvAWj>q1#c&vJwl`5 zOr{zZ_Kp}iZF^BJ4(mIzsiRR))b*;FEVuzK4mo8j7@)d6+>t2P5iQ;kH^c$AXImHC zUcbnmF*aSZU&p((JEpBahfc)VU=1g0jX$OWxZlytp#0^s$0yb+PSvbhS2Wt z%VJVF3lj|Sp3QnP&N{Aq~c_YH;%yobiKl&EFply8PYCD%rZDZ zhIV`lvO?luki#Wr1i4J2G05W-iAQMj3%$o7Kr;jihmIo1g{D729t6Gw`OwiF)PRp| zK}~oW7Sw{9)Sxy37>IqqiGDZ5hyY48s^qJdpi#a`YK0ONYZR$oKDBBMQq-tcV>{MW zj8={Py^(4T?SP`$wzT|4k)l`;wI)^8pcG3Jv9dcwy@O2INMVquK9DQZ*y4m=t3eQV zp%^MuPdyMDQ_;N!1LFO+1VvU{<$k*fkw4Po^L9%<=_tb@B>|O3FRtRKKdG-k{OX z{dU*V)@j()(>G`|G_uQXd+fEZ-TNJI5Gv$wheV+SBB{`mJ);y&rO_F!kXmd#pfolI zTRfM?7YIcqiu;-F(*ht=5=Ocw7sCmXDpfP3S&kQaT;C|k7DgH-!7L4Nc_Khcsm3ONo*?#KcSR{B7XA-qlo0wE_* zrh&yES+$tbf@2RKh4_*N8j4(OXffqkniO|ch0vqmv0HkLOVgSv(Eusv9^jmE#SJHk zt6uF7nPGakc_NmJu=HfrVO6bezcxF=V(s~Q*M--nVErs3=5*6K$I|!kE~@)hTG^l| zcq(k<0n6gvqrqs7na%9$>KBJv$uF8w%$Iiv@VJA>fD4pB7I>L_B?w+kC6cD7?y%_U zdQ^?=uTaA?{`TT8EQ#S6SSci%__dNl$Plh`C8Slh7^ySV<*u}HBIojjc^zJcm7Yqe zt;kb{)m$B3_o0mS3V}9y`yBLYU0rzR>A9Zk-F=+nbGG+jRXO{NpD+^t|Mc=TO-8Sq z9Bf%$C-;&xbMi?f_+=bJ+qXH}QoYok)xAcpk?V7Yxq6O>V}-#P{nW?pOHZ=5a=BQ< z#nFlYa6=?;z=0b);CaHIxsT_G{ykR)A6Ia+;s^iSpQh%SJX#`1ie@~{Y!y>0RJ00)nm@L2l^Qa=>l2hHE zGP9K&!{2V*=TEjNVT{@FQ?1X}+LTN(C{ac~z{qdhj9B z8U!E(heijZ3=9WbP!@4Q(d&)~x|7`bT&-&Hs*sy!%I%P-;oo1;Y=qU7#TGc(|No!1 zbc}(6-Unc&W>x(v|6ijW{&ED~YM3;NqM5 zD<4T=wzMtYPh95^;}_`JX3AL0=NBm|MNs~INH-XEao=Y_!%kt?!D?ulQ*qD)i|;=0 zMyAsL)zobjez|7GMeZu8at$|Jo3^}sqW#2F7lDn-7+EK2-y_J)W;gi_;R_)kVhkb1 z@EBtRjEDgvMvOGZh?u5`h4a~06@o%&8UDS7oz}`%!%COc>2GbR=-fClBJSu z$%zAY6Al2JX6Z=RIUM)hBUiG^wKKuLGI!99r^Op>gURXk6BZ=U=9c!Uy= z(kU7ZShUpfU<4|*4i;_&W3j4#ci)e0^#z!WFkf7+C^}$IN-at)+PhLr)>vf-kRUJe zNJ3G!+YeIc%#aM)S>=F-{(CK_-vEs{rBDja+e4WX+tW#o>^Lo?1ppNQS_FPR@#}TI zziSz0_DII?^dF%DESi_(f^0po^f1JZ)L5BNal$OQ+^H zlbOHRZR(~&+NBbGYi`?s4bhza4?Q?Y>p*FdKuAcC05RLFWRs1P$tFP-k|2Q+AXtS8 z{41qSdsV0yv^}9>Q1dgRe)QgbPRyv{?pp>yapXY|Lk20<|Ns2uPHPkWedDd0E21dS zEXBYR??=1$Wlh@c_(6B04mE~F(@J7qo%VKH1In>wkS)s~$8lOtO8+iLFnyS4nEx`= z)xn=eeEXk)pmbEg98u<-t1n&b%wj3wLZE5Wv_so|#^=|VJ4ud&MB(n8Fr)zGmj{YS zo&M+hGqrtV0g^b%Rg=>Dnq|mKIy5{Sx_w`UI0-@5M5)^e@OHmxB_=0k-L+R#*ZNRy z*3dfbZrCjqD#nS}>v6y5rMdIR^ZsI9Q7olsLNYVSL?$LcyF|d>n`)K*hX$#psM`Xh zHQ-wCEHrZlvl}GN`25W8?hkbLZ-8htK&lB+5&%-GCM4Z7KuQ8QGgpM;03f+ba-7C_ zj`s~v1{@2y9iFi+8*|=f>ngt>obbZS!mHf7AV@C>uP#W>|1z~qyZ>}+-=NuY=Xiy^ zl{MkT4)Q+rLG~Ndvj8!Jhf`nn3h7f`*LAJl2@9+0jeG`z< zF8ibnC0L4riq7og{kOwd>-#~onxnVvHn%xtN=itAh)4*?IPUrX|I5v&BK`sv#n$HG z#1r)D071aYm)!F(HV{<$=?I5YMC5ek=Tz9_R8lzu1v=G&ojN+FUbr(_j5AiE^N>T% z!&2qH+liQUAlaV=1c^jZI1ivWXDUi_WT31gfdH^~G9cGOz)U5%bQT~wKrS47;&k{V z@XTMO1?ES4ljDF15dgT%_@9PhpaOvg5hSl)7tR|e1J-9Sh;FP196bU6ego_ICy%#^ zpTYiQKZ@mRkrXVJ30N({{PNXjRd$Rhd7fcUDf&zV5df|+5r5|;aPZ}Zi~xG7;WfR0 z@q6&GqcP&S;`lj%TGXtYx(cB0j^_n{;0sx$0g@PWVaz^86(ZB4FaZde5Dc0XA!{R40Q^A? zvUY!Ae*g*7s}k^GcZ~q-F#?-_M-ry&?^~|)Sak5>Bz+2pehg(^zOH;iXqwyn@5vRO z`f9o0IQzMk3l<$}^XG;DDPV};>{y%t?VkMR-q>W2&+R*y0A3#x|MwTq0+M;NFBV)C zfomlO%mIkgv4nRL01VH+^+JLM6HC@?*s`;jBOboxL|nO(SYxeqeE8W!X{&A2cGzhb zoe-hIM2L34K?x2yELFM;nX=_L!64shXPj58%te<}t5v7oRoC3qq}d(c`9Yg@4|VF& z?WsQfe)rNVe;6@p+=RbO`^TJx0CI?oXo!KB$P!s2HsTPh+##T5KsCj>+g` zODK)XQGx!Pey{#nOqO6`ZTHkr4!@JC#8O>+uvSmPS5`iy$J zdXj2X*_*g3Tt%}irBV5!;v3=y{j=gc@m%t7@fLLp!@_R0zIm0ktPG5Jh}Nv$j-R8!Xl%VMjL#f{}M zN@F=$=9g)ukjpIY74?OtP!t}HJ$ZAk%w+?Quf>v4(IwJF+%UzBeEiN~p3Y;g6|gxr zYCV`Kjs(3=8#tC3@VveJ21G?DDLK0gJy9%C%xsW|=W;1J( zZX_^Zecvuv&!DmVFK2DudSfk)sPSOe+G()V@_JjoncK=Nxfa*0XfxLoP+~s#?s})2 zhndrvldsHI7}LUR=Bl|2mpx;C*YCpZ!{9G!Jc~}nA`$)BYFUAFG3~`{n@O}_8ksuY zWu4hVDwA^Ws5*Qod~(ld9uZ^}X|4tmR4p@x_ z^d4aFpalSVq6O#6Z(+M&n`?)#ptkGsUpxUNq9k+(C8NVA#mkMq@DUKWM@rTXd1P~~!|BsJOsJ^E6fjeRl585QKN(dk9Ziu~1C`=XM_)e+Zdd2-y< zzVeyjQ6=A9OF@daGadc2CUkC|Poss?KqK=!rfr)uZ$zy_-8gnl1+KP6kDfVXXo%gm}fCn%C(u)Hm#Q)cWp#$|KVRzfkRO|QF4#OJi%n(G+f*~>14tJ zzZmhAnH{*e0Rd&JE?rHrvb!z@W&+oX3rQGz<4LEC{PKt{T$25he15NHzqoi69iC*Xl zlc-7p;i7T|m;+@v%ccf}$XlXmKsqr~u8rCNIob?~bqp{E@^WNF74jBOU@8zxaKg1s zOO)gAg;?i+bHMgKR*2P9AP)fMJHw|!at|}!SeOE6*vD|uzeFTV)srx4L|>!e5AYr^ z?(}sMNSoK?MgSe6^Bs|)S&r7}u+{5cefQOOIIn_cS+-=6IdIJFde%9k&MD3%o(!W0`yYHSO)0(V5r7m19QikDk6tzDmyf&$x1B z24$evA&b&uzs?Oa#YW}%Vc2d|jto7i(I)H4(25eo4HBvpuD2*witoMAt`t}NxNEc) za_cDX_Eh9?+12mKj7OicxhHg)u0tI$<|H!rLAtU>McU12o2K0GKa)X{P=RDn zLp<$F?!RyACG{@U;?m8$dtbw)-5g&k?{G}7dNJ)&#wp<465Zdz0ZC!pg zP4=R0wkf)LfHhq3?)&Tx&e@(6ABS_}WaXmKjCaqB#Rb^+{;rLPG)?G9*h@t>omk$0 zMobO;jfW_S3@+xB8(tAom~nywHozE6N&D+L=Rpk}szSfiderfm)`brXI7{lU>n1KK zT$sW7yqg%Lgz&t1U>(%I%83X zdVCzWM$iM}kW}DmJ9V`V^q`e`?cyRpm$6dq06M_>Ds--^sWg{$NeAq-nL~%L#SE&p zZd6ow#dIwtxj&dpbFSdH4iuplDWdZo#r~LW#`{LI4>iCRU!lmP9#P?gz8M|ySwcmq zqQ2LuBHG2O4&L9XY}%34`7mC^*&U@5@3>eswNfd?Gt_~@_XZH5dnStI3PqpM;pZr zFrwq|6rR?#eM6?gS^90z&%jMHt5V#U&DaZe+ubAAPZveY2O9CYh`X0m&7PQiNK`JV zx;E8TS6K=3bG(>xczU!DpsMpxd>9WX9CtMVn1%@-62p#*FsiEPE_nx?Z##_+R*mB_ z^#C4pBjOy^5Iy)8ix@a+uj}c-tSo{Yj<$sxFpI8U+QG%HOQuUyiL_nnn7hh*5L|_e z45k9jU>Gf>qEOR&8F~}2-uAr`igYlmre-U)NV+<3c60y z)->arNi&6JK%CEFMW*JF&ard#_wqzEc)^1^Qy%!j^k5SG_{Lzh0q-!t=>Z1V>nE}3 zrc$&ok^iP2CaTwnd+;avOf-&h69J=;hLMPDr23hWUDZ-8?s8=RR`gYjbBH7{TWQ5wW_rnYI*bj92Q_Srk2 zcPy?NN~NRc=>=TBr`hHOO8zEIFcEdAS>w>uhAmN7sJd#OSB!(1FIl_*ez|yr01d$D zebH>5qo`%LBKL|Sc8vZgkpZk;QxFj>u8Q;<+Lv2opv;+U{egiS^V{yv9OZR9EDv{4t3LUNTb>$5M;Oitbs2eXN*gn3nXw7=(?JNLO6qr<=T)PrHG!aw;sV3C%QO2&? z@j2LQ@fBkGl%hkEm4l;U^pn(6Vmu8rKS59PWMwL2(nC}Pp+a?72E--!7bJ9p!%6f2 zb*{&u<^i-paG+|7HceNtkLZf6W#hSYHMBoFVLIqX)DF-Rhi0gCv!>QmkA_SuG@TLD zRgsVZP_wLz?jflWD10=kZvwm2nwVdZA!ZDPs$;kkiY48LNryViN+<~Qy_g7xr|_JR zTy)E=1f!O4-X#Js4O6nl#K{H3s$DkTRNJf-Tkwe;W$+RYn*?bI&r}qE?m-VA&2dE< z-4)%@j4vY0U8H)p6dFaQG=K^pTgcyvIsE)(6m%{VQu^(r1@;Zyh7JU&H;`_NmL(i# zX>KFwdK1Zp08?^LPr@W2n|S5YqsqtP>jO!qBU1V=RJ$iU^Is(TO=4kFP={Kz2gJJd z)>S-tVXeW3%XuSVvbZYJw@{iK&oMxaqI}Hwc*NX7+`}F+GR60)FzZ5N)Q#uf6FJ>@ zfBEP=zWxeu`ma$ef&YUw_;9J%Ic92r8X&bknm7MJG{)@lK_Kd9xFYwWN9@$vMZt%5 zWr?WFB$X-!ak|LeA>Pq|C1B6zZDhmDpBv$|YE25!~K zJzoM;j=jmgw=!R$2WHQ5%ESK7Bw(@~m%W`qbl~FISe8er7^MAH_FDqTF2jD-P94aG zNnc{m?ETgQY~t}lIbge=k*!J=yS^gIT>~mSTSZt}q1Kwhyra-v%Z$|?T6!SCr<3$0 zL=A);+;7`=Fey|iay6ox4o^_YX726i?Qy>;0dAMbuy{l!+^BOLrMlb7GV7werXrjaAD-rI~t&K z5dQwO&YZ<*5fetV+Ro*I7hUnor*S4DPE`)&Q6cyS?|JR|@r7>`?;_b-qOf zzVI+|Q2C2710*}xiz`Ns>giO;?x`MkR79tQ)rIj#+2&M<=I8ZC%|s+Lrpzal995J7 zcS-el3)CptSSnB+m{-pFG(abX@y+H91=FMAvzkYElnw+h4?W#;yEe?_$ zs;4ZFJda9D77o;caue;5MWh3H$Hh>`YO#&bNt$bebgH&6{^bE^xVVR3yG9o*x@0i# zaA6T010L{UjyZ;Tjf6>w$n*1hbQp$n9<}1I5ew$`EM zUo$%AYu5N#YA-EOe>CpEWuVzOc=t1AeJrku^cm1-p0zSSX@Yvq_*sMb6tgn+kdbMY zM}=8k%ergAT4*Z;pk(SdDFYb z0yb^RyYVZNS>1R*;?seKrJAlt%!tlRb~=opBy3tBi*?BuCCbKpGd}4viO3Xep|q-Y z(@3cBF6H{7!{=PU{3xY-`THoz!SJdrZZB1R$3@!LPqY;6xwzif3D1fYFB_U>eBx^2 zke1C74kA*Tr*oW;wTQ)kKaJ{GBUQOIGR0#3h3}?KEK;F#L)0y(_((Zt@0mHJ>T1{8 zQbf+$WEko|J77buD=cDkl+7?PrL|lcn-OPg(4#y3o1stZr2JuN{Z42lq)4n8bH_q} zqGWBX8Q+14g!xE2&Lq@6ZnW#9pS7RHUgx;&(4zYiZN5Z-H$!L!X03r0Xdl)>&?fU_ zRiyp0rX)N~LbMVJpRGwGc&en?hbAYt5=NvZL2o6rj$HI!=A|2cYuNyR#{J&NBUXU+ zqPvO6bUvT^^i`&6?R_0)bC$#5c4J*X$)(3=`3Rx_Xxbw$7IORHj!;-hSJ&RFaj zTbS`~%H?sG&7V^Z8|-+b##yUJz`ocs$t^=@YcIxn?pzdTGy^@ztF97}W@S z$jDUnQejqy{pt=o{~Lu=QGzLX5nv@~E94#kcB5J#BmAf^B`ycbNE)0aQeXf`VWMkHiG6l!Nb%a@j2-T&%#%Y6mc( zJnNKLXcfoHl+~)Z>ts-aZ3vH(?$)zguP9NyxN}iDzC#mEup(H|b~F`e0!8OD+L`0V zz&#)x(TYmL>NUxs&zeuSkA%-`huARi9jU9-+|-8%^=#Ctd%fu#$D%FdFq&#^jPncsFcVX9n`dwQBt8!^U^m}9lv!q zSlaNbLw*06#vP}xk89Ql-(CSh&ck8VERBiN^n-`8!IF}CG;ETVpF?8K19GCOLg&!>WiNl zK8m)b^2-UY=z9gVj}$0%@M4#?(ncx$&G@vzY=o!s6l$3wlbfN!E1idR+yK9g3$C5T zHDnKbQ4C~vlS~ifQgoQvaOE4Y0nWf4vNmo~sW7X{pACV9U=1~RjA7ZyG(hW7XuJ~| zZ#Xt{Kcx-`HF-?#D0@01i-y4IgWsfbv*(~K4h6}O_jx2nwxVU%bykCnaO&J;p!f{8 zQX{sqxGItt^4J_37$8r{gU$F@W;_sc*+WLAm`sIP9sYLI!Rg?as=zhd9KAF^Qe?wE z3e0Lm786FaI!9z@{_W7mRIo+|@~jbVvbieKDr8AHlrunL$wJKdU@$8YQrJUArVvhr zS=}lZHB0_BG9b9R0OW>r!utv1hCn^z2Z{EdCEC zW+&7I5+HHdawNF}a^6g+6snh6;|!f8>@Z1*u7csiMvQdAVtk}~Aj9OD2<;yG$zV}$6LFrtTT z6)#x)a}IAJkB#-^1}AckPxc7dJFA!4zdEY#y12Q?;=50MDb}jZX$x`Si@aX7991D& zmKxJSJX9;5Cvg$PhUa+IjEOHnwGP;UIJ;nZ$w%9(7yG!U`h|k?GS#u!{$%fUq12vVx9# zB*qF%GNWJE*Mm14yg|k9rB%wH>iNE@Y|4o1=SZNV;9kPs%1@Jv#yn|L>1L`MS8W1W zT&oJKIHe==nYw@dy)fp68@Ou>r|hXJiS_fPmpXc_90CSxNG#9cqav9>>L5WZRz+e| zm+EaueJ7@0c=5GDRafxFbg zkil8@@DZ8Fq{bJ^{0$^G{_8za67l`XdCv(KD`{$LbLHjGs5A?gfN@qiD&wa%iV5 zH14thDBu?C1P&r9?7-gx?go?)xacXq#Vw6TQT*JVkB)$*qv%&~h-sqe74`x$(MdlO zfIV8U9u$M~$~nlz_YkftVRaII-b z=q$nvb69M!*>bRiqoufbL|nOXx02Wz9z1!GsZ^#aM7W$pSZ5;ze@fc~`iR;tyXkyP zFGPeW(PG3pD9Ito4oh_@)=&`)lg|3vKc>xwg%~ISnZc(TLV%huQ3|p^2y&fB5+b2R za3M$Fb7`(IIO&x0$Y6+2Awhu#18Wv6Sy_z3jy)#J2sq&rayD-{sZ}IaTg$}(8+cpK zmk&8Vo2YCNV5=Y+J7{h8i7sX&6igQR~1Aee<&a&V26NbZhG zu3gl+%DHvHe=+Rn29y@b)c9xTDB&tg)DOs^!Z1PUWc2T{hA1l@r%HZ0t zU|B^r7Fv~GGnl??&WDFYXg4-k1qy+^r_Dng^Y>DHg+(v&CB;jfV^UvbE9F)`YB6E2 z8r8%-^z@?gdVc7)+-()>xQc0fMl^1Hr`aXCJisH6mJNtB>qaI%bf?^PS9<6@-kOwZ zLh_cjn9t`^wOzl%&6YZWGI@OUBbJ|8@x}#FsS{W5of9$oDiz7#hDw-dW41<32-5IH zO!_J>B2LD@DSjKcAbKX87!@q+aCKB>42&7moTq->XBz!+yT18jd>?)p#B|PxfxtNq zXq4?|f`17K!j*lGuj3LH#E1%DF3n7T)M3dZA&}%iE+4%oM^Hd-g5~&`&HqjBDmI%P z7nIIe803c8{EeJ+`KiNJ&es{)2-=;pWSnP3Mtb%YTfB4ias-5@asmM-wjsS3b)w4- z*dsrcMIr2xqTGbIz{EXMy+uW~$#Y5{$>+D3~w6-w4IF}DEPLNLusXmpKB1u;yBSFVzSBP2L(j^|u zFNXB7v0Di{w1stW!$N+sL2^!GafKkQuvtOZGBler0OOt~S4U!bia>=bM*xBbX5mzg zm?nS_1VyT26Af!J{0!!o0|n%P@Q$hOBAOQ`ezq6`%r6#Mn2nL(V7!zRT-dh4!qB0k2XBgS*1n@IPD)1m5?_Y zR9Lol*(`CBY+>2K_#$L=6(DKmWr@eketXwn#qKYZ!x~!0~aVw>iA-S?#a|QfOp4U9DD)dSRb@tm%6v!bk!mc7n8UY^f8cZH!Q-ji~YXdR#GR?3>MO%unpC0*IW3F&SSj>7) zK`ll>ONn;h)b4#|os{iQ94gwj&U|Iqm{9CO zsQ%+qB~W8DgYj3bcOHB}x?^@K@{1K>?4PX;4*Huckt%j+FH@YjP{mFe~+5+!h$X)Nizs)C)Xq$Qq{?AX#`kgp2b%uLMznzVQbxh<`--H32; zo=iH&-?MMZVGwU?0YPB-HYn8Y`$sl*R-dq2u0_`tWA)W^kKQ`v#u0ys7lCWasAbVV$pcBS89V*Hpnf@NtO#CZL^HLC3 z{X3f>w$dS^y7EN+5ceQ@}2y<@|)R_ml3B((XdD2N#y-Bv`pOhHVsSD+U zQRwx>k;1yPP>N4->5vu;NPaisaD{Y8g#mn*mxaLSWn-bVyFBu;HPFf>X^M@Fb;BSC zAqjY-!76e&CcuMTLem#Jg4vjpA;f5>%oPX4W6mnqsCigj=LT0C2YXv*hngb{FPrKd z3-$R~_T+R2HA;Uhslu8idH@K&JaVkn{5E_vh@z1UB!U`##P z+wwaK6(oQXnmTyA$S;$5`FhL_BTK{~b)=z2OE$_B|r)_DxkKa(yh4{z{96PKjYX3{I+VH;#d`6{!NGpe!NcqRwoYnHPrKQJ1?ne-)U zj=8vnHXg|`;W@1YyC{m_BB7{^IEAogogLy^(V`(2h$x(%bww~`jH-N;<)aouUa>&C zEPiP1AS@xfzd~{I{B};D@nc&Q&PYXEql40zo}d$RLMp^k8=KV;Y70Bv$c1;9nq21k z9j=s6tk8aLP&iHBSTOMxb7jBz0XtgME<5#5>MPA|ef>mwA9kmju+Vil9rcxJn1xmg3RateS9*XE8Q~OFl4MKAW23iS@*dDQ?r8(pee1XHGNLb*M&j1;3kYaW~7G>(R$$JvnfT#f-~4~W~%=*ViJE{NFk+J>3=I; z4$0io7#Wa|4<|o1O>g_@Z0BT={Z~O zg$W}*)Ed@jEJD|{Yn{D_m`A49c+C|fe~;tf)1tQHFTP%bvkuOxXZE%n&aUT<4ie#s z?(L5xUA>&W{pto+^9_`4Bj#GN3f)b3*)kL&J|bPILS|VouY)+EP^>6F+$daJlN@UV zn?Wq(A=si}2^{YV@72=upv`5m7CGURj@e^|QeuXjqNELhp-pfLP1Z9E^=EfAgP>ep zLNRcVo7Wk)n`g!LjbEdq_Jd{Tmsii)mnRMRi#jeJ*c&$zP}Ab_?G;qW^&dTw*NRgs z7Rj8bc3!uax6o-%}2Pv}`xu&9GujFdDSf2gm@c?y%LsZ-25jxE4*K>B5S=LTd z+WGTL(+l{D1sdzEb>igp0qbe)h}-##spP?{Q~X9@lP}oXk5^0o9E^Ijpx3J{5Oyg( z%u5q?1eSzV%RQxFLUIZRr@3lM=EKMbXsXyMGmdhDIv|?QrvZ1hHl_f6^Gu=E^z1&w{pnj?IU0%krfo3j&5S*V4gB2<5^i1(`+0wdK=32bi6L&*~H0Xocw zDE5>1n{Jk}#3(wIM=ZM$?~z;*m1O08hcqImzYkCq`T(S>efz5uik0;d$5^Z-6w(6; zjzA0*XpGDR>WPLo6l$Q_b;K3&Xj+Wc$D4Cn)z*(vbn|S!JvdQR9cWcn`Y0bm(G*s$ zBs*GaR+m$izZN+bQu2}DBh)DeX-!viUv0?$&iMx~c(VO44Qpo5KDXx^>9fTz@6lTV zhi*8JT%B-Z$eCx_R7Z3#aWNm$C4mFNA_x=iHkpKDAW@XHCxIwh zc(>P@$S>C7VV=-YBV94Y(XfQJy9K}CaY_TD9E3_xz3E1L*1xZ)4nPiR^s+P1(-#gN z%&RlBa`IqmZCE_Kjdv7gXLn6HO5F$~CR%yLOBBCA3~_?ONW{2&0*ix6K}uuV9<2hQ z)TM;`(Aoc`kQI<-vg`5j{{MdDI)z9%@~ZNd`{~{pTMRsY%U4QzzLiHI`t+bRKifP5 zq&i?^Tvyp%%jV~&uSS_`TLL}Uy*VtjrJN_fVJ?syymp0t*+s&>oLx@^AIXy7Rl>EUFW+XnV% z-|odwx)LsN&im)1qQ$p2qX#&BYxmpQnjAn0T_5(^3`*Fv|Rn- z%75LvZ+!IG{~f+T@BQ-X`}tL~)>tcV{ytdvnq5$hn~*OpO@DSxfb`Ap_tNJ+-AC^O z=jf?#ev$pg8k=X@)xbaYZYZIqOqy$TWWyPoy#<9n9V#miipf>56SEk!h{c9=7A?{m z^a=%`*LHxFEJLV79w2N6xxZ3kFa)JCKf$25L8mhis2w##yf9D(mj&{Fa08=nsQik3>N{&-b_gF?SjUi*1;_PAIeG3R&5El_T?q7J%-W_wb@fQ#+R}ML?l27wjWKyP z8mPt=ZT;qCx)`6>Z2o#te<>}W)IwW8Z}42$6kOCqvFa%8q_$Nopc`BKqLmYE!H~bZ zWNh*8t+r3i}V6cd&68$d9l#1WkqS4j&*#M?DXElIA34N;YaB;d)XuhC<4$2uTn)g5T9if7^x ztx1pQOh`NvU)|6GCN974|Llj`vx1e%nWeXvzAL}?K8SeUFZM{Cjpj~guPEY^seXMb zzsNdmT5jNMbt>(9zimA~$*!0(#k5Xf;Deme#P)entq+$A7@J^u`@@>{s$V)HJHJ>i zu-o~|yS@ZZ+Q%LKLg9rwb8J6u-YE1xer*=`7)ybXKEPNCJT&;g`rB9PaMqOgj;Lg> zc&#FG3``t#$Ws!GRC$+{hG%^5tv4wt+>J?#UM!FZ3qOS+7OJ%42ufQhn=StjURoyG zhglp*w&pM=nsc7TS2%pOEgy!Ro#`Am+lRRv1V4EtCz{h6&316Q_+d*%d^*C;JQuaj zE^uUKAOc`#8Mj-o#P~2X##BUgvJz3+N_uJ{!NEXHq}8b*NW32>NR0|Nq5UXs0xMaD zFo_~S^cxiZYKb8@zjjiIE(=$ybtVJ412vI4HLl??lS&TNg6`e~u_mYR*L~4}4vz!| zgEbM4(QQQ&6QepSm@y_gJ`rJy)NH~Q=0lZjmd>OTtq$>|3v5$B|@!%3yTPq$pctFF86~H zdxjscDpovxj2iXwUqeisF&SnX_ylf3^@NFF$AE!-1N1eHJovGKMxKfRq@Br9J-(GQqj=p!B2HIgyH)=HK&wftJW2=s|)q*`^OmV}3 zkLNYVT+Rp|__gsj&>=SSvrVG!Zqo@Ex0rL127UsUA^xE|DbHO(qR-`J7xMGuYA1fs zbBO!0!{SeQHI_rXPaPaaxQ9W7fT@D~y#X@m5^LC_h+(TO$V%kuHe!Qg7U9wn1ilsb zF`d=`Fpdq}&NY^wZ#jBK4V_@9gvG?<#3*Ex7FyW z+#IZGqR*c-`iG#}P=p?Ayr48ZI}I;$FpiSCCVwWAOrS=shQ~jp>|@m$?hL!Gg2>NP zXtQ`<_E{G}vmzyB^TU9^6}0YW$|iCJvd;v(XP&oCDK&#zEso0KYM@U-WfcJ_jtBGP zG$PG&76}c7A1!)?KPV>*v>Gu{TCI`L=NILvQIkUZN z$dsC1m#q1J(T``M3qrE9yCk(awJERKu#?lWhcl)WEZQRi!YlHxR;oo`Nnb}im&n*q z2{>IKWZk?ZVq>nB8ytwm(W!b%@JBhi?-!%A#UOR~woHoxI{Fp;gL9$7OP8%ZNCSPv zhu?0H1@iRT=5qk9$$)u zg=9}7^av^YRp_p=ai1ylW)vZQW&_5 zpVgI)t23E3_4BkQ@>bQG=bh@W%+HFl?RZb#l44gS6%5zo;Op%rgNuV3k_5YXyxjt7 z67i7}H#!{zFV}2)CNPG>;`K(C9XIiI@pn=2pli5B4QRq^aAbi@sH|hVE0F5MM&0bo~5T z)$FuGsFI%8PMw5ZCrqoa%$#3_jJ85lkN>jH+N3pUL`bqTBi)(&Iy82=2BLeV4?Sb( zconG;iAr};O*tkZ^GdNF6D}DB@pi7KjQHoISXFHuCF;)??qwg zbZ)jLb5|zk2q#gwsV?}6mGoUQm3%d6&hf|Gg4L6K_gP zMB%(8mp>LP`*rf|t_(JiVhQ#AR{`q!x7JSHpU77Gfi03GI~LS+;P~c8 z+ov60aQD64H&SiczdBN$^?}V=+X;s9s zzj~x^-`n7RWSv(awDDMnvI0aiY$gI(Rux(^W?ca+5T&Ff*-zn{9C!@o?~J&^D@jz^ z2(*!O+=a22T``~qs2*p{>cE?wJfUrI@K)sNZ*b4lJrG=oyqSMH26{6g4(X#Oy0BXw zEQMfQjeXn>GO>i6|m^-t~t`I+zl+^H&H zPN}Of2w=lkb?LjU4WA3%2%@ik&nwLg;6Tj}Z}kx)FnT)wY0B%}kS8+o1b9B;LpVN8YLm9N6Rd0G*F7K3$ECX)ImR3V#>la5 zm_0RHeKOG#XtwnWmxHF1>skI$ zp&e~pWidD5(Ei72g>*0B+64trMszUo?;8FcJ;a^wDwh#2&|P%5|IR-*j+y}~lK8yR z4xg_(Fb(>)o?uvC2!}|Y35_{xpqG^NE~TC?>imt$^m;3`cPY7B$1>`L6~F(+1bW}f zTDwq}1JC~eo1t{`kCkg>A7++V8*gRFzY#3^jdh!n%cfQAK~{H_cCm)PeaBTL3pO=t zYsAb06n9<~x6U_Euop;AyYBOC;e#XHckOGrN?bUj@}I2_rIh1%K>YIB=83r8NtlSi zi>vL>zIA_Ap4HczsCjwGV!RE;wwTizw}AEH)8vuar$l>@*)GSqIGZQr?^&jRE7YlZ z^nuEd)X^|lSFJC5oKk7Eb|!Y_4l z7I;#p#-OKW#^vYBzX+PnGDU@g^9SKpfM#YKF!|?*RY7xE&e~Fg9N@YMo8kGt{8@&- z_gbSTB{eExSUUXZ-0?ZPb}+I&^Xh?6bSnxefxtG(2s|2T@}kvR@uSg8oSyKYWehNvi?PIA2X=@2Yg7*Eg2L_1uds z7klaUJgl=$I~OCAV$=nI*;N6JI&#G$Ic~xo(m;-VwO^>eP+i=__>71OF`2QP=ZNP* zFy&xIvtE_aeN59H-fs!mL+yz<$wKt@6SY7iql5Vd1Ai;Yyi!#TU?JxW62|09(za8VrD;L+{_1mQ{2H3NPw?WJsxf?fZ-pq4& zlw^xr1T_NtX8Y)S=} zLFvqtmam~6{FOLoSt{jQ3{qxYl1=LUo(K2dTG0XDx&vIEGpoF(R=HcE=C|dpy?4Al z3hW*pW5N+Nj$#@d2{EC{aAQz}&m~>aQA@*TOnx3r|NmnfGDAdcs~IC!{`Yj$NEir` zpwlsoyE1T&|NT3J1Goei08`3%Po2E~l?(gA+}}CBg)i=-kD4Z@xhBN{5i9Awte89% zk(jDgu4(^N1&U!`7iC;g>Sgfm#U`&KqSZzmC(Noeo?yS2Fcvu$JB&qycz^ai4$VZ; zI6E!bN~UIhy*Jd*?x*b0xhtyVEuzNUoKDeVQ73rKqV*-tE``!k82&1CbCx*Y3q0%dijny5BO)dLBg{{6gknU=7 zvG6@jJ=y89UIC}@{oPj7boWlZ*5X29Z@fDxD~d4H)9GK|T+8E)2&~iZKU&2VJf8%F z5l6cYYqa!Ru*PY9lINA@{mkO~xD| z6{Mts)D>!^fK)=hE*a(RH?0@jsWN0>>)GrEC#SZkUiCj~j(m!zCud2Wj59B1bjRYXoP_^@@a9I1iy*Y0 zG`a)EJsG9B33n6e z__pnJ6<21#L9{%e$`ja?l7Xqbfvq%g2p$@sz>|6mulc88^)=uS|7XoZ4+7aXK30zx@P%`mOY3UOYil<#2YvOjx)4M}#>)m`J?Bz*n-2{e1fkeUFwEgr)rFGoru? z#*U=ev#yzt0QhA9|EO{QTN2P{_v*LK<+t|*?s6MemvR8C;IK4NF%!VGkLE(=hCJBt zuptcdQlaIE#jxMm2aAi_`PpsU@ah`KM_u1KABJY1MPGHox?ju~8QKr;)LqiRh;`~1 zg!i2YY@PiJw=~~~!7wns$4lvaTXPzN^02VW2T!yn?qj}sA?CACO6BXAuj)&y#zT8= zFfYm!yqPiQvE?!0)dQj>4JI32d~gtq8AM$`GBeM(S0{dkKfgB7wJx~;$m`H+mn{m4v&J@C)SZSCi0Tc z&Bc}AQQEnRA$WKqbMUo^@aO!ID#`=dK7Zu}eoqm^$Ysx3FMbUsU?$uQuS2HQE+~H* zwpi%%V===o(-flH7_w|$>y=p*b=$Xv{NRYUZz^__ zaV_OUlR{tPl^MG5ZQE;gS7y(%X(9EN7P|Qi&OPWvq3`fvZ{C$zk*=l8Qb73h+-$L< zQobYX*G%@5Ic-0lsYtAfeZiXKZm^l|FWzK-4H0o{`o|t9Y)t21d@5 z%Zg?FxV#Pdi{r<|Hu4+V8xvtz|N4aNhUq;B>!P?8Vbur9ZT_7J&0bZK1^dcsJWbpu zpLASeyYDAZ;_mC3s*hUwQCk;p0RcuQgohq{?KI#y1(2dsVqb>0>-4Z66R#A1Mq0-E zHF1wGBfX;=;6(%+^M9*&J{Ns{*-5K8u38T=2g0kvU+~|k0eS$?f#0$Qks=^`^Id4* z+~NMT**T^jSp;kKXqg|JFoR<|A%Gs_FIn?b2B@3?T?XdIuq_}Wd09zDI!a8 z8GY9;a9&ZfTN|q<@7;Dj{NW#9_&HayPYD*0MuXs^58o#zmty~nc|g+7B+IM15p_w$ zAJr_oDP^~n2x#wDYxCPjY&+*TkL2Q)$_E1cELvUkG-Ij{2SSK+WUa^!2)?)QnmV;zRNUxQSPow_&}oDTPy# z9uuz~wDfd@NLYaj{*YX9? z=`HtW)1UrMAiQS>1U}<)J#d%%owK$0VRihRGa}oAg1Ed2y_g`mhzN{jzuzXm{rnyB zT6|^KtA6e7X(!=liw3tHPfB{bdf7PdT@r$pjn(e8>`Zn#m(Av;$I5?V0|?h zkguZ}?$5i>lLK^V2uG-Xpf6Z3H_9hC^8SS=i_{M|5tgg${&3z67yDqj)}0HUO#V5x zZ4!3uS77U@0h3=xTZ|~Z-E9#}9h}2LMUH=ul|};v-P!#}!8xMsVU26s(K0)eQ-llFtWEn=q#b&UA-m<(b~&*BK0jC{iTSvB+3}6WQ$q@MXrgmL+P@(57%OU?+O<~xGeI+L!C;3uWP7| zK(Uc@tJxH&$S=KL1gi1-S(of%eEJMp2^Tx3fyI!}y$SCyW;M=@{(D}1A)vAQevAu? z=O2dQCC628OIAc0Z$VCXxWp5V7*&UAmC}q4{(#o~k_QCc1-8lI6Z)?1-%Lm`BjAO9 z(^;H83x6X5YxH5YcFbF&3#3KxTYpZf@ef!_SmWLfyIVWSEyr-AQAFhVU+kDa$hQz~ zaZlR3v*`++Elwt2^vkE=;4VoGe%5xLFA8-kdz$x_!^m8x|`Kj^7m$b@6O82jSQ zcpKhe-hJn#|G)q0e|ljOXe^p1Z6_^?7Dr2_9iI)ebN;*N zbQk(|dKmrGy0PxBh0}4-%0+>T;ujrRRDX7!)0@m-GF%ycj6}w%UArIe_j~@L((-#9 zJ=2<~#H!u~J4AFyRy0PndhI%`M&MXVi_;&rmE<0XgtY`}(W=R6-RwG>#oSxPOVqWGvKYKsN$+4s_-IOMz zrRlHf^K?9&&n#_hZA3O=n{_rDfB*K1$}VNkpc$00wNMA6VLZ%+weTivhy8FIS=id! zy4Y?(NALcD-GXK?!de`U^Kmn7!=1PfzrdqJXm^@A+3%$XX%20qt+a#o(RU1(?P9@V z1>4Qa*)7(^Cb*4*kAsqHc^uE<4g6>Rn$HQlCEO)~C9)+t5h{|!7vh|_EbfX<@w=E1 z@AGAjiFs%KDxWPZmr9qW7VX7s$>DA)cbD;Hc3E0pFMldum2b+~idnIi>8cx&$MfRp zWw!jETH>TrKdOE;q~_ zFqY0v&Kr%&gqnDB*nDQP%n9>_IcG{u>CLx@1priV+U6i3-5vCwwp@^n*kUk7o^H%F z1eDs}|Mk<`U%uerfbeIiwG|`L7QY4vZxKqzsMc?1*Z5#&^OiOnlkm&j+GE^z-+}y( zIy4ICUtZ=(Bj`bVZWUvS@Y3x}t&2&OM1;74xi;9Muh;0>D|wU(JLQuOsUV3yQz63^ zCm$3|WJta;S|Do&#w3jCXQKIpVYZ@u5tAFYkECY5KQwuRGgqb(ldy!{awH#A1+52) zHp6lZgmChL54iLj5#0~~C_@H|Z9nv(<(v*vdCS?j76*N~PosU}rZC!3b$n&8mr&C@ zm7&M%Mv+{f8565g&`oUMp5BJgLXcNjI}e=188B%SEm_UWK^(8KL_Y&}2}b|!D_jAP zPOFYCCrx9S7DMbPXHAu0!|bW=o4^M9Jh$-#=aF@U(M6mNnBz2N#C~z^e~^wg&Ku`B zLYaWnjvlMBk=-O7I$T$6VS*o(8#`-jYdcHi2n#neeo+`8Qizf8z|Y{*2kL`_dd&l} zVa|Si&_$&XC%*68BK)@mgYp^$zo$UFq3mx#;C@#(_=#ZM=1g@bs zvyqubFmc-r9}+g;sTv_!Q|J}NJF-BP8HQ#z?~5m|EsME(8`L*ISAt`&u3@I5?eCsm zUGj1ITfJUA`Wq$U=RgW!;SqG#MqMMDSxw5sn$6xy6$?dyM{m{l;06T3u z9AW8(GE8lC1yDN@HFWz$Fs?8##4dxDE41Sd93LMF1vX!Y5$Z=K;12)2CmiHeoVB`c z0Th&4TjMYSYhjEK#r*^!M^=f|y)dQpp4k?ijP1zKveTPjm#d~CcRZD$*Ws57n~!l^ z)Q6LF%K=Xkg&3`f`Zc8d{WpvtT)P=A&OmK?E5H9=C+z7-i9`_P4~0`w(5g7JQ`*HP zzX`cOc*&!IF+khw0o`BiL4F%uoh}C8lLq%Qu7u(OP~$xar?r z9)u4q!_Y{aO^z8eqf6T=MCu3!RzK^n)S?7QPkWcT2ti`*P!xOUMdX1g{LecQInXL& z-extox__7%YxYH;$W>HwS>ZOY+j9C^GL;l*W6-Q4f$8LAv_wuSmb`!4M#9@jnB?{( z8rY)t6I4jK*4tTWw%l(vpc9s!+y-E$w3nVWP%$kMOIL%)LZd`Jj!pWW>I}a%`eFsk z;}~W+qs>8^yYp@(YY$G42({k9O(6ye1n#CNg1y;ZA@`e{;C?GuFHlyA|M{hk8^+<1VjE*h#X6w&AFtz>e7yU|m z|5up>>4A4p(SB4E6c&{J{caBb92V9QM$YomG7(R7=U1NV}*W5khFU>BoO9UY#5s`VxHn)Ex?pv{$q+ z*@@CaiRAoGoaKG@o^QPnZE$RNHzxi{xY2}j`^)+GQiz4?n!`pzB0*0ZMMm_r_eh53 z1uEnk6VV-_c3Z~9)NR=Jdt|(h-Zloe2IXb(KtA~Jz7rr8{p9Hh@BYPx+c+fXdmXJr$7 zM*2poBFMH<>#yQ<$sOh6&<)GyzV%2UBWX%=AvR0In-o$9!wFD==MdhE-s8rmQ^hb) zrxwRJDYk;L_yDGKJYxL^iAuIP2-Rd!Tnz(m6J*3UsLQp%@dGfmr`$_*3Z_kn+)9G_ zqZoFO+}?$K#(XAQL9{FhZOI7IIv8zR(d?h@nw6%d(Iw&zG&ITGMuPm#GaI^)(yzO4 zxjHg9z+y5xq9h$HeL^m*$JjOG;|mljg^*1&q6>In>)=Rc&Jv@K+$JJKyiGD*7nTgt zSHjX;y3Kh`9GNPcb}kfjUA)wScc@ASi2160acD8+x)5AUIU&*P0PH=Fh67Gj^VE_d zfAils&Fww)DXEvj8!vt84fJWVF8{v^*|Um}f>q3UNtto0ifg>?S5HSsV6Ya9xWJKB^N_?86(Cn94#gv~fICBY6Z z=i8>L8?=A+M&MX6y$756up`zi2u`{k8U9-D@<1IofF7va7b|ip1pdsDbB9zfrsI{m zTcN8Ar(%8Dz?JVnKSqf+S8=|8vV>yFO`}=T$;f>Kgp+f3Q`AXiTq=}+jljUCMDe#ErORXWa8Y+ngLDB>Q)}xM`sT7KKE$XH1 zP!vskRbTe2HlE~VAsol)jn@SSjB<Dn{eJ)9VjlkM-=J?(ogLNsEymklRhk!S~r_ zk{vx6ttoa;X#;KrKE$26TA9sOZrVVIP^sq`WY#sd6PZxDr-hCL3nRg@rb5$2=PEPR zC`sf&{5g#iPwc2tEfX(KS}Z-B?x%&=dOVGBHxGPZt{>b9Od1s+2kk68JpxnOJn!<= zMS~dEyprncpzU^T@gyMR)N+))p(i<{a1+>vqLLt@-?8+A;+**!Pcx%^Lc1;#jW^J0 zj|J3j7c>Dc3J!Ml*%e$AaE~p_#(Hkz&z{xGR6-yc6{h|kVE~IaVNM>;(YjIo-o>IH zb)K+qUdZ~jtB^nWD$^aUiwc}3UuSyazu)_%zv3sDtQm!d^aoxHb#p`f%~Blvmw`op z0;dRJ&u5O!c4m+D5c%RCSNTi6S^`INbf}=+2eLK|X0pFgIW)hWUuO_$@14-<+U1+B z4{3O8=TAc6%+KJP2OK5M47XM>I8FFaCp|=pBbDH3$#4i{^kfy@Gf&giwageB8t;_Y zOd*UZDqMtm^{Dd407;V}gOClm5+N32stT#I5wl#%5^14W=su+BS&NQ3KX9E;3~8RS zQW(PGVA}U05plHpOqsF=!;?)o1OKR%Spt>qA!d-cr6`6qD}p&ZJJW`2d9K(~@;T~o z6aC&XPY=VXxdX)qK0O}?F#xdE)NL5SwWc(rH(^=sXfy%l_iatg=PZk1^k4y|eDefS zx7&wbq_T28ts{K~8|w~CSAA_iGU|zGPK!m{;6K6Sygx#FQbBM{l~4S5g4_*GO#b&8 z|FX`iZ(DPlTrfE_V4rRF1VWnI2nDSBWEk93AE|?;=Up=&8w_V|_ee1{;m_`TkM?NU zNw@WtAW3PGL}=@+X`h6IR2_FDuzPX+51}o}*~vj_QeGRy!FRQ+?f`I&MeL z)P28U(O=d{pgf0LGB(jbd7NHmHzP!te{hVxi*m`k@r#EiL3 zm*UXM%Q8ChGe@Hi34l794#%RG*?$KW=TS-G~_OG`6|Xp)LLrRHbK~&PGAbWM>2R<^_60T;jS48 zI*mhQ)-ADKYAiErg3)m zG0UJkiPr#WO@L3{w3^`YtIDa}O*S>>wMt+5AqP{4_5G?cTK44p7XNiW|l(2+6G zPX#-ZQzI>Mt@d1%oXF5VQQkbUKyY~?RF1hBGs;-6sm%A>NaJHnd8S30%p}$#c zCPOIeflD+6a#JBcuWBnU{0vN&9I0GVGL6~s4Y|l29=bE*MbA4vS8&F%X&4GjzD{0= z8j#6aj67YPv00_Mt!QQ@9*aKH(Si$cx8A#MZ?QruJcA#U#&Fyg5Z=T~;Ud`^?|2Rm z^H4;kJ9I)fG`SY@9hl7|SFj;HflCGL7bR}S^(M^NycbU*>xi@o8pz2+4iVu<{_YV$ z8zL7%5v82h2+U@q^wwb|chKnQi5Yd#CI(}=h)eJASk^NuPF5oZpFJSph5>ivsJ>7oX;h43}qiqGK1Gh4L}mlIK^9)6->d= zs!X_@LV=3Or~RPr20&UsQm!G(_I3~@kl%%}wiYE)#N1~xaR!K?)9 zqDU~ZF?AG>v(TyaJZKD7+dvy$?x5{4%`U}x(TwtDgk&?DIgZK!+L0K@a1Rm%xk*YO z>eoW_jcrE!ESBcV2c`sJnZ0E_lQ}9v*3U|j-xsgF)by>7m!OU9jL|73w`i%k-_-_m zuSXn&ORs^DMVd5_1;wS{na_D}hES&>f?v`DDq>lxF_@d*go?pc;EZz-iepl=`jTzASH9`|#bQ^Z1}sju>4oa zs^pUo*sQ#SiT^I|bUl*1LIjG8rN93?IPlkY{F`f3H&zX=AVirH13p6!HRcK##J`xE=ttWNYa6@&%JP1~2gc?~M)E+2?$>oW2X~HBk$2uZ`$cDs`03#TxlOmza z>y@l&$i3})Y9yX6!KK%hoyCEg2kB%(J^FEul9!Psc;@rHx=QBNY8!#ZJQ0-3{!yhR zDNto|dm@Wek+zwg$TP2fzW=s*d@A{Wtp${;2@XbQjvpkSg2)DWzP9q5(#iwqa{@t| znA$@qvM4D%tzL9W<)%^?a1RsQm^c!$+P8WIH)qlIzh+`N6$WXX^LJah}vi9?JX5|gpn$o~5Sd>s#p zeIJ|3zL+Rl^y>x39b69>_K#S&Q)20KV|BU)d9DVs!cew9zCqPmDh|8_LgWY5o8gws z!X#&PwtL5wHY*A1cT~BGlpC_1l$lv0aa^Tv1{zE_;2Ed*iA%F%&6%h`yd=P;#PrXR z681C+UJo@BAR9K%JiZWyYHZ`B!LE4SYaQ70O`LjSN3WHAjVo%w=^8yF16cc<5Mo-VKI*p5#713-c!zRh|mTibkffUV)h>U0Xu@F-1A+q+6KOyEMz5*s@<_F_dbbc1Nb z4Cx%wRjLN}?HHI!iQvSlG$PtMeJYSly%J!T+l)xdXyFs88Sh{P_a9r>mTCHJm(ol7 zuk~~R9MMA5$F1j8k z)NM3?uvm+_Dl_X1dWFT5XZf7@@XssJ89KdNHUd%(V0;&gD=?Gj9F_wVR{f|{;bBhS zGoH?CHLVeA^2m6-j9^}mB+B>T3b~t?=0ih5h7v8jYHzkQzQu={8?`Q4d$J>>_(8!+ z)CL*^AqcvQ6Cm;dYHOC5%OxP65DKEQt5m#d`8(830mug;2chrbamP|dQBv~iW*a>D zd4E1Bf#Bpy`eFc2y)`OXnnashBj^NhJ(YLj%f1vJRjW0a)S8Gv&Hfq{uNef+@X*fd zNsQT<1EGg4;UWEENu@?qxeN!}*GlS0v)Q(|K>V~ z&Hzaz6mF8+c`H9v6-%v^nKP`Ci?cg!he!4V$ZkNFfY^b-?mkyuZ7jqS%AMi^(+!x4 zACmW9CEG&@&Kvk$k)c#sJHKFNt+@mcVPz_7Jw%KV6Rdjv0x`rG!MyO(bfYptIs7{s zWAwpkh7@-s9aKxMN~)|LQ3|gGqjZ3DcdpUs2xgpCgyaH95RxG}dnFngg%qhCgda0W zI%38wHj)WpCX=Lq8i%|8;QPOih4G+<8Y6^+l-;@6m7g`m(k;7;U0kfsXR?-Tq8^%x zG+CDSzua!?S$)4P01##@jAS86G|6^NBs~THNR!;qQmCyVs!E_@y{6$I+-xR>_7M@% zeBp<2{0szhPgX$KI1viJXb_)JI}5b6O-P_H5w@ES)(XDYgSD0bQ*C@(b{9uh#1&`F zDjq34xYqKkXrJk35H{orgy1Ue%41dgkk~LbK1F)lfsp@y)^tENx&%;-^YS>ekA} z^nBV51t-8zm6iG6bTcg`XFx`gH}|f~sl++9>$i&{ywx4EZy(Zq;Dq3uT`6#F;o}Ch{H#HFCH%j42=e=W+-dMY1B!o3XAC zyyyTm%@6`puoWyE)!^}-5)v%UY=)BF1--W=!0iDFPI&PxPX-h8TP2Y}OL0I{LbI%d z3L5vC_r_Qd1xZmnk}i%yT4Cv_?$eF=C9{7+19n&Id+XA=&%BAM{-Wdk)zaOmN#jCP zmeRhGLvM-*E8+t+DH8hwIP*~Bd4YBBOsm4BFz3=R&agOcF7gS=t;2no}gcqbEU~G~wpcD9$}HgrYe0vr7c{D zRTp7b+s$yNyzTdT&N`;k*$kR%CXp9SQD_5?e*@}z&1HmQ>sxHK7~0A*j1W-~+GHd5 zMBty~p^$m`X%u7M04ygmrBap~|3@L!wT_Tmc-)e*BU^FXHCjC+>RYzn>h?E5A z25wmZV_F%5NSa6i0DYtatdfaiOw_cXls}WNbdsl{YJ6KQbU2SH>pY=I(+DGx=%Q=H zreN2||3CWeFSq)ZR* zIMi^pqdC6(G7dFXCVl?-sj`0|07^wMZB2H&BKO<0-CdA6C(p7^_|B;62M1CL+Lec) zVP~W&6I2QR;!3N)bIY$a*lVK|ZqD}?-{d-P1f3h;oXTQ&r87b;`m6DBkX3BVSz+VP zv)&{=-N~33A+k0plOrU2c59@r)5YHy^vvf*eI*Nq`?Clk?wLJU(bF#L-^jjriqOQw zmWm)$^~c#U)7k+~&k2Gp^j{#Ywl@+|{Y}2ZBNK)tWCPB&>{oY>J_KP^-IPT^knuz8 z097qEVF*x$h5@jeI%X^HuhmbN<&(la{p6VQ&3o^?d%Y?iVig>xSE4-uvh|cIwKB^2D}R+r193(^64pF(cpsYve)s94(nUC+t{KX&uu^5i zugHpMt~m&A6(7>K!VV1IN?ajN6TnrOrRv&BYL_<_DNc0IR1~HJrX=$3Yb|2jga|@D zXsqKgyh*Y)*G_;q79HCJaYJI>!2>r|z$1+}q7$7B1HwTY)s*ox4R%63RUZ`TrfmA( zN}FIOlUDvbdBAT640}qA0Jx^ud!PP;!qn#DB=FHh(yne#XisNPkzR+lDcHYVM1lDL zUERHV=R~~5xQ))>yWe0HKfll<7OZk~eE6RJ=G`;?>OQ&j2Vq3|-&9dmka9%|Pga4e zIY;M|2D|FjzqU08A-Mm<%3W_h@IC?e;pcCE^x;SEJpIA?9%Yl$42jWd+C~TztobE& z4gOK6NlAC`V)gaC-m!1!#WT>NsFDQo>49ob-vIX;=bbn9+ZcED|M>uu`+0mwGd|t+M@08DCpX&IVH1-ll z4ADQ{@XSYuALiX+Sm-Ln)c5i=0DFV+tcy-p?PC>ehK_>hp~C@t@hE00QEK4uR4uN_ zI9@}CTv-=df8JgjUYf?D|$%J6;MEgM@3~FOd@wS2_B`h z8xm2u6D;=Vd8vF`nE+_GQ7-2W8g=~r57VFTiWjipZ}|4Y@WECYC^yWYZ%h|@VR|JTTH@EBWsDsxac@p0#uCn-k|a20v2U6IX>F28b}uXP z!lKm#*;*eAY9fij%f07o-X~>A&j$h6inDo5|NY^gWqG*TQ4(Es<~7SC$Kx)Soz6u0|aCoj_z5jw;`>o^GO4#MJ{X1x}b-~YQ(s@T)Z!>KiK#<{|z`3~!r z->9;N81sa$tkao;RSD)qzGxQ!Mg2}_y9vfjGb`2ga9fq7$%a@G(_eCH7d6K>uyI~M zoH1_pPOn|kTg%+%Nk|wbj6Lvld*fIiaWbL4bhCeYyxEF8<}WUrr0?Iu`41o)C&*5BJ7s0J5fblUxhFrt%=Twi%z#2cye{$e!gh%mU?jc zq2q3JEF(7SH0epZ7A{^H+AfCW0+m`I41%vM#wNM&{H7NXpl1z3sbU`*4k}=%iisL3 z?g_}*8_z_gVccENk|5Gjd&-MkXFDy&sav&=2pB?HKcP)e=XeDD)*H`sXXh4AoZ<1# zATq(r+{t#?EGQwFZ-#syg~+uX*8$SuQ-5|9Ot*9$&qh&i*z&jN>e z3u@Hy#u7uX?#BdU5~zYM zs;zALwCLIv2qcGp1VcjWlCRe;%Az-@oa6+s;Be=TZJFJRY_6e~0b;(;i(o7RT+i)Q z#|9ED*7B|&;=DOJAxOR3IwD0$v1ciaA~0EdoUN(E;NCba$gWdv;;GPPqd%v^@U#+x zR7h7%HQ+`Y)Z(!wO!`-*kL7RzZATEo+q!XBLM^C}fhnPrHGpW2sp zurK)pc_#wqKE*A(5!`o6-H`mR79?DOh@=q1h|F-?-4&I^^_O$UPMiQdO-L$hU0(RH zO$H_eZ_*hztnSfj<7Y-x@5It^(i&cOknE^Q!t=aY!3&0YKI$9D`iKhwV7*kCgkgK7AY2)XN2L%I}W6bL>m6^UCB1cmFbqxy!8s4P~86O#$lHdU+PX6Gy26jnDMdEpkrobEtw--(_{Fbz7E9P@cm2(m6yRe| zi%wfYNfvthrRZTQzT7g`5{ap`5&(TsqYwT<5s4r{rQJRiSO1jnE52*)~&MVN%SPF zB7|P*U`hA>CwCaJXK$l&VyDqcTt~{!U?eGeujTmo$=TRz)1*|dH>cKnyJ2H^>ED;+ z!fzREl0~Z1G;7Ov1K{Z7HBIz#gvN2cdX5fyhNCpm%aQPzyMeqLjZXi0Ng9wCkTf^1jCdW2zciXL|jt<3Hu~NMwEcg#3QT$ z0WgGGi0Kw0JvHVb1C?ngU}cC!Ak_c^B+@YhcY!d$3%femoHn{_@%iKj(1>@?UU9Za zwpXlZ`vll8nV%$kMT>LDHu2)b#~N-nNqr$aWWR^AAXfO9$&AFOyubBmhkG)jK_f?& z9J^1EENv{{B@WNOb!} zq^Hif=DOAXB$aD;w_d-B(q}E%<6dw7x1NIi2R<)GoP#QC;xFE2W0Vra5ffzwepcmw zlBGDpTZe56Q5xdiwo9e)sn4X(KUV3e8+MqWwNsFjb_tdtQ9{lpYogc!&SF_Ag4h~gy8Ai{()F7l$Rq|&CgP3t<}4~yk$y*V4F z3l}e4zH;^2^&2-43`j<%2>h8@%5hb!Eq$&(wwN`z1V^Rtma1wH>`|#Wb294{7sY*qVP3=iq}g8C0wrc>8< z)c<<`7#x8_p)pt-ouZ>JN`u=>%t|t9P%csZXMtwHiI@or!5fMWrR1nMYtBdcy4bcOK zneFcC8uxb79)db#{iS}_w{Qbo#dbQSp#Cs882D&6V&1_a5gvxQ+9haF%MxIif5Kmc z{r<8)igbTJ4)ivW>q&w6wG-LQLJ3&FK^+Jm zwhV9;A+AR{Yp8>QM#G2{Wx>fr>ZHpI?Kwdh+b}I<9U|yK2ZvNLMP=^Cn)wirSlpBg zJ?@ioX1<5@HXQk5b)a@Y*VOSgL8MTVh7A%j5(>sz$i_*rmb%y4_nSiNG^4ZXlGzBu zxRwNHEk^Iq%jzUQ1f@yrJn!fr-iL1}c_1l}<+mr&+^5Lac%f|J27Fzy1b78ZZ=G$vgdvKD`$4AI0rQ^NW zUpjkE`r~Q1<`+tJre*z+Z9GcTh_8bm7u5X~fhrZD(STO*N+~3_uJ%D^gr@CfDXip>}M{w@3~kWC+|NwYdy}rq^>-SWJOe?bb;Y ziGkPKNFSu?CQP2vljH5+2N7;A&WMZzL2w+5zZ(M7R7#6{n{O z#Gg2m_0_4i$&Rh`aPMho@_w~no*f+BY=4#a0l=5TrDx304-D6ZQe>7&SxLrA zEy%TZtdmJRCoLU{O+hlSe# n2(9rG{s=Adns=eIFL+JUL&fp`E2sX)l3(vv|4&*@ZUg`T;X1QK literal 0 HcmV?d00001 diff --git a/site/assets/fonts/jetbrains-mono-500-latin-ext.woff2 b/site/assets/fonts/jetbrains-mono-500-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..82f96681c0762d98ec703df7836829d0ab44a785 GIT binary patch literal 11624 zcmV-uEtk@FPew8T0RR9104-<$6951J0CXGx04)Ci0RR9100000000000000000000 z0000Qf=e5UE*yhC24Fu^R6$gMASWIGg*q=x5eN$4WX?GYgbV;M#YzD-0we>75(FRx zheijHRSX9klV=yu+c!eotx8J>VEK+hVB?^G4WAoDt(v6t+5i7%Bo#R-DU!Cs-nb9t zOfFScwz{iToK6j#O;zI(Doak1Pn~zsm@b{-%$d^s>;2AXW^j>qxS|Oi?ZLB$wQVlJ z8EPNXt6+%*!4NA@Ad+uWLLXE@4>C+IB|lPdL6%Jxj2=0-jBx&8xx>Yw{wTr8=WDg~6vS*Dao z<=LIoSskoyAMF6Q|Ep^Lj}MR_D2lR=E=^WSsoQ?TnwdpT`mkiq%a*m)xprP@@|~dq zk^)IUeT=c++e7?;H-?s|gp8*`jtnJ;m%#r{kd2YEPk;`ots+SZP!U-I+xYrw1YOIL zSOMRVbJZ9U?q)W4A;+S<`s=S6W%rBbivGV1DHtOx&JYv_6wm=2U5?y^d3t0{=B4>^ z^BW+6WSE(#L4w;C_w$;(J2c%r??2wx%xE3jMuj%BK%&dDnR z2-5)W?gwmUs(})lwFLqNs9AACFxlg$z|%j2h@k7<2=KNlKC^*&_J`IV$~^&xJ%pQf zGpPzxp`wT-;gU-lN)sdvekH+XRE#-$Q(m;&s~RtE%cgcO`^o~%1(~E^{QLr8YF;S) z>CGoKra@uLS(c%x(u9L}l&S8(C|v19I21uXFOet^(qbJ#NdDebv;7aiN>GL}c;^6( z51w^~Dz^YgIfl;Fx#(Q|{U5-`CUUU^#3caAph)SK;)P|p0WV?!K>|Qn15=k$SY=91 zbcneRA(XCSC_1;Tr%%&+T-1f(|Nr-EdD!S1Oe2X>4}N3BFK*E^PKERq>C-f_I+-LI zJtab+1VTYYbcO7=g)MM8_pN{b9j4~t5VyBGFQS`;R^&0~=Z8^Bh(j)Ro|kPoIh7im zCwO5uVi1@#G&=U5)evfkgmw z1kfY|5WM+Jd~P7p-3K9%lLG-nYW1seAD)Z0X$-h=8>eYUNhT~}ND0^tV+ zo5xlbSvU%qpS~*%OWPlc!oC36Pc4N11Xar8rTSpAX<>`aB(UKOAi4l_M31>B6D|~GT)X_r(_1pJle{FdzGpql=%5F8{i+S@ z3Wzj%l0n3S0rZ;Wa5|2|m*LUp^?>brvN$@IA$QctTUyB_ewQkX0dBjjyQT0Tj_n69 zUAcMUNhi-OL$=)m@DQPi1VfCmz!E8TIN*vKp7;?&1TiF&MnC$aBAY_glv6_ktqf)u zqZ!XM+OFr*2IRO@QhIaNBv}-jkOP9MsG7GF+TrRZ&Rs53U_yqh6)-?s*S2-(Yj1Mz zechr?>^TIAOu167fO8U_V^*CdOBqqV1XU(;)>9T8&u+P_s)fmX%#NDEO6Wo1Sx*9s zZ@%WY>{a!NQI?gNd^|Qzs%<(5C&oyz#qMFhNX&?^h%E{c00MBa0P+LUK>!XS^yi|) z5{F^x^L?=^t{v$tvhElLL*Myf0RdhDg7DEm3muFw!4j#gBEDoe;VzFz0&ju{BZh>b z!X39xmpr_#GBJF^K3U)ysxR;q__wXU;uh}09(xA+p23TviI0FMw@(Rm$npnRO;6eA)Cxrw5>5G-+BdG9VU%dyh9@pJKYh z9h#e_tckuMbhOYjn1P{mwK6rDv60M;Wo8Vi2`r5#GnK8$tW9EP3L6fl zb23vK7qhvU%heq2=J7C}mxX*R;cc-+d@U7ZC4cP#tq^XV2ph<)7iE)JTgBKS+GZ(s zOSVgrod!Crp92*38sHG6{rWp7-7(ot$x-a0QkRvuWV-;%^|cR2ITNDK)Z%Dv94=@D)4uD28&^`=!%K_&A0Kj5W6YF|JC$qXDRx#AY zHX#Tq*t09O2E-;<({h!tAT6U}rjohsMOnRvesC;9E9R<(xhhNDqM|~*b#=QTSb|x{ zuu4q~V@;05p-C8&u(K~$@Lp4n8G5n*Y4G{LaKhsRSH1St~c%)jF z>PVs#(-5t~T5F0Sc9F-j8nrOVF<2dyZAuVwQD!Pd5E{tbB(`T0EWcP8IJ(B^Gwwj? zvBMT31UaL-cc+}cJ+HU9tMz&>C%xMu)kac|rCQlB0-+;I_mrBlaRA%fXV?G#?0)|W z>K~eqSk;%^zq0!Lp*s?-T1P|??fF}cT#Y15FWrikbQDpipTD0lF zhSkxrGIIOXqSA#Lfx}wLB`ADPWP6Q6CzhN^iVQ;QM2?YI`(@xHboJI%SZnB@ePz5A zD!XsJ)F6e3%s60jkfIsmL@PDbBPHkOI*NRhgIlP*TG>p&X8pEhT-9gUug~sNJRVmW z*B%aXz^i1dK$xMhDA@ZmSWU$TH{Bfk)%|k0#2e z*kxa4W!vtVZMLo~yCIjB-Aow=D!Y(>CzbS0YR$(9|KFg{nE~7MoDD!=(8nU!1JWb~bY~Qta6a+e?n1iYlo{ zo**N~(yZPCykB#8<;qQWt!JGL(43E}BN&=+2c|-(+F?;y;Xx*Zl56Mk!udSY$$6s23 z?CPp1=T}Ti!nhrtk|V)2j0TA6nGJTj053_z_iX*_aC_ZYhntT)69o?M__^uzjXvk` z1PX~dHEyCmC|pXQMgoH@HcizP*Ng58Bx=zEROqv8ugSd(ylj{oHX3OBOoxR5i6tOC zp=$ueX>Bnu1oDI+ir=2nKqy%ObC2U^Q^U)L|MWHopFXX<__ThrJACpaDw4+x!@CYIvYbo0i8_fhZi)J?jf7pP>4e4JJLOd4u@t-OqPxs zDgD+!U4S-tGYz?mu9`cKa za;_^j=%j{O}ZQ~HC_UW7-J&U%t3d-9*IZt^W*sI)lX}bMIU;RTC?Z90anKYPH zB(P>BX<*re(WD>@8I~kj1VzY}xHUV78IzhYf~?|waa%0*6xYGo)7Zsm+Mi*CF}4H6 z`#uBKrHb|9W4`q7!lvS-O7WxazTGR5WN<(H)+?XhRf!BZ#0{Pye|If9YjzO_d=-$9 zeL0G+B&^faM#LX9@5g54Gp+OFqsdNyvFVqqdpgmvMA+}zu?2H3H^cY`lDqu|d7Yry zy#vIHIB@zRd%>;h{d>1wHJ+70u81cIGN^j0sQXi)^Zt!9F7Ez!-e_g~az*Fak*4jR zdBYX^)SV69?^YtqJ3hbj_hMv~tMhf}+v$xwLwZFfh9GbjMyduQ=RTvNk}C{NL<1~E zNFpH%1sJm=LB|+B@W9DKP<45GxhP6~M+^@;vYfnE3b(fO_*gN^=QrcY-dOgD4NKLt zlXELd4|SP-Y|!7&xDHLNf5#aweiV^!wkWjV$)c(Qba}zjWIg6sdz6bHIo^IOa2LjJ z8M4JnGHe3P(JrU0e-Pc9)(W-K)EH?FCx%fnHwmKH%1|W1*o*^1=(&ugyVgG=P`216 z1Gs$AKeqPr5{cT_t~xxYhMgQ6H&E^aU=tUw!8#l#5E z!K1@}AD)5;9{fM~U-^}M{y0?W#eL#e`s>>7!YuxC*Lv^MX$N-}mQ2m3Dsd%6@J@>4 zsrppu$vJTILS(d#ogcY4Lpdk#DF%apwV;zFNQ#B6WH*^Ts0zFl_G_wvJ*DQ3J{{Mj zIGc37u@bG;d%MQoB!}Kw2-Ve!mJJ#Lsb_VdSMu6m+K5a+CRN7`|T$s7=Yaa zBk~2=rz#+WzlBjI>hWeGp{s4)j|X_7ZWgbN%>^QfnN)CZG+XvAB#XDYm~qD+a8(VmcS z>U&u`ueNo3{89WKq-!|xb-%4P@U$MJ%eq@CwUnmq_GOck^q#gBO5bhy(gsUliM1%{ znG?Cq%Ln03#%?Eh7Vd{J!D?q59eDYm(V4)%b{%-#ZuO8SIyG@kJRZ~o-D9x2dfBiG zaS^L4tJ_5_UZa(zE~Jn(8f-DfD*+pXZem8=oKR;1BmT^ucbsUyTj#Yqd59tSb_c~V znAx)StCl0$p)YAN7nT^aQcCFR?N*pn*n-fA)BH@0O zJtsvN8x&?~gGip{?@~KNy@eO=&BH8=e7gg3OqL;m`IkdSwyG0(U3?(5Il73qk&v<48J zencdaK0m%c)~c^YE4Q`DTFp2J-V!(rMzhY_K9l8Z@^>w428kkGFnPg8TlcRzWU0R3 zm+~uGhDUW>{Lr@tlvQ+lxb+4ZWCnuibKa+(Q(TY1iQfgpkwF3ILOMw?125zioDD>j z=*$cYS$<@qSA^3bA+#{e(~((CXsDk=h&hcxNMd6gEue56SyzyZuej5PCcIfr&XLEi zJxNO}&qXX9Z$EU!SLKwaomq}YLCg{Z5s7iUw_srJ)WjWA*H;yc4GI=N#f~_ag27Rg z8*s_ldA-4$KANp*W?~-fiENox+HeDcBZNbPf5aR40m}BWBpgTmy%wUgY|;&*f-Hx+ANYUZ4YsqNHjQSNlz#e4_v z73MC?r&O#$dcJ@KfzwBLKlkok<5SYJl3{l(l|`gsDzi3pNHOtIQN zt ze!sLUkScwE3~budFQ1AXdw3b7^!Q`dZ&2ruK}qot4qYi;DP@Z>tBmgUCORruQaO9ktl}TNqC>lGg>B~(-JRs&mI-}OnP=s z+fj~4&Oxk40qom8loZwv6)mstyp`6IcI)AXyRM<9s`&=#hR^Ub{FI$w+$89`M-5lG zB0=|9I4~OGd{cbG51HoDPpaiF^bP2+w72mcSLr5o8glncb3I2skEEdPC2jw6wpWxu z#{y{wD!Omdr5_$#hBepyeup1sMZ$q-xR9jREV>noCuyuS+IEemU0cR~FHZvJp!kOF zaf^jbGX-#KoVt*jEr6IKZ~gK9(E8VJgTr>h-2;GkrW%hBX$pC%1Rs>BZAF)Q6!6sm4w#?LYS$1WBy5q$82UC}cj0l#E zv$(0HCzViE|Cx<+RRd`FT$}dQL8HF{&bM(N?EC2#VI3Io5o`2krJL6qnEY;Tvfj{O zJ&wFr+p^nE0mi!xa@f#0B3%f>ZJGK)Frp^S3nZCL)rC4z!!CwejCQ{0$=m0YEef8)rJR1$0hC zDr{VAnl5 z!jqQl8tE`EvdnXI)2uJ`g?96X;pR!BdHGLY=yQFS>R!shRidGBsaXF!m9t`a;`Ll9 zsPql5nHHYcGh^~2aAkN_Fr!bxJX80v3NZXB{rS#<=_j4&GB$ink!>n^k?o1dviPOY zr@V<*M$4 ze!@S*aj;sC*xY;>0o=3ipp!tpTP6KI6m-M<4?P6@VPhxZ$s! zh_Nb30gq&nFS%${6OANQmrx(}PiM6Psj@5tNF0L%CO5^YNL^YoJYzFEYqBW^ax7<(jghIEjE=TC>1&8lCa5si zCWkuOiEi+!wT4*{D{eyT+S0jQ+!bBdd*you5U#=%-pIrRkTBrkfFe}rT&ES9GM=gI z&*2t z_6d^5CMzrJTPIAPd*a_7n$fryvZ~BwD<^p>QAH|Ot(rAV?b<4<4z;VZw|n{xQE zC*R{5*Yia?+QX4nx!%*=_tal^O@kQ;b8BQMHlfI=*iR=duKlW z0)0yVz5njScV`674%jnj{K*bt3s#ScIr5-l_FmiC+gDy;Ni%J~(kx1vL~p-?BFT|7 zdbMmiMNY$7MW76UXe2|L-H*&E`$_(~VzB=8&uGz|?W0?u^EvqO=#Cpm-ltbdVu&Gz zVdEqYL$uGHbDJ{>zXiaaRNNoeCK*zmQJ7Rj0%aVVsRg-MoT)aH+<$0{R1n(M{SqG4 z*CkJiaMCXw!$K@(Iz}Q3ULjE6bmz~;++gT670T;Kgn@h1z6J&k+I_?5~A|3m*yW03$InO0$=Ac=T3PA=;h z=?M#+|4u=($?ekU&Xuk>U*)2?7(A(GwB@HY0|E413PZ^FgeYh25D`?$&zmz86qVXabDvd)S#E?DP zCBsw^^-vVYBvYi3CB%jZ2{jlBPzW2+oN|@srcLFR!gm@6v z6U_JVvukvUFMt6hZxt9rP@HINATx5ipuRy9pHYT9-r?dRWv{@?8GNyu5pqQWgsFA2 z(BzNZ->h72N*D-9N@%h2Wy*4C@V2{RF7lNX z>|NILhd>Bf#+ZP+3P;wD$7^vv$i&t)G6PFun+=0W4i{NETZqjQYZ3=mK>NM}jZ~Cd zAra-YL%+&i;5Gkpkvi!*`T2e zo*l?vnG@f?gYGN_#<{Q%elxA~EFB60;OJlL{o;<{5(jQMRuLNsQR;%kC!%juYY`4p0Rt=Jm5V?GK({H10>|OskE!iA!Za5ccMi9HU zkxVi_OZps{ZI=NJ;tG0Cy1U`SY#8#@h+lQ}jh2Y1yL@CTqf!K=YdX9-(3q`Kk|18E zC}-UpD$UqUeB=L>%XPz;b9C}|T{(A{QEw!v4B^w^*zv1fqvZX#0~@v)_Yqz-GGKyN z{_=gVJ;;2Vg<@ems!F0Wc@g}3@5B@t#)g@IOa<~lFg4BRLXLXWcwkS`*@katu zGxcZIb;A@EY42TpR?MEXC$J#h{zoSW5q?85-!;K8QRMMg!MiVj&W|(pV+^sSHC@fwCj;BlYLuh2NnHmWw zUQ)11^LVeAO7K!qj8U;82d6v%;q0ckva|_fSQjNG=raDAti{%o5^{%*Z)pcXuP$;HB3ekQOe5?`nK(BdobdLVzL8j zn9xG?d(M5S!Xv#Q$9HvAignlF1N(b%l8bl1!0xPBf66*qK#paj*81OqWYJ7*su%OP zSY{2*F|DfNEUoRPK{v5;g`O7?;r2ZKZAhys2>D(+34D2b{C3+vd2&HS!U{B21}gX0 z{QF_ma1@bzAtR&|NTg1Zk0sN4gNllZ~MVy+;l- zD2J2xiSl~W40KLLX9htKXhLIp$euHV5ERjz=XWuc@J|tsNB_cQBIK+5UcB4YX0cFO z5uqkjK2WvRxiSWXC(BrPrZBKiHLSJzSl5U(BZ)WiklnJ8n=ITJkR@%7SNNL-OzD=F_vyO*RL{eF`?}m zOr`}QGm6ZxjiiEP6P9%KBilucweP86jCxe8Dj(H~1n7Iy5i+iNLmr zBa;9r($U=^mExMUF=gKf5GyZ72XlBqoJ4nW8C~RKhVTR}Cr4st9`60mmOjb9PiJw8q<)$sgUK~E$IZo`ehUnW6A%@y(dDd} z0y&d4;mm1ow$$2BZ^uSDb0W7(`z3Z(7wLHKPt7XP8Cn;N>dGE+ou!k z9d@H0Ew@S8F3KD|8YivZr{8len`6Xy!=+)N7hkJrk|EB@Jom9gPMQx=GbE&@Jljl& z@AzfJ6~}!~DOtN6i?hzHWQzKGEr+S4QmG`l(rI18osIDSJ_Wk>^obJ&EL$>w`5os~ zaaDauv)naq4~7AYO}aUg*-ZyiEHfeYa7QA8at1#pkJYKmpzlG)(_n!~h^O*8FCv*M z&K0$Ty`2XMDsaj}slM;6cuy;trso%OMBn=HGW2}m6hm|6*BFzsxWiBy!2{>o{ARb> zVhLX_&aNOZF>t+GJaVciZ+#~lg(gG8G+kOtRk&H*diD#^zUfMQw84Eh;_)wI9ZS2(n_FLQ| zbsgdiCE?f1ChdBj`#+VNlEwgz5|?`)q&0Gl^Xa5?POS%xi)rY6|KWF?Qrr%u7PvoO z@C_MVSgm>od{v$1Q{~GLmnZEaZ@cF$7+q*km zl+I<)zh@74-!f$dz;1nV5G@TV_c~sg9VedrGC9zPXqq{=!zFT<%|>crtXzYB7lO?Y zw#Z~Mv2%U4oCcz=0v4g>-Y03cj{8fpi==)jH$5I+4();4CNh$;nTk_g-1xI3JyM#a+vYDz`@T`q$L*wFz5(dR%I$n1DRALErfDy4Nu_0_Rfbgi>(wd#p zsu~$DNon(rpq)N^jj0RUrpRY)@$rrpWOyYZ*^p#O z|H%4MY$uPuWApN1n^^0vlo-*&-0_#`Y@bAePGzzg~1A2?b~4vGWQ_kT}XKlV+=V<1yQ%*X)0+cgu7q|jMRQsBJmAE z!H_DPNEW5T2s<+6xQ}LsF|ZtHeN$6~uMACXx>(vQAvH}b*DD$u2-5w^Rc34~nZ6Iq z&=XBCUI#UyU=HZKUI7IK?5F|rT-!5JiprsVj2V@T#i*#G&=dOp2f#@!5isXIyo*D# zgvPUV%d@N-Aa2vnn`yf$q;epA7xRN{Q{1 z0`rNz@B?<^AD11)>u|yXnk%(3C55RQ65TJV_&~Y$#$v*y`Iinh7DOv6ZKgwQUVbP%p2B-kvAWj>q1#c&vJwl`5 zOr{zZ_Kp}iZF^BJ4(mIzsiRR))b*;FEVuzK4mo8j7@)d6+>t2P5iQ;kH^c$AXImHC zUcbnmF*aSZU&p((JEpBahfc)VU=1g0jX$OWxZlytp#0^s$0yb+PSvbhS2Wt z%VJVF3lj|Sp3QnP&N{Aq~c_YH;%yobiKl&EFply8PYCD%rZDZ zhIV`lvO?luki#Wr1i4J2G05W-iAQMj3%$o7Kr;jihmIo1g{D729t6Gw`OwiF)PRp| zK}~oW7Sw{9)Sxy37>IqqiGDZ5hyY48s^qJdpi#a`YK0ONYZR$oKDBBMQq-tcV>{MW zj8={Py^(4T?SP`$wzT|4k)l`;wI)^8pcG3Jv9dcwy@O2INMVquK9DQZ*y4m=t3eQV zp%^MuPdyMDQ_;N!1LFO+1VvU{<$k*fkw4Po^L9%<=_tb@B>|O3FRtRKKdG-k{OX z{dU*V)@j()(>G`|G_uQXd+fEZ-TNJI5Gv$wheV+SBB{`mJ);y&rO_F!kXmd#pfolI zTRfM?7YIcqiu;-F(*ht=5=Ocw7sCmXDpfP3S&kQaT;C|k7DgH-!7L4Nc_Khcsm3ONo*?#KcSR{B7XA-qlo0wE_* zrh&yES+$tbf@2RKh4_*N8j4(OXffqkniO|ch0vqmv0HkLOVgSv(Eusv9^jmE#SJHk zt6uF7nPGakc_NmJu=HfrVO6bezcxF=V(s~Q*M--nVErs3=5*6K$I|!kE~@)hTG^l| zcq(k<0n6gvqrqs7na%9$>KBJv$uF8w%$Iiv@VJA>fD4pB7I>L_B?w+kC6cD7?y%_U zdQ^?=uTaA?{`TT8EQ#S6SSci%__dNl$Plh`C8Slh7^ySV<*u}HBIojjc^zJcm7Yqe zt;kb{)m$B3_o0mS3V}9y`yBLYU0rzR>A9Zk-F=+nbGG+jRXO{NpD+^t|Mc=TO-8Sq z9Bf%$C-;&xbMi?f_+=bJ+qXH}QoYok)xAcpk?V7Yxq6O>V}-#P{nW?pOHZ=5a=BQ< z#nFlYa6=?;z=0b);CaHIxsT_G{ykR)A6Ia+;s^iSpQh%SJX#`1ie@~{Y!y>0RJ00)nm@L2l^Qa=>l2hHE zGP9K&!{2V*=TEjNVT{@FQ?1X}+LTN(C{ac~z{qdhj9B z8U!E(heijZ3=9WbP!@4Q(d&)~x|7`bT&-&Hs*sy!%I%P-;oo1;Y=qU7#TGc(|No!1 zbc}(6-Unc&W>x(v|6ijW{&ED~YM3;NqM5 zD<4T=wzMtYPh95^;}_`JX3AL0=NBm|MNs~INH-XEao=Y_!%kt?!D?ulQ*qD)i|;=0 zMyAsL)zobjez|7GMeZu8at$|Jo3^}sqW#2F7lDn-7+EK2-y_J)W;gi_;R_)kVhkb1 z@EBtRjEDgvMvOGZh?u5`h4a~06@o%&8UDS7oz}`%!%COc>2GbR=-fClBJSu z$%zAY6Al2JX6Z=RIUM)hBUiG^wKKuLGI!99r^Op>gURXk6BZ=U=9c!Uy= z(kU7ZShUpfU<4|*4i;_&W3j4#ci)e0^#z!WFkf7+C^}$IN-at)+PhLr)>vf-kRUJe zNJ3G!+YeIc%#aM)S>=F-{(CK_-vEs{rBDja+e4WX+tW#o>^Lo?1ppNQS_FPR@#}TI zziSz0_DII?^dF%DESi_(f^0po^f1JZ)L5BNal$OQ+^H zlbOHRZR(~&+NBbGYi`?s4bhza4?Q?Y>p*FdKuAcC05RLFWRs1P$tFP-k|2Q+AXtS8 z{41qSdsV0yv^}9>Q1dgRe)QgbPRyv{?pp>yapXY|Lk20<|Ns2uPHPkWedDd0E21dS zEXBYR??=1$Wlh@c_(6B04mE~F(@J7qo%VKH1In>wkS)s~$8lOtO8+iLFnyS4nEx`= z)xn=eeEXk)pmbEg98u<-t1n&b%wj3wLZE5Wv_so|#^=|VJ4ud&MB(n8Fr)zGmj{YS zo&M+hGqrtV0g^b%Rg=>Dnq|mKIy5{Sx_w`UI0-@5M5)^e@OHmxB_=0k-L+R#*ZNRy z*3dfbZrCjqD#nS}>v6y5rMdIR^ZsI9Q7olsLNYVSL?$LcyF|d>n`)K*hX$#psM`Xh zHQ-wCEHrZlvl}GN`25W8?hkbLZ-8htK&lB+5&%-GCM4Z7KuQ8QGgpM;03f+ba-7C_ zj`s~v1{@2y9iFi+8*|=f>ngt>obbZS!mHf7AV@C>uP#W>|1z~qyZ>}+-=NuY=Xiy^ zl{MkT4)Q+rLG~Ndvj8!Jhf`nn3h7f`*LAJl2@9+0jeG`z< zF8ibnC0L4riq7og{kOwd>-#~onxnVvHn%xtN=itAh)4*?IPUrX|I5v&BK`sv#n$HG z#1r)D071aYm)!F(HV{<$=?I5YMC5ek=Tz9_R8lzu1v=G&ojN+FUbr(_j5AiE^N>T% z!&2qH+liQUAlaV=1c^jZI1ivWXDUi_WT31gfdH^~G9cGOz)U5%bQT~wKrS47;&k{V z@XTMO1?ES4ljDF15dgT%_@9PhpaOvg5hSl)7tR|e1J-9Sh;FP196bU6ego_ICy%#^ zpTYiQKZ@mRkrXVJ30N({{PNXjRd$Rhd7fcUDf&zV5df|+5r5|;aPZ}Zi~xG7;WfR0 z@q6&GqcP&S;`lj%TGXtYx(cB0j^_n{;0sx$0g@PWVaz^86(ZB4FaZde5Dc0XA!{R40Q^A? zvUY!Ae*g*7s}k^GcZ~q-F#?-_M-ry&?^~|)Sak5>Bz+2pehg(^zOH;iXqwyn@5vRO z`f9o0IQzMk3l<$}^XG;DDPV};>{y%t?VkMR-q>W2&+R*y0A3#x|MwTq0+M;NFBV)C zfomlO%mIkgv4nRL01VH+^+JLM6HC@?*s`;jBOboxL|nO(SYxeqeE8W!X{&A2cGzhb zoe-hIM2L34K?x2yELFM;nX=_L!64shXPj58%te<}t5v7oRoC3qq}d(c`9Yg@4|VF& z?WsQfe)rNVe;6@p+=RbO`^TJx0CI?oXo!KB$P!s2HsTPh+##T5KsCj>+g` zODK)XQGx!Pey{#nOqO6`ZTHkr4!@JC#8O>+uvSmPS5`iy$J zdXj2X*_*g3Tt%}irBV5!;v3=y{j=gc@m%t7@fLLp!@_R0zIm0ktPG5Jh}Nv$j-R8!Xl%VMjL#f{}M zN@F=$=9g)ukjpIY74?OtP!t}HJ$ZAk%w+?Quf>v4(IwJF+%UzBeEiN~p3Y;g6|gxr zYCV`Kjs(3=8#tC3@VveJ21G?DDLK0gJy9%C%xsW|=W;1J( zZX_^Zecvuv&!DmVFK2DudSfk)sPSOe+G()V@_JjoncK=Nxfa*0XfxLoP+~s#?s})2 zhndrvldsHI7}LUR=Bl|2mpx;C*YCpZ!{9G!Jc~}nA`$)BYFUAFG3~`{n@O}_8ksuY zWu4hVDwA^Ws5*Qod~(ld9uZ^}X|4tmR4p@x_ z^d4aFpalSVq6O#6Z(+M&n`?)#ptkGsUpxUNq9k+(C8NVA#mkMq@DUKWM@rTXd1P~~!|BsJOsJ^E6fjeRl585QKN(dk9Ziu~1C`=XM_)e+Zdd2-y< zzVeyjQ6=A9OF@daGadc2CUkC|Poss?KqK=!rfr)uZ$zy_-8gnl1+KP6kDfVXXo%gm}fCn%C(u)Hm#Q)cWp#$|KVRzfkRO|QF4#OJi%n(G+f*~>14tJ zzZmhAnH{*e0Rd&JE?rHrvb!z@W&+oX3rQGz<4LEC{PKt{T$25he15NHzqoi69iC*Xl zlc-7p;i7T|m;+@v%ccf}$XlXmKsqr~u8rCNIob?~bqp{E@^WNF74jBOU@8zxaKg1s zOO)gAg;?i+bHMgKR*2P9AP)fMJHw|!at|}!SeOE6*vD|uzeFTV)srx4L|>!e5AYr^ z?(}sMNSoK?MgSe6^Bs|)S&r7}u+{5cefQOOIIn_cS+-=6IdIJFde%9k&MD3%o(!W0`yYHSO)0(V5r7m19QikDk6tzDmyf&$x1B z24$evA&b&uzs?Oa#YW}%Vc2d|jto7i(I)H4(25eo4HBvpuD2*witoMAt`t}NxNEc) za_cDX_Eh9?+12mKj7OicxhHg)u0tI$<|H!rLAtU>McU12o2K0GKa)X{P=RDn zLp<$F?!RyACG{@U;?m8$dtbw)-5g&k?{G}7dNJ)&#wp<465Zdz0ZC!pg zP4=R0wkf)LfHhq3?)&Tx&e@(6ABS_}WaXmKjCaqB#Rb^+{;rLPG)?G9*h@t>omk$0 zMobO;jfW_S3@+xB8(tAom~nywHozE6N&D+L=Rpk}szSfiderfm)`brXI7{lU>n1KK zT$sW7yqg%Lgz&t1U>(%I%83X zdVCzWM$iM}kW}DmJ9V`V^q`e`?cyRpm$6dq06M_>Ds--^sWg{$NeAq-nL~%L#SE&p zZd6ow#dIwtxj&dpbFSdH4iuplDWdZo#r~LW#`{LI4>iCRU!lmP9#P?gz8M|ySwcmq zqQ2LuBHG2O4&L9XY}%34`7mC^*&U@5@3>eswNfd?Gt_~@_XZH5dnStI3PqpM;pZr zFrwq|6rR?#eM6?gS^90z&%jMHt5V#U&DaZe+ubAAPZveY2O9CYh`X0m&7PQiNK`JV zx;E8TS6K=3bG(>xczU!DpsMpxd>9WX9CtMVn1%@-62p#*FsiEPE_nx?Z##_+R*mB_ z^#C4pBjOy^5Iy)8ix@a+uj}c-tSo{Yj<$sxFpI8U+QG%HOQuUyiL_nnn7hh*5L|_e z45k9jU>Gf>qEOR&8F~}2-uAr`igYlmre-U)NV+<3c60y z)->arNi&6JK%CEFMW*JF&ard#_wqzEc)^1^Qy%!j^k5SG_{Lzh0q-!t=>Z1V>nE}3 zrc$&ok^iP2CaTwnd+;avOf-&h69J=;hLMPDr23hWUDZ-8?s8=RR`gYjbBH7{TWQ5wW_rnYI*bj92Q_Srk2 zcPy?NN~NRc=>=TBr`hHOO8zEIFcEdAS>w>uhAmN7sJd#OSB!(1FIl_*ez|yr01d$D zebH>5qo`%LBKL|Sc8vZgkpZk;QxFj>u8Q;<+Lv2opv;+U{egiS^V{yv9OZR9EDv{4t3LUNTb>$5M;Oitbs2eXN*gn3nXw7=(?JNLO6qr<=T)PrHG!aw;sV3C%QO2&? z@j2LQ@fBkGl%hkEm4l;U^pn(6Vmu8rKS59PWMwL2(nC}Pp+a?72E--!7bJ9p!%6f2 zb*{&u<^i-paG+|7HceNtkLZf6W#hSYHMBoFVLIqX)DF-Rhi0gCv!>QmkA_SuG@TLD zRgsVZP_wLz?jflWD10=kZvwm2nwVdZA!ZDPs$;kkiY48LNryViN+<~Qy_g7xr|_JR zTy)E=1f!O4-X#Js4O6nl#K{H3s$DkTRNJf-Tkwe;W$+RYn*?bI&r}qE?m-VA&2dE< z-4)%@j4vY0U8H)p6dFaQG=K^pTgcyvIsE)(6m%{VQu^(r1@;Zyh7JU&H;`_NmL(i# zX>KFwdK1Zp08?^LPr@W2n|S5YqsqtP>jO!qBU1V=RJ$iU^Is(TO=4kFP={Kz2gJJd z)>S-tVXeW3%XuSVvbZYJw@{iK&oMxaqI}Hwc*NX7+`}F+GR60)FzZ5N)Q#uf6FJ>@ zfBEP=zWxeu`ma$ef&YUw_;9J%Ic92r8X&bknm7MJG{)@lK_Kd9xFYwWN9@$vMZt%5 zWr?WFB$X-!ak|LeA>Pq|C1B6zZDhmDpBv$|YE25!~K zJzoM;j=jmgw=!R$2WHQ5%ESK7Bw(@~m%W`qbl~FISe8er7^MAH_FDqTF2jD-P94aG zNnc{m?ETgQY~t}lIbge=k*!J=yS^gIT>~mSTSZt}q1Kwhyra-v%Z$|?T6!SCr<3$0 zL=A);+;7`=Fey|iay6ox4o^_YX726i?Qy>;0dAMbuy{l!+^BOLrMlb7GV7werXrjaAD-rI~t&K z5dQwO&YZ<*5fetV+Ro*I7hUnor*S4DPE`)&Q6cyS?|JR|@r7>`?;_b-qOf zzVI+|Q2C2710*}xiz`Ns>giO;?x`MkR79tQ)rIj#+2&M<=I8ZC%|s+Lrpzal995J7 zcS-el3)CptSSnB+m{-pFG(abX@y+H91=FMAvzkYElnw+h4?W#;yEe?_$ zs;4ZFJda9D77o;caue;5MWh3H$Hh>`YO#&bNt$bebgH&6{^bE^xVVR3yG9o*x@0i# zaA6T010L{UjyZ;Tjf6>w$n*1hbQp$n9<}1I5ew$`EM zUo$%AYu5N#YA-EOe>CpEWuVzOc=t1AeJrku^cm1-p0zSSX@Yvq_*sMb6tgn+kdbMY zM}=8k%ergAT4*Z;pk(SdDFYb z0yb^RyYVZNS>1R*;?seKrJAlt%!tlRb~=opBy3tBi*?BuCCbKpGd}4viO3Xep|q-Y z(@3cBF6H{7!{=PU{3xY-`THoz!SJdrZZB1R$3@!LPqY;6xwzif3D1fYFB_U>eBx^2 zke1C74kA*Tr*oW;wTQ)kKaJ{GBUQOIGR0#3h3}?KEK;F#L)0y(_((Zt@0mHJ>T1{8 zQbf+$WEko|J77buD=cDkl+7?PrL|lcn-OPg(4#y3o1stZr2JuN{Z42lq)4n8bH_q} zqGWBX8Q+14g!xE2&Lq@6ZnW#9pS7RHUgx;&(4zYiZN5Z-H$!L!X03r0Xdl)>&?fU_ zRiyp0rX)N~LbMVJpRGwGc&en?hbAYt5=NvZL2o6rj$HI!=A|2cYuNyR#{J&NBUXU+ zqPvO6bUvT^^i`&6?R_0)bC$#5c4J*X$)(3=`3Rx_Xxbw$7IORHj!;-hSJ&RFaj zTbS`~%H?sG&7V^Z8|-+b##yUJz`ocs$t^=@YcIxn?pzdTGy^@ztF97}W@S z$jDUnQejqy{pt=o{~Lu=QGzLX5nv@~E94#kcB5J#BmAf^B`ycbNE)0aQeXf`VWMkHiG6l!Nb%a@j2-T&%#%Y6mc( zJnNKLXcfoHl+~)Z>ts-aZ3vH(?$)zguP9NyxN}iDzC#mEup(H|b~F`e0!8OD+L`0V zz&#)x(TYmL>NUxs&zeuSkA%-`huARi9jU9-+|-8%^=#Ctd%fu#$D%FdFq&#^jPncsFcVX9n`dwQBt8!^U^m}9lv!q zSlaNbLw*06#vP}xk89Ql-(CSh&ck8VERBiN^n-`8!IF}CG;ETVpF?8K19GCOLg&!>WiNl zK8m)b^2-UY=z9gVj}$0%@M4#?(ncx$&G@vzY=o!s6l$3wlbfN!E1idR+yK9g3$C5T zHDnKbQ4C~vlS~ifQgoQvaOE4Y0nWf4vNmo~sW7X{pACV9U=1~RjA7ZyG(hW7XuJ~| zZ#Xt{Kcx-`HF-?#D0@01i-y4IgWsfbv*(~K4h6}O_jx2nwxVU%bykCnaO&J;p!f{8 zQX{sqxGItt^4J_37$8r{gU$F@W;_sc*+WLAm`sIP9sYLI!Rg?as=zhd9KAF^Qe?wE z3e0Lm786FaI!9z@{_W7mRIo+|@~jbVvbieKDr8AHlrunL$wJKdU@$8YQrJUArVvhr zS=}lZHB0_BG9b9R0OW>r!utv1hCn^z2Z{EdCEC zW+&7I5+HHdawNF}a^6g+6snh6;|!f8>@Z1*u7csiMvQdAVtk}~Aj9OD2<;yG$zV}$6LFrtTT z6)#x)a}IAJkB#-^1}AckPxc7dJFA!4zdEY#y12Q?;=50MDb}jZX$x`Si@aX7991D& zmKxJSJX9;5Cvg$PhUa+IjEOHnwGP;UIJ;nZ$w%9(7yG!U`h|k?GS#u!{$%fUq12vVx9# zB*qF%GNWJE*Mm14yg|k9rB%wH>iNE@Y|4o1=SZNV;9kPs%1@Jv#yn|L>1L`MS8W1W zT&oJKIHe==nYw@dy)fp68@Ou>r|hXJiS_fPmpXc_90CSxNG#9cqav9>>L5WZRz+e| zm+EaueJ7@0c=5GDRafxFbg zkil8@@DZ8Fq{bJ^{0$^G{_8za67l`XdCv(KD`{$LbLHjGs5A?gfN@qiD&wa%iV5 zH14thDBu?C1P&r9?7-gx?go?)xacXq#Vw6TQT*JVkB)$*qv%&~h-sqe74`x$(MdlO zfIV8U9u$M~$~nlz_YkftVRaII-b z=q$nvb69M!*>bRiqoufbL|nOXx02Wz9z1!GsZ^#aM7W$pSZ5;ze@fc~`iR;tyXkyP zFGPeW(PG3pD9Ito4oh_@)=&`)lg|3vKc>xwg%~ISnZc(TLV%huQ3|p^2y&fB5+b2R za3M$Fb7`(IIO&x0$Y6+2Awhu#18Wv6Sy_z3jy)#J2sq&rayD-{sZ}IaTg$}(8+cpK zmk&8Vo2YCNV5=Y+J7{h8i7sX&6igQR~1Aee<&a&V26NbZhG zu3gl+%DHvHe=+Rn29y@b)c9xTDB&tg)DOs^!Z1PUWc2T{hA1l@r%HZ0t zU|B^r7Fv~GGnl??&WDFYXg4-k1qy+^r_Dng^Y>DHg+(v&CB;jfV^UvbE9F)`YB6E2 z8r8%-^z@?gdVc7)+-()>xQc0fMl^1Hr`aXCJisH6mJNtB>qaI%bf?^PS9<6@-kOwZ zLh_cjn9t`^wOzl%&6YZWGI@OUBbJ|8@x}#FsS{W5of9$oDiz7#hDw-dW41<32-5IH zO!_J>B2LD@DSjKcAbKX87!@q+aCKB>42&7moTq->XBz!+yT18jd>?)p#B|PxfxtNq zXq4?|f`17K!j*lGuj3LH#E1%DF3n7T)M3dZA&}%iE+4%oM^Hd-g5~&`&HqjBDmI%P z7nIIe803c8{EeJ+`KiNJ&es{)2-=;pWSnP3Mtb%YTfB4ias-5@asmM-wjsS3b)w4- z*dsrcMIr2xqTGbIz{EXMy+uW~$#Y5{$>+D3~w6-w4IF}DEPLNLusXmpKB1u;yBSFVzSBP2L(j^|u zFNXB7v0Di{w1stW!$N+sL2^!GafKkQuvtOZGBler0OOt~S4U!bia>=bM*xBbX5mzg zm?nS_1VyT26Af!J{0!!o0|n%P@Q$hOBAOQ`ezq6`%r6#Mn2nL(V7!zRT-dh4!qB0k2XBgS*1n@IPD)1m5?_Y zR9Lol*(`CBY+>2K_#$L=6(DKmWr@eketXwn#qKYZ!x~!0~aVw>iA-S?#a|QfOp4U9DD)dSRb@tm%6v!bk!mc7n8UY^f8cZH!Q-ji~YXdR#GR?3>MO%unpC0*IW3F&SSj>7) zK`ll>ONn;h)b4#|os{iQ94gwj&U|Iqm{9CO zsQ%+qB~W8DgYj3bcOHB}x?^@K@{1K>?4PX;4*Huckt%j+FH@YjP{mFe~+5+!h$X)Nizs)C)Xq$Qq{?AX#`kgp2b%uLMznzVQbxh<`--H32; zo=iH&-?MMZVGwU?0YPB-HYn8Y`$sl*R-dq2u0_`tWA)W^kKQ`v#u0ys7lCWasAbVV$pcBS89V*Hpnf@NtO#CZL^HLC3 z{X3f>w$dS^y7EN+5ceQ@}2y<@|)R_ml3B((XdD2N#y-Bv`pOhHVsSD+U zQRwx>k;1yPP>N4->5vu;NPaisaD{Y8g#mn*mxaLSWn-bVyFBu;HPFf>X^M@Fb;BSC zAqjY-!76e&CcuMTLem#Jg4vjpA;f5>%oPX4W6mnqsCigj=LT0C2YXv*hngb{FPrKd z3-$R~_T+R2HA;Uhslu8idH@K&JaVkn{5E_vh@z1UB!U`##P z+wwaK6(oQXnmTyA$S;$5`FhL_BTK{~b)=z2OE$_B|r)_DxkKa(yh4{z{96PKjYX3{I+VH;#d`6{!NGpe!NcqRwoYnHPrKQJ1?ne-)U zj=8vnHXg|`;W@1YyC{m_BB7{^IEAogogLy^(V`(2h$x(%bww~`jH-N;<)aouUa>&C zEPiP1AS@xfzd~{I{B};D@nc&Q&PYXEql40zo}d$RLMp^k8=KV;Y70Bv$c1;9nq21k z9j=s6tk8aLP&iHBSTOMxb7jBz0XtgME<5#5>MPA|ef>mwA9kmju+Vil9rcxJn1xmg3RateS9*XE8Q~OFl4MKAW23iS@*dDQ?r8(pee1XHGNLb*M&j1;3kYaW~7G>(R$$JvnfT#f-~4~W~%=*ViJE{NFk+J>3=I; z4$0io7#Wa|4<|o1O>g_@Z0BT={Z~O zg$W}*)Ed@jEJD|{Yn{D_m`A49c+C|fe~;tf)1tQHFTP%bvkuOxXZE%n&aUT<4ie#s z?(L5xUA>&W{pto+^9_`4Bj#GN3f)b3*)kL&J|bPILS|VouY)+EP^>6F+$daJlN@UV zn?Wq(A=si}2^{YV@72=upv`5m7CGURj@e^|QeuXjqNELhp-pfLP1Z9E^=EfAgP>ep zLNRcVo7Wk)n`g!LjbEdq_Jd{Tmsii)mnRMRi#jeJ*c&$zP}Ab_?G;qW^&dTw*NRgs z7Rj8bc3!uax6o-%}2Pv}`xu&9GujFdDSf2gm@c?y%LsZ-25jxE4*K>B5S=LTd z+WGTL(+l{D1sdzEb>igp0qbe)h}-##spP?{Q~X9@lP}oXk5^0o9E^Ijpx3J{5Oyg( z%u5q?1eSzV%RQxFLUIZRr@3lM=EKMbXsXyMGmdhDIv|?QrvZ1hHl_f6^Gu=E^z1&w{pnj?IU0%krfo3j&5S*V4gB2<5^i1(`+0wdK=32bi6L&*~H0Xocw zDE5>1n{Jk}#3(wIM=ZM$?~z;*m1O08hcqImzYkCq`T(S>efz5uik0;d$5^Z-6w(6; zjzA0*XpGDR>WPLo6l$Q_b;K3&Xj+Wc$D4Cn)z*(vbn|S!JvdQR9cWcn`Y0bm(G*s$ zBs*GaR+m$izZN+bQu2}DBh)DeX-!viUv0?$&iMx~c(VO44Qpo5KDXx^>9fTz@6lTV zhi*8JT%B-Z$eCx_R7Z3#aWNm$C4mFNA_x=iHkpKDAW@XHCxIwh zc(>P@$S>C7VV=-YBV94Y(XfQJy9K}CaY_TD9E3_xz3E1L*1xZ)4nPiR^s+P1(-#gN z%&RlBa`IqmZCE_Kjdv7gXLn6HO5F$~CR%yLOBBCA3~_?ONW{2&0*ix6K}uuV9<2hQ z)TM;`(Aoc`kQI<-vg`5j{{MdDI)z9%@~ZNd`{~{pTMRsY%U4QzzLiHI`t+bRKifP5 zq&i?^Tvyp%%jV~&uSS_`TLL}Uy*VtjrJN_fVJ?syymp0t*+s&>oLx@^AIXy7Rl>EUFW+XnV% z-|odwx)LsN&im)1qQ$p2qX#&BYxmpQnjAn0T_5(^3`*Fv|Rn- z%75LvZ+!IG{~f+T@BQ-X`}tL~)>tcV{ytdvnq5$hn~*OpO@DSxfb`Ap_tNJ+-AC^O z=jf?#ev$pg8k=X@)xbaYZYZIqOqy$TWWyPoy#<9n9V#miipf>56SEk!h{c9=7A?{m z^a=%`*LHxFEJLV79w2N6xxZ3kFa)JCKf$25L8mhis2w##yf9D(mj&{Fa08=nsQik3>N{&-b_gF?SjUi*1;_PAIeG3R&5El_T?q7J%-W_wb@fQ#+R}ML?l27wjWKyP z8mPt=ZT;qCx)`6>Z2o#te<>}W)IwW8Z}42$6kOCqvFa%8q_$Nopc`BKqLmYE!H~bZ zWNh*8t+r3i}V6cd&68$d9l#1WkqS4j&*#M?DXElIA34N;YaB;d)XuhC<4$2uTn)g5T9if7^x ztx1pQOh`NvU)|6GCN974|Llj`vx1e%nWeXvzAL}?K8SeUFZM{Cjpj~guPEY^seXMb zzsNdmT5jNMbt>(9zimA~$*!0(#k5Xf;Deme#P)entq+$A7@J^u`@@>{s$V)HJHJ>i zu-o~|yS@ZZ+Q%LKLg9rwb8J6u-YE1xer*=`7)ybXKEPNCJT&;g`rB9PaMqOgj;Lg> zc&#FG3``t#$Ws!GRC$+{hG%^5tv4wt+>J?#UM!FZ3qOS+7OJ%42ufQhn=StjURoyG zhglp*w&pM=nsc7TS2%pOEgy!Ro#`Am+lRRv1V4EtCz{h6&316Q_+d*%d^*C;JQuaj zE^uUKAOc`#8Mj-o#P~2X##BUgvJz3+N_uJ{!NEXHq}8b*NW32>NR0|Nq5UXs0xMaD zFo_~S^cxiZYKb8@zjjiIE(=$ybtVJ412vI4HLl??lS&TNg6`e~u_mYR*L~4}4vz!| zgEbM4(QQQ&6QepSm@y_gJ`rJy)NH~Q=0lZjmd>OTtq$>|3v5$B|@!%3yTPq$pctFF86~H zdxjscDpovxj2iXwUqeisF&SnX_ylf3^@NFF$AE!-1N1eHJovGKMxKfRq@Br9J-(GQqj=p!B2HIgyH)=HK&wftJW2=s|)q*`^OmV}3 zkLNYVT+Rp|__gsj&>=SSvrVG!Zqo@Ex0rL127UsUA^xE|DbHO(qR-`J7xMGuYA1fs zbBO!0!{SeQHI_rXPaPaaxQ9W7fT@D~y#X@m5^LC_h+(TO$V%kuHe!Qg7U9wn1ilsb zF`d=`Fpdq}&NY^wZ#jBK4V_@9gvG?<#3*Ex7FyW z+#IZGqR*c-`iG#}P=p?Ayr48ZI}I;$FpiSCCVwWAOrS=shQ~jp>|@m$?hL!Gg2>NP zXtQ`<_E{G}vmzyB^TU9^6}0YW$|iCJvd;v(XP&oCDK&#zEso0KYM@U-WfcJ_jtBGP zG$PG&76}c7A1!)?KPV>*v>Gu{TCI`L=NILvQIkUZN z$dsC1m#q1J(T``M3qrE9yCk(awJERKu#?lWhcl)WEZQRi!YlHxR;oo`Nnb}im&n*q z2{>IKWZk?ZVq>nB8ytwm(W!b%@JBhi?-!%A#UOR~woHoxI{Fp;gL9$7OP8%ZNCSPv zhu?0H1@iRT=5qk9$$)u zg=9}7^av^YRp_p=ai1ylW)vZQW&_5 zpVgI)t23E3_4BkQ@>bQG=bh@W%+HFl?RZb#l44gS6%5zo;Op%rgNuV3k_5YXyxjt7 z67i7}H#!{zFV}2)CNPG>;`K(C9XIiI@pn=2pli5B4QRq^aAbi@sH|hVE0F5MM&0bo~5T z)$FuGsFI%8PMw5ZCrqoa%$#3_jJ85lkN>jH+N3pUL`bqTBi)(&Iy82=2BLeV4?Sb( zconG;iAr};O*tkZ^GdNF6D}DB@pi7KjQHoISXFHuCF;)??qwg zbZ)jLb5|zk2q#gwsV?}6mGoUQm3%d6&hf|Gg4L6K_gP zMB%(8mp>LP`*rf|t_(JiVhQ#AR{`q!x7JSHpU77Gfi03GI~LS+;P~c8 z+ov60aQD64H&SiczdBN$^?}V=+X;s9s zzj~x^-`n7RWSv(awDDMnvI0aiY$gI(Rux(^W?ca+5T&Ff*-zn{9C!@o?~J&^D@jz^ z2(*!O+=a22T``~qs2*p{>cE?wJfUrI@K)sNZ*b4lJrG=oyqSMH26{6g4(X#Oy0BXw zEQMfQjeXn>GO>i6|m^-t~t`I+zl+^H&H zPN}Of2w=lkb?LjU4WA3%2%@ik&nwLg;6Tj}Z}kx)FnT)wY0B%}kS8+o1b9B;LpVN8YLm9N6Rd0G*F7K3$ECX)ImR3V#>la5 zm_0RHeKOG#XtwnWmxHF1>skI$ zp&e~pWidD5(Ei72g>*0B+64trMszUo?;8FcJ;a^wDwh#2&|P%5|IR-*j+y}~lK8yR z4xg_(Fb(>)o?uvC2!}|Y35_{xpqG^NE~TC?>imt$^m;3`cPY7B$1>`L6~F(+1bW}f zTDwq}1JC~eo1t{`kCkg>A7++V8*gRFzY#3^jdh!n%cfQAK~{H_cCm)PeaBTL3pO=t zYsAb06n9<~x6U_Euop;AyYBOC;e#XHckOGrN?bUj@}I2_rIh1%K>YIB=83r8NtlSi zi>vL>zIA_Ap4HczsCjwGV!RE;wwTizw}AEH)8vuar$l>@*)GSqIGZQr?^&jRE7YlZ z^nuEd)X^|lSFJC5oKk7Eb|!Y_4l z7I;#p#-OKW#^vYBzX+PnGDU@g^9SKpfM#YKF!|?*RY7xE&e~Fg9N@YMo8kGt{8@&- z_gbSTB{eExSUUXZ-0?ZPb}+I&^Xh?6bSnxefxtG(2s|2T@}kvR@uSg8oSyKYWehNvi?PIA2X=@2Yg7*Eg2L_1uds z7klaUJgl=$I~OCAV$=nI*;N6JI&#G$Ic~xo(m;-VwO^>eP+i=__>71OF`2QP=ZNP* zFy&xIvtE_aeN59H-fs!mL+yz<$wKt@6SY7iql5Vd1Ai;Yyi!#TU?JxW62|09(za8VrD;L+{_1mQ{2H3NPw?WJsxf?fZ-pq4& zlw^xr1T_NtX8Y)S=} zLFvqtmam~6{FOLoSt{jQ3{qxYl1=LUo(K2dTG0XDx&vIEGpoF(R=HcE=C|dpy?4Al z3hW*pW5N+Nj$#@d2{EC{aAQz}&m~>aQA@*TOnx3r|NmnfGDAdcs~IC!{`Yj$NEir` zpwlsoyE1T&|NT3J1Goei08`3%Po2E~l?(gA+}}CBg)i=-kD4Z@xhBN{5i9Awte89% zk(jDgu4(^N1&U!`7iC;g>Sgfm#U`&KqSZzmC(Noeo?yS2Fcvu$JB&qycz^ai4$VZ; zI6E!bN~UIhy*Jd*?x*b0xhtyVEuzNUoKDeVQ73rKqV*-tE``!k82&1CbCx*Y3q0%dijny5BO)dLBg{{6gknU=7 zvG6@jJ=y89UIC}@{oPj7boWlZ*5X29Z@fDxD~d4H)9GK|T+8E)2&~iZKU&2VJf8%F z5l6cYYqa!Ru*PY9lINA@{mkO~xD| z6{Mts)D>!^fK)=hE*a(RH?0@jsWN0>>)GrEC#SZkUiCj~j(m!zCud2Wj59B1bjRYXoP_^@@a9I1iy*Y0 zG`a)EJsG9B33n6e z__pnJ6<21#L9{%e$`ja?l7Xqbfvq%g2p$@sz>|6mulc88^)=uS|7XoZ4+7aXK30zx@P%`mOY3UOYil<#2YvOjx)4M}#>)m`J?Bz*n-2{e1fkeUFwEgr)rFGoru? z#*U=ev#yzt0QhA9|EO{QTN2P{_v*LK<+t|*?s6MemvR8C;IK4NF%!VGkLE(=hCJBt zuptcdQlaIE#jxMm2aAi_`PpsU@ah`KM_u1KABJY1MPGHox?ju~8QKr;)LqiRh;`~1 zg!i2YY@PiJw=~~~!7wns$4lvaTXPzN^02VW2T!yn?qj}sA?CACO6BXAuj)&y#zT8= zFfYm!yqPiQvE?!0)dQj>4JI32d~gtq8AM$`GBeM(S0{dkKfgB7wJx~;$m`H+mn{m4v&J@C)SZSCi0Tc z&Bc}AQQEnRA$WKqbMUo^@aO!ID#`=dK7Zu}eoqm^$Ysx3FMbUsU?$uQuS2HQE+~H* zwpi%%V===o(-flH7_w|$>y=p*b=$Xv{NRYUZz^__ zaV_OUlR{tPl^MG5ZQE;gS7y(%X(9EN7P|Qi&OPWvq3`fvZ{C$zk*=l8Qb73h+-$L< zQobYX*G%@5Ic-0lsYtAfeZiXKZm^l|FWzK-4H0o{`o|t9Y)t21d@5 z%Zg?FxV#Pdi{r<|Hu4+V8xvtz|N4aNhUq;B>!P?8Vbur9ZT_7J&0bZK1^dcsJWbpu zpLASeyYDAZ;_mC3s*hUwQCk;p0RcuQgohq{?KI#y1(2dsVqb>0>-4Z66R#A1Mq0-E zHF1wGBfX;=;6(%+^M9*&J{Ns{*-5K8u38T=2g0kvU+~|k0eS$?f#0$Qks=^`^Id4* z+~NMT**T^jSp;kKXqg|JFoR<|A%Gs_FIn?b2B@3?T?XdIuq_}Wd09zDI!a8 z8GY9;a9&ZfTN|q<@7;Dj{NW#9_&HayPYD*0MuXs^58o#zmty~nc|g+7B+IM15p_w$ zAJr_oDP^~n2x#wDYxCPjY&+*TkL2Q)$_E1cELvUkG-Ij{2SSK+WUa^!2)?)QnmV;zRNUxQSPow_&}oDTPy# z9uuz~wDfd@NLYaj{*YX9? z=`HtW)1UrMAiQS>1U}<)J#d%%owK$0VRihRGa}oAg1Ed2y_g`mhzN{jzuzXm{rnyB zT6|^KtA6e7X(!=liw3tHPfB{bdf7PdT@r$pjn(e8>`Zn#m(Av;$I5?V0|?h zkguZ}?$5i>lLK^V2uG-Xpf6Z3H_9hC^8SS=i_{M|5tgg${&3z67yDqj)}0HUO#V5x zZ4!3uS77U@0h3=xTZ|~Z-E9#}9h}2LMUH=ul|};v-P!#}!8xMsVU26s(K0)eQ-llFtWEn=q#b&UA-m<(b~&*BK0jC{iTSvB+3}6WQ$q@MXrgmL+P@(57%OU?+O<~xGeI+L!C;3uWP7| zK(Uc@tJxH&$S=KL1gi1-S(of%eEJMp2^Tx3fyI!}y$SCyW;M=@{(D}1A)vAQevAu? z=O2dQCC628OIAc0Z$VCXxWp5V7*&UAmC}q4{(#o~k_QCc1-8lI6Z)?1-%Lm`BjAO9 z(^;H83x6X5YxH5YcFbF&3#3KxTYpZf@ef!_SmWLfyIVWSEyr-AQAFhVU+kDa$hQz~ zaZlR3v*`++Elwt2^vkE=;4VoGe%5xLFA8-kdz$x_!^m8x|`Kj^7m$b@6O82jSQ zcpKhe-hJn#|G)q0e|ljOXe^p1Z6_^?7Dr2_9iI)ebN;*N zbQk(|dKmrGy0PxBh0}4-%0+>T;ujrRRDX7!)0@m-GF%ycj6}w%UArIe_j~@L((-#9 zJ=2<~#H!u~J4AFyRy0PndhI%`M&MXVi_;&rmE<0XgtY`}(W=R6-RwG>#oSxPOVqWGvKYKsN$+4s_-IOMz zrRlHf^K?9&&n#_hZA3O=n{_rDfB*K1$}VNkpc$00wNMA6VLZ%+weTivhy8FIS=id! zy4Y?(NALcD-GXK?!de`U^Kmn7!=1PfzrdqJXm^@A+3%$XX%20qt+a#o(RU1(?P9@V z1>4Qa*)7(^Cb*4*kAsqHc^uE<4g6>Rn$HQlCEO)~C9)+t5h{|!7vh|_EbfX<@w=E1 z@AGAjiFs%KDxWPZmr9qW7VX7s$>DA)cbD;Hc3E0pFMldum2b+~idnIi>8cx&$MfRp zWw!jETH>TrKdOE;q~_ zFqY0v&Kr%&gqnDB*nDQP%n9>_IcG{u>CLx@1priV+U6i3-5vCwwp@^n*kUk7o^H%F z1eDs}|Mk<`U%uerfbeIiwG|`L7QY4vZxKqzsMc?1*Z5#&^OiOnlkm&j+GE^z-+}y( zIy4ICUtZ=(Bj`bVZWUvS@Y3x}t&2&OM1;74xi;9Muh;0>D|wU(JLQuOsUV3yQz63^ zCm$3|WJta;S|Do&#w3jCXQKIpVYZ@u5tAFYkECY5KQwuRGgqb(ldy!{awH#A1+52) zHp6lZgmChL54iLj5#0~~C_@H|Z9nv(<(v*vdCS?j76*N~PosU}rZC!3b$n&8mr&C@ zm7&M%Mv+{f8565g&`oUMp5BJgLXcNjI}e=188B%SEm_UWK^(8KL_Y&}2}b|!D_jAP zPOFYCCrx9S7DMbPXHAu0!|bW=o4^M9Jh$-#=aF@U(M6mNnBz2N#C~z^e~^wg&Ku`B zLYaWnjvlMBk=-O7I$T$6VS*o(8#`-jYdcHi2n#neeo+`8Qizf8z|Y{*2kL`_dd&l} zVa|Si&_$&XC%*68BK)@mgYp^$zo$UFq3mx#;C@#(_=#ZM=1g@bs zvyqubFmc-r9}+g;sTv_!Q|J}NJF-BP8HQ#z?~5m|EsME(8`L*ISAt`&u3@I5?eCsm zUGj1ITfJUA`Wq$U=RgW!;SqG#MqMMDSxw5sn$6xy6$?dyM{m{l;06T3u z9AW8(GE8lC1yDN@HFWz$Fs?8##4dxDE41Sd93LMF1vX!Y5$Z=K;12)2CmiHeoVB`c z0Th&4TjMYSYhjEK#r*^!M^=f|y)dQpp4k?ijP1zKveTPjm#d~CcRZD$*Ws57n~!l^ z)Q6LF%K=Xkg&3`f`Zc8d{WpvtT)P=A&OmK?E5H9=C+z7-i9`_P4~0`w(5g7JQ`*HP zzX`cOc*&!IF+khw0o`BiL4F%uoh}C8lLq%Qu7u(OP~$xar?r z9)u4q!_Y{aO^z8eqf6T=MCu3!RzK^n)S?7QPkWcT2ti`*P!xOUMdX1g{LecQInXL& z-extox__7%YxYH;$W>HwS>ZOY+j9C^GL;l*W6-Q4f$8LAv_wuSmb`!4M#9@jnB?{( z8rY)t6I4jK*4tTWw%l(vpc9s!+y-E$w3nVWP%$kMOIL%)LZd`Jj!pWW>I}a%`eFsk z;}~W+qs>8^yYp@(YY$G42({k9O(6ye1n#CNg1y;ZA@`e{;C?GuFHlyA|M{hk8^+<1VjE*h#X6w&AFtz>e7yU|m z|5up>>4A4p(SB4E6c&{J{caBb92V9QM$YomG7(R7=U1NV}*W5khFU>BoO9UY#5s`VxHn)Ex?pv{$q+ z*@@CaiRAoGoaKG@o^QPnZE$RNHzxi{xY2}j`^)+GQiz4?n!`pzB0*0ZMMm_r_eh53 z1uEnk6VV-_c3Z~9)NR=Jdt|(h-Zloe2IXb(KtA~Jz7rr8{p9Hh@BYPx+c+fXdmXJr$7 zM*2poBFMH<>#yQ<$sOh6&<)GyzV%2UBWX%=AvR0In-o$9!wFD==MdhE-s8rmQ^hb) zrxwRJDYk;L_yDGKJYxL^iAuIP2-Rd!Tnz(m6J*3UsLQp%@dGfmr`$_*3Z_kn+)9G_ zqZoFO+}?$K#(XAQL9{FhZOI7IIv8zR(d?h@nw6%d(Iw&zG&ITGMuPm#GaI^)(yzO4 zxjHg9z+y5xq9h$HeL^m*$JjOG;|mljg^*1&q6>In>)=Rc&Jv@K+$JJKyiGD*7nTgt zSHjX;y3Kh`9GNPcb}kfjUA)wScc@ASi2160acD8+x)5AUIU&*P0PH=Fh67Gj^VE_d zfAils&Fww)DXEvj8!vt84fJWVF8{v^*|Um}f>q3UNtto0ifg>?S5HSsV6Ya9xWJKB^N_?86(Cn94#gv~fICBY6Z z=i8>L8?=A+M&MX6y$756up`zi2u`{k8U9-D@<1IofF7va7b|ip1pdsDbB9zfrsI{m zTcN8Ar(%8Dz?JVnKSqf+S8=|8vV>yFO`}=T$;f>Kgp+f3Q`AXiTq=}+jljUCMDe#ErORXWa8Y+ngLDB>Q)}xM`sT7KKE$XH1 zP!vskRbTe2HlE~VAsol)jn@SSjB<Dn{eJ)9VjlkM-=J?(ogLNsEymklRhk!S~r_ zk{vx6ttoa;X#;KrKE$26TA9sOZrVVIP^sq`WY#sd6PZxDr-hCL3nRg@rb5$2=PEPR zC`sf&{5g#iPwc2tEfX(KS}Z-B?x%&=dOVGBHxGPZt{>b9Od1s+2kk68JpxnOJn!<= zMS~dEyprncpzU^T@gyMR)N+))p(i<{a1+>vqLLt@-?8+A;+**!Pcx%^Lc1;#jW^J0 zj|J3j7c>Dc3J!Ml*%e$AaE~p_#(Hkz&z{xGR6-yc6{h|kVE~IaVNM>;(YjIo-o>IH zb)K+qUdZ~jtB^nWD$^aUiwc}3UuSyazu)_%zv3sDtQm!d^aoxHb#p`f%~Blvmw`op z0;dRJ&u5O!c4m+D5c%RCSNTi6S^`INbf}=+2eLK|X0pFgIW)hWUuO_$@14-<+U1+B z4{3O8=TAc6%+KJP2OK5M47XM>I8FFaCp|=pBbDH3$#4i{^kfy@Gf&giwageB8t;_Y zOd*UZDqMtm^{Dd407;V}gOClm5+N32stT#I5wl#%5^14W=su+BS&NQ3KX9E;3~8RS zQW(PGVA}U05plHpOqsF=!;?)o1OKR%Spt>qA!d-cr6`6qD}p&ZJJW`2d9K(~@;T~o z6aC&XPY=VXxdX)qK0O}?F#xdE)NL5SwWc(rH(^=sXfy%l_iatg=PZk1^k4y|eDefS zx7&wbq_T28ts{K~8|w~CSAA_iGU|zGPK!m{;6K6Sygx#FQbBM{l~4S5g4_*GO#b&8 z|FX`iZ(DPlTrfE_V4rRF1VWnI2nDSBWEk93AE|?;=Up=&8w_V|_ee1{;m_`TkM?NU zNw@WtAW3PGL}=@+X`h6IR2_FDuzPX+51}o}*~vj_QeGRy!FRQ+?f`I&MeL z)P28U(O=d{pgf0LGB(jbd7NHmHzP!te{hVxi*m`k@r#EiL3 zm*UXM%Q8ChGe@Hi34l794#%RG*?$KW=TS-G~_OG`6|Xp)LLrRHbK~&PGAbWM>2R<^_60T;jS48 zI*mhQ)-ADKYAiErg3)m zG0UJkiPr#WO@L3{w3^`YtIDa}O*S>>wMt+5AqP{4_5G?cTK44p7XNiW|l(2+6G zPX#-ZQzI>Mt@d1%oXF5VQQkbUKyY~?RF1hBGs;-6sm%A>NaJHnd8S30%p}$#c zCPOIeflD+6a#JBcuWBnU{0vN&9I0GVGL6~s4Y|l29=bE*MbA4vS8&F%X&4GjzD{0= z8j#6aj67YPv00_Mt!QQ@9*aKH(Si$cx8A#MZ?QruJcA#U#&Fyg5Z=T~;Ud`^?|2Rm z^H4;kJ9I)fG`SY@9hl7|SFj;HflCGL7bR}S^(M^NycbU*>xi@o8pz2+4iVu<{_YV$ z8zL7%5v82h2+U@q^wwb|chKnQi5Yd#CI(}=h)eJASk^NuPF5oZpFJSph5>ivsJ>7oX;h43}qiqGK1Gh4L}mlIK^9)6->d= zs!X_@LV=3Or~RPr20&UsQm!G(_I3~@kl%%}wiYE)#N1~xaR!K?)9 zqDU~ZF?AG>v(TyaJZKD7+dvy$?x5{4%`U}x(TwtDgk&?DIgZK!+L0K@a1Rm%xk*YO z>eoW_jcrE!ESBcV2c`sJnZ0E_lQ}9v*3U|j-xsgF)by>7m!OU9jL|73w`i%k-_-_m zuSXn&ORs^DMVd5_1;wS{na_D}hES&>f?v`DDq>lxF_@d*go?pc;EZz-iepl=`jTzASH9`|#bQ^Z1}sju>4oa zs^pUo*sQ#SiT^I|bUl*1LIjG8rN93?IPlkY{F`f3H&zX=AVirH13p6!HRcK##J`xE=ttWNYa6@&%JP1~2gc?~M)E+2?$>oW2X~HBk$2uZ`$cDs`03#TxlOmza z>y@l&$i3})Y9yX6!KK%hoyCEg2kB%(J^FEul9!Psc;@rHx=QBNY8!#ZJQ0-3{!yhR zDNto|dm@Wek+zwg$TP2fzW=s*d@A{Wtp${;2@XbQjvpkSg2)DWzP9q5(#iwqa{@t| znA$@qvM4D%tzL9W<)%^?a1RsQm^c!$+P8WIH)qlIzh+`N6$WXX^LJah}vi9?JX5|gpn$o~5Sd>s#p zeIJ|3zL+Rl^y>x39b69>_K#S&Q)20KV|BU)d9DVs!cew9zCqPmDh|8_LgWY5o8gws z!X#&PwtL5wHY*A1cT~BGlpC_1l$lv0aa^Tv1{zE_;2Ed*iA%F%&6%h`yd=P;#PrXR z681C+UJo@BAR9K%JiZWyYHZ`B!LE4SYaQ70O`LjSN3WHAjVo%w=^8yF16cc<5Mo-VKI*p5#713-c!zRh|mTibkffUV)h>U0Xu@F-1A+q+6KOyEMz5*s@<_F_dbbc1Nb z4Cx%wRjLN}?HHI!iQvSlG$PtMeJYSly%J!T+l)xdXyFs88Sh{P_a9r>mTCHJm(ol7 zuk~~R9MMA5$F1j8k z)NM3?uvm+_Dl_X1dWFT5XZf7@@XssJ89KdNHUd%(V0;&gD=?Gj9F_wVR{f|{;bBhS zGoH?CHLVeA^2m6-j9^}mB+B>T3b~t?=0ih5h7v8jYHzkQzQu={8?`Q4d$J>>_(8!+ z)CL*^AqcvQ6Cm;dYHOC5%OxP65DKEQt5m#d`8(830mug;2chrbamP|dQBv~iW*a>D zd4E1Bf#Bpy`eFc2y)`OXnnashBj^NhJ(YLj%f1vJRjW0a)S8Gv&Hfq{uNef+@X*fd zNsQT<1EGg4;UWEENu@?qxeN!}*GlS0v)Q(|K>V~ z&Hzaz6mF8+c`H9v6-%v^nKP`Ci?cg!he!4V$ZkNFfY^b-?mkyuZ7jqS%AMi^(+!x4 zACmW9CEG&@&Kvk$k)c#sJHKFNt+@mcVPz_7Jw%KV6Rdjv0x`rG!MyO(bfYptIs7{s zWAwpkh7@-s9aKxMN~)|LQ3|gGqjZ3DcdpUs2xgpCgyaH95RxG}dnFngg%qhCgda0W zI%38wHj)WpCX=Lq8i%|8;QPOih4G+<8Y6^+l-;@6m7g`m(k;7;U0kfsXR?-Tq8^%x zG+CDSzua!?S$)4P01##@jAS86G|6^NBs~THNR!;qQmCyVs!E_@y{6$I+-xR>_7M@% zeBp<2{0szhPgX$KI1viJXb_)JI}5b6O-P_H5w@ES)(XDYgSD0bQ*C@(b{9uh#1&`F zDjq34xYqKkXrJk35H{orgy1Ue%41dgkk~LbK1F)lfsp@y)^tENx&%;-^YS>ekA} z^nBV51t-8zm6iG6bTcg`XFx`gH}|f~sl++9>$i&{ywx4EZy(Zq;Dq3uT`6#F;o}Ch{H#HFCH%j42=e=W+-dMY1B!o3XAC zyyyTm%@6`puoWyE)!^}-5)v%UY=)BF1--W=!0iDFPI&PxPX-h8TP2Y}OL0I{LbI%d z3L5vC_r_Qd1xZmnk}i%yT4Cv_?$eF=C9{7+19n&Id+XA=&%BAM{-Wdk)zaOmN#jCP zmeRhGLvM-*E8+t+DH8hwIP*~Bd4YBBOsm4BFz3=R&agOcF7gS=t;2no}gcqbEU~G~wpcD9$}HgrYe0vr7c{D zRTp7b+s$yNyzTdT&N`;k*$kR%CXp9SQD_5?e*@}z&1HmQ>sxHK7~0A*j1W-~+GHd5 zMBty~p^$m`X%u7M04ygmrBap~|3@L!wT_Tmc-)e*BU^FXHCjC+>RYzn>h?E5A z25wmZV_F%5NSa6i0DYtatdfaiOw_cXls}WNbdsl{YJ6KQbU2SH>pY=I(+DGx=%Q=H zreN2||3CWeFSq)ZR* zIMi^pqdC6(G7dFXCVl?-sj`0|07^wMZB2H&BKO<0-CdA6C(p7^_|B;62M1CL+Lec) zVP~W&6I2QR;!3N)bIY$a*lVK|ZqD}?-{d-P1f3h;oXTQ&r87b;`m6DBkX3BVSz+VP zv)&{=-N~33A+k0plOrU2c59@r)5YHy^vvf*eI*Nq`?Clk?wLJU(bF#L-^jjriqOQw zmWm)$^~c#U)7k+~&k2Gp^j{#Ywl@+|{Y}2ZBNK)tWCPB&>{oY>J_KP^-IPT^knuz8 z097qEVF*x$h5@jeI%X^HuhmbN<&(la{p6VQ&3o^?d%Y?iVig>xSE4-uvh|cIwKB^2D}R+r193(^64pF(cpsYve)s94(nUC+t{KX&uu^5i zugHpMt~m&A6(7>K!VV1IN?ajN6TnrOrRv&BYL_<_DNc0IR1~HJrX=$3Yb|2jga|@D zXsqKgyh*Y)*G_;q79HCJaYJI>!2>r|z$1+}q7$7B1HwTY)s*ox4R%63RUZ`TrfmA( zN}FIOlUDvbdBAT640}qA0Jx^ud!PP;!qn#DB=FHh(yne#XisNPkzR+lDcHYVM1lDL zUERHV=R~~5xQ))>yWe0HKfll<7OZk~eE6RJ=G`;?>OQ&j2Vq3|-&9dmka9%|Pga4e zIY;M|2D|FjzqU08A-Mm<%3W_h@IC?e;pcCE^x;SEJpIA?9%Yl$42jWd+C~TztobE& z4gOK6NlAC`V)gaC-m!1!#WT>NsFDQo>49ob-vIX;=bbn9+ZcED|M>uu`+0mwGd|t+M@08DCpX&IVH1-ll z4ADQ{@XSYuALiX+Sm-Ln)c5i=0DFV+tcy-p?PC>ehK_>hp~C@t@hE00QEK4uR4uN_ zI9@}CTv-=df8JgjUYf?D|$%J6;MEgM@3~FOd@wS2_B`h z8xm2u6D;=Vd8vF`nE+_GQ7-2W8g=~r57VFTiWjipZ}|4Y@WECYC^yWYZ%h|@VR|JTTH@EBWsDsxac@p0#uCn-k|a20v2U6IX>F28b}uXP z!lKm#*;*eAY9fij%f07o-X~>A&j$h6inDo5|NY^gWqG*TQ4(Es<~7SC$Kx)Soz6u0|aCoj_z5jw;`>o^GO4#MJ{X1x}b-~YQ(s@T)Z!>KiK#<{|z`3~!r z->9;N81sa$tkao;RSD)qzGxQ!Mg2}_y9vfjGb`2ga9fq7$%a@G(_eCH7d6K>uyI~M zoH1_pPOn|kTg%+%Nk|wbj6Lvld*fIiaWbL4bhCeYyxEF8<}WUrr0?Iu`41o)C&*5BJ7s0J5fblUxhFrt%=Twi%z#2cye{$e!gh%mU?jc zq2q3JEF(7SH0epZ7A{^H+AfCW0+m`I41%vM#wNM&{H7NXpl1z3sbU`*4k}=%iisL3 z?g_}*8_z_gVccENk|5Gjd&-MkXFDy&sav&=2pB?HKcP)e=XeDD)*H`sXXh4AoZ<1# zATq(r+{t#?EGQwFZ-#syg~+uX*8$SuQ-5|9Ot*9$&qh&i*z&jN>e z3u@Hy#u7uX?#BdU5~zYM zs;zALwCLIv2qcGp1VcjWlCRe;%Az-@oa6+s;Be=TZJFJRY_6e~0b;(;i(o7RT+i)Q z#|9ED*7B|&;=DOJAxOR3IwD0$v1ciaA~0EdoUN(E;NCba$gWdv;;GPPqd%v^@U#+x zR7h7%HQ+`Y)Z(!wO!`-*kL7RzZATEo+q!XBLM^C}fhnPrHGpW2sp zurK)pc_#wqKE*A(5!`o6-H`mR79?DOh@=q1h|F-?-4&I^^_O$UPMiQdO-L$hU0(RH zO$H_eZ_*hztnSfj<7Y-x@5It^(i&cOknE^Q!t=aY!3&0YKI$9D`iKhwV7*kCgkgK7AY2)XN2L%I}W6bL>m6^UCB1cmFbqxy!8s4P~86O#$lHdU+PX6Gy26jnDMdEpkrobEtw--(_{Fbz7E9P@cm2(m6yRe| zi%wfYNfvthrRZTQzT7g`5{ap`5&(TsqYwT<5s4r{rQJRiSO1jnE52*)~&MVN%SPF zB7|P*U`hA>CwCaJXK$l&VyDqcTt~{!U?eGeujTmo$=TRz)1*|dH>cKnyJ2H^>ED;+ z!fzREl0~Z1G;7Ov1K{Z7HBIz#gvN2cdX5fyhNCpm%aQPzyMeqLjZXi0Ng9wCkTf^1jCdW2zciXL|jt<3Hu~NMwEcg#3QT$ z0WgGGi0Kw0JvHVb1C?ngU}cC!Ak_c^B+@YhcY!d$3%femoHn{_@%iKj(1>@?UU9Za zwpXlZ`vll8nV%$kMT>LDHu2)b#~N-nNqr$aWWR^AAXfO9$&AFOyubBmhkG)jK_f?& z9J^1EENv{{B@WNOb!} zq^Hif=DOAXB$aD;w_d-B(q}E%<6dw7x1NIi2R<)GoP#QC;xFE2W0Vra5ffzwepcmw zlBGDpTZe56Q5xdiwo9e)sn4X(KUV3e8+MqWwNsFjb_tdtQ9{lpYogc!&SF_Ag4h~gy8Ai{()F7l$Rq|&CgP3t<}4~yk$y*V4F z3l}e4zH;^2^&2-43`j<%2>h8@%5hb!Eq$&(wwN`z1V^Rtma1wH>`|#Wb294{7sY*qVP3=iq}g8C0wrc>8< z)c<<`7#x8_p)pt-ouZ>JN`u=>%t|t9P%csZXMtwHiI@or!5fMWrR1nMYtBdcy4bcOK zneFcC8uxb79)db#{iS}_w{Qbo#dbQSp#Cs882D&6V&1_a5gvxQ+9haF%MxIif5Kmc z{r<8)igbTJ4)ivW>q&w6wG-LQLJ3&FK^+Jm zwhV9;A+AR{Yp8>QM#G2{Wx>fr>ZHpI?Kwdh+b}I<9U|yK2ZvNLMP=^Cn)wirSlpBg zJ?@ioX1<5@HXQk5b)a@Y*VOSgL8MTVh7A%j5(>sz$i_*rmb%y4_nSiNG^4ZXlGzBu zxRwNHEk^Iq%jzUQ1f@yrJn!fr-iL1}c_1l}<+mr&+^5Lac%f|J27Fzy1b78ZZ=G$vgdvKD`$4AI0rQ^NW zUpjkE`r~Q1<`+tJre*z+Z9GcTh_8bm7u5X~fhrZD(STO*N+~3_uJ%D^gr@CfDXip>}M{w@3~kWC+|NwYdy}rq^>-SWJOe?bb;Y ziGkPKNFSu?CQP2vljH5+2N7;A&WMZzL2w+5zZ(M7R7#6{n{O z#Gg2m_0_4i$&Rh`aPMho@_w~no*f+BY=4#a0l=5TrDx304-D6ZQe>7&SxLrA zEy%TZtdmJRCoLU{O+hlSe# n2(9rG{s=Adns=eIFL+JUL&fp`E2sX)l3(vv|4&*@ZUg`T;X1QK literal 0 HcmV?d00001 diff --git a/site/assets/fonts/jetbrains-mono-700-latin-ext.woff2 b/site/assets/fonts/jetbrains-mono-700-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..82f96681c0762d98ec703df7836829d0ab44a785 GIT binary patch literal 11624 zcmV-uEtk@FPew8T0RR9104-<$6951J0CXGx04)Ci0RR9100000000000000000000 z0000Qf=e5UE*yhC24Fu^R6$gMASWIGg*q=x5eN$4WX?GYgbV;M#YzD-0we>75(FRx zheijHRSX9klV=yu+c!eotx8J>VEK+hVB?^G4WAoDt(v6t+5i7%Bo#R-DU!Cs-nb9t zOfFScwz{iToK6j#O;zI(Doak1Pn~zsm@b{-%$d^s>;2AXW^j>qxS|Oi?ZLB$wQVlJ z8EPNXt6+%*!4NA@Ad+uWLLXE@4>C+IB|lPdL6%Jxj2=0-jBx&8xx>Yw{wTr8=WDg~6vS*Dao z<=LIoSskoyAMF6Q|Ep^Lj}MR_D2lR=E=^WSsoQ?TnwdpT`mkiq%a*m)xprP@@|~dq zk^)IUeT=c++e7?;H-?s|gp8*`jtnJ;m%#r{kd2YEPk;`ots+SZP!U-I+xYrw1YOIL zSOMRVbJZ9U?q)W4A;+S<`s=S6W%rBbivGV1DHtOx&JYv_6wm=2U5?y^d3t0{=B4>^ z^BW+6WSE(#L4w;C_w$;(J2c%r??2wx%xE3jMuj%BK%&dDnR z2-5)W?gwmUs(})lwFLqNs9AACFxlg$z|%j2h@k7<2=KNlKC^*&_J`IV$~^&xJ%pQf zGpPzxp`wT-;gU-lN)sdvekH+XRE#-$Q(m;&s~RtE%cgcO`^o~%1(~E^{QLr8YF;S) z>CGoKra@uLS(c%x(u9L}l&S8(C|v19I21uXFOet^(qbJ#NdDebv;7aiN>GL}c;^6( z51w^~Dz^YgIfl;Fx#(Q|{U5-`CUUU^#3caAph)SK;)P|p0WV?!K>|Qn15=k$SY=91 zbcneRA(XCSC_1;Tr%%&+T-1f(|Nr-EdD!S1Oe2X>4}N3BFK*E^PKERq>C-f_I+-LI zJtab+1VTYYbcO7=g)MM8_pN{b9j4~t5VyBGFQS`;R^&0~=Z8^Bh(j)Ro|kPoIh7im zCwO5uVi1@#G&=U5)evfkgmw z1kfY|5WM+Jd~P7p-3K9%lLG-nYW1seAD)Z0X$-h=8>eYUNhT~}ND0^tV+ zo5xlbSvU%qpS~*%OWPlc!oC36Pc4N11Xar8rTSpAX<>`aB(UKOAi4l_M31>B6D|~GT)X_r(_1pJle{FdzGpql=%5F8{i+S@ z3Wzj%l0n3S0rZ;Wa5|2|m*LUp^?>brvN$@IA$QctTUyB_ewQkX0dBjjyQT0Tj_n69 zUAcMUNhi-OL$=)m@DQPi1VfCmz!E8TIN*vKp7;?&1TiF&MnC$aBAY_glv6_ktqf)u zqZ!XM+OFr*2IRO@QhIaNBv}-jkOP9MsG7GF+TrRZ&Rs53U_yqh6)-?s*S2-(Yj1Mz zechr?>^TIAOu167fO8U_V^*CdOBqqV1XU(;)>9T8&u+P_s)fmX%#NDEO6Wo1Sx*9s zZ@%WY>{a!NQI?gNd^|Qzs%<(5C&oyz#qMFhNX&?^h%E{c00MBa0P+LUK>!XS^yi|) z5{F^x^L?=^t{v$tvhElLL*Myf0RdhDg7DEm3muFw!4j#gBEDoe;VzFz0&ju{BZh>b z!X39xmpr_#GBJF^K3U)ysxR;q__wXU;uh}09(xA+p23TviI0FMw@(Rm$npnRO;6eA)Cxrw5>5G-+BdG9VU%dyh9@pJKYh z9h#e_tckuMbhOYjn1P{mwK6rDv60M;Wo8Vi2`r5#GnK8$tW9EP3L6fl zb23vK7qhvU%heq2=J7C}mxX*R;cc-+d@U7ZC4cP#tq^XV2ph<)7iE)JTgBKS+GZ(s zOSVgrod!Crp92*38sHG6{rWp7-7(ot$x-a0QkRvuWV-;%^|cR2ITNDK)Z%Dv94=@D)4uD28&^`=!%K_&A0Kj5W6YF|JC$qXDRx#AY zHX#Tq*t09O2E-;<({h!tAT6U}rjohsMOnRvesC;9E9R<(xhhNDqM|~*b#=QTSb|x{ zuu4q~V@;05p-C8&u(K~$@Lp4n8G5n*Y4G{LaKhsRSH1St~c%)jF z>PVs#(-5t~T5F0Sc9F-j8nrOVF<2dyZAuVwQD!Pd5E{tbB(`T0EWcP8IJ(B^Gwwj? zvBMT31UaL-cc+}cJ+HU9tMz&>C%xMu)kac|rCQlB0-+;I_mrBlaRA%fXV?G#?0)|W z>K~eqSk;%^zq0!Lp*s?-T1P|??fF}cT#Y15FWrikbQDpipTD0lF zhSkxrGIIOXqSA#Lfx}wLB`ADPWP6Q6CzhN^iVQ;QM2?YI`(@xHboJI%SZnB@ePz5A zD!XsJ)F6e3%s60jkfIsmL@PDbBPHkOI*NRhgIlP*TG>p&X8pEhT-9gUug~sNJRVmW z*B%aXz^i1dK$xMhDA@ZmSWU$TH{Bfk)%|k0#2e z*kxa4W!vtVZMLo~yCIjB-Aow=D!Y(>CzbS0YR$(9|KFg{nE~7MoDD!=(8nU!1JWb~bY~Qta6a+e?n1iYlo{ zo**N~(yZPCykB#8<;qQWt!JGL(43E}BN&=+2c|-(+F?;y;Xx*Zl56Mk!udSY$$6s23 z?CPp1=T}Ti!nhrtk|V)2j0TA6nGJTj053_z_iX*_aC_ZYhntT)69o?M__^uzjXvk` z1PX~dHEyCmC|pXQMgoH@HcizP*Ng58Bx=zEROqv8ugSd(ylj{oHX3OBOoxR5i6tOC zp=$ueX>Bnu1oDI+ir=2nKqy%ObC2U^Q^U)L|MWHopFXX<__ThrJACpaDw4+x!@CYIvYbo0i8_fhZi)J?jf7pP>4e4JJLOd4u@t-OqPxs zDgD+!U4S-tGYz?mu9`cKa za;_^j=%j{O}ZQ~HC_UW7-J&U%t3d-9*IZt^W*sI)lX}bMIU;RTC?Z90anKYPH zB(P>BX<*re(WD>@8I~kj1VzY}xHUV78IzhYf~?|waa%0*6xYGo)7Zsm+Mi*CF}4H6 z`#uBKrHb|9W4`q7!lvS-O7WxazTGR5WN<(H)+?XhRf!BZ#0{Pye|If9YjzO_d=-$9 zeL0G+B&^faM#LX9@5g54Gp+OFqsdNyvFVqqdpgmvMA+}zu?2H3H^cY`lDqu|d7Yry zy#vIHIB@zRd%>;h{d>1wHJ+70u81cIGN^j0sQXi)^Zt!9F7Ez!-e_g~az*Fak*4jR zdBYX^)SV69?^YtqJ3hbj_hMv~tMhf}+v$xwLwZFfh9GbjMyduQ=RTvNk}C{NL<1~E zNFpH%1sJm=LB|+B@W9DKP<45GxhP6~M+^@;vYfnE3b(fO_*gN^=QrcY-dOgD4NKLt zlXELd4|SP-Y|!7&xDHLNf5#aweiV^!wkWjV$)c(Qba}zjWIg6sdz6bHIo^IOa2LjJ z8M4JnGHe3P(JrU0e-Pc9)(W-K)EH?FCx%fnHwmKH%1|W1*o*^1=(&ugyVgG=P`216 z1Gs$AKeqPr5{cT_t~xxYhMgQ6H&E^aU=tUw!8#l#5E z!K1@}AD)5;9{fM~U-^}M{y0?W#eL#e`s>>7!YuxC*Lv^MX$N-}mQ2m3Dsd%6@J@>4 zsrppu$vJTILS(d#ogcY4Lpdk#DF%apwV;zFNQ#B6WH*^Ts0zFl_G_wvJ*DQ3J{{Mj zIGc37u@bG;d%MQoB!}Kw2-Ve!mJJ#Lsb_VdSMu6m+K5a+CRN7`|T$s7=Yaa zBk~2=rz#+WzlBjI>hWeGp{s4)j|X_7ZWgbN%>^QfnN)CZG+XvAB#XDYm~qD+a8(VmcS z>U&u`ueNo3{89WKq-!|xb-%4P@U$MJ%eq@CwUnmq_GOck^q#gBO5bhy(gsUliM1%{ znG?Cq%Ln03#%?Eh7Vd{J!D?q59eDYm(V4)%b{%-#ZuO8SIyG@kJRZ~o-D9x2dfBiG zaS^L4tJ_5_UZa(zE~Jn(8f-DfD*+pXZem8=oKR;1BmT^ucbsUyTj#Yqd59tSb_c~V znAx)StCl0$p)YAN7nT^aQcCFR?N*pn*n-fA)BH@0O zJtsvN8x&?~gGip{?@~KNy@eO=&BH8=e7gg3OqL;m`IkdSwyG0(U3?(5Il73qk&v<48J zencdaK0m%c)~c^YE4Q`DTFp2J-V!(rMzhY_K9l8Z@^>w428kkGFnPg8TlcRzWU0R3 zm+~uGhDUW>{Lr@tlvQ+lxb+4ZWCnuibKa+(Q(TY1iQfgpkwF3ILOMw?125zioDD>j z=*$cYS$<@qSA^3bA+#{e(~((CXsDk=h&hcxNMd6gEue56SyzyZuej5PCcIfr&XLEi zJxNO}&qXX9Z$EU!SLKwaomq}YLCg{Z5s7iUw_srJ)WjWA*H;yc4GI=N#f~_ag27Rg z8*s_ldA-4$KANp*W?~-fiENox+HeDcBZNbPf5aR40m}BWBpgTmy%wUgY|;&*f-Hx+ANYUZ4YsqNHjQSNlz#e4_v z73MC?r&O#$dcJ@KfzwBLKlkok<5SYJl3{l(l|`gsDzi3pNHOtIQN zt ze!sLUkScwE3~budFQ1AXdw3b7^!Q`dZ&2ruK}qot4qYi;DP@Z>tBmgUCORruQaO9ktl}TNqC>lGg>B~(-JRs&mI-}OnP=s z+fj~4&Oxk40qom8loZwv6)mstyp`6IcI)AXyRM<9s`&=#hR^Ub{FI$w+$89`M-5lG zB0=|9I4~OGd{cbG51HoDPpaiF^bP2+w72mcSLr5o8glncb3I2skEEdPC2jw6wpWxu z#{y{wD!Omdr5_$#hBepyeup1sMZ$q-xR9jREV>noCuyuS+IEemU0cR~FHZvJp!kOF zaf^jbGX-#KoVt*jEr6IKZ~gK9(E8VJgTr>h-2;GkrW%hBX$pC%1Rs>BZAF)Q6!6sm4w#?LYS$1WBy5q$82UC}cj0l#E zv$(0HCzViE|Cx<+RRd`FT$}dQL8HF{&bM(N?EC2#VI3Io5o`2krJL6qnEY;Tvfj{O zJ&wFr+p^nE0mi!xa@f#0B3%f>ZJGK)Frp^S3nZCL)rC4z!!CwejCQ{0$=m0YEef8)rJR1$0hC zDr{VAnl5 z!jqQl8tE`EvdnXI)2uJ`g?96X;pR!BdHGLY=yQFS>R!shRidGBsaXF!m9t`a;`Ll9 zsPql5nHHYcGh^~2aAkN_Fr!bxJX80v3NZXB{rS#<=_j4&GB$ink!>n^k?o1dviPOY zr@V<*M$4 ze!@S*aj;sC*xY;>0o=3ipp!tpTP6KI6m-M<4?P6@VPhxZ$s! zh_Nb30gq&nFS%${6OANQmrx(}PiM6Psj@5tNF0L%CO5^YNL^YoJYzFEYqBW^ax7<(jghIEjE=TC>1&8lCa5si zCWkuOiEi+!wT4*{D{eyT+S0jQ+!bBdd*you5U#=%-pIrRkTBrkfFe}rT&ES9GM=gI z&*2t z_6d^5CMzrJTPIAPd*a_7n$fryvZ~BwD<^p>QAH|Ot(rAV?b<4<4z;VZw|n{xQE zC*R{5*Yia?+QX4nx!%*=_tal^O@kQ;b8BQMHlfI=*iR=duKlW z0)0yVz5njScV`674%jnj{K*bt3s#ScIr5-l_FmiC+gDy;Ni%J~(kx1vL~p-?BFT|7 zdbMmiMNY$7MW76UXe2|L-H*&E`$_(~VzB=8&uGz|?W0?u^EvqO=#Cpm-ltbdVu&Gz zVdEqYL$uGHbDJ{>zXiaaRNNoeCK*zmQJ7Rj0%aVVsRg-MoT)aH+<$0{R1n(M{SqG4 z*CkJiaMCXw!$K@(Iz}Q3ULjE6bmz~;++gT670T;Kgn@h1z6J&k+I_?5~A|3m*yW03$InO0$=Ac=T3PA=;h z=?M#+|4u=($?ekU&Xuk>U*)2?7(A(GwB@HY0|E413PZ^FgeYh25D`?$&zmz86qVXabDvd)S#E?DP zCBsw^^-vVYBvYi3CB%jZ2{jlBPzW2+oN|@srcLFR!gm@6v z6U_JVvukvUFMt6hZxt9rP@HINATx5ipuRy9pHYT9-r?dRWv{@?8GNyu5pqQWgsFA2 z(BzNZ->h72N*D-9N@%h2Wy*4C@V2{RF7lNX z>|NILhd>Bf#+ZP+3P;wD$7^vv$i&t)G6PFun+=0W4i{NETZqjQYZ3=mK>NM}jZ~Cd zAra-YL%+&i;5Gkpkvi!*`T2e zo*l?vnG@f?gYGN_#<{Q%elxA~EFB60;OJlL{o;<{5(jQMRuLNsQR;%kC!%juYY`4p0Rt=Jm5V?GK({H10>|OskE!iA!Za5ccMi9HU zkxVi_OZps{ZI=NJ;tG0Cy1U`SY#8#@h+lQ}jh2Y1yL@CTqf!K=YdX9-(3q`Kk|18E zC}-UpD$UqUeB=L>%XPz;b9C}|T{(A{QEw!v4B^w^*zv1fqvZX#0~@v)_Yqz-GGKyN z{_=gVJ;;2Vg<@ems!F0Wc@g}3@5B@t#)g@IOa<~lFg4BRLXLXWcwkS`*@katu zGxcZIb;A@EY42TpR?MEXC$J#h{zoSW5q?85-!;K8QRMMg!MiVj&W|(pV+^sSHC@fwCj;BlYLuh2NnHmWw zUQ)11^LVeAO7K!qj8U;82d6v%;q0ckva|_fSQjNG=raDAti{%o5^{%*Z)pcXuP$;HB3ekQOe5?`nK(BdobdLVzL8j zn9xG?d(M5S!Xv#Q$9HvAignlF1N(b%l8bl1!0xPBf66*qK#paj*81OqWYJ7*su%OP zSY{2*F|DfNEUoRPK{v5;g`O7?;r2ZKZAhys2>D(+34D2b{C3+vd2&HS!U{B21}gX0 z{QF_ma1@bzAtR&|NTg1Zk0sN4gNllZ~MVy+;l- zD2J2xiSl~W40KLLX9htKXhLIp$euHV5ERjz=XWuc@J|tsNB_cQBIK+5UcB4YX0cFO z5uqkjK2WvRxiSWXC(BrPrZBKiHLSJzSl5U(BZ)WiklnJ8n=ITJkR@%7SNNL-OzD=F_vyO*RL{eF`?}m zOr`}QGm6ZxjiiEP6P9%KBilucweP86jCxe8Dj(H~1n7Iy5i+iNLmr zBa;9r($U=^mExMUF=gKf5GyZ72XlBqoJ4nW8C~RKhVTR}Cr4st9`60mmOjb9PiJw8q<)$sgUK~E$IZo`ehUnW6A%@y(dDd} z0y&d4;mm1ow$$2BZ^uSDb0W7(`z3Z(7wLHKPt7XP8Cn;N>dGE+ou!k z9d@H0Ew@S8F3KD|8YivZr{8len`6Xy!=+)N7hkJrk|EB@Jom9gPMQx=GbE&@Jljl& z@AzfJ6~}!~DOtN6i?hzHWQzKGEr+S4QmG`l(rI18osIDSJ_Wk>^obJ&EL$>w`5os~ zaaDauv)naq4~7AYO}aUg*-ZyiEHfeYa7QA8at1#pkJYKmpzlG)(_n!~h^O*8FCv*M z&K0$Ty`2XMDsaj}slM;6cuy;trso%OMBn=HGW2}m6hm|6*BFzsxWiBy!2{>o{ARb> zVhLX_&aNOZF>t+GJaVciZ+#~lg(gG8G+kOtRk&H*diD#^zUfMQw84Eh;_)wI9ZS2(n_FLQ| zbsgdiCE?f1ChdBj`#+VNlEwgz5|?`)q&0Gl^Xa5?POS%xi)rY6|KWF?Qrr%u7PvoO z@C_MVSgm>od{v$1Q{~GLmnZEaZ@cF$7+q*km zl+I<)zh@74-!f$dz;1nV5G@TV_c~sg9VedrGC9zPXqq{=!zFT<%|>crtXzYB7lO?Y zw#Z~Mv2%U4oCcz=0v4g>-Y03cj{8fpi==)jH$5I+4();4CNh$;nTk_g-1xI3JyM#a+vYDz`@T`q$L*wFz5(dR%I$n1DRALErfDy4Nu_0_Rfbgi>(wd#p zsu~$DNon(rpq)N^jj0RUrpRY)@$rrpWOyYZ*^p#O z|H%4MY$uPuWApN1n^^0vlo-*&-0_#`Y@bAePGzzg~1A2?b~4vGWQ_kT}XKlV+=V<1yQ%*X)0+cgu7q|jMRQsBJmAE z!H_DPNEW5T2s<+6xQ}LsF|ZtHeN$6~uMACXx>(vQAvH}b*DD$u2-5w^Rc34~nZ6Iq z&=XBCUI#UyU=HZKUI7IK?5F|rT-!5JiprsVj2V@T#i*#G&=dOp2f#@!5isXIyo*D# zgvPUV%d@N-Aa2vnn`yf$q;epA7xRN{Q{1 z0`rNz@B?<^AD11)>u|yXnk%(3C55RQ65TJV_&~Y$#$v*y`Iinh7DOv6ZKgwQUVbP%p2B-kvAWj>q1#c&vJwl`5 zOr{zZ_Kp}iZF^BJ4(mIzsiRR))b*;FEVuzK4mo8j7@)d6+>t2P5iQ;kH^c$AXImHC zUcbnmF*aSZU&p((JEpBahfc)VU=1g0jX$OWxZlytp#0^s$0yb+PSvbhS2Wt z%VJVF3lj|Sp3QnP&N{Aq~c_YH;%yobiKl&EFply8PYCD%rZDZ zhIV`lvO?luki#Wr1i4J2G05W-iAQMj3%$o7Kr;jihmIo1g{D729t6Gw`OwiF)PRp| zK}~oW7Sw{9)Sxy37>IqqiGDZ5hyY48s^qJdpi#a`YK0ONYZR$oKDBBMQq-tcV>{MW zj8={Py^(4T?SP`$wzT|4k)l`;wI)^8pcG3Jv9dcwy@O2INMVquK9DQZ*y4m=t3eQV zp%^MuPdyMDQ_;N!1LFO+1VvU{<$k*fkw4Po^L9%<=_tb@B>|O3FRtRKKdG-k{OX z{dU*V)@j()(>G`|G_uQXd+fEZ-TNJI5Gv$wheV+SBB{`mJ);y&rO_F!kXmd#pfolI zTRfM?7YIcqiu;-F(*ht=5=Ocw7sCmXDpfP3S&kQaT;C|k7DgH-!7L4Nc_Khcsm3ONo*?#KcSR{B7XA-qlo0wE_* zrh&yES+$tbf@2RKh4_*N8j4(OXffqkniO|ch0vqmv0HkLOVgSv(Eusv9^jmE#SJHk zt6uF7nPGakc_NmJu=HfrVO6bezcxF=V(s~Q*M--nVErs3=5*6K$I|!kE~@)hTG^l| zcq(k<0n6gvqrqs7na%9$>KBJv$uF8w%$Iiv@VJA>fD4pB7I>L_B?w+kC6cD7?y%_U zdQ^?=uTaA?{`TT8EQ#S6SSci%__dNl$Plh`C8Slh7^ySV<*u}HBIojjc^zJcm7Yqe zt;kb{)m$B3_o0mS3V}9y`yBLYU0rzR>A9Zk-F=+nbGG+jRXO{NpD+^t|Mc=TO-8Sq z9Bf%$C-;&xbMi?f_+=bJ+qXH}QoYok)xAcpk?V7Yxq6O>V}-#P{nW?pOHZ=5a=BQ< z#nFlYa6=?;z=0b);CaHIxsT_G{ykR)A6Ia+;s^iSpQh%SJX#`1ie@~{Y!y>0RJ00)nm@L2l^Qa=>l2hHE zGP9K&!{2V*=TEjNVT{@FQ?1X}+LTN(C{ac~z{qdhj9B z8U!E(heijZ3=9WbP!@4Q(d&)~x|7`bT&-&Hs*sy!%I%P-;oo1;Y=qU7#TGc(|No!1 zbc}(6-Unc&W>x(v|6ijW{&ED~YM3;NqM5 zD<4T=wzMtYPh95^;}_`JX3AL0=NBm|MNs~INH-XEao=Y_!%kt?!D?ulQ*qD)i|;=0 zMyAsL)zobjez|7GMeZu8at$|Jo3^}sqW#2F7lDn-7+EK2-y_J)W;gi_;R_)kVhkb1 z@EBtRjEDgvMvOGZh?u5`h4a~06@o%&8UDS7oz}`%!%COc>2GbR=-fClBJSu z$%zAY6Al2JX6Z=RIUM)hBUiG^wKKuLGI!99r^Op>gURXk6BZ=U=9c!Uy= z(kU7ZShUpfU<4|*4i;_&W3j4#ci)e0^#z!WFkf7+C^}$IN-at)+PhLr)>vf-kRUJe zNJ3G!+YeIc%#aM)S>=F-{(CK_-vEs{rBDja+e4WX+tW#o>^Lo?1ppNQS_FPR@#}TI zziSz0_DII?^dF%DESi_(f^0po^f1JZ)L5BNal$OQ+^H zlbOHRZR(~&+NBbGYi`?s4bhza4?Q?Y>p*FdKuAcC05RLFWRs1P$tFP-k|2Q+AXtS8 z{41qSdsV0yv^}9>Q1dgRe)QgbPRyv{?pp>yapXY|Lk20<|Ns2uPHPkWedDd0E21dS zEXBYR??=1$Wlh@c_(6B04mE~F(@J7qo%VKH1In>wkS)s~$8lOtO8+iLFnyS4nEx`= z)xn=eeEXk)pmbEg98u<-t1n&b%wj3wLZE5Wv_so|#^=|VJ4ud&MB(n8Fr)zGmj{YS zo&M+hGqrtV0g^b%Rg=>Dnq|mKIy5{Sx_w`UI0-@5M5)^e@OHmxB_=0k-L+R#*ZNRy z*3dfbZrCjqD#nS}>v6y5rMdIR^ZsI9Q7olsLNYVSL?$LcyF|d>n`)K*hX$#psM`Xh zHQ-wCEHrZlvl}GN`25W8?hkbLZ-8htK&lB+5&%-GCM4Z7KuQ8QGgpM;03f+ba-7C_ zj`s~v1{@2y9iFi+8*|=f>ngt>obbZS!mHf7AV@C>uP#W>|1z~qyZ>}+-=NuY=Xiy^ zl{MkT4)Q+rLG~Ndvj8!Jhf`nn3h7f`*LAJl2@9+0jeG`z< zF8ibnC0L4riq7og{kOwd>-#~onxnVvHn%xtN=itAh)4*?IPUrX|I5v&BK`sv#n$HG z#1r)D071aYm)!F(HV{<$=?I5YMC5ek=Tz9_R8lzu1v=G&ojN+FUbr(_j5AiE^N>T% z!&2qH+liQUAlaV=1c^jZI1ivWXDUi_WT31gfdH^~G9cGOz)U5%bQT~wKrS47;&k{V z@XTMO1?ES4ljDF15dgT%_@9PhpaOvg5hSl)7tR|e1J-9Sh;FP196bU6ego_ICy%#^ zpTYiQKZ@mRkrXVJ30N({{PNXjRd$Rhd7fcUDf&zV5df|+5r5|;aPZ}Zi~xG7;WfR0 z@q6&GqcP&S;`lj%TGXtYx(cB0j^_n{;0sx$0g@PWVaz^86(ZB4FaZde5Dc0XA!{R40Q^A? zvUY!Ae*g*7s}k^GcZ~q-F#?-_M-ry&?^~|)Sak5>Bz+2pehg(^zOH;iXqwyn@5vRO z`f9o0IQzMk3l<$}^XG;DDPV};>{y%t?VkMR-q>W2&+R*y0A3#x|MwTq0+M;NFBV)C zfomlO%mIkgv4nRL01VH+^+JLM6HC@?*s`;jBOboxL|nO(SYxeqeE8W!X{&A2cGzhb zoe-hIM2L34K?x2yELFM;nX=_L!64shXPj58%te<}t5v7oRoC3qq}d(c`9Yg@4|VF& z?WsQfe)rNVe;6@p+=RbO`^TJx0CI?oXo!KB$P!s2HsTPh+##T5KsCj>+g` zODK)XQGx!Pey{#nOqO6`ZTHkr4!@JC#8O>+uvSmPS5`iy$J zdXj2X*_*g3Tt%}irBV5!;v3=y{j=gc@m%t7@fLLp!@_R0zIm0ktPG5Jh}Nv$j-R8!Xl%VMjL#f{}M zN@F=$=9g)ukjpIY74?OtP!t}HJ$ZAk%w+?Quf>v4(IwJF+%UzBeEiN~p3Y;g6|gxr zYCV`Kjs(3=8#tC3@VveJ21G?DDLK0gJy9%C%xsW|=W;1J( zZX_^Zecvuv&!DmVFK2DudSfk)sPSOe+G()V@_JjoncK=Nxfa*0XfxLoP+~s#?s})2 zhndrvldsHI7}LUR=Bl|2mpx;C*YCpZ!{9G!Jc~}nA`$)BYFUAFG3~`{n@O}_8ksuY zWu4hVDwA^Ws5*Qod~(ld9uZ^}X|4tmR4p@x_ z^d4aFpalSVq6O#6Z(+M&n`?)#ptkGsUpxUNq9k+(C8NVA#mkMq@DUKWM@rTXd1P~~!|BsJOsJ^E6fjeRl585QKN(dk9Ziu~1C`=XM_)e+Zdd2-y< zzVeyjQ6=A9OF@daGadc2CUkC|Poss?KqK=!rfr)uZ$zy_-8gnl1+KP6kDfVXXo%gm}fCn%C(u)Hm#Q)cWp#$|KVRzfkRO|QF4#OJi%n(G+f*~>14tJ zzZmhAnH{*e0Rd&JE?rHrvb!z@W&+oX3rQGz<4LEC{PKt{T$25he15NHzqoi69iC*Xl zlc-7p;i7T|m;+@v%ccf}$XlXmKsqr~u8rCNIob?~bqp{E@^WNF74jBOU@8zxaKg1s zOO)gAg;?i+bHMgKR*2P9AP)fMJHw|!at|}!SeOE6*vD|uzeFTV)srx4L|>!e5AYr^ z?(}sMNSoK?MgSe6^Bs|)S&r7}u+{5cefQOOIIn_cS+-=6IdIJFde%9k&MD3%o(!W0`yYHSO)0(V5r7m19QikDk6tzDmyf&$x1B z24$evA&b&uzs?Oa#YW}%Vc2d|jto7i(I)H4(25eo4HBvpuD2*witoMAt`t}NxNEc) za_cDX_Eh9?+12mKj7OicxhHg)u0tI$<|H!rLAtU>McU12o2K0GKa)X{P=RDn zLp<$F?!RyACG{@U;?m8$dtbw)-5g&k?{G}7dNJ)&#wp<465Zdz0ZC!pg zP4=R0wkf)LfHhq3?)&Tx&e@(6ABS_}WaXmKjCaqB#Rb^+{;rLPG)?G9*h@t>omk$0 zMobO;jfW_S3@+xB8(tAom~nywHozE6N&D+L=Rpk}szSfiderfm)`brXI7{lU>n1KK zT$sW7yqg%Lgz&t1U>(%I%83X zdVCzWM$iM}kW}DmJ9V`V^q`e`?cyRpm$6dq06M_>Ds--^sWg{$NeAq-nL~%L#SE&p zZd6ow#dIwtxj&dpbFSdH4iuplDWdZo#r~LW#`{LI4>iCRU!lmP9#P?gz8M|ySwcmq zqQ2LuBHG2O4&L9XY}%34`7mC^*&U@5@3>eswNfd?Gt_~@_XZH5dnStI3PqpM;pZr zFrwq|6rR?#eM6?gS^90z&%jMHt5V#U&DaZe+ubAAPZveY2O9CYh`X0m&7PQiNK`JV zx;E8TS6K=3bG(>xczU!DpsMpxd>9WX9CtMVn1%@-62p#*FsiEPE_nx?Z##_+R*mB_ z^#C4pBjOy^5Iy)8ix@a+uj}c-tSo{Yj<$sxFpI8U+QG%HOQuUyiL_nnn7hh*5L|_e z45k9jU>Gf>qEOR&8F~}2-uAr`igYlmre-U)NV+<3c60y z)->arNi&6JK%CEFMW*JF&ard#_wqzEc)^1^Qy%!j^k5SG_{Lzh0q-!t=>Z1V>nE}3 zrc$&ok^iP2CaTwnd+;avOf-&h69J=;hLMPDr23hWUDZ-8?s8=RR`gYjbBH7{TWQ5wW_rnYI*bj92Q_Srk2 zcPy?NN~NRc=>=TBr`hHOO8zEIFcEdAS>w>uhAmN7sJd#OSB!(1FIl_*ez|yr01d$D zebH>5qo`%LBKL|Sc8vZgkpZk;QxFj>u8Q;<+Lv2opv;+U{egiS^V{yv9OZR9EDv{4t3LUNTb>$5M;Oitbs2eXN*gn3nXw7=(?JNLO6qr<=T)PrHG!aw;sV3C%QO2&? z@j2LQ@fBkGl%hkEm4l;U^pn(6Vmu8rKS59PWMwL2(nC}Pp+a?72E--!7bJ9p!%6f2 zb*{&u<^i-paG+|7HceNtkLZf6W#hSYHMBoFVLIqX)DF-Rhi0gCv!>QmkA_SuG@TLD zRgsVZP_wLz?jflWD10=kZvwm2nwVdZA!ZDPs$;kkiY48LNryViN+<~Qy_g7xr|_JR zTy)E=1f!O4-X#Js4O6nl#K{H3s$DkTRNJf-Tkwe;W$+RYn*?bI&r}qE?m-VA&2dE< z-4)%@j4vY0U8H)p6dFaQG=K^pTgcyvIsE)(6m%{VQu^(r1@;Zyh7JU&H;`_NmL(i# zX>KFwdK1Zp08?^LPr@W2n|S5YqsqtP>jO!qBU1V=RJ$iU^Is(TO=4kFP={Kz2gJJd z)>S-tVXeW3%XuSVvbZYJw@{iK&oMxaqI}Hwc*NX7+`}F+GR60)FzZ5N)Q#uf6FJ>@ zfBEP=zWxeu`ma$ef&YUw_;9J%Ic92r8X&bknm7MJG{)@lK_Kd9xFYwWN9@$vMZt%5 zWr?WFB$X-!ak|LeA>Pq|C1B6zZDhmDpBv$|YE25!~K zJzoM;j=jmgw=!R$2WHQ5%ESK7Bw(@~m%W`qbl~FISe8er7^MAH_FDqTF2jD-P94aG zNnc{m?ETgQY~t}lIbge=k*!J=yS^gIT>~mSTSZt}q1Kwhyra-v%Z$|?T6!SCr<3$0 zL=A);+;7`=Fey|iay6ox4o^_YX726i?Qy>;0dAMbuy{l!+^BOLrMlb7GV7werXrjaAD-rI~t&K z5dQwO&YZ<*5fetV+Ro*I7hUnor*S4DPE`)&Q6cyS?|JR|@r7>`?;_b-qOf zzVI+|Q2C2710*}xiz`Ns>giO;?x`MkR79tQ)rIj#+2&M<=I8ZC%|s+Lrpzal995J7 zcS-el3)CptSSnB+m{-pFG(abX@y+H91=FMAvzkYElnw+h4?W#;yEe?_$ zs;4ZFJda9D77o;caue;5MWh3H$Hh>`YO#&bNt$bebgH&6{^bE^xVVR3yG9o*x@0i# zaA6T010L{UjyZ;Tjf6>w$n*1hbQp$n9<}1I5ew$`EM zUo$%AYu5N#YA-EOe>CpEWuVzOc=t1AeJrku^cm1-p0zSSX@Yvq_*sMb6tgn+kdbMY zM}=8k%ergAT4*Z;pk(SdDFYb z0yb^RyYVZNS>1R*;?seKrJAlt%!tlRb~=opBy3tBi*?BuCCbKpGd}4viO3Xep|q-Y z(@3cBF6H{7!{=PU{3xY-`THoz!SJdrZZB1R$3@!LPqY;6xwzif3D1fYFB_U>eBx^2 zke1C74kA*Tr*oW;wTQ)kKaJ{GBUQOIGR0#3h3}?KEK;F#L)0y(_((Zt@0mHJ>T1{8 zQbf+$WEko|J77buD=cDkl+7?PrL|lcn-OPg(4#y3o1stZr2JuN{Z42lq)4n8bH_q} zqGWBX8Q+14g!xE2&Lq@6ZnW#9pS7RHUgx;&(4zYiZN5Z-H$!L!X03r0Xdl)>&?fU_ zRiyp0rX)N~LbMVJpRGwGc&en?hbAYt5=NvZL2o6rj$HI!=A|2cYuNyR#{J&NBUXU+ zqPvO6bUvT^^i`&6?R_0)bC$#5c4J*X$)(3=`3Rx_Xxbw$7IORHj!;-hSJ&RFaj zTbS`~%H?sG&7V^Z8|-+b##yUJz`ocs$t^=@YcIxn?pzdTGy^@ztF97}W@S z$jDUnQejqy{pt=o{~Lu=QGzLX5nv@~E94#kcB5J#BmAf^B`ycbNE)0aQeXf`VWMkHiG6l!Nb%a@j2-T&%#%Y6mc( zJnNKLXcfoHl+~)Z>ts-aZ3vH(?$)zguP9NyxN}iDzC#mEup(H|b~F`e0!8OD+L`0V zz&#)x(TYmL>NUxs&zeuSkA%-`huARi9jU9-+|-8%^=#Ctd%fu#$D%FdFq&#^jPncsFcVX9n`dwQBt8!^U^m}9lv!q zSlaNbLw*06#vP}xk89Ql-(CSh&ck8VERBiN^n-`8!IF}CG;ETVpF?8K19GCOLg&!>WiNl zK8m)b^2-UY=z9gVj}$0%@M4#?(ncx$&G@vzY=o!s6l$3wlbfN!E1idR+yK9g3$C5T zHDnKbQ4C~vlS~ifQgoQvaOE4Y0nWf4vNmo~sW7X{pACV9U=1~RjA7ZyG(hW7XuJ~| zZ#Xt{Kcx-`HF-?#D0@01i-y4IgWsfbv*(~K4h6}O_jx2nwxVU%bykCnaO&J;p!f{8 zQX{sqxGItt^4J_37$8r{gU$F@W;_sc*+WLAm`sIP9sYLI!Rg?as=zhd9KAF^Qe?wE z3e0Lm786FaI!9z@{_W7mRIo+|@~jbVvbieKDr8AHlrunL$wJKdU@$8YQrJUArVvhr zS=}lZHB0_BG9b9R0OW>r!utv1hCn^z2Z{EdCEC zW+&7I5+HHdawNF}a^6g+6snh6;|!f8>@Z1*u7csiMvQdAVtk}~Aj9OD2<;yG$zV}$6LFrtTT z6)#x)a}IAJkB#-^1}AckPxc7dJFA!4zdEY#y12Q?;=50MDb}jZX$x`Si@aX7991D& zmKxJSJX9;5Cvg$PhUa+IjEOHnwGP;UIJ;nZ$w%9(7yG!U`h|k?GS#u!{$%fUq12vVx9# zB*qF%GNWJE*Mm14yg|k9rB%wH>iNE@Y|4o1=SZNV;9kPs%1@Jv#yn|L>1L`MS8W1W zT&oJKIHe==nYw@dy)fp68@Ou>r|hXJiS_fPmpXc_90CSxNG#9cqav9>>L5WZRz+e| zm+EaueJ7@0c=5GDRafxFbg zkil8@@DZ8Fq{bJ^{0$^G{_8za67l`XdCv(KD`{$LbLHjGs5A?gfN@qiD&wa%iV5 zH14thDBu?C1P&r9?7-gx?go?)xacXq#Vw6TQT*JVkB)$*qv%&~h-sqe74`x$(MdlO zfIV8U9u$M~$~nlz_YkftVRaII-b z=q$nvb69M!*>bRiqoufbL|nOXx02Wz9z1!GsZ^#aM7W$pSZ5;ze@fc~`iR;tyXkyP zFGPeW(PG3pD9Ito4oh_@)=&`)lg|3vKc>xwg%~ISnZc(TLV%huQ3|p^2y&fB5+b2R za3M$Fb7`(IIO&x0$Y6+2Awhu#18Wv6Sy_z3jy)#J2sq&rayD-{sZ}IaTg$}(8+cpK zmk&8Vo2YCNV5=Y+J7{h8i7sX&6igQR~1Aee<&a&V26NbZhG zu3gl+%DHvHe=+Rn29y@b)c9xTDB&tg)DOs^!Z1PUWc2T{hA1l@r%HZ0t zU|B^r7Fv~GGnl??&WDFYXg4-k1qy+^r_Dng^Y>DHg+(v&CB;jfV^UvbE9F)`YB6E2 z8r8%-^z@?gdVc7)+-()>xQc0fMl^1Hr`aXCJisH6mJNtB>qaI%bf?^PS9<6@-kOwZ zLh_cjn9t`^wOzl%&6YZWGI@OUBbJ|8@x}#FsS{W5of9$oDiz7#hDw-dW41<32-5IH zO!_J>B2LD@DSjKcAbKX87!@q+aCKB>42&7moTq->XBz!+yT18jd>?)p#B|PxfxtNq zXq4?|f`17K!j*lGuj3LH#E1%DF3n7T)M3dZA&}%iE+4%oM^Hd-g5~&`&HqjBDmI%P z7nIIe803c8{EeJ+`KiNJ&es{)2-=;pWSnP3Mtb%YTfB4ias-5@asmM-wjsS3b)w4- z*dsrcMIr2xqTGbIz{EXMy+uW~$#Y5{$>+D3~w6-w4IF}DEPLNLusXmpKB1u;yBSFVzSBP2L(j^|u zFNXB7v0Di{w1stW!$N+sL2^!GafKkQuvtOZGBler0OOt~S4U!bia>=bM*xBbX5mzg zm?nS_1VyT26Af!J{0!!o0|n%P@Q$hOBAOQ`ezq6`%r6#Mn2nL(V7!zRT-dh4!qB0k2XBgS*1n@IPD)1m5?_Y zR9Lol*(`CBY+>2K_#$L=6(DKmWr@eketXwn#qKYZ!x~!0~aVw>iA-S?#a|QfOp4U9DD)dSRb@tm%6v!bk!mc7n8UY^f8cZH!Q-ji~YXdR#GR?3>MO%unpC0*IW3F&SSj>7) zK`ll>ONn;h)b4#|os{iQ94gwj&U|Iqm{9CO zsQ%+qB~W8DgYj3bcOHB}x?^@K@{1K>?4PX;4*Huckt%j+FH@YjP{mFe~+5+!h$X)Nizs)C)Xq$Qq{?AX#`kgp2b%uLMznzVQbxh<`--H32; zo=iH&-?MMZVGwU?0YPB-HYn8Y`$sl*R-dq2u0_`tWA)W^kKQ`v#u0ys7lCWasAbVV$pcBS89V*Hpnf@NtO#CZL^HLC3 z{X3f>w$dS^y7EN+5ceQ@}2y<@|)R_ml3B((XdD2N#y-Bv`pOhHVsSD+U zQRwx>k;1yPP>N4->5vu;NPaisaD{Y8g#mn*mxaLSWn-bVyFBu;HPFf>X^M@Fb;BSC zAqjY-!76e&CcuMTLem#Jg4vjpA;f5>%oPX4W6mnqsCigj=LT0C2YXv*hngb{FPrKd z3-$R~_T+R2HA;Uhslu8idH@K&JaVkn{5E_vh@z1UB!U`##P z+wwaK6(oQXnmTyA$S;$5`FhL_BTK{~b)=z2OE$_B|r)_DxkKa(yh4{z{96PKjYX3{I+VH;#d`6{!NGpe!NcqRwoYnHPrKQJ1?ne-)U zj=8vnHXg|`;W@1YyC{m_BB7{^IEAogogLy^(V`(2h$x(%bww~`jH-N;<)aouUa>&C zEPiP1AS@xfzd~{I{B};D@nc&Q&PYXEql40zo}d$RLMp^k8=KV;Y70Bv$c1;9nq21k z9j=s6tk8aLP&iHBSTOMxb7jBz0XtgME<5#5>MPA|ef>mwA9kmju+Vil9rcxJn1xmg3RateS9*XE8Q~OFl4MKAW23iS@*dDQ?r8(pee1XHGNLb*M&j1;3kYaW~7G>(R$$JvnfT#f-~4~W~%=*ViJE{NFk+J>3=I; z4$0io7#Wa|4<|o1O>g_@Z0BT={Z~O zg$W}*)Ed@jEJD|{Yn{D_m`A49c+C|fe~;tf)1tQHFTP%bvkuOxXZE%n&aUT<4ie#s z?(L5xUA>&W{pto+^9_`4Bj#GN3f)b3*)kL&J|bPILS|VouY)+EP^>6F+$daJlN@UV zn?Wq(A=si}2^{YV@72=upv`5m7CGURj@e^|QeuXjqNELhp-pfLP1Z9E^=EfAgP>ep zLNRcVo7Wk)n`g!LjbEdq_Jd{Tmsii)mnRMRi#jeJ*c&$zP}Ab_?G;qW^&dTw*NRgs z7Rj8bc3!uax6o-%}2Pv}`xu&9GujFdDSf2gm@c?y%LsZ-25jxE4*K>B5S=LTd z+WGTL(+l{D1sdzEb>igp0qbe)h}-##spP?{Q~X9@lP}oXk5^0o9E^Ijpx3J{5Oyg( z%u5q?1eSzV%RQxFLUIZRr@3lM=EKMbXsXyMGmdhDIv|?QrvZ1hHl_f6^Gu=E^z1&w{pnj?IU0%krfo3j&5S*V4gB2<5^i1(`+0wdK=32bi6L&*~H0Xocw zDE5>1n{Jk}#3(wIM=ZM$?~z;*m1O08hcqImzYkCq`T(S>efz5uik0;d$5^Z-6w(6; zjzA0*XpGDR>WPLo6l$Q_b;K3&Xj+Wc$D4Cn)z*(vbn|S!JvdQR9cWcn`Y0bm(G*s$ zBs*GaR+m$izZN+bQu2}DBh)DeX-!viUv0?$&iMx~c(VO44Qpo5KDXx^>9fTz@6lTV zhi*8JT%B-Z$eCx_R7Z3#aWNm$C4mFNA_x=iHkpKDAW@XHCxIwh zc(>P@$S>C7VV=-YBV94Y(XfQJy9K}CaY_TD9E3_xz3E1L*1xZ)4nPiR^s+P1(-#gN z%&RlBa`IqmZCE_Kjdv7gXLn6HO5F$~CR%yLOBBCA3~_?ONW{2&0*ix6K}uuV9<2hQ z)TM;`(Aoc`kQI<-vg`5j{{MdDI)z9%@~ZNd`{~{pTMRsY%U4QzzLiHI`t+bRKifP5 zq&i?^Tvyp%%jV~&uSS_`TLL}Uy*VtjrJN_fVJ?syymp0t*+s&>oLx@^AIXy7Rl>EUFW+XnV% z-|odwx)LsN&im)1qQ$p2qX#&BYxmpQnjAn0T_5(^3`*Fv|Rn- z%75LvZ+!IG{~f+T@BQ-X`}tL~)>tcV{ytdvnq5$hn~*OpO@DSxfb`Ap_tNJ+-AC^O z=jf?#ev$pg8k=X@)xbaYZYZIqOqy$TWWyPoy#<9n9V#miipf>56SEk!h{c9=7A?{m z^a=%`*LHxFEJLV79w2N6xxZ3kFa)JCKf$25L8mhis2w##yf9D(mj&{Fa08=nsQik3>N{&-b_gF?SjUi*1;_PAIeG3R&5El_T?q7J%-W_wb@fQ#+R}ML?l27wjWKyP z8mPt=ZT;qCx)`6>Z2o#te<>}W)IwW8Z}42$6kOCqvFa%8q_$Nopc`BKqLmYE!H~bZ zWNh*8t+r3i}V6cd&68$d9l#1WkqS4j&*#M?DXElIA34N;YaB;d)XuhC<4$2uTn)g5T9if7^x ztx1pQOh`NvU)|6GCN974|Llj`vx1e%nWeXvzAL}?K8SeUFZM{Cjpj~guPEY^seXMb zzsNdmT5jNMbt>(9zimA~$*!0(#k5Xf;Deme#P)entq+$A7@J^u`@@>{s$V)HJHJ>i zu-o~|yS@ZZ+Q%LKLg9rwb8J6u-YE1xer*=`7)ybXKEPNCJT&;g`rB9PaMqOgj;Lg> zc&#FG3``t#$Ws!GRC$+{hG%^5tv4wt+>J?#UM!FZ3qOS+7OJ%42ufQhn=StjURoyG zhglp*w&pM=nsc7TS2%pOEgy!Ro#`Am+lRRv1V4EtCz{h6&316Q_+d*%d^*C;JQuaj zE^uUKAOc`#8Mj-o#P~2X##BUgvJz3+N_uJ{!NEXHq}8b*NW32>NR0|Nq5UXs0xMaD zFo_~S^cxiZYKb8@zjjiIE(=$ybtVJ412vI4HLl??lS&TNg6`e~u_mYR*L~4}4vz!| zgEbM4(QQQ&6QepSm@y_gJ`rJy)NH~Q=0lZjmd>OTtq$>|3v5$B|@!%3yTPq$pctFF86~H zdxjscDpovxj2iXwUqeisF&SnX_ylf3^@NFF$AE!-1N1eHJovGKMxKfRq@Br9J-(GQqj=p!B2HIgyH)=HK&wftJW2=s|)q*`^OmV}3 zkLNYVT+Rp|__gsj&>=SSvrVG!Zqo@Ex0rL127UsUA^xE|DbHO(qR-`J7xMGuYA1fs zbBO!0!{SeQHI_rXPaPaaxQ9W7fT@D~y#X@m5^LC_h+(TO$V%kuHe!Qg7U9wn1ilsb zF`d=`Fpdq}&NY^wZ#jBK4V_@9gvG?<#3*Ex7FyW z+#IZGqR*c-`iG#}P=p?Ayr48ZI}I;$FpiSCCVwWAOrS=shQ~jp>|@m$?hL!Gg2>NP zXtQ`<_E{G}vmzyB^TU9^6}0YW$|iCJvd;v(XP&oCDK&#zEso0KYM@U-WfcJ_jtBGP zG$PG&76}c7A1!)?KPV>*v>Gu{TCI`L=NILvQIkUZN z$dsC1m#q1J(T``M3qrE9yCk(awJERKu#?lWhcl)WEZQRi!YlHxR;oo`Nnb}im&n*q z2{>IKWZk?ZVq>nB8ytwm(W!b%@JBhi?-!%A#UOR~woHoxI{Fp;gL9$7OP8%ZNCSPv zhu?0H1@iRT=5qk9$$)u zg=9}7^av^YRp_p=ai1ylW)vZQW&_5 zpVgI)t23E3_4BkQ@>bQG=bh@W%+HFl?RZb#l44gS6%5zo;Op%rgNuV3k_5YXyxjt7 z67i7}H#!{zFV}2)CNPG>;`K(C9XIiI@pn=2pli5B4QRq^aAbi@sH|hVE0F5MM&0bo~5T z)$FuGsFI%8PMw5ZCrqoa%$#3_jJ85lkN>jH+N3pUL`bqTBi)(&Iy82=2BLeV4?Sb( zconG;iAr};O*tkZ^GdNF6D}DB@pi7KjQHoISXFHuCF;)??qwg zbZ)jLb5|zk2q#gwsV?}6mGoUQm3%d6&hf|Gg4L6K_gP zMB%(8mp>LP`*rf|t_(JiVhQ#AR{`q!x7JSHpU77Gfi03GI~LS+;P~c8 z+ov60aQD64H&SiczdBN$^?}V=+X;s9s zzj~x^-`n7RWSv(awDDMnvI0aiY$gI(Rux(^W?ca+5T&Ff*-zn{9C!@o?~J&^D@jz^ z2(*!O+=a22T``~qs2*p{>cE?wJfUrI@K)sNZ*b4lJrG=oyqSMH26{6g4(X#Oy0BXw zEQMfQjeXn>GO>i6|m^-t~t`I+zl+^H&H zPN}Of2w=lkb?LjU4WA3%2%@ik&nwLg;6Tj}Z}kx)FnT)wY0B%}kS8+o1b9B;LpVN8YLm9N6Rd0G*F7K3$ECX)ImR3V#>la5 zm_0RHeKOG#XtwnWmxHF1>skI$ zp&e~pWidD5(Ei72g>*0B+64trMszUo?;8FcJ;a^wDwh#2&|P%5|IR-*j+y}~lK8yR z4xg_(Fb(>)o?uvC2!}|Y35_{xpqG^NE~TC?>imt$^m;3`cPY7B$1>`L6~F(+1bW}f zTDwq}1JC~eo1t{`kCkg>A7++V8*gRFzY#3^jdh!n%cfQAK~{H_cCm)PeaBTL3pO=t zYsAb06n9<~x6U_Euop;AyYBOC;e#XHckOGrN?bUj@}I2_rIh1%K>YIB=83r8NtlSi zi>vL>zIA_Ap4HczsCjwGV!RE;wwTizw}AEH)8vuar$l>@*)GSqIGZQr?^&jRE7YlZ z^nuEd)X^|lSFJC5oKk7Eb|!Y_4l z7I;#p#-OKW#^vYBzX+PnGDU@g^9SKpfM#YKF!|?*RY7xE&e~Fg9N@YMo8kGt{8@&- z_gbSTB{eExSUUXZ-0?ZPb}+I&^Xh?6bSnxefxtG(2s|2T@}kvR@uSg8oSyKYWehNvi?PIA2X=@2Yg7*Eg2L_1uds z7klaUJgl=$I~OCAV$=nI*;N6JI&#G$Ic~xo(m;-VwO^>eP+i=__>71OF`2QP=ZNP* zFy&xIvtE_aeN59H-fs!mL+yz<$wKt@6SY7iql5Vd1Ai;Yyi!#TU?JxW62|09(za8VrD;L+{_1mQ{2H3NPw?WJsxf?fZ-pq4& zlw^xr1T_NtX8Y)S=} zLFvqtmam~6{FOLoSt{jQ3{qxYl1=LUo(K2dTG0XDx&vIEGpoF(R=HcE=C|dpy?4Al z3hW*pW5N+Nj$#@d2{EC{aAQz}&m~>aQA@*TOnx3r|NmnfGDAdcs~IC!{`Yj$NEir` zpwlsoyE1T&|NT3J1Goei08`3%Po2E~l?(gA+}}CBg)i=-kD4Z@xhBN{5i9Awte89% zk(jDgu4(^N1&U!`7iC;g>Sgfm#U`&KqSZzmC(Noeo?yS2Fcvu$JB&qycz^ai4$VZ; zI6E!bN~UIhy*Jd*?x*b0xhtyVEuzNUoKDeVQ73rKqV*-tE``!k82&1CbCx*Y3q0%dijny5BO)dLBg{{6gknU=7 zvG6@jJ=y89UIC}@{oPj7boWlZ*5X29Z@fDxD~d4H)9GK|T+8E)2&~iZKU&2VJf8%F z5l6cYYqa!Ru*PY9lINA@{mkO~xD| z6{Mts)D>!^fK)=hE*a(RH?0@jsWN0>>)GrEC#SZkUiCj~j(m!zCud2Wj59B1bjRYXoP_^@@a9I1iy*Y0 zG`a)EJsG9B33n6e z__pnJ6<21#L9{%e$`ja?l7Xqbfvq%g2p$@sz>|6mulc88^)=uS|7XoZ4+7aXK30zx@P%`mOY3UOYil<#2YvOjx)4M}#>)m`J?Bz*n-2{e1fkeUFwEgr)rFGoru? z#*U=ev#yzt0QhA9|EO{QTN2P{_v*LK<+t|*?s6MemvR8C;IK4NF%!VGkLE(=hCJBt zuptcdQlaIE#jxMm2aAi_`PpsU@ah`KM_u1KABJY1MPGHox?ju~8QKr;)LqiRh;`~1 zg!i2YY@PiJw=~~~!7wns$4lvaTXPzN^02VW2T!yn?qj}sA?CACO6BXAuj)&y#zT8= zFfYm!yqPiQvE?!0)dQj>4JI32d~gtq8AM$`GBeM(S0{dkKfgB7wJx~;$m`H+mn{m4v&J@C)SZSCi0Tc z&Bc}AQQEnRA$WKqbMUo^@aO!ID#`=dK7Zu}eoqm^$Ysx3FMbUsU?$uQuS2HQE+~H* zwpi%%V===o(-flH7_w|$>y=p*b=$Xv{NRYUZz^__ zaV_OUlR{tPl^MG5ZQE;gS7y(%X(9EN7P|Qi&OPWvq3`fvZ{C$zk*=l8Qb73h+-$L< zQobYX*G%@5Ic-0lsYtAfeZiXKZm^l|FWzK-4H0o{`o|t9Y)t21d@5 z%Zg?FxV#Pdi{r<|Hu4+V8xvtz|N4aNhUq;B>!P?8Vbur9ZT_7J&0bZK1^dcsJWbpu zpLASeyYDAZ;_mC3s*hUwQCk;p0RcuQgohq{?KI#y1(2dsVqb>0>-4Z66R#A1Mq0-E zHF1wGBfX;=;6(%+^M9*&J{Ns{*-5K8u38T=2g0kvU+~|k0eS$?f#0$Qks=^`^Id4* z+~NMT**T^jSp;kKXqg|JFoR<|A%Gs_FIn?b2B@3?T?XdIuq_}Wd09zDI!a8 z8GY9;a9&ZfTN|q<@7;Dj{NW#9_&HayPYD*0MuXs^58o#zmty~nc|g+7B+IM15p_w$ zAJr_oDP^~n2x#wDYxCPjY&+*TkL2Q)$_E1cELvUkG-Ij{2SSK+WUa^!2)?)QnmV;zRNUxQSPow_&}oDTPy# z9uuz~wDfd@NLYaj{*YX9? z=`HtW)1UrMAiQS>1U}<)J#d%%owK$0VRihRGa}oAg1Ed2y_g`mhzN{jzuzXm{rnyB zT6|^KtA6e7X(!=liw3tHPfB{bdf7PdT@r$pjn(e8>`Zn#m(Av;$I5?V0|?h zkguZ}?$5i>lLK^V2uG-Xpf6Z3H_9hC^8SS=i_{M|5tgg${&3z67yDqj)}0HUO#V5x zZ4!3uS77U@0h3=xTZ|~Z-E9#}9h}2LMUH=ul|};v-P!#}!8xMsVU26s(K0)eQ-llFtWEn=q#b&UA-m<(b~&*BK0jC{iTSvB+3}6WQ$q@MXrgmL+P@(57%OU?+O<~xGeI+L!C;3uWP7| zK(Uc@tJxH&$S=KL1gi1-S(of%eEJMp2^Tx3fyI!}y$SCyW;M=@{(D}1A)vAQevAu? z=O2dQCC628OIAc0Z$VCXxWp5V7*&UAmC}q4{(#o~k_QCc1-8lI6Z)?1-%Lm`BjAO9 z(^;H83x6X5YxH5YcFbF&3#3KxTYpZf@ef!_SmWLfyIVWSEyr-AQAFhVU+kDa$hQz~ zaZlR3v*`++Elwt2^vkE=;4VoGe%5xLFA8-kdz$x_!^m8x|`Kj^7m$b@6O82jSQ zcpKhe-hJn#|G)q0e|ljOXe^p1Z6_^?7Dr2_9iI)ebN;*N zbQk(|dKmrGy0PxBh0}4-%0+>T;ujrRRDX7!)0@m-GF%ycj6}w%UArIe_j~@L((-#9 zJ=2<~#H!u~J4AFyRy0PndhI%`M&MXVi_;&rmE<0XgtY`}(W=R6-RwG>#oSxPOVqWGvKYKsN$+4s_-IOMz zrRlHf^K?9&&n#_hZA3O=n{_rDfB*K1$}VNkpc$00wNMA6VLZ%+weTivhy8FIS=id! zy4Y?(NALcD-GXK?!de`U^Kmn7!=1PfzrdqJXm^@A+3%$XX%20qt+a#o(RU1(?P9@V z1>4Qa*)7(^Cb*4*kAsqHc^uE<4g6>Rn$HQlCEO)~C9)+t5h{|!7vh|_EbfX<@w=E1 z@AGAjiFs%KDxWPZmr9qW7VX7s$>DA)cbD;Hc3E0pFMldum2b+~idnIi>8cx&$MfRp zWw!jETH>TrKdOE;q~_ zFqY0v&Kr%&gqnDB*nDQP%n9>_IcG{u>CLx@1priV+U6i3-5vCwwp@^n*kUk7o^H%F z1eDs}|Mk<`U%uerfbeIiwG|`L7QY4vZxKqzsMc?1*Z5#&^OiOnlkm&j+GE^z-+}y( zIy4ICUtZ=(Bj`bVZWUvS@Y3x}t&2&OM1;74xi;9Muh;0>D|wU(JLQuOsUV3yQz63^ zCm$3|WJta;S|Do&#w3jCXQKIpVYZ@u5tAFYkECY5KQwuRGgqb(ldy!{awH#A1+52) zHp6lZgmChL54iLj5#0~~C_@H|Z9nv(<(v*vdCS?j76*N~PosU}rZC!3b$n&8mr&C@ zm7&M%Mv+{f8565g&`oUMp5BJgLXcNjI}e=188B%SEm_UWK^(8KL_Y&}2}b|!D_jAP zPOFYCCrx9S7DMbPXHAu0!|bW=o4^M9Jh$-#=aF@U(M6mNnBz2N#C~z^e~^wg&Ku`B zLYaWnjvlMBk=-O7I$T$6VS*o(8#`-jYdcHi2n#neeo+`8Qizf8z|Y{*2kL`_dd&l} zVa|Si&_$&XC%*68BK)@mgYp^$zo$UFq3mx#;C@#(_=#ZM=1g@bs zvyqubFmc-r9}+g;sTv_!Q|J}NJF-BP8HQ#z?~5m|EsME(8`L*ISAt`&u3@I5?eCsm zUGj1ITfJUA`Wq$U=RgW!;SqG#MqMMDSxw5sn$6xy6$?dyM{m{l;06T3u z9AW8(GE8lC1yDN@HFWz$Fs?8##4dxDE41Sd93LMF1vX!Y5$Z=K;12)2CmiHeoVB`c z0Th&4TjMYSYhjEK#r*^!M^=f|y)dQpp4k?ijP1zKveTPjm#d~CcRZD$*Ws57n~!l^ z)Q6LF%K=Xkg&3`f`Zc8d{WpvtT)P=A&OmK?E5H9=C+z7-i9`_P4~0`w(5g7JQ`*HP zzX`cOc*&!IF+khw0o`BiL4F%uoh}C8lLq%Qu7u(OP~$xar?r z9)u4q!_Y{aO^z8eqf6T=MCu3!RzK^n)S?7QPkWcT2ti`*P!xOUMdX1g{LecQInXL& z-extox__7%YxYH;$W>HwS>ZOY+j9C^GL;l*W6-Q4f$8LAv_wuSmb`!4M#9@jnB?{( z8rY)t6I4jK*4tTWw%l(vpc9s!+y-E$w3nVWP%$kMOIL%)LZd`Jj!pWW>I}a%`eFsk z;}~W+qs>8^yYp@(YY$G42({k9O(6ye1n#CNg1y;ZA@`e{;C?GuFHlyA|M{hk8^+<1VjE*h#X6w&AFtz>e7yU|m z|5up>>4A4p(SB4E6c&{J{caBb92V9QM$YomG7(R7=U1NV}*W5khFU>BoO9UY#5s`VxHn)Ex?pv{$q+ z*@@CaiRAoGoaKG@o^QPnZE$RNHzxi{xY2}j`^)+GQiz4?n!`pzB0*0ZMMm_r_eh53 z1uEnk6VV-_c3Z~9)NR=Jdt|(h-Zloe2IXb(KtA~Jz7rr8{p9Hh@BYPx+c+fXdmXJr$7 zM*2poBFMH<>#yQ<$sOh6&<)GyzV%2UBWX%=AvR0In-o$9!wFD==MdhE-s8rmQ^hb) zrxwRJDYk;L_yDGKJYxL^iAuIP2-Rd!Tnz(m6J*3UsLQp%@dGfmr`$_*3Z_kn+)9G_ zqZoFO+}?$K#(XAQL9{FhZOI7IIv8zR(d?h@nw6%d(Iw&zG&ITGMuPm#GaI^)(yzO4 zxjHg9z+y5xq9h$HeL^m*$JjOG;|mljg^*1&q6>In>)=Rc&Jv@K+$JJKyiGD*7nTgt zSHjX;y3Kh`9GNPcb}kfjUA)wScc@ASi2160acD8+x)5AUIU&*P0PH=Fh67Gj^VE_d zfAils&Fww)DXEvj8!vt84fJWVF8{v^*|Um}f>q3UNtto0ifg>?S5HSsV6Ya9xWJKB^N_?86(Cn94#gv~fICBY6Z z=i8>L8?=A+M&MX6y$756up`zi2u`{k8U9-D@<1IofF7va7b|ip1pdsDbB9zfrsI{m zTcN8Ar(%8Dz?JVnKSqf+S8=|8vV>yFO`}=T$;f>Kgp+f3Q`AXiTq=}+jljUCMDe#ErORXWa8Y+ngLDB>Q)}xM`sT7KKE$XH1 zP!vskRbTe2HlE~VAsol)jn@SSjB<Dn{eJ)9VjlkM-=J?(ogLNsEymklRhk!S~r_ zk{vx6ttoa;X#;KrKE$26TA9sOZrVVIP^sq`WY#sd6PZxDr-hCL3nRg@rb5$2=PEPR zC`sf&{5g#iPwc2tEfX(KS}Z-B?x%&=dOVGBHxGPZt{>b9Od1s+2kk68JpxnOJn!<= zMS~dEyprncpzU^T@gyMR)N+))p(i<{a1+>vqLLt@-?8+A;+**!Pcx%^Lc1;#jW^J0 zj|J3j7c>Dc3J!Ml*%e$AaE~p_#(Hkz&z{xGR6-yc6{h|kVE~IaVNM>;(YjIo-o>IH zb)K+qUdZ~jtB^nWD$^aUiwc}3UuSyazu)_%zv3sDtQm!d^aoxHb#p`f%~Blvmw`op z0;dRJ&u5O!c4m+D5c%RCSNTi6S^`INbf}=+2eLK|X0pFgIW)hWUuO_$@14-<+U1+B z4{3O8=TAc6%+KJP2OK5M47XM>I8FFaCp|=pBbDH3$#4i{^kfy@Gf&giwageB8t;_Y zOd*UZDqMtm^{Dd407;V}gOClm5+N32stT#I5wl#%5^14W=su+BS&NQ3KX9E;3~8RS zQW(PGVA}U05plHpOqsF=!;?)o1OKR%Spt>qA!d-cr6`6qD}p&ZJJW`2d9K(~@;T~o z6aC&XPY=VXxdX)qK0O}?F#xdE)NL5SwWc(rH(^=sXfy%l_iatg=PZk1^k4y|eDefS zx7&wbq_T28ts{K~8|w~CSAA_iGU|zGPK!m{;6K6Sygx#FQbBM{l~4S5g4_*GO#b&8 z|FX`iZ(DPlTrfE_V4rRF1VWnI2nDSBWEk93AE|?;=Up=&8w_V|_ee1{;m_`TkM?NU zNw@WtAW3PGL}=@+X`h6IR2_FDuzPX+51}o}*~vj_QeGRy!FRQ+?f`I&MeL z)P28U(O=d{pgf0LGB(jbd7NHmHzP!te{hVxi*m`k@r#EiL3 zm*UXM%Q8ChGe@Hi34l794#%RG*?$KW=TS-G~_OG`6|Xp)LLrRHbK~&PGAbWM>2R<^_60T;jS48 zI*mhQ)-ADKYAiErg3)m zG0UJkiPr#WO@L3{w3^`YtIDa}O*S>>wMt+5AqP{4_5G?cTK44p7XNiW|l(2+6G zPX#-ZQzI>Mt@d1%oXF5VQQkbUKyY~?RF1hBGs;-6sm%A>NaJHnd8S30%p}$#c zCPOIeflD+6a#JBcuWBnU{0vN&9I0GVGL6~s4Y|l29=bE*MbA4vS8&F%X&4GjzD{0= z8j#6aj67YPv00_Mt!QQ@9*aKH(Si$cx8A#MZ?QruJcA#U#&Fyg5Z=T~;Ud`^?|2Rm z^H4;kJ9I)fG`SY@9hl7|SFj;HflCGL7bR}S^(M^NycbU*>xi@o8pz2+4iVu<{_YV$ z8zL7%5v82h2+U@q^wwb|chKnQi5Yd#CI(}=h)eJASk^NuPF5oZpFJSph5>ivsJ>7oX;h43}qiqGK1Gh4L}mlIK^9)6->d= zs!X_@LV=3Or~RPr20&UsQm!G(_I3~@kl%%}wiYE)#N1~xaR!K?)9 zqDU~ZF?AG>v(TyaJZKD7+dvy$?x5{4%`U}x(TwtDgk&?DIgZK!+L0K@a1Rm%xk*YO z>eoW_jcrE!ESBcV2c`sJnZ0E_lQ}9v*3U|j-xsgF)by>7m!OU9jL|73w`i%k-_-_m zuSXn&ORs^DMVd5_1;wS{na_D}hES&>f?v`DDq>lxF_@d*go?pc;EZz-iepl=`jTzASH9`|#bQ^Z1}sju>4oa zs^pUo*sQ#SiT^I|bUl*1LIjG8rN93?IPlkY{F`f3H&zX=AVirH13p6!HRcK##J`xE=ttWNYa6@&%JP1~2gc?~M)E+2?$>oW2X~HBk$2uZ`$cDs`03#TxlOmza z>y@l&$i3})Y9yX6!KK%hoyCEg2kB%(J^FEul9!Psc;@rHx=QBNY8!#ZJQ0-3{!yhR zDNto|dm@Wek+zwg$TP2fzW=s*d@A{Wtp${;2@XbQjvpkSg2)DWzP9q5(#iwqa{@t| znA$@qvM4D%tzL9W<)%^?a1RsQm^c!$+P8WIH)qlIzh+`N6$WXX^LJah}vi9?JX5|gpn$o~5Sd>s#p zeIJ|3zL+Rl^y>x39b69>_K#S&Q)20KV|BU)d9DVs!cew9zCqPmDh|8_LgWY5o8gws z!X#&PwtL5wHY*A1cT~BGlpC_1l$lv0aa^Tv1{zE_;2Ed*iA%F%&6%h`yd=P;#PrXR z681C+UJo@BAR9K%JiZWyYHZ`B!LE4SYaQ70O`LjSN3WHAjVo%w=^8yF16cc<5Mo-VKI*p5#713-c!zRh|mTibkffUV)h>U0Xu@F-1A+q+6KOyEMz5*s@<_F_dbbc1Nb z4Cx%wRjLN}?HHI!iQvSlG$PtMeJYSly%J!T+l)xdXyFs88Sh{P_a9r>mTCHJm(ol7 zuk~~R9MMA5$F1j8k z)NM3?uvm+_Dl_X1dWFT5XZf7@@XssJ89KdNHUd%(V0;&gD=?Gj9F_wVR{f|{;bBhS zGoH?CHLVeA^2m6-j9^}mB+B>T3b~t?=0ih5h7v8jYHzkQzQu={8?`Q4d$J>>_(8!+ z)CL*^AqcvQ6Cm;dYHOC5%OxP65DKEQt5m#d`8(830mug;2chrbamP|dQBv~iW*a>D zd4E1Bf#Bpy`eFc2y)`OXnnashBj^NhJ(YLj%f1vJRjW0a)S8Gv&Hfq{uNef+@X*fd zNsQT<1EGg4;UWEENu@?qxeN!}*GlS0v)Q(|K>V~ z&Hzaz6mF8+c`H9v6-%v^nKP`Ci?cg!he!4V$ZkNFfY^b-?mkyuZ7jqS%AMi^(+!x4 zACmW9CEG&@&Kvk$k)c#sJHKFNt+@mcVPz_7Jw%KV6Rdjv0x`rG!MyO(bfYptIs7{s zWAwpkh7@-s9aKxMN~)|LQ3|gGqjZ3DcdpUs2xgpCgyaH95RxG}dnFngg%qhCgda0W zI%38wHj)WpCX=Lq8i%|8;QPOih4G+<8Y6^+l-;@6m7g`m(k;7;U0kfsXR?-Tq8^%x zG+CDSzua!?S$)4P01##@jAS86G|6^NBs~THNR!;qQmCyVs!E_@y{6$I+-xR>_7M@% zeBp<2{0szhPgX$KI1viJXb_)JI}5b6O-P_H5w@ES)(XDYgSD0bQ*C@(b{9uh#1&`F zDjq34xYqKkXrJk35H{orgy1Ue%41dgkk~LbK1F)lfsp@y)^tENx&%;-^YS>ekA} z^nBV51t-8zm6iG6bTcg`XFx`gH}|f~sl++9>$i&{ywx4EZy(Zq;Dq3uT`6#F;o}Ch{H#HFCH%j42=e=W+-dMY1B!o3XAC zyyyTm%@6`puoWyE)!^}-5)v%UY=)BF1--W=!0iDFPI&PxPX-h8TP2Y}OL0I{LbI%d z3L5vC_r_Qd1xZmnk}i%yT4Cv_?$eF=C9{7+19n&Id+XA=&%BAM{-Wdk)zaOmN#jCP zmeRhGLvM-*E8+t+DH8hwIP*~Bd4YBBOsm4BFz3=R&agOcF7gS=t;2no}gcqbEU~G~wpcD9$}HgrYe0vr7c{D zRTp7b+s$yNyzTdT&N`;k*$kR%CXp9SQD_5?e*@}z&1HmQ>sxHK7~0A*j1W-~+GHd5 zMBty~p^$m`X%u7M04ygmrBap~|3@L!wT_Tmc-)e*BU^FXHCjC+>RYzn>h?E5A z25wmZV_F%5NSa6i0DYtatdfaiOw_cXls}WNbdsl{YJ6KQbU2SH>pY=I(+DGx=%Q=H zreN2||3CWeFSq)ZR* zIMi^pqdC6(G7dFXCVl?-sj`0|07^wMZB2H&BKO<0-CdA6C(p7^_|B;62M1CL+Lec) zVP~W&6I2QR;!3N)bIY$a*lVK|ZqD}?-{d-P1f3h;oXTQ&r87b;`m6DBkX3BVSz+VP zv)&{=-N~33A+k0plOrU2c59@r)5YHy^vvf*eI*Nq`?Clk?wLJU(bF#L-^jjriqOQw zmWm)$^~c#U)7k+~&k2Gp^j{#Ywl@+|{Y}2ZBNK)tWCPB&>{oY>J_KP^-IPT^knuz8 z097qEVF*x$h5@jeI%X^HuhmbN<&(la{p6VQ&3o^?d%Y?iVig>xSE4-uvh|cIwKB^2D}R+r193(^64pF(cpsYve)s94(nUC+t{KX&uu^5i zugHpMt~m&A6(7>K!VV1IN?ajN6TnrOrRv&BYL_<_DNc0IR1~HJrX=$3Yb|2jga|@D zXsqKgyh*Y)*G_;q79HCJaYJI>!2>r|z$1+}q7$7B1HwTY)s*ox4R%63RUZ`TrfmA( zN}FIOlUDvbdBAT640}qA0Jx^ud!PP;!qn#DB=FHh(yne#XisNPkzR+lDcHYVM1lDL zUERHV=R~~5xQ))>yWe0HKfll<7OZk~eE6RJ=G`;?>OQ&j2Vq3|-&9dmka9%|Pga4e zIY;M|2D|FjzqU08A-Mm<%3W_h@IC?e;pcCE^x;SEJpIA?9%Yl$42jWd+C~TztobE& z4gOK6NlAC`V)gaC-m!1!#WT>NsFDQo>49ob-vIX;=bbn9+ZcED|M>uu`+0mwGd|t+M@08DCpX&IVH1-ll z4ADQ{@XSYuALiX+Sm-Ln)c5i=0DFV+tcy-p?PC>ehK_>hp~C@t@hE00QEK4uR4uN_ zI9@}CTv-=df8JgjUYf?D|$%J6;MEgM@3~FOd@wS2_B`h z8xm2u6D;=Vd8vF`nE+_GQ7-2W8g=~r57VFTiWjipZ}|4Y@WECYC^yWYZ%h|@VR|JTTH@EBWsDsxac@p0#uCn-k|a20v2U6IX>F28b}uXP z!lKm#*;*eAY9fij%f07o-X~>A&j$h6inDo5|NY^gWqG*TQ4(Es<~7SC$Kx)Soz6u0|aCoj_z5jw;`>o^GO4#MJ{X1x}b-~YQ(s@T)Z!>KiK#<{|z`3~!r z->9;N81sa$tkao;RSD)qzGxQ!Mg2}_y9vfjGb`2ga9fq7$%a@G(_eCH7d6K>uyI~M zoH1_pPOn|kTg%+%Nk|wbj6Lvld*fIiaWbL4bhCeYyxEF8<}WUrr0?Iu`41o)C&*5BJ7s0J5fblUxhFrt%=Twi%z#2cye{$e!gh%mU?jc zq2q3JEF(7SH0epZ7A{^H+AfCW0+m`I41%vM#wNM&{H7NXpl1z3sbU`*4k}=%iisL3 z?g_}*8_z_gVccENk|5Gjd&-MkXFDy&sav&=2pB?HKcP)e=XeDD)*H`sXXh4AoZ<1# zATq(r+{t#?EGQwFZ-#syg~+uX*8$SuQ-5|9Ot*9$&qh&i*z&jN>e z3u@Hy#u7uX?#BdU5~zYM zs;zALwCLIv2qcGp1VcjWlCRe;%Az-@oa6+s;Be=TZJFJRY_6e~0b;(;i(o7RT+i)Q z#|9ED*7B|&;=DOJAxOR3IwD0$v1ciaA~0EdoUN(E;NCba$gWdv;;GPPqd%v^@U#+x zR7h7%HQ+`Y)Z(!wO!`-*kL7RzZATEo+q!XBLM^C}fhnPrHGpW2sp zurK)pc_#wqKE*A(5!`o6-H`mR79?DOh@=q1h|F-?-4&I^^_O$UPMiQdO-L$hU0(RH zO$H_eZ_*hztnSfj<7Y-x@5It^(i&cOknE^Q!t=aY!3&0YKI$9D`iKhwV7*kCgkgK7AY2)XN2L%I}W6bL>m6^UCB1cmFbqxy!8s4P~86O#$lHdU+PX6Gy26jnDMdEpkrobEtw--(_{Fbz7E9P@cm2(m6yRe| zi%wfYNfvthrRZTQzT7g`5{ap`5&(TsqYwT<5s4r{rQJRiSO1jnE52*)~&MVN%SPF zB7|P*U`hA>CwCaJXK$l&VyDqcTt~{!U?eGeujTmo$=TRz)1*|dH>cKnyJ2H^>ED;+ z!fzREl0~Z1G;7Ov1K{Z7HBIz#gvN2cdX5fyhNCpm%aQPzyMeqLjZXi0Ng9wCkTf^1jCdW2zciXL|jt<3Hu~NMwEcg#3QT$ z0WgGGi0Kw0JvHVb1C?ngU}cC!Ak_c^B+@YhcY!d$3%femoHn{_@%iKj(1>@?UU9Za zwpXlZ`vll8nV%$kMT>LDHu2)b#~N-nNqr$aWWR^AAXfO9$&AFOyubBmhkG)jK_f?& z9J^1EENv{{B@WNOb!} zq^Hif=DOAXB$aD;w_d-B(q}E%<6dw7x1NIi2R<)GoP#QC;xFE2W0Vra5ffzwepcmw zlBGDpTZe56Q5xdiwo9e)sn4X(KUV3e8+MqWwNsFjb_tdtQ9{lpYogc!&SF_Ag4h~gy8Ai{()F7l$Rq|&CgP3t<}4~yk$y*V4F z3l}e4zH;^2^&2-43`j<%2>h8@%5hb!Eq$&(wwN`z1V^Rtma1wH>`|#Wb294{7sY*qVP3=iq}g8C0wrc>8< z)c<<`7#x8_p)pt-ouZ>JN`u=>%t|t9P%csZXMtwHiI@or!5fMWrR1nMYtBdcy4bcOK zneFcC8uxb79)db#{iS}_w{Qbo#dbQSp#Cs882D&6V&1_a5gvxQ+9haF%MxIif5Kmc z{r<8)igbTJ4)ivW>q&w6wG-LQLJ3&FK^+Jm zwhV9;A+AR{Yp8>QM#G2{Wx>fr>ZHpI?Kwdh+b}I<9U|yK2ZvNLMP=^Cn)wirSlpBg zJ?@ioX1<5@HXQk5b)a@Y*VOSgL8MTVh7A%j5(>sz$i_*rmb%y4_nSiNG^4ZXlGzBu zxRwNHEk^Iq%jzUQ1f@yrJn!fr-iL1}c_1l}<+mr&+^5Lac%f|J27Fzy1b78ZZ=G$vgdvKD`$4AI0rQ^NW zUpjkE`r~Q1<`+tJre*z+Z9GcTh_8bm7u5X~fhrZD(STO*N+~3_uJ%D^gr@CfDXip>}M{w@3~kWC+|NwYdy}rq^>-SWJOe?bb;Y ziGkPKNFSu?CQP2vljH5+2N7;A&WMZzL2w+5zZ(M7R7#6{n{O z#Gg2m_0_4i$&Rh`aPMho@_w~no*f+BY=4#a0l=5TrDx304-D6ZQe>7&SxLrA zEy%TZtdmJRCoLU{O+hlSe# n2(9rG{s=Adns=eIFL+JUL&fp`E2sX)l3(vv|4&*@ZUg`T;X1QK literal 0 HcmV?d00001 diff --git a/site/assets/fonts/jetbrains-mono-800-latin-ext.woff2 b/site/assets/fonts/jetbrains-mono-800-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..82f96681c0762d98ec703df7836829d0ab44a785 GIT binary patch literal 11624 zcmV-uEtk@FPew8T0RR9104-<$6951J0CXGx04)Ci0RR9100000000000000000000 z0000Qf=e5UE*yhC24Fu^R6$gMASWIGg*q=x5eN$4WX?GYgbV;M#YzD-0we>75(FRx zheijHRSX9klV=yu+c!eotx8J>VEK+hVB?^G4WAoDt(v6t+5i7%Bo#R-DU!Cs-nb9t zOfFScwz{iToK6j#O;zI(Doak1Pn~zsm@b{-%$d^s>;2AXW^j>qxS|Oi?ZLB$wQVlJ z8EPNXt6+%*!4NA@Ad+uWLLXE@4>C+IB|lPdL6%Jxj2=0-jBx&8xx>Yw{wTr8=WDg~6vS*Dao z<=LIoSskoyAMF6Q|Ep^Lj}MR_D2lR=E=^WSsoQ?TnwdpT`mkiq%a*m)xprP@@|~dq zk^)IUeT=c++e7?;H-?s|gp8*`jtnJ;m%#r{kd2YEPk;`ots+SZP!U-I+xYrw1YOIL zSOMRVbJZ9U?q)W4A;+S<`s=S6W%rBbivGV1DHtOx&JYv_6wm=2U5?y^d3t0{=B4>^ z^BW+6WSE(#L4w;C_w$;(J2c%r??2wx%xE3jMuj%BK%&dDnR z2-5)W?gwmUs(})lwFLqNs9AACFxlg$z|%j2h@k7<2=KNlKC^*&_J`IV$~^&xJ%pQf zGpPzxp`wT-;gU-lN)sdvekH+XRE#-$Q(m;&s~RtE%cgcO`^o~%1(~E^{QLr8YF;S) z>CGoKra@uLS(c%x(u9L}l&S8(C|v19I21uXFOet^(qbJ#NdDebv;7aiN>GL}c;^6( z51w^~Dz^YgIfl;Fx#(Q|{U5-`CUUU^#3caAph)SK;)P|p0WV?!K>|Qn15=k$SY=91 zbcneRA(XCSC_1;Tr%%&+T-1f(|Nr-EdD!S1Oe2X>4}N3BFK*E^PKERq>C-f_I+-LI zJtab+1VTYYbcO7=g)MM8_pN{b9j4~t5VyBGFQS`;R^&0~=Z8^Bh(j)Ro|kPoIh7im zCwO5uVi1@#G&=U5)evfkgmw z1kfY|5WM+Jd~P7p-3K9%lLG-nYW1seAD)Z0X$-h=8>eYUNhT~}ND0^tV+ zo5xlbSvU%qpS~*%OWPlc!oC36Pc4N11Xar8rTSpAX<>`aB(UKOAi4l_M31>B6D|~GT)X_r(_1pJle{FdzGpql=%5F8{i+S@ z3Wzj%l0n3S0rZ;Wa5|2|m*LUp^?>brvN$@IA$QctTUyB_ewQkX0dBjjyQT0Tj_n69 zUAcMUNhi-OL$=)m@DQPi1VfCmz!E8TIN*vKp7;?&1TiF&MnC$aBAY_glv6_ktqf)u zqZ!XM+OFr*2IRO@QhIaNBv}-jkOP9MsG7GF+TrRZ&Rs53U_yqh6)-?s*S2-(Yj1Mz zechr?>^TIAOu167fO8U_V^*CdOBqqV1XU(;)>9T8&u+P_s)fmX%#NDEO6Wo1Sx*9s zZ@%WY>{a!NQI?gNd^|Qzs%<(5C&oyz#qMFhNX&?^h%E{c00MBa0P+LUK>!XS^yi|) z5{F^x^L?=^t{v$tvhElLL*Myf0RdhDg7DEm3muFw!4j#gBEDoe;VzFz0&ju{BZh>b z!X39xmpr_#GBJF^K3U)ysxR;q__wXU;uh}09(xA+p23TviI0FMw@(Rm$npnRO;6eA)Cxrw5>5G-+BdG9VU%dyh9@pJKYh z9h#e_tckuMbhOYjn1P{mwK6rDv60M;Wo8Vi2`r5#GnK8$tW9EP3L6fl zb23vK7qhvU%heq2=J7C}mxX*R;cc-+d@U7ZC4cP#tq^XV2ph<)7iE)JTgBKS+GZ(s zOSVgrod!Crp92*38sHG6{rWp7-7(ot$x-a0QkRvuWV-;%^|cR2ITNDK)Z%Dv94=@D)4uD28&^`=!%K_&A0Kj5W6YF|JC$qXDRx#AY zHX#Tq*t09O2E-;<({h!tAT6U}rjohsMOnRvesC;9E9R<(xhhNDqM|~*b#=QTSb|x{ zuu4q~V@;05p-C8&u(K~$@Lp4n8G5n*Y4G{LaKhsRSH1St~c%)jF z>PVs#(-5t~T5F0Sc9F-j8nrOVF<2dyZAuVwQD!Pd5E{tbB(`T0EWcP8IJ(B^Gwwj? zvBMT31UaL-cc+}cJ+HU9tMz&>C%xMu)kac|rCQlB0-+;I_mrBlaRA%fXV?G#?0)|W z>K~eqSk;%^zq0!Lp*s?-T1P|??fF}cT#Y15FWrikbQDpipTD0lF zhSkxrGIIOXqSA#Lfx}wLB`ADPWP6Q6CzhN^iVQ;QM2?YI`(@xHboJI%SZnB@ePz5A zD!XsJ)F6e3%s60jkfIsmL@PDbBPHkOI*NRhgIlP*TG>p&X8pEhT-9gUug~sNJRVmW z*B%aXz^i1dK$xMhDA@ZmSWU$TH{Bfk)%|k0#2e z*kxa4W!vtVZMLo~yCIjB-Aow=D!Y(>CzbS0YR$(9|KFg{nE~7MoDD!=(8nU!1JWb~bY~Qta6a+e?n1iYlo{ zo**N~(yZPCykB#8<;qQWt!JGL(43E}BN&=+2c|-(+F?;y;Xx*Zl56Mk!udSY$$6s23 z?CPp1=T}Ti!nhrtk|V)2j0TA6nGJTj053_z_iX*_aC_ZYhntT)69o?M__^uzjXvk` z1PX~dHEyCmC|pXQMgoH@HcizP*Ng58Bx=zEROqv8ugSd(ylj{oHX3OBOoxR5i6tOC zp=$ueX>Bnu1oDI+ir=2nKqy%ObC2U^Q^U)L|MWHopFXX<__ThrJACpaDw4+x!@CYIvYbo0i8_fhZi)J?jf7pP>4e4JJLOd4u@t-OqPxs zDgD+!U4S-tGYz?mu9`cKa za;_^j=%j{O}ZQ~HC_UW7-J&U%t3d-9*IZt^W*sI)lX}bMIU;RTC?Z90anKYPH zB(P>BX<*re(WD>@8I~kj1VzY}xHUV78IzhYf~?|waa%0*6xYGo)7Zsm+Mi*CF}4H6 z`#uBKrHb|9W4`q7!lvS-O7WxazTGR5WN<(H)+?XhRf!BZ#0{Pye|If9YjzO_d=-$9 zeL0G+B&^faM#LX9@5g54Gp+OFqsdNyvFVqqdpgmvMA+}zu?2H3H^cY`lDqu|d7Yry zy#vIHIB@zRd%>;h{d>1wHJ+70u81cIGN^j0sQXi)^Zt!9F7Ez!-e_g~az*Fak*4jR zdBYX^)SV69?^YtqJ3hbj_hMv~tMhf}+v$xwLwZFfh9GbjMyduQ=RTvNk}C{NL<1~E zNFpH%1sJm=LB|+B@W9DKP<45GxhP6~M+^@;vYfnE3b(fO_*gN^=QrcY-dOgD4NKLt zlXELd4|SP-Y|!7&xDHLNf5#aweiV^!wkWjV$)c(Qba}zjWIg6sdz6bHIo^IOa2LjJ z8M4JnGHe3P(JrU0e-Pc9)(W-K)EH?FCx%fnHwmKH%1|W1*o*^1=(&ugyVgG=P`216 z1Gs$AKeqPr5{cT_t~xxYhMgQ6H&E^aU=tUw!8#l#5E z!K1@}AD)5;9{fM~U-^}M{y0?W#eL#e`s>>7!YuxC*Lv^MX$N-}mQ2m3Dsd%6@J@>4 zsrppu$vJTILS(d#ogcY4Lpdk#DF%apwV;zFNQ#B6WH*^Ts0zFl_G_wvJ*DQ3J{{Mj zIGc37u@bG;d%MQoB!}Kw2-Ve!mJJ#Lsb_VdSMu6m+K5a+CRN7`|T$s7=Yaa zBk~2=rz#+WzlBjI>hWeGp{s4)j|X_7ZWgbN%>^QfnN)CZG+XvAB#XDYm~qD+a8(VmcS z>U&u`ueNo3{89WKq-!|xb-%4P@U$MJ%eq@CwUnmq_GOck^q#gBO5bhy(gsUliM1%{ znG?Cq%Ln03#%?Eh7Vd{J!D?q59eDYm(V4)%b{%-#ZuO8SIyG@kJRZ~o-D9x2dfBiG zaS^L4tJ_5_UZa(zE~Jn(8f-DfD*+pXZem8=oKR;1BmT^ucbsUyTj#Yqd59tSb_c~V znAx)StCl0$p)YAN7nT^aQcCFR?N*pn*n-fA)BH@0O zJtsvN8x&?~gGip{?@~KNy@eO=&BH8=e7gg3OqL;m`IkdSwyG0(U3?(5Il73qk&v<48J zencdaK0m%c)~c^YE4Q`DTFp2J-V!(rMzhY_K9l8Z@^>w428kkGFnPg8TlcRzWU0R3 zm+~uGhDUW>{Lr@tlvQ+lxb+4ZWCnuibKa+(Q(TY1iQfgpkwF3ILOMw?125zioDD>j z=*$cYS$<@qSA^3bA+#{e(~((CXsDk=h&hcxNMd6gEue56SyzyZuej5PCcIfr&XLEi zJxNO}&qXX9Z$EU!SLKwaomq}YLCg{Z5s7iUw_srJ)WjWA*H;yc4GI=N#f~_ag27Rg z8*s_ldA-4$KANp*W?~-fiENox+HeDcBZNbPf5aR40m}BWBpgTmy%wUgY|;&*f-Hx+ANYUZ4YsqNHjQSNlz#e4_v z73MC?r&O#$dcJ@KfzwBLKlkok<5SYJl3{l(l|`gsDzi3pNHOtIQN zt ze!sLUkScwE3~budFQ1AXdw3b7^!Q`dZ&2ruK}qot4qYi;DP@Z>tBmgUCORruQaO9ktl}TNqC>lGg>B~(-JRs&mI-}OnP=s z+fj~4&Oxk40qom8loZwv6)mstyp`6IcI)AXyRM<9s`&=#hR^Ub{FI$w+$89`M-5lG zB0=|9I4~OGd{cbG51HoDPpaiF^bP2+w72mcSLr5o8glncb3I2skEEdPC2jw6wpWxu z#{y{wD!Omdr5_$#hBepyeup1sMZ$q-xR9jREV>noCuyuS+IEemU0cR~FHZvJp!kOF zaf^jbGX-#KoVt*jEr6IKZ~gK9(E8VJgTr>h-2;GkrW%hBX$pC%1Rs>BZAF)Q6!6sm4w#?LYS$1WBy5q$82UC}cj0l#E zv$(0HCzViE|Cx<+RRd`FT$}dQL8HF{&bM(N?EC2#VI3Io5o`2krJL6qnEY;Tvfj{O zJ&wFr+p^nE0mi!xa@f#0B3%f>ZJGK)Frp^S3nZCL)rC4z!!CwejCQ{0$=m0YEef8)rJR1$0hC zDr{VAnl5 z!jqQl8tE`EvdnXI)2uJ`g?96X;pR!BdHGLY=yQFS>R!shRidGBsaXF!m9t`a;`Ll9 zsPql5nHHYcGh^~2aAkN_Fr!bxJX80v3NZXB{rS#<=_j4&GB$ink!>n^k?o1dviPOY zr@V<*M$4 ze!@S*aj;sC*xY;>0o=3ipp!tpTP6KI6m-M<4?P6@VPhxZ$s! zh_Nb30gq&nFS%${6OANQmrx(}PiM6Psj@5tNF0L%CO5^YNL^YoJYzFEYqBW^ax7<(jghIEjE=TC>1&8lCa5si zCWkuOiEi+!wT4*{D{eyT+S0jQ+!bBdd*you5U#=%-pIrRkTBrkfFe}rT&ES9GM=gI z&*2t z_6d^5CMzrJTPIAPd*a_7n$fryvZ~BwD<^p>QAH|Ot(rAV?b<4<4z;VZw|n{xQE zC*R{5*Yia?+QX4nx!%*=_tal^O@kQ;b8BQMHlfI=*iR=duKlW z0)0yVz5njScV`674%jnj{K*bt3s#ScIr5-l_FmiC+gDy;Ni%J~(kx1vL~p-?BFT|7 zdbMmiMNY$7MW76UXe2|L-H*&E`$_(~VzB=8&uGz|?W0?u^EvqO=#Cpm-ltbdVu&Gz zVdEqYL$uGHbDJ{>zXiaaRNNoeCK*zmQJ7Rj0%aVVsRg-MoT)aH+<$0{R1n(M{SqG4 z*CkJiaMCXw!$K@(Iz}Q3ULjE6bmz~;++gT670T;Kgn@h1z6J&k+I_?5~A|3m*yW03$InO0$=Ac=T3PA=;h z=?M#+|4u=($?ekU&Xuk>U*)2?7(A(GwB@HY0|E413PZ^FgeYh25D`?$&zmz86qVXabDvd)S#E?DP zCBsw^^-vVYBvYi3CB%jZ2{jlBPzW2+oN|@srcLFR!gm@6v z6U_JVvukvUFMt6hZxt9rP@HINATx5ipuRy9pHYT9-r?dRWv{@?8GNyu5pqQWgsFA2 z(BzNZ->h72N*D-9N@%h2Wy*4C@V2{RF7lNX z>|NILhd>Bf#+ZP+3P;wD$7^vv$i&t)G6PFun+=0W4i{NETZqjQYZ3=mK>NM}jZ~Cd zAra-YL%+&i;5Gkpkvi!*`T2e zo*l?vnG@f?gYGN_#<{Q%elxA~EFB60;OJlL{o;<{5(jQMRuLNsQR;%kC!%juYY`4p0Rt=Jm5V?GK({H10>|OskE!iA!Za5ccMi9HU zkxVi_OZps{ZI=NJ;tG0Cy1U`SY#8#@h+lQ}jh2Y1yL@CTqf!K=YdX9-(3q`Kk|18E zC}-UpD$UqUeB=L>%XPz;b9C}|T{(A{QEw!v4B^w^*zv1fqvZX#0~@v)_Yqz-GGKyN z{_=gVJ;;2Vg<@ems!F0Wc@g}3@5B@t#)g@IOa<~lFg4BRLXLXWcwkS`*@katu zGxcZIb;A@EY42TpR?MEXC$J#h{zoSW5q?85-!;K8QRMMg!MiVj&W|(pV+^sSHC@fwCj;BlYLuh2NnHmWw zUQ)11^LVeAO7K!qj8U;82d6v%;q0ckva|_fSQjNG=raDAti{%o5^{%*Z)pcXuP$;HB3ekQOe5?`nK(BdobdLVzL8j zn9xG?d(M5S!Xv#Q$9HvAignlF1N(b%l8bl1!0xPBf66*qK#paj*81OqWYJ7*su%OP zSY{2*F|DfNEUoRPK{v5;g`O7?;r2ZKZAhys2>D(+34D2b{C3+vd2&HS!U{B21}gX0 z{QF_ma1@bzAtR&|NTg1Zk0sN4gNllZ~MVy+;l- zD2J2xiSl~W40KLLX9htKXhLIp$euHV5ERjz=XWuc@J|tsNB_cQBIK+5UcB4YX0cFO z5uqkjK2WvRxiSWXC(BrPrZBKiHLSJzSl5U(BZ)WiklnJ8n=ITJkR@%7SNNL-OzD=F_vyO*RL{eF`?}m zOr`}QGm6ZxjiiEP6P9%KBilucweP86jCxe8Dj(H~1n7Iy5i+iNLmr zBa;9r($U=^mExMUF=gKf5GyZ72XlBqoJ4nW8C~RKhVTR}Cr4st9`60mmOjb9PiJw8q<)$sgUK~E$IZo`ehUnW6A%@y(dDd} z0y&d4;mm1ow$$2BZ^uSDb0W7(`z3Z(7wLHKPt7XP8Cn;N>dGE+ou!k z9d@H0Ew@S8F3KD|8YivZr{8len`6Xy!=+)N7hkJrk|EB@Jom9gPMQx=GbE&@Jljl& z@AzfJ6~}!~DOtN6i?hzHWQzKGEr+S4QmG`l(rI18osIDSJ_Wk>^obJ&EL$>w`5os~ zaaDauv)naq4~7AYO}aUg*-ZyiEHfeYa7QA8at1#pkJYKmpzlG)(_n!~h^O*8FCv*M z&K0$Ty`2XMDsaj}slM;6cuy;trso%OMBn=HGW2}m6hm|6*BFzsxWiBy!2{>o{ARb> zVhLX_&aNOZF>t+GJaVciZ+#~lg(gG8G+kOtRk&H*diD#^zUfMQw84Eh;_)wI9ZS2(n_FLQ| zbsgdiCE?f1ChdBj`#+VNlEwgz5|?`)q&0Gl^Xa5?POS%xi)rY6|KWF?Qrr%u7PvoO z@C_MVSgm>od{v$1Q{~GLmnZEaZ@cF$7+q*km zl+I<)zh@74-!f$dz;1nV5G@TV_c~sg9VedrGC9zPXqq{=!zFT<%|>crtXzYB7lO?Y zw#Z~Mv2%U4oCcz=0v4g>-Y03cj{8fpi==)jH$5I+4();4CNh$;nTk_g-1xI3JyM#a+vYDz`@T`q$L*wFz5(dR%I$n1DRALErfDy4Nu_0_Rfbgi>(wd#p zsu~$DNon(rpq)N^jj0RUrpRY)@$rrpWOyYZ*^p#O z|H%4MY$uPuWApN1n^^0vlo-*&-0_#`Y@bAePGzzg~1A2?b~4vGWQ_kT}XKlV+=V<1yQ%*X)0+cgu7q|jMRQsBJmAE z!H_DPNEW5T2s<+6xQ}LsF|ZtHeN$6~uMACXx>(vQAvH}b*DD$u2-5w^Rc34~nZ6Iq z&=XBCUI#UyU=HZKUI7IK?5F|rT-!5JiprsVj2V@T#i*#G&=dOp2f#@!5isXIyo*D# zgvPUV%d@N-Aa2vnn`yf$q;epA7xRN{Q{1 z0`rNz@B?<^AD11)>u|yXnk%(3C55RQ65TJV_&~Y$#$v*y`Iinh7DOv6ZKgwQUVbP%p2B-kvAWj>q1#c&vJwl`5 zOr{zZ_Kp}iZF^BJ4(mIzsiRR))b*;FEVuzK4mo8j7@)d6+>t2P5iQ;kH^c$AXImHC zUcbnmF*aSZU&p((JEpBahfc)VU=1g0jX$OWxZlytp#0^s$0yb+PSvbhS2Wt z%VJVF3lj|Sp3QnP&N{Aq~c_YH;%yobiKl&EFply8PYCD%rZDZ zhIV`lvO?luki#Wr1i4J2G05W-iAQMj3%$o7Kr;jihmIo1g{D729t6Gw`OwiF)PRp| zK}~oW7Sw{9)Sxy37>IqqiGDZ5hyY48s^qJdpi#a`YK0ONYZR$oKDBBMQq-tcV>{MW zj8={Py^(4T?SP`$wzT|4k)l`;wI)^8pcG3Jv9dcwy@O2INMVquK9DQZ*y4m=t3eQV zp%^MuPdyMDQ_;N!1LFO+1VvU{<$k*fkw4Po^L9%<=_tb@B>|O3FRtRKKdG-k{OX z{dU*V)@j()(>G`|G_uQXd+fEZ-TNJI5Gv$wheV+SBB{`mJ);y&rO_F!kXmd#pfolI zTRfM?7YIcqiu;-F(*ht=5=Ocw7sCmXDpfP3S&kQaT;C|k7DgH-!7L4Nc_Khcsm3ONo*?#KcSR{B7XA-qlo0wE_* zrh&yES+$tbf@2RKh4_*N8j4(OXffqkniO|ch0vqmv0HkLOVgSv(Eusv9^jmE#SJHk zt6uF7nPGakc_NmJu=HfrVO6bezcxF=V(s~Q*M--nVErs3=5*6K$I|!kE~@)hTG^l| zcq(k<0n6gvqrqs7na%9$>KBJv$uF8w%$Iiv@VJA>fD4pB7I>L_B?w+kC6cD7?y%_U zdQ^?=uTaA?{`TT8EQ#S6SSci%__dNl$Plh`C8Slh7^ySV<*u}HBIojjc^zJcm7Yqe zt;kb{)m$B3_o0mS3V}9y`yBLYU0rzR>A9Zk-F=+nbGG+jRXO{NpD+^t|Mc=TO-8Sq z9Bf%$C-;&xbMi?f_+=bJ+qXH}QoYok)xAcpk?V7Yxq6O>V}-#P{nW?pOHZ=5a=BQ< z#nFlYa6=?;z=0b);CaHIxsT_G{ykR)A6Ia+;s^iSpQh%SJX#`1ie@~{Y!y>0RJ00)nm@L2l^Qa=>l2hHE zGP9K&!{2V*=TEjNVT{@FQ?1X}+LTN(C{ac~z{qdhj9B z8U!E(heijZ3=9WbP!@4Q(d&)~x|7`bT&-&Hs*sy!%I%P-;oo1;Y=qU7#TGc(|No!1 zbc}(6-Unc&W>x(v|6ijW{&ED~YM3;NqM5 zD<4T=wzMtYPh95^;}_`JX3AL0=NBm|MNs~INH-XEao=Y_!%kt?!D?ulQ*qD)i|;=0 zMyAsL)zobjez|7GMeZu8at$|Jo3^}sqW#2F7lDn-7+EK2-y_J)W;gi_;R_)kVhkb1 z@EBtRjEDgvMvOGZh?u5`h4a~06@o%&8UDS7oz}`%!%COc>2GbR=-fClBJSu z$%zAY6Al2JX6Z=RIUM)hBUiG^wKKuLGI!99r^Op>gURXk6BZ=U=9c!Uy= z(kU7ZShUpfU<4|*4i;_&W3j4#ci)e0^#z!WFkf7+C^}$IN-at)+PhLr)>vf-kRUJe zNJ3G!+YeIc%#aM)S>=F-{(CK_-vEs{rBDja+e4WX+tW#o>^Lo?1ppNQS_FPR@#}TI zziSz0_DII?^dF%DESi_(f^0po^f1JZ)L5BNal$OQ+^H zlbOHRZR(~&+NBbGYi`?s4bhza4?Q?Y>p*FdKuAcC05RLFWRs1P$tFP-k|2Q+AXtS8 z{41qSdsV0yv^}9>Q1dgRe)QgbPRyv{?pp>yapXY|Lk20<|Ns2uPHPkWedDd0E21dS zEXBYR??=1$Wlh@c_(6B04mE~F(@J7qo%VKH1In>wkS)s~$8lOtO8+iLFnyS4nEx`= z)xn=eeEXk)pmbEg98u<-t1n&b%wj3wLZE5Wv_so|#^=|VJ4ud&MB(n8Fr)zGmj{YS zo&M+hGqrtV0g^b%Rg=>Dnq|mKIy5{Sx_w`UI0-@5M5)^e@OHmxB_=0k-L+R#*ZNRy z*3dfbZrCjqD#nS}>v6y5rMdIR^ZsI9Q7olsLNYVSL?$LcyF|d>n`)K*hX$#psM`Xh zHQ-wCEHrZlvl}GN`25W8?hkbLZ-8htK&lB+5&%-GCM4Z7KuQ8QGgpM;03f+ba-7C_ zj`s~v1{@2y9iFi+8*|=f>ngt>obbZS!mHf7AV@C>uP#W>|1z~qyZ>}+-=NuY=Xiy^ zl{MkT4)Q+rLG~Ndvj8!Jhf`nn3h7f`*LAJl2@9+0jeG`z< zF8ibnC0L4riq7og{kOwd>-#~onxnVvHn%xtN=itAh)4*?IPUrX|I5v&BK`sv#n$HG z#1r)D071aYm)!F(HV{<$=?I5YMC5ek=Tz9_R8lzu1v=G&ojN+FUbr(_j5AiE^N>T% z!&2qH+liQUAlaV=1c^jZI1ivWXDUi_WT31gfdH^~G9cGOz)U5%bQT~wKrS47;&k{V z@XTMO1?ES4ljDF15dgT%_@9PhpaOvg5hSl)7tR|e1J-9Sh;FP196bU6ego_ICy%#^ zpTYiQKZ@mRkrXVJ30N({{PNXjRd$Rhd7fcUDf&zV5df|+5r5|;aPZ}Zi~xG7;WfR0 z@q6&GqcP&S;`lj%TGXtYx(cB0j^_n{;0sx$0g@PWVaz^86(ZB4FaZde5Dc0XA!{R40Q^A? zvUY!Ae*g*7s}k^GcZ~q-F#?-_M-ry&?^~|)Sak5>Bz+2pehg(^zOH;iXqwyn@5vRO z`f9o0IQzMk3l<$}^XG;DDPV};>{y%t?VkMR-q>W2&+R*y0A3#x|MwTq0+M;NFBV)C zfomlO%mIkgv4nRL01VH+^+JLM6HC@?*s`;jBOboxL|nO(SYxeqeE8W!X{&A2cGzhb zoe-hIM2L34K?x2yELFM;nX=_L!64shXPj58%te<}t5v7oRoC3qq}d(c`9Yg@4|VF& z?WsQfe)rNVe;6@p+=RbO`^TJx0CI?oXo!KB$P!s2HsTPh+##T5KsCj>+g` zODK)XQGx!Pey{#nOqO6`ZTHkr4!@JC#8O>+uvSmPS5`iy$J zdXj2X*_*g3Tt%}irBV5!;v3=y{j=gc@m%t7@fLLp!@_R0zIm0ktPG5Jh}Nv$j-R8!Xl%VMjL#f{}M zN@F=$=9g)ukjpIY74?OtP!t}HJ$ZAk%w+?Quf>v4(IwJF+%UzBeEiN~p3Y;g6|gxr zYCV`Kjs(3=8#tC3@VveJ21G?DDLK0gJy9%C%xsW|=W;1J( zZX_^Zecvuv&!DmVFK2DudSfk)sPSOe+G()V@_JjoncK=Nxfa*0XfxLoP+~s#?s})2 zhndrvldsHI7}LUR=Bl|2mpx;C*YCpZ!{9G!Jc~}nA`$)BYFUAFG3~`{n@O}_8ksuY zWu4hVDwA^Ws5*Qod~(ld9uZ^}X|4tmR4p@x_ z^d4aFpalSVq6O#6Z(+M&n`?)#ptkGsUpxUNq9k+(C8NVA#mkMq@DUKWM@rTXd1P~~!|BsJOsJ^E6fjeRl585QKN(dk9Ziu~1C`=XM_)e+Zdd2-y< zzVeyjQ6=A9OF@daGadc2CUkC|Poss?KqK=!rfr)uZ$zy_-8gnl1+KP6kDfVXXo%gm}fCn%C(u)Hm#Q)cWp#$|KVRzfkRO|QF4#OJi%n(G+f*~>14tJ zzZmhAnH{*e0Rd&JE?rHrvb!z@W&+oX3rQGz<4LEC{PKt{T$25he15NHzqoi69iC*Xl zlc-7p;i7T|m;+@v%ccf}$XlXmKsqr~u8rCNIob?~bqp{E@^WNF74jBOU@8zxaKg1s zOO)gAg;?i+bHMgKR*2P9AP)fMJHw|!at|}!SeOE6*vD|uzeFTV)srx4L|>!e5AYr^ z?(}sMNSoK?MgSe6^Bs|)S&r7}u+{5cefQOOIIn_cS+-=6IdIJFde%9k&MD3%o(!W0`yYHSO)0(V5r7m19QikDk6tzDmyf&$x1B z24$evA&b&uzs?Oa#YW}%Vc2d|jto7i(I)H4(25eo4HBvpuD2*witoMAt`t}NxNEc) za_cDX_Eh9?+12mKj7OicxhHg)u0tI$<|H!rLAtU>McU12o2K0GKa)X{P=RDn zLp<$F?!RyACG{@U;?m8$dtbw)-5g&k?{G}7dNJ)&#wp<465Zdz0ZC!pg zP4=R0wkf)LfHhq3?)&Tx&e@(6ABS_}WaXmKjCaqB#Rb^+{;rLPG)?G9*h@t>omk$0 zMobO;jfW_S3@+xB8(tAom~nywHozE6N&D+L=Rpk}szSfiderfm)`brXI7{lU>n1KK zT$sW7yqg%Lgz&t1U>(%I%83X zdVCzWM$iM}kW}DmJ9V`V^q`e`?cyRpm$6dq06M_>Ds--^sWg{$NeAq-nL~%L#SE&p zZd6ow#dIwtxj&dpbFSdH4iuplDWdZo#r~LW#`{LI4>iCRU!lmP9#P?gz8M|ySwcmq zqQ2LuBHG2O4&L9XY}%34`7mC^*&U@5@3>eswNfd?Gt_~@_XZH5dnStI3PqpM;pZr zFrwq|6rR?#eM6?gS^90z&%jMHt5V#U&DaZe+ubAAPZveY2O9CYh`X0m&7PQiNK`JV zx;E8TS6K=3bG(>xczU!DpsMpxd>9WX9CtMVn1%@-62p#*FsiEPE_nx?Z##_+R*mB_ z^#C4pBjOy^5Iy)8ix@a+uj}c-tSo{Yj<$sxFpI8U+QG%HOQuUyiL_nnn7hh*5L|_e z45k9jU>Gf>qEOR&8F~}2-uAr`igYlmre-U)NV+<3c60y z)->arNi&6JK%CEFMW*JF&ard#_wqzEc)^1^Qy%!j^k5SG_{Lzh0q-!t=>Z1V>nE}3 zrc$&ok^iP2CaTwnd+;avOf-&h69J=;hLMPDr23hWUDZ-8?s8=RR`gYjbBH7{TWQ5wW_rnYI*bj92Q_Srk2 zcPy?NN~NRc=>=TBr`hHOO8zEIFcEdAS>w>uhAmN7sJd#OSB!(1FIl_*ez|yr01d$D zebH>5qo`%LBKL|Sc8vZgkpZk;QxFj>u8Q;<+Lv2opv;+U{egiS^V{yv9OZR9EDv{4t3LUNTb>$5M;Oitbs2eXN*gn3nXw7=(?JNLO6qr<=T)PrHG!aw;sV3C%QO2&? z@j2LQ@fBkGl%hkEm4l;U^pn(6Vmu8rKS59PWMwL2(nC}Pp+a?72E--!7bJ9p!%6f2 zb*{&u<^i-paG+|7HceNtkLZf6W#hSYHMBoFVLIqX)DF-Rhi0gCv!>QmkA_SuG@TLD zRgsVZP_wLz?jflWD10=kZvwm2nwVdZA!ZDPs$;kkiY48LNryViN+<~Qy_g7xr|_JR zTy)E=1f!O4-X#Js4O6nl#K{H3s$DkTRNJf-Tkwe;W$+RYn*?bI&r}qE?m-VA&2dE< z-4)%@j4vY0U8H)p6dFaQG=K^pTgcyvIsE)(6m%{VQu^(r1@;Zyh7JU&H;`_NmL(i# zX>KFwdK1Zp08?^LPr@W2n|S5YqsqtP>jO!qBU1V=RJ$iU^Is(TO=4kFP={Kz2gJJd z)>S-tVXeW3%XuSVvbZYJw@{iK&oMxaqI}Hwc*NX7+`}F+GR60)FzZ5N)Q#uf6FJ>@ zfBEP=zWxeu`ma$ef&YUw_;9J%Ic92r8X&bknm7MJG{)@lK_Kd9xFYwWN9@$vMZt%5 zWr?WFB$X-!ak|LeA>Pq|C1B6zZDhmDpBv$|YE25!~K zJzoM;j=jmgw=!R$2WHQ5%ESK7Bw(@~m%W`qbl~FISe8er7^MAH_FDqTF2jD-P94aG zNnc{m?ETgQY~t}lIbge=k*!J=yS^gIT>~mSTSZt}q1Kwhyra-v%Z$|?T6!SCr<3$0 zL=A);+;7`=Fey|iay6ox4o^_YX726i?Qy>;0dAMbuy{l!+^BOLrMlb7GV7werXrjaAD-rI~t&K z5dQwO&YZ<*5fetV+Ro*I7hUnor*S4DPE`)&Q6cyS?|JR|@r7>`?;_b-qOf zzVI+|Q2C2710*}xiz`Ns>giO;?x`MkR79tQ)rIj#+2&M<=I8ZC%|s+Lrpzal995J7 zcS-el3)CptSSnB+m{-pFG(abX@y+H91=FMAvzkYElnw+h4?W#;yEe?_$ zs;4ZFJda9D77o;caue;5MWh3H$Hh>`YO#&bNt$bebgH&6{^bE^xVVR3yG9o*x@0i# zaA6T010L{UjyZ;Tjf6>w$n*1hbQp$n9<}1I5ew$`EM zUo$%AYu5N#YA-EOe>CpEWuVzOc=t1AeJrku^cm1-p0zSSX@Yvq_*sMb6tgn+kdbMY zM}=8k%ergAT4*Z;pk(SdDFYb z0yb^RyYVZNS>1R*;?seKrJAlt%!tlRb~=opBy3tBi*?BuCCbKpGd}4viO3Xep|q-Y z(@3cBF6H{7!{=PU{3xY-`THoz!SJdrZZB1R$3@!LPqY;6xwzif3D1fYFB_U>eBx^2 zke1C74kA*Tr*oW;wTQ)kKaJ{GBUQOIGR0#3h3}?KEK;F#L)0y(_((Zt@0mHJ>T1{8 zQbf+$WEko|J77buD=cDkl+7?PrL|lcn-OPg(4#y3o1stZr2JuN{Z42lq)4n8bH_q} zqGWBX8Q+14g!xE2&Lq@6ZnW#9pS7RHUgx;&(4zYiZN5Z-H$!L!X03r0Xdl)>&?fU_ zRiyp0rX)N~LbMVJpRGwGc&en?hbAYt5=NvZL2o6rj$HI!=A|2cYuNyR#{J&NBUXU+ zqPvO6bUvT^^i`&6?R_0)bC$#5c4J*X$)(3=`3Rx_Xxbw$7IORHj!;-hSJ&RFaj zTbS`~%H?sG&7V^Z8|-+b##yUJz`ocs$t^=@YcIxn?pzdTGy^@ztF97}W@S z$jDUnQejqy{pt=o{~Lu=QGzLX5nv@~E94#kcB5J#BmAf^B`ycbNE)0aQeXf`VWMkHiG6l!Nb%a@j2-T&%#%Y6mc( zJnNKLXcfoHl+~)Z>ts-aZ3vH(?$)zguP9NyxN}iDzC#mEup(H|b~F`e0!8OD+L`0V zz&#)x(TYmL>NUxs&zeuSkA%-`huARi9jU9-+|-8%^=#Ctd%fu#$D%FdFq&#^jPncsFcVX9n`dwQBt8!^U^m}9lv!q zSlaNbLw*06#vP}xk89Ql-(CSh&ck8VERBiN^n-`8!IF}CG;ETVpF?8K19GCOLg&!>WiNl zK8m)b^2-UY=z9gVj}$0%@M4#?(ncx$&G@vzY=o!s6l$3wlbfN!E1idR+yK9g3$C5T zHDnKbQ4C~vlS~ifQgoQvaOE4Y0nWf4vNmo~sW7X{pACV9U=1~RjA7ZyG(hW7XuJ~| zZ#Xt{Kcx-`HF-?#D0@01i-y4IgWsfbv*(~K4h6}O_jx2nwxVU%bykCnaO&J;p!f{8 zQX{sqxGItt^4J_37$8r{gU$F@W;_sc*+WLAm`sIP9sYLI!Rg?as=zhd9KAF^Qe?wE z3e0Lm786FaI!9z@{_W7mRIo+|@~jbVvbieKDr8AHlrunL$wJKdU@$8YQrJUArVvhr zS=}lZHB0_BG9b9R0OW>r!utv1hCn^z2Z{EdCEC zW+&7I5+HHdawNF}a^6g+6snh6;|!f8>@Z1*u7csiMvQdAVtk}~Aj9OD2<;yG$zV}$6LFrtTT z6)#x)a}IAJkB#-^1}AckPxc7dJFA!4zdEY#y12Q?;=50MDb}jZX$x`Si@aX7991D& zmKxJSJX9;5Cvg$PhUa+IjEOHnwGP;UIJ;nZ$w%9(7yG!U`h|k?GS#u!{$%fUq12vVx9# zB*qF%GNWJE*Mm14yg|k9rB%wH>iNE@Y|4o1=SZNV;9kPs%1@Jv#yn|L>1L`MS8W1W zT&oJKIHe==nYw@dy)fp68@Ou>r|hXJiS_fPmpXc_90CSxNG#9cqav9>>L5WZRz+e| zm+EaueJ7@0c=5GDRafxFbg zkil8@@DZ8Fq{bJ^{0$^G{_8za67l`XdCv(KD`{$LbLHjGs5A?gfN@qiD&wa%iV5 zH14thDBu?C1P&r9?7-gx?go?)xacXq#Vw6TQT*JVkB)$*qv%&~h-sqe74`x$(MdlO zfIV8U9u$M~$~nlz_YkftVRaII-b z=q$nvb69M!*>bRiqoufbL|nOXx02Wz9z1!GsZ^#aM7W$pSZ5;ze@fc~`iR;tyXkyP zFGPeW(PG3pD9Ito4oh_@)=&`)lg|3vKc>xwg%~ISnZc(TLV%huQ3|p^2y&fB5+b2R za3M$Fb7`(IIO&x0$Y6+2Awhu#18Wv6Sy_z3jy)#J2sq&rayD-{sZ}IaTg$}(8+cpK zmk&8Vo2YCNV5=Y+J7{h8i7sX&6igQR~1Aee<&a&V26NbZhG zu3gl+%DHvHe=+Rn29y@b)c9xTDB&tg)DOs^!Z1PUWc2T{hA1l@r%HZ0t zU|B^r7Fv~GGnl??&WDFYXg4-k1qy+^r_Dng^Y>DHg+(v&CB;jfV^UvbE9F)`YB6E2 z8r8%-^z@?gdVc7)+-()>xQc0fMl^1Hr`aXCJisH6mJNtB>qaI%bf?^PS9<6@-kOwZ zLh_cjn9t`^wOzl%&6YZWGI@OUBbJ|8@x}#FsS{W5of9$oDiz7#hDw-dW41<32-5IH zO!_J>B2LD@DSjKcAbKX87!@q+aCKB>42&7moTq->XBz!+yT18jd>?)p#B|PxfxtNq zXq4?|f`17K!j*lGuj3LH#E1%DF3n7T)M3dZA&}%iE+4%oM^Hd-g5~&`&HqjBDmI%P z7nIIe803c8{EeJ+`KiNJ&es{)2-=;pWSnP3Mtb%YTfB4ias-5@asmM-wjsS3b)w4- z*dsrcMIr2xqTGbIz{EXMy+uW~$#Y5{$>+D3~w6-w4IF}DEPLNLusXmpKB1u;yBSFVzSBP2L(j^|u zFNXB7v0Di{w1stW!$N+sL2^!GafKkQuvtOZGBler0OOt~S4U!bia>=bM*xBbX5mzg zm?nS_1VyT26Af!J{0!!o0|n%P@Q$hOBAOQ`ezq6`%r6#Mn2nL(V7!zRT-dh4!qB0k2XBgS*1n@IPD)1m5?_Y zR9Lol*(`CBY+>2K_#$L=6(DKmWr@eketXwn#qKYZ!x~!0~aVw>iA-S?#a|QfOp4U9DD)dSRb@tm%6v!bk!mc7n8UY^f8cZH!Q-ji~YXdR#GR?3>MO%unpC0*IW3F&SSj>7) zK`ll>ONn;h)b4#|os{iQ94gwj&U|Iqm{9CO zsQ%+qB~W8DgYj3bcOHB}x?^@K@{1K>?4PX;4*Huckt%j+FH@YjP{mFe~+5+!h$X)Nizs)C)Xq$Qq{?AX#`kgp2b%uLMznzVQbxh<`--H32; zo=iH&-?MMZVGwU?0YPB-HYn8Y`$sl*R-dq2u0_`tWA)W^kKQ`v#u0ys7lCWasAbVV$pcBS89V*Hpnf@NtO#CZL^HLC3 z{X3f>w$dS^y7EN+5ceQ@}2y<@|)R_ml3B((XdD2N#y-Bv`pOhHVsSD+U zQRwx>k;1yPP>N4->5vu;NPaisaD{Y8g#mn*mxaLSWn-bVyFBu;HPFf>X^M@Fb;BSC zAqjY-!76e&CcuMTLem#Jg4vjpA;f5>%oPX4W6mnqsCigj=LT0C2YXv*hngb{FPrKd z3-$R~_T+R2HA;Uhslu8idH@K&JaVkn{5E_vh@z1UB!U`##P z+wwaK6(oQXnmTyA$S;$5`FhL_BTK{~b)=z2OE$_B|r)_DxkKa(yh4{z{96PKjYX3{I+VH;#d`6{!NGpe!NcqRwoYnHPrKQJ1?ne-)U zj=8vnHXg|`;W@1YyC{m_BB7{^IEAogogLy^(V`(2h$x(%bww~`jH-N;<)aouUa>&C zEPiP1AS@xfzd~{I{B};D@nc&Q&PYXEql40zo}d$RLMp^k8=KV;Y70Bv$c1;9nq21k z9j=s6tk8aLP&iHBSTOMxb7jBz0XtgME<5#5>MPA|ef>mwA9kmju+Vil9rcxJn1xmg3RateS9*XE8Q~OFl4MKAW23iS@*dDQ?r8(pee1XHGNLb*M&j1;3kYaW~7G>(R$$JvnfT#f-~4~W~%=*ViJE{NFk+J>3=I; z4$0io7#Wa|4<|o1O>g_@Z0BT={Z~O zg$W}*)Ed@jEJD|{Yn{D_m`A49c+C|fe~;tf)1tQHFTP%bvkuOxXZE%n&aUT<4ie#s z?(L5xUA>&W{pto+^9_`4Bj#GN3f)b3*)kL&J|bPILS|VouY)+EP^>6F+$daJlN@UV zn?Wq(A=si}2^{YV@72=upv`5m7CGURj@e^|QeuXjqNELhp-pfLP1Z9E^=EfAgP>ep zLNRcVo7Wk)n`g!LjbEdq_Jd{Tmsii)mnRMRi#jeJ*c&$zP}Ab_?G;qW^&dTw*NRgs z7Rj8bc3!uax6o-%}2Pv}`xu&9GujFdDSf2gm@c?y%LsZ-25jxE4*K>B5S=LTd z+WGTL(+l{D1sdzEb>igp0qbe)h}-##spP?{Q~X9@lP}oXk5^0o9E^Ijpx3J{5Oyg( z%u5q?1eSzV%RQxFLUIZRr@3lM=EKMbXsXyMGmdhDIv|?QrvZ1hHl_f6^Gu=E^z1&w{pnj?IU0%krfo3j&5S*V4gB2<5^i1(`+0wdK=32bi6L&*~H0Xocw zDE5>1n{Jk}#3(wIM=ZM$?~z;*m1O08hcqImzYkCq`T(S>efz5uik0;d$5^Z-6w(6; zjzA0*XpGDR>WPLo6l$Q_b;K3&Xj+Wc$D4Cn)z*(vbn|S!JvdQR9cWcn`Y0bm(G*s$ zBs*GaR+m$izZN+bQu2}DBh)DeX-!viUv0?$&iMx~c(VO44Qpo5KDXx^>9fTz@6lTV zhi*8JT%B-Z$eCx_R7Z3#aWNm$C4mFNA_x=iHkpKDAW@XHCxIwh zc(>P@$S>C7VV=-YBV94Y(XfQJy9K}CaY_TD9E3_xz3E1L*1xZ)4nPiR^s+P1(-#gN z%&RlBa`IqmZCE_Kjdv7gXLn6HO5F$~CR%yLOBBCA3~_?ONW{2&0*ix6K}uuV9<2hQ z)TM;`(Aoc`kQI<-vg`5j{{MdDI)z9%@~ZNd`{~{pTMRsY%U4QzzLiHI`t+bRKifP5 zq&i?^Tvyp%%jV~&uSS_`TLL}Uy*VtjrJN_fVJ?syymp0t*+s&>oLx@^AIXy7Rl>EUFW+XnV% z-|odwx)LsN&im)1qQ$p2qX#&BYxmpQnjAn0T_5(^3`*Fv|Rn- z%75LvZ+!IG{~f+T@BQ-X`}tL~)>tcV{ytdvnq5$hn~*OpO@DSxfb`Ap_tNJ+-AC^O z=jf?#ev$pg8k=X@)xbaYZYZIqOqy$TWWyPoy#<9n9V#miipf>56SEk!h{c9=7A?{m z^a=%`*LHxFEJLV79w2N6xxZ3kFa)JCKf$25L8mhis2w##yf9D(mj&{Fa08=nsQik3>N{&-b_gF?SjUi*1;_PAIeG3R&5El_T?q7J%-W_wb@fQ#+R}ML?l27wjWKyP z8mPt=ZT;qCx)`6>Z2o#te<>}W)IwW8Z}42$6kOCqvFa%8q_$Nopc`BKqLmYE!H~bZ zWNh*8t+r3i}V6cd&68$d9l#1WkqS4j&*#M?DXElIA34N;YaB;d)XuhC<4$2uTn)g5T9if7^x ztx1pQOh`NvU)|6GCN974|Llj`vx1e%nWeXvzAL}?K8SeUFZM{Cjpj~guPEY^seXMb zzsNdmT5jNMbt>(9zimA~$*!0(#k5Xf;Deme#P)entq+$A7@J^u`@@>{s$V)HJHJ>i zu-o~|yS@ZZ+Q%LKLg9rwb8J6u-YE1xer*=`7)ybXKEPNCJT&;g`rB9PaMqOgj;Lg> zc&#FG3``t#$Ws!GRC$+{hG%^5tv4wt+>J?#UM!FZ3qOS+7OJ%42ufQhn=StjURoyG zhglp*w&pM=nsc7TS2%pOEgy!Ro#`Am+lRRv1V4EtCz{h6&316Q_+d*%d^*C;JQuaj zE^uUKAOc`#8Mj-o#P~2X##BUgvJz3+N_uJ{!NEXHq}8b*NW32>NR0|Nq5UXs0xMaD zFo_~S^cxiZYKb8@zjjiIE(=$ybtVJ412vI4HLl??lS&TNg6`e~u_mYR*L~4}4vz!| zgEbM4(QQQ&6QepSm@y_gJ`rJy)NH~Q=0lZjmd>OTtq$>|3v5$B|@!%3yTPq$pctFF86~H zdxjscDpovxj2iXwUqeisF&SnX_ylf3^@NFF$AE!-1N1eHJovGKMxKfRq@Br9J-(GQqj=p!B2HIgyH)=HK&wftJW2=s|)q*`^OmV}3 zkLNYVT+Rp|__gsj&>=SSvrVG!Zqo@Ex0rL127UsUA^xE|DbHO(qR-`J7xMGuYA1fs zbBO!0!{SeQHI_rXPaPaaxQ9W7fT@D~y#X@m5^LC_h+(TO$V%kuHe!Qg7U9wn1ilsb zF`d=`Fpdq}&NY^wZ#jBK4V_@9gvG?<#3*Ex7FyW z+#IZGqR*c-`iG#}P=p?Ayr48ZI}I;$FpiSCCVwWAOrS=shQ~jp>|@m$?hL!Gg2>NP zXtQ`<_E{G}vmzyB^TU9^6}0YW$|iCJvd;v(XP&oCDK&#zEso0KYM@U-WfcJ_jtBGP zG$PG&76}c7A1!)?KPV>*v>Gu{TCI`L=NILvQIkUZN z$dsC1m#q1J(T``M3qrE9yCk(awJERKu#?lWhcl)WEZQRi!YlHxR;oo`Nnb}im&n*q z2{>IKWZk?ZVq>nB8ytwm(W!b%@JBhi?-!%A#UOR~woHoxI{Fp;gL9$7OP8%ZNCSPv zhu?0H1@iRT=5qk9$$)u zg=9}7^av^YRp_p=ai1ylW)vZQW&_5 zpVgI)t23E3_4BkQ@>bQG=bh@W%+HFl?RZb#l44gS6%5zo;Op%rgNuV3k_5YXyxjt7 z67i7}H#!{zFV}2)CNPG>;`K(C9XIiI@pn=2pli5B4QRq^aAbi@sH|hVE0F5MM&0bo~5T z)$FuGsFI%8PMw5ZCrqoa%$#3_jJ85lkN>jH+N3pUL`bqTBi)(&Iy82=2BLeV4?Sb( zconG;iAr};O*tkZ^GdNF6D}DB@pi7KjQHoISXFHuCF;)??qwg zbZ)jLb5|zk2q#gwsV?}6mGoUQm3%d6&hf|Gg4L6K_gP zMB%(8mp>LP`*rf|t_(JiVhQ#AR{`q!x7JSHpU77Gfi03GI~LS+;P~c8 z+ov60aQD64H&SiczdBN$^?}V=+X;s9s zzj~x^-`n7RWSv(awDDMnvI0aiY$gI(Rux(^W?ca+5T&Ff*-zn{9C!@o?~J&^D@jz^ z2(*!O+=a22T``~qs2*p{>cE?wJfUrI@K)sNZ*b4lJrG=oyqSMH26{6g4(X#Oy0BXw zEQMfQjeXn>GO>i6|m^-t~t`I+zl+^H&H zPN}Of2w=lkb?LjU4WA3%2%@ik&nwLg;6Tj}Z}kx)FnT)wY0B%}kS8+o1b9B;LpVN8YLm9N6Rd0G*F7K3$ECX)ImR3V#>la5 zm_0RHeKOG#XtwnWmxHF1>skI$ zp&e~pWidD5(Ei72g>*0B+64trMszUo?;8FcJ;a^wDwh#2&|P%5|IR-*j+y}~lK8yR z4xg_(Fb(>)o?uvC2!}|Y35_{xpqG^NE~TC?>imt$^m;3`cPY7B$1>`L6~F(+1bW}f zTDwq}1JC~eo1t{`kCkg>A7++V8*gRFzY#3^jdh!n%cfQAK~{H_cCm)PeaBTL3pO=t zYsAb06n9<~x6U_Euop;AyYBOC;e#XHckOGrN?bUj@}I2_rIh1%K>YIB=83r8NtlSi zi>vL>zIA_Ap4HczsCjwGV!RE;wwTizw}AEH)8vuar$l>@*)GSqIGZQr?^&jRE7YlZ z^nuEd)X^|lSFJC5oKk7Eb|!Y_4l z7I;#p#-OKW#^vYBzX+PnGDU@g^9SKpfM#YKF!|?*RY7xE&e~Fg9N@YMo8kGt{8@&- z_gbSTB{eExSUUXZ-0?ZPb}+I&^Xh?6bSnxefxtG(2s|2T@}kvR@uSg8oSyKYWehNvi?PIA2X=@2Yg7*Eg2L_1uds z7klaUJgl=$I~OCAV$=nI*;N6JI&#G$Ic~xo(m;-VwO^>eP+i=__>71OF`2QP=ZNP* zFy&xIvtE_aeN59H-fs!mL+yz<$wKt@6SY7iql5Vd1Ai;Yyi!#TU?JxW62|09(za8VrD;L+{_1mQ{2H3NPw?WJsxf?fZ-pq4& zlw^xr1T_NtX8Y)S=} zLFvqtmam~6{FOLoSt{jQ3{qxYl1=LUo(K2dTG0XDx&vIEGpoF(R=HcE=C|dpy?4Al z3hW*pW5N+Nj$#@d2{EC{aAQz}&m~>aQA@*TOnx3r|NmnfGDAdcs~IC!{`Yj$NEir` zpwlsoyE1T&|NT3J1Goei08`3%Po2E~l?(gA+}}CBg)i=-kD4Z@xhBN{5i9Awte89% zk(jDgu4(^N1&U!`7iC;g>Sgfm#U`&KqSZzmC(Noeo?yS2Fcvu$JB&qycz^ai4$VZ; zI6E!bN~UIhy*Jd*?x*b0xhtyVEuzNUoKDeVQ73rKqV*-tE``!k82&1CbCx*Y3q0%dijny5BO)dLBg{{6gknU=7 zvG6@jJ=y89UIC}@{oPj7boWlZ*5X29Z@fDxD~d4H)9GK|T+8E)2&~iZKU&2VJf8%F z5l6cYYqa!Ru*PY9lINA@{mkO~xD| z6{Mts)D>!^fK)=hE*a(RH?0@jsWN0>>)GrEC#SZkUiCj~j(m!zCud2Wj59B1bjRYXoP_^@@a9I1iy*Y0 zG`a)EJsG9B33n6e z__pnJ6<21#L9{%e$`ja?l7Xqbfvq%g2p$@sz>|6mulc88^)=uS|7XoZ4+7aXK30zx@P%`mOY3UOYil<#2YvOjx)4M}#>)m`J?Bz*n-2{e1fkeUFwEgr)rFGoru? z#*U=ev#yzt0QhA9|EO{QTN2P{_v*LK<+t|*?s6MemvR8C;IK4NF%!VGkLE(=hCJBt zuptcdQlaIE#jxMm2aAi_`PpsU@ah`KM_u1KABJY1MPGHox?ju~8QKr;)LqiRh;`~1 zg!i2YY@PiJw=~~~!7wns$4lvaTXPzN^02VW2T!yn?qj}sA?CACO6BXAuj)&y#zT8= zFfYm!yqPiQvE?!0)dQj>4JI32d~gtq8AM$`GBeM(S0{dkKfgB7wJx~;$m`H+mn{m4v&J@C)SZSCi0Tc z&Bc}AQQEnRA$WKqbMUo^@aO!ID#`=dK7Zu}eoqm^$Ysx3FMbUsU?$uQuS2HQE+~H* zwpi%%V===o(-flH7_w|$>y=p*b=$Xv{NRYUZz^__ zaV_OUlR{tPl^MG5ZQE;gS7y(%X(9EN7P|Qi&OPWvq3`fvZ{C$zk*=l8Qb73h+-$L< zQobYX*G%@5Ic-0lsYtAfeZiXKZm^l|FWzK-4H0o{`o|t9Y)t21d@5 z%Zg?FxV#Pdi{r<|Hu4+V8xvtz|N4aNhUq;B>!P?8Vbur9ZT_7J&0bZK1^dcsJWbpu zpLASeyYDAZ;_mC3s*hUwQCk;p0RcuQgohq{?KI#y1(2dsVqb>0>-4Z66R#A1Mq0-E zHF1wGBfX;=;6(%+^M9*&J{Ns{*-5K8u38T=2g0kvU+~|k0eS$?f#0$Qks=^`^Id4* z+~NMT**T^jSp;kKXqg|JFoR<|A%Gs_FIn?b2B@3?T?XdIuq_}Wd09zDI!a8 z8GY9;a9&ZfTN|q<@7;Dj{NW#9_&HayPYD*0MuXs^58o#zmty~nc|g+7B+IM15p_w$ zAJr_oDP^~n2x#wDYxCPjY&+*TkL2Q)$_E1cELvUkG-Ij{2SSK+WUa^!2)?)QnmV;zRNUxQSPow_&}oDTPy# z9uuz~wDfd@NLYaj{*YX9? z=`HtW)1UrMAiQS>1U}<)J#d%%owK$0VRihRGa}oAg1Ed2y_g`mhzN{jzuzXm{rnyB zT6|^KtA6e7X(!=liw3tHPfB{bdf7PdT@r$pjn(e8>`Zn#m(Av;$I5?V0|?h zkguZ}?$5i>lLK^V2uG-Xpf6Z3H_9hC^8SS=i_{M|5tgg${&3z67yDqj)}0HUO#V5x zZ4!3uS77U@0h3=xTZ|~Z-E9#}9h}2LMUH=ul|};v-P!#}!8xMsVU26s(K0)eQ-llFtWEn=q#b&UA-m<(b~&*BK0jC{iTSvB+3}6WQ$q@MXrgmL+P@(57%OU?+O<~xGeI+L!C;3uWP7| zK(Uc@tJxH&$S=KL1gi1-S(of%eEJMp2^Tx3fyI!}y$SCyW;M=@{(D}1A)vAQevAu? z=O2dQCC628OIAc0Z$VCXxWp5V7*&UAmC}q4{(#o~k_QCc1-8lI6Z)?1-%Lm`BjAO9 z(^;H83x6X5YxH5YcFbF&3#3KxTYpZf@ef!_SmWLfyIVWSEyr-AQAFhVU+kDa$hQz~ zaZlR3v*`++Elwt2^vkE=;4VoGe%5xLFA8-kdz$x_!^m8x|`Kj^7m$b@6O82jSQ zcpKhe-hJn#|G)q0e|ljOXe^p1Z6_^?7Dr2_9iI)ebN;*N zbQk(|dKmrGy0PxBh0}4-%0+>T;ujrRRDX7!)0@m-GF%ycj6}w%UArIe_j~@L((-#9 zJ=2<~#H!u~J4AFyRy0PndhI%`M&MXVi_;&rmE<0XgtY`}(W=R6-RwG>#oSxPOVqWGvKYKsN$+4s_-IOMz zrRlHf^K?9&&n#_hZA3O=n{_rDfB*K1$}VNkpc$00wNMA6VLZ%+weTivhy8FIS=id! zy4Y?(NALcD-GXK?!de`U^Kmn7!=1PfzrdqJXm^@A+3%$XX%20qt+a#o(RU1(?P9@V z1>4Qa*)7(^Cb*4*kAsqHc^uE<4g6>Rn$HQlCEO)~C9)+t5h{|!7vh|_EbfX<@w=E1 z@AGAjiFs%KDxWPZmr9qW7VX7s$>DA)cbD;Hc3E0pFMldum2b+~idnIi>8cx&$MfRp zWw!jETH>TrKdOE;q~_ zFqY0v&Kr%&gqnDB*nDQP%n9>_IcG{u>CLx@1priV+U6i3-5vCwwp@^n*kUk7o^H%F z1eDs}|Mk<`U%uerfbeIiwG|`L7QY4vZxKqzsMc?1*Z5#&^OiOnlkm&j+GE^z-+}y( zIy4ICUtZ=(Bj`bVZWUvS@Y3x}t&2&OM1;74xi;9Muh;0>D|wU(JLQuOsUV3yQz63^ zCm$3|WJta;S|Do&#w3jCXQKIpVYZ@u5tAFYkECY5KQwuRGgqb(ldy!{awH#A1+52) zHp6lZgmChL54iLj5#0~~C_@H|Z9nv(<(v*vdCS?j76*N~PosU}rZC!3b$n&8mr&C@ zm7&M%Mv+{f8565g&`oUMp5BJgLXcNjI}e=188B%SEm_UWK^(8KL_Y&}2}b|!D_jAP zPOFYCCrx9S7DMbPXHAu0!|bW=o4^M9Jh$-#=aF@U(M6mNnBz2N#C~z^e~^wg&Ku`B zLYaWnjvlMBk=-O7I$T$6VS*o(8#`-jYdcHi2n#neeo+`8Qizf8z|Y{*2kL`_dd&l} zVa|Si&_$&XC%*68BK)@mgYp^$zo$UFq3mx#;C@#(_=#ZM=1g@bs zvyqubFmc-r9}+g;sTv_!Q|J}NJF-BP8HQ#z?~5m|EsME(8`L*ISAt`&u3@I5?eCsm zUGj1ITfJUA`Wq$U=RgW!;SqG#MqMMDSxw5sn$6xy6$?dyM{m{l;06T3u z9AW8(GE8lC1yDN@HFWz$Fs?8##4dxDE41Sd93LMF1vX!Y5$Z=K;12)2CmiHeoVB`c z0Th&4TjMYSYhjEK#r*^!M^=f|y)dQpp4k?ijP1zKveTPjm#d~CcRZD$*Ws57n~!l^ z)Q6LF%K=Xkg&3`f`Zc8d{WpvtT)P=A&OmK?E5H9=C+z7-i9`_P4~0`w(5g7JQ`*HP zzX`cOc*&!IF+khw0o`BiL4F%uoh}C8lLq%Qu7u(OP~$xar?r z9)u4q!_Y{aO^z8eqf6T=MCu3!RzK^n)S?7QPkWcT2ti`*P!xOUMdX1g{LecQInXL& z-extox__7%YxYH;$W>HwS>ZOY+j9C^GL;l*W6-Q4f$8LAv_wuSmb`!4M#9@jnB?{( z8rY)t6I4jK*4tTWw%l(vpc9s!+y-E$w3nVWP%$kMOIL%)LZd`Jj!pWW>I}a%`eFsk z;}~W+qs>8^yYp@(YY$G42({k9O(6ye1n#CNg1y;ZA@`e{;C?GuFHlyA|M{hk8^+<1VjE*h#X6w&AFtz>e7yU|m z|5up>>4A4p(SB4E6c&{J{caBb92V9QM$YomG7(R7=U1NV}*W5khFU>BoO9UY#5s`VxHn)Ex?pv{$q+ z*@@CaiRAoGoaKG@o^QPnZE$RNHzxi{xY2}j`^)+GQiz4?n!`pzB0*0ZMMm_r_eh53 z1uEnk6VV-_c3Z~9)NR=Jdt|(h-Zloe2IXb(KtA~Jz7rr8{p9Hh@BYPx+c+fXdmXJr$7 zM*2poBFMH<>#yQ<$sOh6&<)GyzV%2UBWX%=AvR0In-o$9!wFD==MdhE-s8rmQ^hb) zrxwRJDYk;L_yDGKJYxL^iAuIP2-Rd!Tnz(m6J*3UsLQp%@dGfmr`$_*3Z_kn+)9G_ zqZoFO+}?$K#(XAQL9{FhZOI7IIv8zR(d?h@nw6%d(Iw&zG&ITGMuPm#GaI^)(yzO4 zxjHg9z+y5xq9h$HeL^m*$JjOG;|mljg^*1&q6>In>)=Rc&Jv@K+$JJKyiGD*7nTgt zSHjX;y3Kh`9GNPcb}kfjUA)wScc@ASi2160acD8+x)5AUIU&*P0PH=Fh67Gj^VE_d zfAils&Fww)DXEvj8!vt84fJWVF8{v^*|Um}f>q3UNtto0ifg>?S5HSsV6Ya9xWJKB^N_?86(Cn94#gv~fICBY6Z z=i8>L8?=A+M&MX6y$756up`zi2u`{k8U9-D@<1IofF7va7b|ip1pdsDbB9zfrsI{m zTcN8Ar(%8Dz?JVnKSqf+S8=|8vV>yFO`}=T$;f>Kgp+f3Q`AXiTq=}+jljUCMDe#ErORXWa8Y+ngLDB>Q)}xM`sT7KKE$XH1 zP!vskRbTe2HlE~VAsol)jn@SSjB<Dn{eJ)9VjlkM-=J?(ogLNsEymklRhk!S~r_ zk{vx6ttoa;X#;KrKE$26TA9sOZrVVIP^sq`WY#sd6PZxDr-hCL3nRg@rb5$2=PEPR zC`sf&{5g#iPwc2tEfX(KS}Z-B?x%&=dOVGBHxGPZt{>b9Od1s+2kk68JpxnOJn!<= zMS~dEyprncpzU^T@gyMR)N+))p(i<{a1+>vqLLt@-?8+A;+**!Pcx%^Lc1;#jW^J0 zj|J3j7c>Dc3J!Ml*%e$AaE~p_#(Hkz&z{xGR6-yc6{h|kVE~IaVNM>;(YjIo-o>IH zb)K+qUdZ~jtB^nWD$^aUiwc}3UuSyazu)_%zv3sDtQm!d^aoxHb#p`f%~Blvmw`op z0;dRJ&u5O!c4m+D5c%RCSNTi6S^`INbf}=+2eLK|X0pFgIW)hWUuO_$@14-<+U1+B z4{3O8=TAc6%+KJP2OK5M47XM>I8FFaCp|=pBbDH3$#4i{^kfy@Gf&giwageB8t;_Y zOd*UZDqMtm^{Dd407;V}gOClm5+N32stT#I5wl#%5^14W=su+BS&NQ3KX9E;3~8RS zQW(PGVA}U05plHpOqsF=!;?)o1OKR%Spt>qA!d-cr6`6qD}p&ZJJW`2d9K(~@;T~o z6aC&XPY=VXxdX)qK0O}?F#xdE)NL5SwWc(rH(^=sXfy%l_iatg=PZk1^k4y|eDefS zx7&wbq_T28ts{K~8|w~CSAA_iGU|zGPK!m{;6K6Sygx#FQbBM{l~4S5g4_*GO#b&8 z|FX`iZ(DPlTrfE_V4rRF1VWnI2nDSBWEk93AE|?;=Up=&8w_V|_ee1{;m_`TkM?NU zNw@WtAW3PGL}=@+X`h6IR2_FDuzPX+51}o}*~vj_QeGRy!FRQ+?f`I&MeL z)P28U(O=d{pgf0LGB(jbd7NHmHzP!te{hVxi*m`k@r#EiL3 zm*UXM%Q8ChGe@Hi34l794#%RG*?$KW=TS-G~_OG`6|Xp)LLrRHbK~&PGAbWM>2R<^_60T;jS48 zI*mhQ)-ADKYAiErg3)m zG0UJkiPr#WO@L3{w3^`YtIDa}O*S>>wMt+5AqP{4_5G?cTK44p7XNiW|l(2+6G zPX#-ZQzI>Mt@d1%oXF5VQQkbUKyY~?RF1hBGs;-6sm%A>NaJHnd8S30%p}$#c zCPOIeflD+6a#JBcuWBnU{0vN&9I0GVGL6~s4Y|l29=bE*MbA4vS8&F%X&4GjzD{0= z8j#6aj67YPv00_Mt!QQ@9*aKH(Si$cx8A#MZ?QruJcA#U#&Fyg5Z=T~;Ud`^?|2Rm z^H4;kJ9I)fG`SY@9hl7|SFj;HflCGL7bR}S^(M^NycbU*>xi@o8pz2+4iVu<{_YV$ z8zL7%5v82h2+U@q^wwb|chKnQi5Yd#CI(}=h)eJASk^NuPF5oZpFJSph5>ivsJ>7oX;h43}qiqGK1Gh4L}mlIK^9)6->d= zs!X_@LV=3Or~RPr20&UsQm!G(_I3~@kl%%}wiYE)#N1~xaR!K?)9 zqDU~ZF?AG>v(TyaJZKD7+dvy$?x5{4%`U}x(TwtDgk&?DIgZK!+L0K@a1Rm%xk*YO z>eoW_jcrE!ESBcV2c`sJnZ0E_lQ}9v*3U|j-xsgF)by>7m!OU9jL|73w`i%k-_-_m zuSXn&ORs^DMVd5_1;wS{na_D}hES&>f?v`DDq>lxF_@d*go?pc;EZz-iepl=`jTzASH9`|#bQ^Z1}sju>4oa zs^pUo*sQ#SiT^I|bUl*1LIjG8rN93?IPlkY{F`f3H&zX=AVirH13p6!HRcK##J`xE=ttWNYa6@&%JP1~2gc?~M)E+2?$>oW2X~HBk$2uZ`$cDs`03#TxlOmza z>y@l&$i3})Y9yX6!KK%hoyCEg2kB%(J^FEul9!Psc;@rHx=QBNY8!#ZJQ0-3{!yhR zDNto|dm@Wek+zwg$TP2fzW=s*d@A{Wtp${;2@XbQjvpkSg2)DWzP9q5(#iwqa{@t| znA$@qvM4D%tzL9W<)%^?a1RsQm^c!$+P8WIH)qlIzh+`N6$WXX^LJah}vi9?JX5|gpn$o~5Sd>s#p zeIJ|3zL+Rl^y>x39b69>_K#S&Q)20KV|BU)d9DVs!cew9zCqPmDh|8_LgWY5o8gws z!X#&PwtL5wHY*A1cT~BGlpC_1l$lv0aa^Tv1{zE_;2Ed*iA%F%&6%h`yd=P;#PrXR z681C+UJo@BAR9K%JiZWyYHZ`B!LE4SYaQ70O`LjSN3WHAjVo%w=^8yF16cc<5Mo-VKI*p5#713-c!zRh|mTibkffUV)h>U0Xu@F-1A+q+6KOyEMz5*s@<_F_dbbc1Nb z4Cx%wRjLN}?HHI!iQvSlG$PtMeJYSly%J!T+l)xdXyFs88Sh{P_a9r>mTCHJm(ol7 zuk~~R9MMA5$F1j8k z)NM3?uvm+_Dl_X1dWFT5XZf7@@XssJ89KdNHUd%(V0;&gD=?Gj9F_wVR{f|{;bBhS zGoH?CHLVeA^2m6-j9^}mB+B>T3b~t?=0ih5h7v8jYHzkQzQu={8?`Q4d$J>>_(8!+ z)CL*^AqcvQ6Cm;dYHOC5%OxP65DKEQt5m#d`8(830mug;2chrbamP|dQBv~iW*a>D zd4E1Bf#Bpy`eFc2y)`OXnnashBj^NhJ(YLj%f1vJRjW0a)S8Gv&Hfq{uNef+@X*fd zNsQT<1EGg4;UWEENu@?qxeN!}*GlS0v)Q(|K>V~ z&Hzaz6mF8+c`H9v6-%v^nKP`Ci?cg!he!4V$ZkNFfY^b-?mkyuZ7jqS%AMi^(+!x4 zACmW9CEG&@&Kvk$k)c#sJHKFNt+@mcVPz_7Jw%KV6Rdjv0x`rG!MyO(bfYptIs7{s zWAwpkh7@-s9aKxMN~)|LQ3|gGqjZ3DcdpUs2xgpCgyaH95RxG}dnFngg%qhCgda0W zI%38wHj)WpCX=Lq8i%|8;QPOih4G+<8Y6^+l-;@6m7g`m(k;7;U0kfsXR?-Tq8^%x zG+CDSzua!?S$)4P01##@jAS86G|6^NBs~THNR!;qQmCyVs!E_@y{6$I+-xR>_7M@% zeBp<2{0szhPgX$KI1viJXb_)JI}5b6O-P_H5w@ES)(XDYgSD0bQ*C@(b{9uh#1&`F zDjq34xYqKkXrJk35H{orgy1Ue%41dgkk~LbK1F)lfsp@y)^tENx&%;-^YS>ekA} z^nBV51t-8zm6iG6bTcg`XFx`gH}|f~sl++9>$i&{ywx4EZy(Zq;Dq3uT`6#F;o}Ch{H#HFCH%j42=e=W+-dMY1B!o3XAC zyyyTm%@6`puoWyE)!^}-5)v%UY=)BF1--W=!0iDFPI&PxPX-h8TP2Y}OL0I{LbI%d z3L5vC_r_Qd1xZmnk}i%yT4Cv_?$eF=C9{7+19n&Id+XA=&%BAM{-Wdk)zaOmN#jCP zmeRhGLvM-*E8+t+DH8hwIP*~Bd4YBBOsm4BFz3=R&agOcF7gS=t;2no}gcqbEU~G~wpcD9$}HgrYe0vr7c{D zRTp7b+s$yNyzTdT&N`;k*$kR%CXp9SQD_5?e*@}z&1HmQ>sxHK7~0A*j1W-~+GHd5 zMBty~p^$m`X%u7M04ygmrBap~|3@L!wT_Tmc-)e*BU^FXHCjC+>RYzn>h?E5A z25wmZV_F%5NSa6i0DYtatdfaiOw_cXls}WNbdsl{YJ6KQbU2SH>pY=I(+DGx=%Q=H zreN2||3CWeFSq)ZR* zIMi^pqdC6(G7dFXCVl?-sj`0|07^wMZB2H&BKO<0-CdA6C(p7^_|B;62M1CL+Lec) zVP~W&6I2QR;!3N)bIY$a*lVK|ZqD}?-{d-P1f3h;oXTQ&r87b;`m6DBkX3BVSz+VP zv)&{=-N~33A+k0plOrU2c59@r)5YHy^vvf*eI*Nq`?Clk?wLJU(bF#L-^jjriqOQw zmWm)$^~c#U)7k+~&k2Gp^j{#Ywl@+|{Y}2ZBNK)tWCPB&>{oY>J_KP^-IPT^knuz8 z097qEVF*x$h5@jeI%X^HuhmbN<&(la{p6VQ&3o^?d%Y?iVig>xSE4-uvh|cIwKB^2D}R+r193(^64pF(cpsYve)s94(nUC+t{KX&uu^5i zugHpMt~m&A6(7>K!VV1IN?ajN6TnrOrRv&BYL_<_DNc0IR1~HJrX=$3Yb|2jga|@D zXsqKgyh*Y)*G_;q79HCJaYJI>!2>r|z$1+}q7$7B1HwTY)s*ox4R%63RUZ`TrfmA( zN}FIOlUDvbdBAT640}qA0Jx^ud!PP;!qn#DB=FHh(yne#XisNPkzR+lDcHYVM1lDL zUERHV=R~~5xQ))>yWe0HKfll<7OZk~eE6RJ=G`;?>OQ&j2Vq3|-&9dmka9%|Pga4e zIY;M|2D|FjzqU08A-Mm<%3W_h@IC?e;pcCE^x;SEJpIA?9%Yl$42jWd+C~TztobE& z4gOK6NlAC`V)gaC-m!1!#WT>NsFDQo>49ob-vIX;=bbn9+ZcED|M>uu`+0mwGd|t+M@08DCpX&IVH1-ll z4ADQ{@XSYuALiX+Sm-Ln)c5i=0DFV+tcy-p?PC>ehK_>hp~C@t@hE00QEK4uR4uN_ zI9@}CTv-=df8JgjUYf?D|$%J6;MEgM@3~FOd@wS2_B`h z8xm2u6D;=Vd8vF`nE+_GQ7-2W8g=~r57VFTiWjipZ}|4Y@WECYC^yWYZ%h|@VR|JTTH@EBWsDsxac@p0#uCn-k|a20v2U6IX>F28b}uXP z!lKm#*;*eAY9fij%f07o-X~>A&j$h6inDo5|NY^gWqG*TQ4(Es<~7SC$Kx)Soz6u0|aCoj_z5jw;`>o^GO4#MJ{X1x}b-~YQ(s@T)Z!>KiK#<{|z`3~!r z->9;N81sa$tkao;RSD)qzGxQ!Mg2}_y9vfjGb`2ga9fq7$%a@G(_eCH7d6K>uyI~M zoH1_pPOn|kTg%+%Nk|wbj6Lvld*fIiaWbL4bhCeYyxEF8<}WUrr0?Iu`41o)C&*5BJ7s0J5fblUxhFrt%=Twi%z#2cye{$e!gh%mU?jc zq2q3JEF(7SH0epZ7A{^H+AfCW0+m`I41%vM#wNM&{H7NXpl1z3sbU`*4k}=%iisL3 z?g_}*8_z_gVccENk|5Gjd&-MkXFDy&sav&=2pB?HKcP)e=XeDD)*H`sXXh4AoZ<1# zATq(r+{t#?EGQwFZ-#syg~+uX*8$SuQ-5|9Ot*9$&qh&i*z&jN>e z3u@Hy#u7uX?#BdU5~zYM zs;zALwCLIv2qcGp1VcjWlCRe;%Az-@oa6+s;Be=TZJFJRY_6e~0b;(;i(o7RT+i)Q z#|9ED*7B|&;=DOJAxOR3IwD0$v1ciaA~0EdoUN(E;NCba$gWdv;;GPPqd%v^@U#+x zR7h7%HQ+`Y)Z(!wO!`-*kL7RzZATEo+q!XBLM^C}fhnPrHGpW2sp zurK)pc_#wqKE*A(5!`o6-H`mR79?DOh@=q1h|F-?-4&I^^_O$UPMiQdO-L$hU0(RH zO$H_eZ_*hztnSfj<7Y-x@5It^(i&cOknE^Q!t=aY!3&0YKI$9D`iKhwV7*kCgkgK7AY2)XN2L%I}W6bL>m6^UCB1cmFbqxy!8s4P~86O#$lHdU+PX6Gy26jnDMdEpkrobEtw--(_{Fbz7E9P@cm2(m6yRe| zi%wfYNfvthrRZTQzT7g`5{ap`5&(TsqYwT<5s4r{rQJRiSO1jnE52*)~&MVN%SPF zB7|P*U`hA>CwCaJXK$l&VyDqcTt~{!U?eGeujTmo$=TRz)1*|dH>cKnyJ2H^>ED;+ z!fzREl0~Z1G;7Ov1K{Z7HBIz#gvN2cdX5fyhNCpm%aQPzyMeqLjZXi0Ng9wCkTf^1jCdW2zciXL|jt<3Hu~NMwEcg#3QT$ z0WgGGi0Kw0JvHVb1C?ngU}cC!Ak_c^B+@YhcY!d$3%femoHn{_@%iKj(1>@?UU9Za zwpXlZ`vll8nV%$kMT>LDHu2)b#~N-nNqr$aWWR^AAXfO9$&AFOyubBmhkG)jK_f?& z9J^1EENv{{B@WNOb!} zq^Hif=DOAXB$aD;w_d-B(q}E%<6dw7x1NIi2R<)GoP#QC;xFE2W0Vra5ffzwepcmw zlBGDpTZe56Q5xdiwo9e)sn4X(KUV3e8+MqWwNsFjb_tdtQ9{lpYogc!&SF_Ag4h~gy8Ai{()F7l$Rq|&CgP3t<}4~yk$y*V4F z3l}e4zH;^2^&2-43`j<%2>h8@%5hb!Eq$&(wwN`z1V^Rtma1wH>`|#Wb294{7sY*qVP3=iq}g8C0wrc>8< z)c<<`7#x8_p)pt-ouZ>JN`u=>%t|t9P%csZXMtwHiI@or!5fMWrR1nMYtBdcy4bcOK zneFcC8uxb79)db#{iS}_w{Qbo#dbQSp#Cs882D&6V&1_a5gvxQ+9haF%MxIif5Kmc z{r<8)igbTJ4)ivW>q&w6wG-LQLJ3&FK^+Jm zwhV9;A+AR{Yp8>QM#G2{Wx>fr>ZHpI?Kwdh+b}I<9U|yK2ZvNLMP=^Cn)wirSlpBg zJ?@ioX1<5@HXQk5b)a@Y*VOSgL8MTVh7A%j5(>sz$i_*rmb%y4_nSiNG^4ZXlGzBu zxRwNHEk^Iq%jzUQ1f@yrJn!fr-iL1}c_1l}<+mr&+^5Lac%f|J27Fzy1b78ZZ=G$vgdvKD`$4AI0rQ^NW zUpjkE`r~Q1<`+tJre*z+Z9GcTh_8bm7u5X~fhrZD(STO*N+~3_uJ%D^gr@CfDXip>}M{w@3~kWC+|NwYdy}rq^>-SWJOe?bb;Y ziGkPKNFSu?CQP2vljH5+2N7;A&WMZzL2w+5zZ(M7R7#6{n{O z#Gg2m_0_4i$&Rh`aPMho@_w~no*f+BY=4#a0l=5TrDx304-D6ZQe>7&SxLrA zEy%TZtdmJRCoLU{O+hlSe# n2(9rG{s=Adns=eIFL+JUL&fp`E2sX)l3(vv|4&*@ZUg`T;X1QK literal 0 HcmV?d00001 diff --git a/site/assets/fonts/space-grotesk-500-latin-ext.woff2 b/site/assets/fonts/space-grotesk-500-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..db732c272dc2d48c5600b88ca24d2206fb123bd4 GIT binary patch literal 18940 zcmV)0K+eB+Pew8T0RR9107?7+6aWAK0J%H>07;Di0RR9100000000000000000000 z0000QflM2~CLDrHKS)+VQiLZ4U_Vn-K~z{L9sr37FGLXt3ja9l2n&W>05IeP0X708 z1C2BUAO(bO2c8%V2OHO_XQ+AiNd=8>tNH;0FEJVsdmKpU4mm1nC?^$1_W%F?=O-H> z8{Gd6;Mts0H?^`Vg}_V<(HX9o5l+crk!B2`vshsg8S^~m5<_%xvVpRgDN;^WF61hy zMw((ls==o9yy-<<#Lw3yB^O6Gxj+(xm;nLvjV^(<^f=sN)BIoB!tmBH~36 z6_hbVF+dT~A<|w#(!dyE6vJo?T$G#Z?>6oA-(2M1+jmhe+GW0ISHAW|℘#uhC9M zoE;HijWx@Adls?N*l|wCnhCQiNXyV51y3M^m=i)uLrQq+J79liua|flCzO_0fge~N zY8*kD?9c18dIrhzx7c3@mMo(TkzpKOAnbPUxVtir<|;0)-R_E-kTOIL^UwbuvES#t zED9u{1ma<~EGyx_TB&7eBIEye-ZuZg2tfk%YxYcKx18nA?Va)UEa%Kp#Gja6@zMgt zQV7AuN{cch23a7ZBd!y+T5lU5=m4NRP-t!c;Ozv_VXl!%qy|Dt3jna- z!~!Pt2lr|8a@Q0_MmWKEqt!vdIq=XX9Mz& ziaDM1V8NRphGoKts%1aoV!1<^6J%zvJhFM@-%W|&2)^K9fbyIv{BSw zBihXl_=;Sv4Sem2pN!74D`Q?Ce^zSFQ7C=0XdsbITYTC+54|&l__^^3A?7d$oP4{xkW-;xmQ))cPoqdl*Y~#h*xK zTsbdkmjpS+7q99N5Z^0&C27-A+ci&UFX^j6XicC8dIe6zy~%dlQhtN0BmOMMfU%a4 zL$7Cu88vEKe}IX5m`Qr?A)> z2Hkq)=(mx>W?PimX{QRi?c;R70acE=s@nC)FgGZI!uj|iR2M=^pv#3O)YYbEx@*NG z#`R(o>qep^8!t7Odl_T)AZx51myrxl%8Jd?@-ox&3RCE1rK$3&nz(&gdpbBvUc{sBeb(YeUxd?a< zR&o@??^g3yqfW3!&AhZ&1hJUrqq84kiKVEz`o5M~j%r1pWTn-7tm%j9wid~{zK`{K zA^QKEWWXR_LpGw=WDBybM&N}r(Cwm+x7%I}`x?pq;H6Yv?@uB+&HssW#yQ@uxC-aG z>u_$m!_O-da3*~N^{sE=eCJ1t{KT@tuK{#H5Ih8hfcSua$OsvNgCZz+33JVBliLCk z_=1-_g+L&XF%nr65Rvjh4fSL;B&qV@!>33`>WUF{B~!th^y$tTgE%)1a^7WL zBElFm+%V2tN(04RZISNvL)`ZO)x$>es8Ky`-k$VBJoTKn7meg)-`gu6LwvG&nomtY zy!KvzF!@3(TwA-qG3;-~8~hVM5veeK=tVs8n;JFLZKNSYfPs#!~!SI0&{1G9eM_^=3WsxVKqsA;H8ie)6 zkYKY$q;vl=(HUbT&bvzHx^bAh9?*H@Iir_8mf=(H?9KGNN zwai8ORgmi{5eXRF3nH3%s~}yk?rjx+*M*^Tx8r2hjn&p=z%v`fvCzbum(YmkNu?LT zNQNvnd1l5FH(Q7ez~aj)yVug~f*VffK=7N_g2fKL8G}RF2Hoi=S1?^0b}$OeC{=B} z!L~-|u)(y7npu;LAIxc9o#3c-|N9O5OUJQi)70_%_X}%cl0=$?jg|y#QATY$XV%-A zKMRvD50g)_ml$$I6@oMv%V<%7klKs{OYTFt%g9ctC39*-8^DqHlfHeC?1(#Zoi9`snA@njG-*=$Qr zCCcg2b0&Yz8e`7oygwJp>ycii3ln zCIHlvgtmMssep{hQI2t}6P+}>2`{n`*6YzX8QcKudD&>Q$Gi6U zjz&J(V8Nf>65;d?0&3l?*QeKE>Js1;V6Tt{?0mN!u)wr~=sK4rK9e+Eu&!SyRHS&i zWO<({U98+5Syk;ERgF4&O?J$2C!EY=biRS_eD4Q8=BK2Yf}bb9JP*n9A{^jnglsSJ z0wQmuiO&XL^<|M2n>eiWKSE#;#%YiB4uTwY%#mw>T;Ey>l<%295afMRP%pUPs%tS# z=f{UHxbl$$VPf#KDsOAJxh0WAZ#4)K96to#waipK5Cp|G`lDM%FCG5*6`)7GUGWbYk0_i?K?q2e0`NGYANs zPn#dJJMmgP8Hi9rQNSJ&HxmuSIYp+X?Z{$lIYu>lyfqOdaZ!*eBU>Lo5I{jd@5zQSIbE!H<4eCVjlACzWeivg4}l;-fQ1OaO1N7tx%9>WFeykR z5d@GR0-ypVIHU)Zj{^auB2#-&ca$Z(K5YcpU@qF%THt?IM1HH|j4k-ge^a^+;BFW% zY7`vXBT9BUTVG#0I?_jZo%gYfrdn>TjrOWKRZwryd-MtYM>5fnA%P6#dT^u15>X_O zK?yaCaF8-EbKuH?6&v>bkB`OwOY}cuI%NOcz(WE(?7Q6z{Ph{Y~H_AE3w{zNN zvddod-y?;5-@K`-)c@b%ahp1XDSz@qjsSl2LM#DrZTutdC3dKf)>@auxFAD7P5x^1 z?pU2z>MNG|d)FoE&5G@JvLD@cH@{dp(-wqgSdJf!pD|oM*79|LtMtrueQB2{bnPnA z0RD5cokoe8BxxqrB3Y{x?IhaBc*u27nnPtSwfR!bqc9t00gZ*U7P*?7&SH9<(kx-H zl-V*SU5py+XR+MfGOS>=(*3feTP4eXWLm?f+tW&ATWg(q`{YG7nXSrgQ{lgywwq-Kml2hAs|6QR10 zBo~|ERwj3{`Y@MItMw+2cP;c=!~SXO@2!8&eN?51+&-=PCP*@J8{toEpx9#`mDWu8~=Wlmq! z`RH-H_+ZAx=;*k2@u z+RWouX(VFkqXN$#A-W+dba%v0s8oV3sX#Js`-NcJa7QBLt<(g!29*&pHHDYpmcJui zwK;S88~0~9gl>ShTt#T4;?j$Y2hz%2`(`b8TQ=H=Q8a_~8U-B)^=YsZ71gr!?YD}J z*(uCljzw2yUJ*bf1Y1Ntcz&9TAn zWgnPr%-}G|t*9rg>UkCB^L^!%FN5G3XT7jm`CfEK>#)fAG_-wIXPI*xp}2RtOK%U> z_ZvGxKO8VsG^!r`+mOW^dJ0{O=%k@E?iKph7)z9ebBvN~&3=R0itaLIf7rP29m7k$ zLWZyxn#Asn{X){?`+4)uHVGUm5=SP{MFAre){D@e$Nry3k5x|#`w$zVl>1mAoMIt> zecf`>|FSfyQqVvcjU#F2UI;Zs>QkYipKIf_uW>F)SS~^zLMR;|Cqbm1YL0INO(0lJ zqSBj<(1zv~X_f0%O;e%*_pRJe%2JhF>h3@o?0k~JOTww~4dERLRnQZzqYoDAT0|lh zNZxn%Ii4TbaNy@G>M1M3NU|>1zkdIZcMRbMIussBl52S=2T*w9%STZaQu@TGwz3Y2 zD4>MA0(Wu5n%W7)Hc18yL(I-uM{ZEzd#6B>5r#_LqdLr4iyEraD}+QXomZGaNYvk0 z116BFQq%WcN76OEj?dkH^~F%0{GdS-7n$WLixi34_Fj4Ts@qr8>>|nQjLX5ur63XO z+He*5o`r?qAnvM4P$=DOkf6Rn8imZLBLLOlt1;8@q9OQwH&O%37d?@|no)|>q34DH zP!GPfYvO~qJaexVAK36R{%Sod?Y`TFj$8ZJckm^tGh&rNjEJJ5bkmQ{5li5yFtOjv z*OH>-tvU=%C1s_+Z4&{S#i}}FvN!wBeNs%)q;{;F5nUk3N7(p5S?`Lb<+kr{d!3*Z z#Fr>UT2rOxUl>56=xI^o6hn18XFnygmcv-Nx++{UJO+~JttVO0v^=jn4A3&qz`Lu& zf$R!2vZkc(@QcwRg-80xAg~0rw!2yG8lq08WDWYmRG_MxI3L3sM?>yDA_#kt#NnqtA%d zA;MuM0FT;j^$os3(jn+}F)W0`pK>;+P+!Rm#Sok63s#=H&2u*F*CGwsHB5K=+TG8# z5{n^&W7AcC0!I=;`XWHouKJ{!WTt3?k8E9rHC3b7wK8N& zTWNu-qfp#f9@e0iIyPxf<1OBzAFmXl!bv0zKf@W zG$Sd+)tE(MN$-1b>Iq-onWr~7O+w^Kf1e>hbrpFe^~Qc}M%Z^I&V@N!?X%C~Jho3{ zR=$XaN7ChpSHi5nc9o z!eC(pVs1qsA>l+=Rqu0zd8tul&!L^(L~9bI^(|7;s&2QO*c{2O&82M_xC->Do1v9(7QO4{*JBwJ2Vz{LxafCZrK^=kmx}_< zlfK$fQdB{z*rXi^1;wdI<$}Z+5=^Gok@Yei#*}iMo~)DW9}fp^2<)|>Rfl)>s`%xC z=@Nf$(XJSQHZDPE5YAwU*$EfY!$t8{&TYO|53-MaryVS(~^WSxXV1`L1ljl|o($bm|uwp|3mXMO5 z%MP1iF4eAZRT!qf%NmMeQ!FZ#vY=4}#HH`#LGpJ?!Ah~Z#i{i<&#~vF&ccEMXJP51 zYL2?TMGQOVoz*lCqCJBhry$w~HLvq#_Y{I(@ZWpVZH`5IWt2)lcy|pmDwlRtOPL@CgymPudUXEKFugC zo{9cntQRCC7?PlfVsogCXn}l88HbKfT3E^2TBXXJfo7=P6l5mnR@Ih}O8R7OPBjv# z49OH@lQOj>gPfV_rbeToTrA0JI%tT&jM2%-xgwE6MN%Q6CEMyVn-8v&<}Ky}pQ5Q% zsu})#soZr+jl|5F97p4nWAXyj=um4od=yhC)+V*8#e!N@?gq6%Un5o2SvcEpg*8r_ z-l9_Gf0mic`!l8-pIMS;F_+~*>i6j5>c(1yMwXhT&dB_jbO{#5eu&=q#>|pv>J+M` zU)!ZgbrGq!s%nF(Vp36cH8`ZcyC)Cmnd0R9IB~v?r;M~^>2=mw6|SF3Ze29?a7@TC^qoeiQkar|MhRoGCdtg>n-VjWM)9{Yd4|Ollj4SXg(y8+ znc2I|0cqf@kW8^Osg-UkYCVg$VU|Ay=4AV@zWVudGiPsXs?(U0>$0GR`5P?>(i9D!&pRf4&d6fF z7N%8OfD}_5>DnUMazc6HfaE|io82k_nvd8qyoFg=hKN$|O0ci-YjxQYzW8G zln}p=+qWD-a?`D_W^A!MmB^KINjmutiD#A3zDIXlkiW<}4J#tRKKcAQAML4k`FGOi zHzWHx=t@`2rKka*ic>2Z8e zJbiw$>yEf3?lqCsG3}BXHoFFh+!fp^UA&g3w@Io$6)hE6&fJdQkhodwc4cQoS~&c( zKP)}`O#N)C`7kInVu2VMCEe55QOm{4Z-u3?MvM;exOJ zK3S4rC@lmXWx>joODf0ZtKut4>Z__EQ*p~#Qg;){IK45iB@6Kd3s)>^*O#2J|EqOT z#g(aUj%Y%TIuMzz5XTTfjRLGP6CPi;oTt_?Q|<4!%VXK1&b2!%Wrbz`iuD zH)EExPm1rNO)J`Ze`kg3PgNOO6;Vp$ZsGI0x!brZU7Klk!)&)4y+tp;smE6 zs3fuKK@mq(XJ}N5QH{Db>PA}%;dI=>E=z7cdJ0;sIw-tJM>U~G;lj@gPj;3SC78_+ zE!OX^jg`BUyI}iGc7%HPPmCUXF)&~UBa&Q~Kun8y7R4O72#UCcUFqD;1B#!!JO(a9 zbT_H6l8oP__)LNBckq{@Wve5;=fd#2Pe)KE0|I~d?}nyEKm@Fh%k456yK+ojX{s(5 z{$29e44y2D$0+kagp7WN&bUoyoMq6*Zf9d5_V--zV>HCeN6m`|1>=J6cM3EDXqM4G zrZYaGGwv|xca{4)=j?Af9b?<&<$vkqy7a-7;xsV~rxbN%q<6vE-w98q#MKVTcL6?H*S$__zBiO7jX9?84CdMt6*1 z8dQfBRu{BY6lEGvu3eR+Azu~wm$S}$C$X=X+`M@s z;DkKCL6KCO=C7s{>AO}L_l{v>gVR$O1>4ZH`*%ACW2z&E29||MILnr)rJGaK=|#Eo zE7upWx3bwCl72qM)VEeB;x*i9+rmJxJ}mizQxboL_)}=RZP&OxDVdoeUJLEFvD>cd z^3qb$uG@Rt;^eF;*J)Fl$SIgJwkT}ScL@8MV#s%R$X`4x9%|ms2^R0*h{F7=siR30 zD~azNNau@J{@TN-~ND;OppH zF?_W}xm_52oX0yJ4ar}pns9rjlA0fL3&Jjm?Mi#R(RMFYMZ9dL8db@1ow3Sm%D=^b zU&bz{?!0KpHEPJ3O;yW982O45&JB>?x7p1m6Sro&FO3pkK_f(IiAG)Khx@_$`=RIJ z`G+3v++j>rZk)>sLTC4XqMq2xMVAIiWQ*vJFzkm(o@Ytk~;*&OJ}^NJ* zxQJ50MIjXfw%jMbztXtFm|>ZXfKPLBNaZ3Ec7K3xJn$-ZyhR+}LtH%vLdLs2n!FS4 z6!;YsGLpl1ngf?c5jyXU9dGuYAdIOgp>hge0X1Y@2?3$w4hU!&Y-X#)u#`i>HQ3G< zS|Ye@Xg+tRBFz23C4qr34uQ3B8z~kCbi!aK1l3qNglo+Z91pl5a?GPL)e^R5&x0ee z0XEsj0#E4d!aZQr!mWGAuaJ=9;Ru8jEGb<3;UI+8@=b{7xs(sugK2NTDBOo>HI5y~ zv}g(7x{|Y69pSX8)meui`SgfN_8#Y#K}4^k>5PIItcS8D#fJ=5aDHqZNRH>qD(I{4D;mt z>ZXwpQ0KAC=|ZA7zZfEVwF~}aF7yFJX$z^Puma*b95`kKL6$I{;|qi#h%cC{jN@`@ zEdZQ$xXDhB_~uF;((p8I0A{o(h>rEV#yVw>qEB^iu7zmx%#t}wc`v-TcBpp0CjMcR zFo*SDS@gz~+AhcPPK566>SMnmq_d|(LQ1oJox;03ARMY#lj2lt+AfoC!?P^Jq-Vy+1tJba^Lcz_PtPYsarzX&p-=T z`_tpm!8f$%`&q2?+Ay&BN1b1{O@I}e(svL3s5%~pX+R!l=4m{KTw#?=0 zq_P}@#!vO(0Gy0I5hk2P1*>Kb3GG+;zVwy(D4|= zLJ$1ND)}L3XP7mZ&2_pfbkY@8Icc=kSeNZl^yR5c%{}mW$(^62c7Bx)S`PC-Vja;H z5;ufyh~=)8!R;-+#q16To^tCg>vZNF!~kaVebrGV2pF^Dou4V3t?=?irNhzaPKyn*#V7^6L$0Soz=%up0Ku z+dZ<%IZg**1y0|-c@}VGRgT%0LyofH?2u-9$t^wZbd*+{Ai@VwheM{9xiiuyhqe6M z-$cPzQ|am&o0$2WIO-W2y!V!I%-_DZK}aD&!fGGCt#K#!eZn4qhZ!Gw`}8f5+UK<- zQHkV+#gmro`l_kqbCK&u$@wjCT37pz_&DSm80KFn zffw|+Z%64rPU+y)uute14ErBwKPwI#p2l`Q*NBJ|MN16ByvK?9vt^sn44KJqH1E>L zsIS~f!7-n_hb+KJB4)z%Jxf2d!9W1V-d{(uDuz{J9G*rDSTDt&e#8 z?XiHtJhqL&(Iz%H(!}bErj5E$b`Kn;%=wkNTKS5BRla&|XN*EFNgErS+2W~WGwi?1 ztXD{!u0XuR)lE zYwrKsYkql;JO9I0X-8h)eskUb>bD<&6W)&B_uIYwpMT%$7w`AecF`9A`vdRl$XM-s zhdM%;AAQ$bSfHF*<(q2ypX{BbbB)2)DCXL5`MQ$`lrzg%KgYJVs}P|ao0PM$cT#Fd zv%n_r49WJ$ou`9x2d|wn$l}`C2#}e0c?}5{tb3;mCCxq9r}JB zWl3(kP4*?(H+NP@YS68l^f#Umq7Py;7EWrlBon3IL&{H_T5@!vjIourOtlp#$0ppT z-RjPy_9PEf4m5T7NNSf8&o{p|eA6jqjS^Wp^bvLEdZud0!qOi=Fe2lvkVWV+%aLk_ zQFk^orAJ2RFTqiXwnipfQb78LGB!BKY~1G7HES1v~Ia^&|ULcNR$|$U*tT#h-ul*BHpx>Cgymsb~ZDpP!p47gy?8qFN9f zX=a(uzrq4_mXwxH1-fxn`%gZ9dJDb3S1*b{_dKmFj08BA5O(L+*Wa7s2CkAHP4yQj zPqW-o^2YjHiba@g>l<0sXt~e$-F7!-bAkY^wkc1or=*9rj85ZhAPT&7&R_SJjvW=1 zVDRX2Y7cv7j7go?8fz21sG+Cj9>LXadqri{hCk|G)Sa%z$~P&R9SQ&P&q{$bs}07@ zwq6Ct7;e*(-lGwz(N2T`_ACv_#tc0O!?6_DVBEjf0fgX#ds`=Vv@NU1Obk1c))25< z+?sRAiMnvhoXtnF3n)L_N?fC9q(P+MCBuy7$lo&(+Dm?6F!`rgZeycW9Nor;8mN>qCNvHB0A5%gYf7XTQ}%oBLkEhSl(8Rws@kcoWdE;qpr7Fj1vnH?qtUEE@2qWi7kd^fk))zCh_D^uxAw^tCS^C&4AHYbYIbfO_m zYEhed)us-0sagFhql$JlYe5L(V>(g9lZ=Wq5Ev93655Pe(`L+?3mhr(ppb|dBtd!d zW?Hz3%Zw zo3|z*r>do#zIUueFJaPY2aldSd-0kZZn^BL>&{+z#Q5ps*LBm5d*#==A)=|hjX z&N<(Sz<&X!+L~fz;n-s$a@m1pcX`4`eZ%+t+=##VpDBxClA1b=N>nnIZ(Dv%w{%Z| z-s@Dc^0g9bm(-~us#6D*RWr34w#E*Fi9=QzK8{iCdZn9spceoT2p9y^7_g$pj2#a+ zPBQ}rLsMv$;|bot4?wZnuJ&XNCQ%9grB~Y1os*k|&C7@H(#%@2*f@UBk9$fzvHY0) zj{Fh%WAgswN0T2ivWFAKnA+&0bzn6;DZ&fihFJm4~-rj{pTe z4*;8GPVvT4x!avJ>2{MkYc>{ZNpDE^e2u01{Z{5|(M(sJ)ib)=YwsZQgpS~OVHhxt zq&FB(1xMIG*a!al}JETF5VyLb zLIhp4$J5QmRsS2gvGt#qE`8{!vmseF!cQ_N8Tw@mRbIzo={eJ^5GCo?rEIY!mfDKs zX0u723XwJPPlI!tQN7cUwg*cNg7n)wBesnsS!X7;?`Nxi=G((4qbU!n?gt24_N6ey zo*d}uiYfy~`)RlEImZ->>vUY105UTR1EB%~CnZaR8#jU!;m4AIRmWy$zuxga|EK=j z?LZH6aBZ{%Wb^@L5ZF*DAhD0Mu=41}#YpgwFzfx*(w~l-4@CO%-<{LzLEj;F_c*89 ziD39&gNB&=hkuP>8?E;O>_*$eX)nx@77@RU9fGiZ?qNx@=uyV3EM)<0^|Tj>q^vx= zFb}nVvA1UYaA?sebpLwb+cH$6nst;af^5N`;Hu(2cX1|GGdY|BWS+__&j^Jx;m53Q zP)%`y;WH~ub%Im7Vw|(k33d*Vj?2ubfp}R9J-yB|Dgy{b%edv6;xCTk zmu`R?EJG(FDIG^ObQZ0a-8X1mHI)MtGem2`GAe9Z$llrv<4PU1W)5$y{dD#BSF>IJ z+xPIFRx+o-mBij`8JEfFT@^Lf7Wv+>O5yc}P6xV}f=`Tg4wqkkfK`o2l7D@0PSJT& z5rMPvO!)fw&&PxEyPIyxGE0HQil|grfwbXuCm|eSscSMNVl`gymZc*PO3=ocwyA#4YM@8 zsz!b`Zkd>+)M%E(Ov*z$UA@^baAwG%sPJ-aXex&Q0j2lW3yE~Ngx9rh3vWea z(Wz)MxyTtcoYTpyXd;KR;^+Q8(Vm2r#Hf9W{y0W-wY0z3Z_NLAJyX0fKD@9=-F?xi z>*PqELaM5*${r?`q-$8wFKDT6r4>M7PG9NkoFQy*JRT*}rI@&YL8$Ee9;?7+4>nOV zDQWlL55Cj=2hbXpvMNASb1sWSJ#jz`MgUKTWAV(?^UXTeb)Hg4f9se!Kji2Sv^FfH zQvhdLp|lH&OTq3{3f>n`rNg4AQL+`n;6uwqoeiMuB6Xh>s6pwfK&DL1DOiL6?(g!1 z2wOP2q8_70EW~8e({g&#kn)-08qQ?BRj5#~G%Pc4@SwV9+Rt)1P&6IiwY54*j&z-|K!G}hZ|<%o+Mnvq zr%fj#wuus!bcer#u0p@lAL$tkGm5(`w+-#0b<}ySouNd5Gc)d-nogsU89np?Q7 z!(@T$B0)pro(Ol;gNONzUH{kq{9pNnA8#uxGT*kPyRKpMxltC{(!godY8Bt}ObHkA zC6r>kRrPZ`b44*TWL{>aMroy)MZKc@OFj<8)PvyPpFvY}QmcUzW-?Acs#YO%=ltRD z0+sVGahTyRUgja>nKp>2R=6vK1|Y4F?eL(R zuQU}8xvjtIlpg&i(b(P8wsrz-=Cm8pt=>PWOE>axlGx%(@goVw`v4~#O~>X7g(XmS zNFbDD(oZI?ZzYK@=5zQ0VG1x`?uhG%aY*Y#wF6<}3&4!C>N0$UDw&KGwn2|j0mo-- zMje%q=IV_+$$?V2hR|7qESG~*288|E(Z&lzew9TC5sXrJ2DsrGR*AjH1PF-8 zzD0`bkN7g74WO+}ia*@T03@yBMxzOd%1pJ28w)X@R0@+mzA|6VHy|{DDFDBiqi&aGP-RHc zE8D@^yKY4rTZar(*$gTxMa8slH%mFb85=5uS6{+EM593-kA_hmw`|32M*^QqZ{D9q z43kP_GpQ%@e!S71>n&ph$F*>B{IaQj z;`vv%u^|3tYy~DnHK?+ozz5=rX@!tm&}^`4mvBWZiFUyqEf1EBA+b`K*AUD`9ccHlx1?3 zvUQXGd@^boMy&K;hqhg3`YKbE(&r?GQViP0J&IJ46~v!r6$fWb37<)Whgfx%chGmC zYkL?;3vZgrr*IXkhAl*3#TW5~d^18025lLs<#62u25A#ljE0k=1AZ1CMM6Z*vg9z# zrrofbDYLAt82)ik_$(+%6C=msnAo zFXJooNj|>B28#pc5+*=c<)9=v6EHD*C$76M9Ie`|Q~P#!VkvtmThe+p@%RxqJgeA+ z;mqbMpHzu0qDy>$0DS;qRF4VEUPe^3gi`Fyp16&|+aMN($hlVHWr1|xe{+$>S!D|g zT}cu);c#7zlPCRiW2^U9DU|+4y!(={R5H+CeaYtcnYjpy7Ii2aw=I-FRp)Jkpvr_= zh@!1aUQbDZl=Q%p!9Ktj!2p#3LVUx^1D;X>sh&(01An5Az|X(j^9xjKXqC<7G6P+8 z*FIx*R&;Q9H$LuVops%oDyLJ7naf=9g38;P5#u78WH44raNB#>8l}kgu!-8B3INE(@LFAxgBoIXV^Sa zt;fe;QacGx2Wms)tyNDiaw`)#ARTsmDYxHB_=Fg!LIXI$6c|>K&DRkcAXaslnqO^; zgpb3Q7Xl(KM-YwekA>nE`EQ8fq01?xrCp@7CB3m~+7!BZAZv08+9QQbdnG8)1d1G|bBVeV9r^pSh zS2tFN|6#|za-Xya@-^L=xRt6Z5#s`hk)F&v+{ntaZEd0mN_$ZP=?e-5EH39p6frgP z+ZIUWo~1dUQ#%80b8d4Q1sO&40=K8<_q~O zzA~S&NB{}1^mJwgRXuHV)741@at7nC*i4h@Y{QvNwNPJaObcd}Q_(sa8hS6C4ew(Q zk?%)e9UYGAdAp+4h8|1bZRZLN!V)e4<)SHx9O5t>*^p$ z9l>=`J>pw&~Lx)qT@sZq;>>K{tcL~`F&?`m4$KJ;9xhhXKc5Qudm;Yxga zC!J(+S!96~;5)3$$Xf~1+0o5oVbKHnoI|Fc(@NXK9Lo&Lp?Wy_;8oO@Hl?`|XOCPw zp(jVAHgMqnQ8n(RyfU-&7WbY?>U%J%BqzKjvw~*&u6qTZBdw6IQGvfW4T2^!!FCBP zFqC`+QW{kii72Soc?z347+zaQtT;l5ma5i0EYxTJf1-#bzlKp1RRoW=CHlQ?aUC}t z{nKOWc1GJ&FoSl!F_`9-D;H}q^fJRLNz?H$ZtAXs#f8E9#9y4hA@F=1{irvxa2QI3 z!bM`+W2@L_FZ=OmuJ$!3j%nNz2H7zN|VVXP~wRnqCcFx{b3ByD;? z<)*isPi@&Yl&DOpCiY$uMr3@m%PKwAnLc7MMHc6(6bvZ~B$DsOG8{#CZS<}Ci(dWz z@epb%A-H!NH8bDrvWK*-GJiKCn0n2~Y^Uc9De{)`+;yd;HLsvXOE(~ka}|3jSJ1;G zN7g)RB5s6o4h8cX$UQ#+2f^50&;kwO9l_TV6EgNZ=^|)QLjl)elbqWRuD+1ChSDHf zeudJk)lVf)kq6Yh=*FG{P@M!PFBBsBLMQgY7IMKQ2a_V(H_k{9Dec#OW6vc^TGq%BXXzP7(k;gEU*_LA$;i zgRW<-6<9=lDwR4)kG~dRxV?25Uy2prxuPh02bcM^cp?qhR}{lX#8t)-*fYC)h5iz^ zd^S*aGN$r^N?-(?L0ZuA}^)-}F3|WVKeB>RC z=W~;;F>Zeg@TJWE1zIdny}?=9<;NDDpy+x1#b+r!Nh7*9Tkk!bWA_?IHwK=8ah)R* z@uwyB<%#(tY8*VShaIP8Ik;rB8~9D1B{;;H7%Yt`43dj+TNhsDoR_9K)<4M+ADmCd zzf(ee*fwk05!kg;sn%*9*`Z8VEgXTvRJUPjM)pp7{^L9>t8b$;4qD4t1}F}7-EV(6YX*KCL6(M3W-ZO(s}|{Aa)My6a;s-cVQ#L=Rp=4vho-ULWr_T zOBKK#hficddh8pwJX1Zr`I==c?H-RF0_BD8?9p0gdwDeOsr+~a__mei69#~X=Ru^8 z=Ikrta(#%>d=%Krd}R?|iy+H+!+DlTrEC}@u3@Os&#)UWft8alY(Ne*6fkz*n1ajs z9Gg$A44}C=4uT7L7NzUD!-XDn;wRi5)vCqgJwd7)Td;4CPrpyFd`6T}%m<}fqcU_(p4$&v?3%L2Yk zqr@45=T*C+$^&Ip6lDZel2^9kIUP+iN1(XZ+O{!9l0beLl~ZQOlu*7EhwBm$$s(b0 z2hZrW;qmT2YZAm=^v<*?;>_L(2dCqW$~DEsG@QI{qAt;dxOT|DXUoXIglc zjDv=0Z?2ZqgYA>d^c|P;l+2T@Y8^b1@=+Kf*WnTn4dZ}1G2q-W5VkU+UM(m#K!bsv z5Oal9Y};C70m}(A_Ld8^epCj?(^dP$Cmvr-?n&UhE-t6f+Gw20$gD({FM~CnSgUr( z0d3g(9z5KqdWk6c9u61QoSdWYo3mXg4%`GGmvv!tw_vNeIga{d2!7^y8(syD53up> zu{2vVb0h>yfb~*^7_(G{8k$kC3`M5(E-ee%;_{MirOC{$>aZSh*OnG?&VenbrMwf& z48W8Jv4E5*dt_EYP@_evf@5A^I}lWK=!)i9O`@1-i-2xWSaWQp9KL^NEJW~mIV!$_ z9%VBQ%Kv%U*YF8ji%0}Dflyrmw>hV|z5^m8tih;NmaBm_IYSL;3@eTInH;-~Mb%#! z4-PnZLeB80#emKC+0lUE-P6RN&5_p!DQ6A4WK7o8k?!y=BA1`LmZ*C~C7S-K!J`Ah zqbXl{)-4nLVN6Ds7dt>=y~O6jQ9dR^UB7UUdk+eDj98URn5+45s@ZGm<8@K!X z>;)}5rFKUTWIzuG5b!Ux1%F>~{{OD=5X&@q@6J|K2Uwjcvy>aLIzZGVunt|lQ`p-N zYfr1mXIDBwi)rMtPoXl1vZ;h-ds;)XKC2tp#)(%mJGENks-<)VM~h%42H0WQ^ezsQ zw7wmy`0palDaA)QZGfdkZ;eWld)S>NdwAsA1|5Xr4kyWvn4aAe8$`qcB+ff z?qPqAZgR?s7^lswPtVo7hs)5{TUxW^3Zlwj{Y=D#1#?1Reu$&*Bj$~{BXT)L`Ia_FyfQzsT^>5S$jlf>5AKnfkgSC5<5jk&h7s7ikqtQiGD#E_z04 z(n=&}1d$--9~%uI$qtTV8-3K~oty3%cAsG_?+PRnF6v8zOUM9f1=)Af2mY5r9Hgg5 z;*uS#on z)6%|`wMQqkQ}!(87jtOjJb6|ImUF# zvFTU@$b$N&M#w@G2_f$v60pB!4O}u*a;fFfC|#{;HQME?1YUh;w`{jIatXd`*DS4S zXG;4{5k{g`gDK4!rMlEKi$S_vrJ^cP$(U1`2c=TS){Ex=cD1$Zbj_M@BoPw5_f22+ z3IX_}2{%R`+yt7A&T1DM(@ z*Tft=@KV)kE4w_Lgbf=vYm}f$!%gp66`ItGueR|}n*a}R7sjhz&4=^$oZ2gr{D0@X z7o;F~z>5?mS`408aRlNCB@juJB$-4CDLEw-y)*_!CKgudGGxkPlP$+gcKI9%6)QpJ z9|Gcq5TVE4dBeY%gtt|+d<@gF9oMTzAgaTpY%+yPqcb97vDh3guNMOZLJd*0zF1SD zrLCi@r!Vc#z}S+EjIGH``hYYAWabJ!3+py)+G@_WoVqP zDFh0GBakRG28+WJh$J$FN~1HFEH;PB;|qi$u|z79E0ij=Myt~sj3%?iYO_0>E;n}% zPcLsDUq6>Tbx|>K36rKIot82Uk(QB_Gb68{sHCi-ss@FrYrr)TT1XTcgT>(qL=u@o zE#}a9+I)dfB*t|lQbI<`>53nctO!-p4b!q6*Av7#mSjcMbi=f4$MyUmY(#N0X|+4u zUOycSN8`0@GM&vYEY>$Rw?GI+Pz)zXie^}j7eq-`R82Qb%kFTx+#YXr{qb=PHx3VE zH5Cj-jZ@_CX)4fn@yYcEE@EV+gOlP4d<=zYMi$gm$oe286peA(o}w!{w62(y87<8n zyre6N;u|9RO_}^QNaV6N@#=3Yev*1E>8iSMX69Xsxc76vo&Vb1&4I^~B6Gzy7xrx8 zeZN-(^(>R}0I95cW^F9hD^3hnYmZDR?dDynzlfie(T&dmDrJNSi9xJwibFg6MPG0z zxEOoScfI?|(Esh^VCN5vmG!H}D{FW69N6Zd5rp2XCo?if2?VD> z5P>lkEm~uH+1h@>4-;{-VNp{-GzpVQkY*-Ky|dnhS@tY7u30C_r5#edRh9p_q7gs4${clsy-1e; zj?n#V*Uy!2lJJNMi25RVX(F3uRHN%h1dHJT8p*hkKW#HXw2>P(32=(^EvGLDnrxiU zs)DVFcs?)0Gzm;Bn?lsJ5KTnLpo=d4f)EU?E{{a)3ll=ZN`Qn|7+@rl!scBQoY=CZ6s{6U#0e(W4t*C= z4|H7k#G@GBBmHyxTUxweIsLctrE4O|Ct~kD2jjO$&O^bJr;$9FG+^uRZwC!?a1X57 zUYsR**o_xJ`#lEy<;t#ETJ-zs4p{o;9+cuXnKtQyeLUB9gE0kJphnS;$YX z{vpX26&(p^TmK?DyYtLih(Bae&zLp1L&fDB@72PvD2U=gY%MIP5rL*(I~p0`hOB|{YT zNX`J*86y@HP0~StlVmO@FJ)(gu#vkk#axLrzQf;wtzoEsk_9ZJHJY7yao@{$DdZz5 z$vJTM4IW2nN;?DVn?O85Lq*5NM8btd{C88lQ(VG>j5vRF2^XHb*C?^Ur~pBGkqlSp zh{O8yt<-#+V?+Sqgh>qL5ZMS>4rf`I)Lxh(5}?rRGN?inPBwBJAu3H;nMRYq=xg>F zH7kCE~8A^z7^5j+Y2RnwsR literal 0 HcmV?d00001 diff --git a/site/assets/fonts/space-grotesk-500-latin.woff2 b/site/assets/fonts/space-grotesk-500-latin.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..0f3474ee8af2f8253225f3b41bf79be986a1ae13 GIT binary patch literal 22288 zcmV)GK)%0sPew8T0RR9109OzI6aWAK0M5Js09K#?0RR9100000000000000000000 z0000QgCraJbR3CJKS)+VQiCZ5U_Vn-K~z{L9sq<|FGLXt3W0$z=64H(NB}VCSOGQy zBm;>I1Rw>3ZU>7B3D{ z{r~@GB*-Bn3HnE{ZS~!@APT9V5<7^B_Js`F5KNEO5xxvDEJe0@sBuD71qjHTQJWF7 z(lMhDs)UR{M{&~N@Z^*VS5!Xl6m8{zPv6RNJkc57kyX42LV}PWo#3o%&!1=O`wrRi z{k6E`ueYvPb_yx;@D(IGh?V@`PtxW9miG*&e+Qhx$IWOS<;ay01c;R>rFHU!EZv{$ z)t%T5-_o5z3g?aVb}Y0G-#O>40%MoQh^Sa6+Lz~_{AG6TtClo?Yy!2$$n?D-Fh&j+ zOxa>aKxGllIs5mqk67_x727`F@}1r^#1Y_uQ^( zuN$Qql~GIrggD7bauSjdLP&_(@7e6Vucl;6f~gvc!q36bY*8#CE)?JnFW@3CHq)sE}sq| zjlSHgqbT|GqYn=djFNdryF<{h$R-ezz1vH2&q9Dl1#oJ;nY`fpCt>w6Du7c_fWm-KiIc#if-K~hF($(M z{Jp7Z`yW8)mVyJIxa+u3TsXq17vb1au3S48-QT|p?tUy5Sm4qEAax)}TFV1Z2Eda9 zk_uRYcLUcREJG}vi>|g$?boVkzlcXlz0hu` zgigJAe~103$g;b)i+!~2)q$r{)mC+R7Ig(K0m-FA2wasE3KZ$c zljMd7i9liD^4B}eQyCEW&UXolX8E2VDu$A*peRn#EHBEcZj?3_qL@(TypZjCaohKY z*X}#W!>AC~l168~3yb^4Z;oRrfPgtd)Ru7K$!A_@`kmK3c(>_zpnDn!4!h%~`|tLt zpMu=G?)Y9Sy-0R1?H$@gS8tLM^XxYuxL(_AU+}=FIq>DI{HZVxTHweVdqdZ7cSZJ2 z_q9ufO?Bk{s@y??w4w%%{Oh5qQo7L``+=hO_@%DYhP}V+DkQO~YgcWo6}6yxs=eyVQ?}9+RvU{0wWCOtS_Jx^NBJ`EL%yDg#4`r@ zc=kcwoMTx78S-WJWgw9>B@kOQ!BQ4VG6MrCy!Ff-`QQuSxva4jG=np>&ytytL<2Lm z&*02UCFV({2s7sbGC<4DiXU_ew1|OyJ`S3HnHn#fVFFfddW9ze95VnX?9dXKsePnN zJYbohseNi^P{0xlGh+ZP5t%xIfc_qf2rviG259coxH zC0)g*|GAtH0n>k$d+#^;9{l57sHT7BQ79Pp9BC&($ZaVDIB-Xi#`@mZOX)CE>WP4a zeo-7*{i0J~^&X+h1IRT)rNxgQ&NU)WT=Oo01Z&I0`pk6Sm>A5)Gtc%w5s6V~`5=ZHu{7`mJw6{dt z4AAHV$%F{AC^m;L5Q-!+xk9DZyx_h#6H_yD3u_x&JBQP|X3p$sy&ry2g3p2vgLi`0 zBNM@sfcpWr0={0tQ1{tpP0#oK;dmDg=kWI!XZisj zMrSr>P=4GQhuziL>0R~bWOn{S0fz@PKkE^4)$22~;$69|Ssy1*=kt8|;?>?t)A}tA91WYOHf%1W4wHF|c~ThO^uIqupzT^e$Eo1^J1F`8^8%N#M{UwSM2WluI* z%z!V;crE9U=%ou)iVAndw4=}ZQ^F;lN+uem)7!N0`Td7?$G_|Cwg!z*<^SySX4(0jA|EE~$=Dp~wRfOLuBi~0#FE4NI;ce+BJ@T${A86;= zKCd1grMk;si|6C6Ypu+GI$yVPvANCV*(*n~sh$4Dx8+$~H|l-B@O=>ZteC;O(nn5V zEGnH4Ng2|L-R$7`0CC&n@I8`*tjVgJW=CEK$&c4R_&+=3!12^~bCXB#hrwsY-~Q65 zt)YdowS`mMk!X&z3cJg4_8&IQuRJEz*~~p&C+jTZ>yM(&$n;Qi(Yt3`+427X&HCp9 zmm~KdI*hyT-G+RNIU;a~$|%U*staM$`v;zhkAu?F-tI0)@yv#I4^n$yDDsch*wxEV z*QCV%eIM1Ne*qnsPXLr)l>8ThN0a7%YVALYG4qk}bnnebyYl5X6Z6S9;?9slZsD}0 z_pUO|=jXs5!nOu2M8&6JK`yYPFviKkf+EG zJO3}4akn%{-z93!4p{@~7$vvi^nV`4X>5GK`{uy`-M1rN?*k zyBqY&BjSr*T-m%b8EMRK?ko6LQ2d?YEsQiK?=+Qa|hs%0hl!a z3kTq^0oZo{rUqco0Bjn7l>>0>4xF?D$L+wx0PG!rB?B-s0OJ8TVgS|;Q0hy<6B7~b z(&#jr4xLUXNgad)9F7i;ry~$Rp^zsM0kPOzA`wcZ7BU$nmx~k%J*ASN(rD}JlLiLb zhK39yW2T8I!_1tpu+X-&B&@8ot*r?g8)R!s+S%#a+hYd@iKC;XlasEqv(&{!|oQ9)@VMbGkRK$}hno##Ary!WPy=$<&*3IDPc# zj!7tpAyUU1>S;Km%})hfsA77W2PESjIbS5OLNtU4e z1;Hw5#M=wc@73AduQnE{-=(-CbhG~9QB@fv?_`A(3Uc7zA_c1lNl*QB8j+wb%swJ`Cv-{GGE-d*sk6roq1_p`d~yZ;N)l)L|5nuPKrg39kOvXHr9Uf**(IjUmQzP;YV8vd7D18UR4va>mp`6@`I_tShpex!2XrTry@)E{N!7`S!f|abYy9fSW?Vofj96rE# zl0HPUcar5JD&bOP7xI{Qv>I=s>2@1qgtmpb8}$#%39D@->>CF&wsjnifTI{kU1d&RBNJg3Y__Ai?0?a^Ng~IcVMP8D5DOkpGRT0p>2~bUJ8p-9+zl$fg1xL4ZV--iX?6=4Msd?MOkeN_y9V9;*M_Fcs-HS0uvM{TeK>a3j@Z}$uOZh-8 zRc)=RAwgH>H~p0vQZQ|XDcm0-*8C0<=J(lJw=7_#rvyKqE%PM@JZ#_--yq90+ zEf$a!ZMRC+*Yk7bltlI0rUAJ$q_JD^ZVlSFvxd8Xu5_b2J?I$|+PO)sXkoK6uOc?Y z#ya)et&d)wLf<@QV~Hmmci|?Gbv^S$c*lk3pYiRcf$o_F3d56-k`W3wTzpE=(Njph z8Q@{*iOolBT%+A!QCKh(>xzQG|9=3w2gD-bwnoq%>1vLErW3U{_+tIh9^mL+9|NX7 zY)pqVfKcOu0x<%T@ZI0Oy)&hubmiwYjZ%-kHCn^ZUsCeoRAD~Mtqi9x!E)SR@9FlN zE5f&F8-`p7)C7c&8Yh}Wk|-gp^fWxVa6*;g1k1+>@)F0U6k`*rB5W#bAeF%OR;Pdt_jz4=>LVGtNc0*8amKW=hH&^wJ zoX;$#B#OQ+V)Q&jP!fbmKLu)l9Fw1Qp-x=B+3Obah40=xA zi4}R^lW+bc*UYB}yLr!XegeCgm&X`{k-M^9lWNMYe)z?xA4+-A3*7h7SHF`(3`W{A z5K_&EucKMd%u@~ERx4;f5Mfl5K$1^=6(*%ta#Lh%!+{6K08{+Oeurw%H6NnGqpbUTjIc+Bjj z!=7y1{G|#qd`X=o4@Y_bk}+CXgQtY3LcufTzLPciy=R}zfBB_0L38{M`jFE$^Bc2$L#`YzfMF>;@n*Z*A8y}afZtDt zXFsaQFo~dESpmQq$HKW9FGbcH9N-qf?E)uXyzf6xxn()_;Qu&`o(^>rpf>^edBwpd z3?Whkmf^uV+#|Q#`d|Q0SP%k0~L;DLwyd)!A4)z*fc6#mk>Sgv`LG2zitx< zeP=`3%L`(dWX69Xsxsh03dz)zB2|>3TF^X;Jns^h$4Y!q?wgCd;x$q4*M|+qcqU`E zO$=o&Wf^o~03#T~c{qTN-}Ix+h2dv5Z`qO>88Z*_nMFyKsYavu4mjh}X?L0^FW4$z16+gk z|HGyUtF!hvs3QviNjh@Kwh&9$)XT1$J z*=V#??kVf3tp~~j<$HIu_ht+ zs!;6GvUFpHEx8&_ZP9vXDJf@kmuQtOo0)dr!0@rJ!6s1~TCR1&?ZOk4bp@?eSL-Pz zqx?6pBsHR`E4QwC<(!8S^-LGnSME#Z!Egy_e8+C~2pkAVq^ww?oFD|GDdaC*<{C4U zN8t%oIUHNuhn47V!6CsYa8B}W(3-n}M~kN!Vm2~+(?+RL#iiglgMr0iwb0Et!7wf5 z{hLt1f9@L_l&AuT%|eeYn6UngxNjm}Y)5*kQs@~Qk=qC%5JaIV zQN~K1V5!XXMyac~!3rjYY}aOQ6%Rasl!Yh)^I9k&!xsR^=WgIQtn}imvs^Jd zPlq+&Y(Yf7+rX$=q0xn+MF=2QuZOt#*U-4a5O)+9NFNtLL>muqkL2VKF3A*5FYZmC z65~|r)(3z-x{_STNK3%5!u}z=Qx(2U1z2~OwZ09W$ROM))(htZ1hAaek<+iPwmOOl zjgy>Q%y=;D$*HWa*u}7hQ@PiNDD0K6ym8+qS}3n!L^~yh0bqg#^bm=vHd8RiWD3n> zo%U3+UG!h7w9=8Dm^QeC)mK#$LxE}dHd@n$Z4IRjHi**O8Pn&zYy30X;Rrf*hz~SR ztX=q!<5345ccJ)Qp>85m&}m(2C>x@81lqex0%8hcg^!b%BahTj~|7i!SNPeJ-b90DA6w}o9c|g5E{u7$3TN3 zWVJ&+@jE5V^^Xcg%kL+0!EdOh_1g|%5J3sC zu3?}4;MB)91D)_9+%nyMujWwivOBFH!A**YqC^AjNAy08ks(&P#w7M2^+7F&VL8Z& z7>^Q!2qkf~x0?g$j68U5dN7&s1vMG5(vUU`q`eoveiH4OEvkHSJeqs!4Zzc7mE$sF zmoa{&^#eMTB8yM!910{f@>(VgI7#XN9)&&(0-#Bv^|KmLlvSCwZ{-3S^B?rgPYfj1L=$p2Mua*?|kBen1Um14b`y+ z9X=vHj3b!RL^Vro;1M!pPkKv(c%hCMSZN_Bs)HFd~< z@6*UX@67(Evhv3-W;XAq+-c_*POfJA`_ND7NL{jHH+0?$8lnwQnIhe1(}Es#>%>Xj z>S(pTh2IxMF^s6|3Yy#WPmXT331Acr8{-C&3a}?*_8_#>8P(}4niDr-lW>wh$wPoa z05$W2$gV+kY0{fwzVANKSc&1Pbe`-jMYqgx{L{u#r_^<vK-B@=QWvPb1sX3DKv|lMEAY&k=j&b7ZySA}nZz@y?xEtCP*j zDUwioXj<&P-&g7N%RFAGuXST!b9F(g>A;HnBitC})D=!HUJ#1yHnBOvkGAFhqt0t~ z&bDW%xo7!ho~i++yy>QH3c}p0hU%SDBkyjKw=n%o z4B1)Zn!1F&P3t#uM@%ZsULGsckiLiJ_34_SVn$WOLCxxyU5;bPROzK>k&|JroMp5s zvC^{$<5{=^-&)7HRB*LU>qT!8s`awoY~_zldfYu{nz@wO+GiRHzh%#f61U+fS{-lM zt-uf;I%C87ZFkCJt<0dK8g+52$WLoy2MYB&yY-X-S9+*6(`R=D!fR(4uZCG-`-$8W zX{s&5L{9Gy;xQuzY~Vw2DVLYVoH>o#DM#d(+HcBgHJx>|xg#3eBNw__^&rqt0XFHu z^s&v2)=RFNH(4LnbEz(asBNSoko7w~g6{Db&fjIds;u!AI}2KZM3ZXjYq+UJy^Yov zfrffU3!2uBa;Q4Vc2QLX0U{}@V7>C&6t_ciTT+dz=C)+rd9zX;+UgQE~+EJ1uJKtO;qf0a1`5`hN@^? z`qyaj)(Sg(>8dX0zqUdVYVa|q3aOsFba9Y`g!+1-Tm{!?uC+O2wZ_o}7#=f?Mq7LK z?p+G2CDq}o{>B=c5`XB72R~ON%9~hXei>E4^7^q7E>D7)8ValJZM~bg0vx*>k^UF4mL6fX;85}PI3^Dif)e%pc zBCRo2>+{z+D$AA_$bbL8p~Ju?`IVin`-=PZP1RLZP1W_kY?r)qHXr=^>A3p!VYt!N z7Z!MS-ng=B8@zGb06L7W>>fU6BO6e^4SrQ^y~%=av8>=rJL?1=zRL&GGyXkdd8rO= zbc>hB0Q|uA0%#p}Z}Y)(2m=q13RfXp&Efv~EtS@W8hj7Q zBsO1Bz^6=u?ygqmyko7e^}^5bHB2^J#{)HpBOuqqRajigfbTstkp!x+RMu^Ut@7@$ z)FyDZhU*A*bjQFS0}K&jj>%=SO|W_MdqG65 z)3l?K4ijZxLUntSLt~Oj{h!+0rGL|ciMBeA$=Kil*GCTs53HfK(FTPPGI_~}aAXuz z{sdd)(Xd1*U&m+@)lahs6$Rus;K?71B%!iHB8&arr?9pfLTzj7q}EzOOz-$F1pec-K*2-WAAa2X@CQ4;9B~ks!W8g#N|sDw z5IljC^#Uc&SV}i=tx`Szkr=a@478k3R#n59PO0tWT>;QS6GMQQVsdG>88)~0dzR@* zjZxrhj#Lw>o%4A^31%4hC(o!b?r7n|yKFc<11f=u^ur{af91!PJ?-boeBl*62W;}L zSPSh2JM)B^oa_6%41PVz6{8A~Ql{d7Y$UM2jRa5h!MdDMse!{_YG$pzf8R(sT2|Sl zcez6*ST}#CiH(Ysbb9G|^nR9|{54D4W S8#S~?xaXqu;tAo2S~9su2vSq{fi^hG zZr7Po<bZN1nCG8(eo2YFxpm6EjkW4twrGK&5SvIKZ@KfiGC0Oe>gfDx<6UNyd=d<_-sH z5Gi7*Z0{Bt3=zJhzA{C__caI=>12nAxN( zUYjTH26PDhv^x7bBvQ68B|asjlmw#!uw&zZN%Gm?<9X=3jXjfs*WuE;fQgu*n6zDs z$f4?%Du*xF=qI>q8!gN|gw3`6chD6x;3KXI#lB%AO?rc+cC(d!8Mh_0rl*m{DlS5sZ%YgWq%@^jMnm;+@9M6Mn?smkrG zYTy*@k~SS|P_!1bx~Ql>+5Ed%9F0lL72gkc2n{FnfRN>QQNix7$o_mqzMnkIU!F%U zA?GdUgS4*-bGT+X@cUQ!ZTSX?(u|pv5(5hD{$#}_Y9gFSH5JR48dbC!CT!6DRn0QF zVNJJhwqf-*tA;-x*Ry1WWqHq1u|f1J{sP?WrOPcVW-n2ke~@JLY+tuwO(jU4Ol@8! zE6V`y6Oxn!ywS_j%aZ15J)pgOMjw*%f6liuVC*f+reqPxo}NuUd64b4n1T0rsyvl^ zi3Y#lp2;M65_$aB&L79k%uf#f>y;~ItpDs3F4r@wLL;Ed%QTg>U2KEClPB?uMRb#f zd+=XcO0MN(8S?$TTmZeOMlEmCzoNf#6!J>u$A|va{r_72@1StLb!+(nb!FW=?4=`} zxp~?Prbfh9J~a%DR03^YZs4n`fcq=76utA_KtJv0>gr{kJ!yZ;0N$-STw$g7K#Cm8EH`>W92pCCvp0ybSw+htHe9EWFU#LaVv{egq~J<-(eW4^jmLo;pqhhJs|~aT;J`Z% z0BBvA$SGkKDLdbXu4znasmN7B7cLhLNj(ZJYpybnw!2r_8xn?e?+fvl)PK6KUcLVY$Z`~p6}c0f0gu5@A8>IiDe3BvYcYHAdSaSo z(fnRYerx`wZtK{PUpgJ zCTmomqkvzH84a2?6zeb*>`e@`wm3CLnY8sMxr?r}%{HBe=kXe*S>S1jR1>N~5wF*F z6`{I)k9YrEpJ1zXn~Y6 zbhO5LOLE;Kn-i_ni(RyGHN7lvO)B9HViq#u(3GBJv&*$ED)3J(lQ4)6CRSbT7^B@e zix2M;Nmo5B(Bf&wyivhfx5y?C3TLK?*Kd!>Iv6oNmI2ByIG=; zve-(dfml1kt(Ij^{CtO(#NsF%g{bvUdKM|Pt2#R(+Laa419=xHG%F(=otjmu^)4lZ2j;G7U)2tT2_1Q%*R6Hr$}Muc z+)9nnrOc4z6|2ijxV&AgSW(G1J5!RO&^ZB2m)7%zbuwAOuV!hn@q)Fs)|zmZI%HiL z>Brt;Pfj{Rj|VhTSt8HK5V`xgPi0J>p8gaUB!Bd=UT_t^i_m{u62}Y2vE}jci*ZZg z^+HP=jJ>^rzv2|a+vwYSgq8f2r<76~!k$xmKx4zsoo91x3?`9hcJ18thmFKwMt*Z* z=ZOs@8BS4Ot zl68FDvT&?37~};HOXOmc(WBRyJf@Nz`_rZX1AkAvOa1IPe;I#iSG(1H z{TDOX@&J1Pl*AbCd<+aBV-@GeV(0ZfpAm2JdG#)MO?YGPYfH!GEZ{=C`5exC9>iVX zY^MIUSlD0IxmtcAy8=gYms(>SCIj$t?IaP{vRd zm~X?wWqby+qO7cf$>0NtlF#JNW7;JNlSY%Kq*M9g%#Sj&K5Xvm%UPMPggWu0Imjg` zVOW=1YL)`Y6J@{6*$)o9KrWPT|J$CKaU<=igIQFlgN@hH-Yw2ObYmM@h=Vt|{jj{* zUfQpNciPQx1Sk||zMPr$(u0m?WyW7Bb_8XAZkyjCl^}U-n)-yS%mZC8ar78(J8RmH zKej&mZ2e||9@7gp*B|uOdq?0dVs?pHq+sgju;y+t%gxtl3WHUAR|Ef&5G1jtUoI1a zx4(e0kH_0bDcH|F&h8@R$Jp#xKB)`LjkGLSuUa^$aBUwgWeuOxY}i)5mCyI^-Cgap z>I*CrF1t^oL&Bjsr19UbTNm3{z|>OHJzL{j;gdosZxxY2wq4rdOSvfsg;=A9+SX0(a7NK;mUctdG)Qn zl5_XO9=F2}FzL}`=qP?Uv+AeNaHVcWJKSmRE_cSg@5=W)>#zs2EHmX>K}BWZr+^(h zI2Zy&HPdgimEf$*hR;NHDjXF4v?U4PHjqc*$;TVsPbsjkICf_*+7fVb zoBQWAMl#Zx`wL5A>(choL{x>V!kRiSsQb6V58ua^uVA6?&Rf;}&m=dFNaErS2hQAM@3LRs z69&DvxmCRt;q>~KEAK*qC;O#oAvSM0XQD;$vM=`zHj>+;><60&WneSh>Jl>-6a=U{ZC}H z2S$M$$>cG`D6195b0RA-J5@+fm$q(1i}-qc!Nrcr=;boji=qf!S#fy-VZ9Npdu3}G z;3FQ=bG}j0*C6WwhE72wk;k+iifUCIqbL!LAPDopB-Evbs7lcyl|eJ1&TK(6K&?2U zjrw-`4j3P{mM_R-E1HWMqKz5{Ud+-Dcw!B}&qBQb3F|#bLyd=ON$r-JObuYV4=um} zz$$apt64-xgG2I3W=Pv2R)= zlPaVLN>>9eJO5)psK-&)z40dyB}Nx}I_ZOmbkLhYjrH07p5)MQ(5t2Hj=D6W?~b z)pNbk_q^sx$6Yx6pB~$D`-Dvyq6~S4mTDU5XNa{NDQnX=4gyBzR{ zr#|eGZTbdpG@*n@`Fa4D(H?#F>IfW{K z_B}x5`j6I?ND6hjjm8o#gH=uR2(<^*W`}P^j>xY@wH{aF#i1s0&5y$RW07~Yc_j>s z#e!I>Hs`vFf$ehTHjAQ;?D7r1Yx;K5(I$L zeMM?`jngu2o|l{_b$?xrYUOg49&Q-wfWDgx?@c^4KyR$NE>o=E>EE&Ik`Ee3 z15AvIaEuX@+H;7J*qsn4E@C0Nno@zlV+KPrh~W!E6|_rW+|?fMOqn$_*`5HH93i97 z*ieH!uWqCz(xGP0a6F`haLJooU?Jha%?@qVVYWUnH?niBF|ZoU@y}?+d>FAZ4IEie zAs}gpVi1u63nFK#sZ279rS_lua8`$e%aGKjLGUp3%*HI5+IuDm*67)rK=r^=^fo8#CMo+ZQL*zH-8Nu<%Z0VD%3itGrC7WzNDyvhh6QkMNT zBmF7yxyS!Hg^yXYvQi66IiIR_98^?X zNkOE?B|!>p_VPYp4PnVuB-A8@nW48CIj_9oNHsmwBbuKCoB&2!opu`V-7`V#&T=~@ za0cLVtkv355-D69a8Jh!S=(J{*cKFHI5N-k&LWCZd66BrGkhzFi#*{8l~Dj= zo^TL5J;hYf&Ooi52%<*|9h3eu0Fh(X9a~LltevEgl1O#L0snOBSo;egyu<0$`T~N^ z@IuY4N=xl-tdT{Dq}PCP^o3YeY^Na&W%h=_#dZRM|I5szM1=?yAFAV!x8Ys3i4&Y` zs2MsomPvI<+)8WT4GqbrQw&{A7MNBLo58Ue?gd|UNQ8X?{tT*6QU(lCDRQ9myp4wy zw5y#h0a|8gY@lT1hR23Fb6t?=q{f;HC|?}&rTO#}e9E5yQ#nEs?GGB#A^d6X^Zg^A z5%tR_p7Nn4yaJ%ImwQoo2i9P?=$8Za8cIFc` zTqcjQ=I14QwpVGc>shIgbR%+}%49{IR1A83$qo$XVCn#unTseFoxTFpvLTUu6O|W1 z4llGBDRx{G5C`ou;(cBt125l3V0eZT55rDx+`1u`>Rz|z>7qzOUPn>O0__Z&%jsZ4 zW~f3@bGZlOygJ*)_Z(~u*xz?>78Mv%8NS*#8+dAev9iXLWy-3y4*TtDO>(@b?G7VO zF{{f_YHP5RS>Ae>5}uH><>3rAb5g=$c)vDSFfs|N-vn8_DM&J@>Cw&XVk(mXm))eW z8mZ!44^y7_PkBEd$7AJ)QV2Y8C<@gj$3Zo#b-qOB=Hzu|bKRmnf_11QU6$iYJ#tM)&sjN12$wz)M_ztS-ehV zv0|bZlL}rz8;4OzU>i4UeSLDd$gO0`Qj57ZD~wMkT#)@=nz^Tt_$B%Znqw%>cL@(FY<|awP>1XQWM**9uW+ zKt1MZg+U-cP*yOVaINZ{IsNAHvjmkS_`w1z98M547eXl3f`Gtt5@mziS2OZ7-F0P} zP(&#-M8pm#<^Th zyUfY}o|TBzy)o1!Po!n-p;znn$WG{GnkaLvPKB6wsO(vlM?A(ewG?UkyTX$g2A^%x zJ;iK-bPc0$xp3;Fb>_ep$3dF#RMukS~vz-2R9^LQg0mPo5b3E?x7?&hfz6aW6*4Rfbo zC9wV=R6vNmgcVpi7TDqB?{M{M-sgO|-GiOA(4scdOWV0F=^90Z*W-lfReG5awfi|A z0M12{>hJ$d{e#*%n7< zD&nOLo_fmIh~2>0B*x0AftoxT10j8Nqw>kegSN)7Oh%TSD!kaLhYr6_)5g8r2Rv!C z=g@Ud&AJtqLd@$BTqs}|tbf?X=(HwLR4#gKZeGK9feG-iF~-hB*Uqy%4CJ2F_sWBT zeZsSxGHmn^bWSjlptwBk>#e~Te|#rK=o^M!(K6IVVt|k%-Pl!SHwKb;gqyYUkD|CbK~D)hoJP(!uqiR2`B z-1tT50qI22ys1RpvvZ5RrZ2SnpO;Z+fXYm_02O6 z2@JKH>+=C}xKz8STsai)x$YrrI9^>j=$Bm6urp+dG^vEqL#oEzxa9}6BZ9;hfXre7 z?iZIaBwcGgCzS0pL=nMY@Kk`|sG3o!s$y(Qn|-EDk8HDV{`wO~sfXhd7Pu2^((m;2 zKl~j_;xC}yluF`W>%wtFD*_od-sTS@ zUVI6#lO#ATGs%NE1Dj<7QD|&csaevdYtwDpSQTIdTJY3UWuX-l*0pE#Lj%{vLnM}t zvjcI*%F01-zcUIN5|lDLo17JP@O=XqpCr|N{4;#C%+g<)OuD_Hd zOZ}gCPy}sRXw;f@1MN*AjoSf+K{{CLhuu75FwRmI1TQQ=9$4frboqzXP)-R`e9JS^ zajs_=qJ?aO&X^ulO}-;Gnf$oi_5Gxn_#mf}3Oj_SMPFq%i0()8;z}}@n|Hby#+kY2 zhee+Q8VQT@`7=aAg3O71`m8=A4ZAO#tOG~eA%V(T;1Uo#Osrzo$GnjBXIo4_ZI+pl z;8jBc_S|WG96VZ(SAX6V&>8fZ1I+GDLxv-;|47YlePb>r!ID_zpw%{iAVMHwh%l7) z9!$2M$k}nlD^Ir=43Gc-bV`R&1_H4b+Cl5FQXdSZdSe7GzgAv+>V|%afB^KuBOfg( zcvp4VwERQ7Q$cuH>*AX^oxb<%2T^{E;SeDxr*Zq@b_ZexY+LFS@wjQr3UnFoPBeW0M_U@2Af3@D>jQdB0A+zRAN#XofX!m|y@gza?=YI?V z6r&Jb_g~)yD$WJa9PCL@}bCm?ig%Ju~n1H878S6*H&_SwHF-Lb-uj_a(5jH7g= zBIrjIU?t;ul;I0aTZq^kr*4L86P8zU9mt6)jC&+iU0PUJT8b*<_sDDSNe}fK zE5i07M%zQ1b)4dtB=AmmE-r_F6U2ze1m$fQocX`&2g?YT;w+c?Enm1^`#M(&rIKkr zNj(gceq5io3euLr>GjSq0&IV_!1_sjli_hY+a*RXF9VG^!wN_kn&Y}`1kH%W;@FRC zbF^Mq2vI#Q^0z(i)LgEB>oVj0Z)}3V4C7e4cINzm*fEgmS_mv3y;7|S{t6}SV}30;~IpuI8I86<(QtAv0+TT0_AxOHY7(lDzA!&@{9=? z3dVdI4XRwJ>jXj^;-5N8?v*ghsV>EQQ(W zR)%fm&-N_#s5{%a2=2%cl}hao&ru&<9uowy56XpOy9xk|<7~X#n*w*ENzwYzTD^y0 zBU&I@G+Mv63*6oah*dTatwuGif+U)-Y7E<|{nF|wgF!Z`X&ZW+p|mW!y?d26fL3CB zWM=s7lcX{k${~KgKjyb91<=y>t3C22)*Xq+muc1=%o_hb#Q3}CsNd>-rap@ zvW&xEt4XG3{nq4qn}D>^%HF{YX`}J0*1_kBD_^gy{t}m$*RsoPLg-rh)o*>}A6Odm z?)*ampq$~Q1TE8QX@^j0q5S(|M`3ioNpM`ZO-2Hpee4rI`dc#zUVkS{ zDophmMd^-WgY)N=>t+dd3(jW|b6X<<)S@v2y^%6UW;Pnsm6kFFqtTrrvkj{|dIXm6 z%F%|llLc+ioWgV2a;4JqxZo?y0h4(#W0FyWm0Ks)O#v#?ngxVn3;}|e>w1_x-L?4* ziNL1@HI+nRmM4u6xjI-IKUr=v2*I_wax^}g8gXjyl44UaIFS5zbCJkMUY zkvo|LoCl%I0;+|;&Xx{hjVc71 zBn2&P(5#r(SNPGCXe3c&>Y1vIg#@9bR+@1W$JSMuM%CUUKwAyU(VS>fG;!o0DAmn}3SkK~i zZp%?k4V423bi@@jFCjZ$u)TIb&x@~g=o}+cIW+WTC1_=DvRBAF( zal_LQbhD1NM+&vYw0Uf!E4*r3VO)s&7f3%PFesATKFFbp*2oZXQ%3k~VdWl_L2-V{ zRo~|u@*v0wG`v$|&icC+_lt_V#WT?`G^zlna34#(h4eTa3B|~_&D|qbz)6|e7~C)P zxUCmMBT}Aa6uVYU5vQe|)v6JvGpdx+FG0r;E{u3aF>^gZL2*lBl@TrIj%Y(+VCBbd zq#`$O_ap>kDZ$S^*|y{O)O+??c#4z-U76Bk8&M16xO$V%=YiVaqcKK}R6m7}=U1p+ zJgm$#mBz5>aA-=bP4f^HSvN1pq}Syc?h$lDP#tT5*Qv5g)W_z)lo=7BRpi0&;89~c zn;}ZJ_8iLnKX#$SWMcX5BnWcaU7nPb7u4u}{T=a;(W^gpp{AxNwiD>A%2@#lM&Zs{ ziagUCgfQC+Ub)wgvb@T(UnnY6Rgzq>JDSg0#5fA!07J%WfH44h%vz-YPc+v7aB|Zo z#avIrFc?Oru77B5R#}2Tj*tL8K-M zC>-!~rxX=VNU6EdttjBepDR97RRQWFUG<^&To4#6)0LMAYQ09smMEq|v_M~pbyc~o zaRrq>8o1VE3+C6rJkq53_IbI7K)yiCpYvtjK{s#_>lm9;`($ z`YYOrH0)JrgSqyPIa~#uXxP_mEP*ROWjDCkkmL><%oduu-UV_0MDJc}2o@6auT9ye z;L-8h2Y2hkba@eG^`cCnN^dL+UEK);s_dsiQZ`D^<*ls1SYE{Bz?$3!*Jlh)%p9%O zFe}v<630U2-QVlQ1g~nvyw5O!pD`hhnSZKjAWq!iK{W>%HADF)nYNt{Fyse!P6Y=D z?^)0^SmgiI4}FL6S)4f9Guv~{7wjDmE%eVpt_?f5S{62g>*Kn4{Ra2cL5HtuS3#nJ zC@9XTJ!_rj_kntd&5kI;^L_5&+o|WDdv_0GmACTm(z{!aRkd>Ta_{v*3um~wzJ4!A z&ucYz3|3RJaRlrn>ioEhEcENYdVf;&O{4^r3Bj?E?<*$#$S=Y0G|{QQ;yVEZDd zrg)n8JgDv%uOc`egI^*4?oA0b5OJCCyw=dQ`l?8bn^#$y#`l>y|JU$lK1jaYN?OwH zV&eftkbFH~&d*z23fc((?kl(dXwT0Gs-(64(ZH>%4RF6YsL#~4%MWc^=Nkw|lQ_0i zG|($4jLmcjw-I+L6_c7EY6RP6RO-2@=XyBf2KOj~iPT?Q=i8I>Mc`?v;({hlLNcd` z%sCJt8ExKx!q)BtATMyTl44ANwZP^^kzs?bp{7vt!hpR=x}cZ zgDi{YIUJPS*Ur@dys|REm*5pRS3~n-*N7vHF^7=xoyz^_@CH$ov8;}yEk-1ivIL6N z(jB<KDBx-ttq9J)S@~#hchlW-W$xAKPW( z>0LdVbF!Ysd2wnu8KkfBZ#9eEmsfntR^LASd z+l7w@{CFTAtO9t^VBL&OicMo6g+9%9++IXBYfhP<5f_CZB3-o{081auy?^<+%xUzoNq)V@<1ik3LNH9+rhisWcu`#Z;P2gOd}APS*%8P zlEJkB3NI0p2i~PqYYm5pD^r73$<& zuJ$kz(B~}&j+*`E2&}G%A%+Gfhca64r`rL2ZMnPCUpJ>wI5jg6j?ixb?ncp_E=s|5 z#%MhT7#VgC1P>c8hki@$IbUv_ZoR@Cm_%<*0%-}P`6LH$w8a38<SFcA)+Imr0z6j8jT0rhI z&0QgVVJ)v`ag4p>Zr>3}x0_7e&liUbBMphTuoc?1&4g#Q)Pm%cK?ANCNG$xN(;Ym*PAJsZ4l2tx1r65z18tL^&vjVGdAlBN3ToY>-`EYBey zS*eAfAhckZJQP-IEC;xfBS~aDS0kK3hd{uuMK+ZYJ?U2mOsxVaIazkZXuW||^0m`B z-UE|iIY^AK%u690G<*+DZ;aX2x`zNc80t~Aj1FiIJj;e0pECreY1_8wB>}UlKGV7Z zk5$2wH8U4!X$Qi%6oaa|j62Gq-Z}r$047tyN1V$9k;Dpvyzx+c0Vt%UyU7q27VKKE zXPOPg$JY;tUHx}|O?#iK)435RtTc(j__M`!p9d;Is7l(YX&DO7#3n^H&T$0(7hw5L^|(5dnbL^!gtp|Nf<6d zt(~p`Y^=0UkoL?rlNtma(H0DhV4P(PP(1mb6Z&CsS%{sKpHt1w+G>TM6&nNwzD#eG zS3q!wwFJzp(GY>nuvKXw5NyfR9prMZ$!hhg1Z40upp?FMtUwqHxFq%xeFoe1IzhJ@ zTi3Xq`n4kk4?;aV;hyh&|Eos>#>GeP|NeKrbYsLJToUm*lPDYPudC^f%hR9chnWl+ znL_Gr5*bEDT%-ciB6^yL7W*& z(o&6F+uRxmSuGYJPA0@jE9Z5&)6T6OZJc3DfV?7H+qBh`X~HXj14q#aTvNNpqd@`n z1y$+pYbj;zYhzi-?Xv`WK$Td}>k=-Lsl9f~PtV5n<$g>aG>aCXcx-KaR zKwilXxsS{I6O!ww+-7D!1+O#^%~{RdWZB5f1`&`!7%QCPPcyF8nhvAm&r|=S6t`Ak;l~U#2X}hDDV28qhW`ybc`;H*E}6w$SU*m1zq*b}BajpV3phRF@cv z7!jh*^_S5Um6^*HYk>>P!u=u|^@v+hZcj82imuND%{L=lWqoh)~WS%!r#2bIZp|;2Q-hhEh1CzUW#ydIm-&W)@a9b`DOy zAP7mrP(YRHUDvAPJL12cI(lg`)C(d~@Yc#V(g{QkI%K~C&bz>i2Lq#RczWSkxyt3b8}fDZmI62J(#a;f6>}@n+4tV*Dy&mf zM9cxbe5a3YJ$m))GhmKE^UO8hLJJ(U#}uP1GGvUmj(Tr}l_r{OnyID}J3(TCg~mHh z>YJ~=Q~BVd!^})9=E>A(#5md3yW_5z?s@2u)6RSkpwkSk3u%w8PX6LC+LszKnUg8ui+K37$7Nnab^7vp)a=jl0EgnD4+}{4?m5{0 z-kEP4;)Eu)a@sa(NvQnqtQ%ewTU6MffuSc`i!E literal 0 HcmV?d00001 diff --git a/site/assets/fonts/space-grotesk-600-latin-ext.woff2 b/site/assets/fonts/space-grotesk-600-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..db732c272dc2d48c5600b88ca24d2206fb123bd4 GIT binary patch literal 18940 zcmV)0K+eB+Pew8T0RR9107?7+6aWAK0J%H>07;Di0RR9100000000000000000000 z0000QflM2~CLDrHKS)+VQiLZ4U_Vn-K~z{L9sr37FGLXt3ja9l2n&W>05IeP0X708 z1C2BUAO(bO2c8%V2OHO_XQ+AiNd=8>tNH;0FEJVsdmKpU4mm1nC?^$1_W%F?=O-H> z8{Gd6;Mts0H?^`Vg}_V<(HX9o5l+crk!B2`vshsg8S^~m5<_%xvVpRgDN;^WF61hy zMw((ls==o9yy-<<#Lw3yB^O6Gxj+(xm;nLvjV^(<^f=sN)BIoB!tmBH~36 z6_hbVF+dT~A<|w#(!dyE6vJo?T$G#Z?>6oA-(2M1+jmhe+GW0ISHAW|℘#uhC9M zoE;HijWx@Adls?N*l|wCnhCQiNXyV51y3M^m=i)uLrQq+J79liua|flCzO_0fge~N zY8*kD?9c18dIrhzx7c3@mMo(TkzpKOAnbPUxVtir<|;0)-R_E-kTOIL^UwbuvES#t zED9u{1ma<~EGyx_TB&7eBIEye-ZuZg2tfk%YxYcKx18nA?Va)UEa%Kp#Gja6@zMgt zQV7AuN{cch23a7ZBd!y+T5lU5=m4NRP-t!c;Ozv_VXl!%qy|Dt3jna- z!~!Pt2lr|8a@Q0_MmWKEqt!vdIq=XX9Mz& ziaDM1V8NRphGoKts%1aoV!1<^6J%zvJhFM@-%W|&2)^K9fbyIv{BSw zBihXl_=;Sv4Sem2pN!74D`Q?Ce^zSFQ7C=0XdsbITYTC+54|&l__^^3A?7d$oP4{xkW-;xmQ))cPoqdl*Y~#h*xK zTsbdkmjpS+7q99N5Z^0&C27-A+ci&UFX^j6XicC8dIe6zy~%dlQhtN0BmOMMfU%a4 zL$7Cu88vEKe}IX5m`Qr?A)> z2Hkq)=(mx>W?PimX{QRi?c;R70acE=s@nC)FgGZI!uj|iR2M=^pv#3O)YYbEx@*NG z#`R(o>qep^8!t7Odl_T)AZx51myrxl%8Jd?@-ox&3RCE1rK$3&nz(&gdpbBvUc{sBeb(YeUxd?a< zR&o@??^g3yqfW3!&AhZ&1hJUrqq84kiKVEz`o5M~j%r1pWTn-7tm%j9wid~{zK`{K zA^QKEWWXR_LpGw=WDBybM&N}r(Cwm+x7%I}`x?pq;H6Yv?@uB+&HssW#yQ@uxC-aG z>u_$m!_O-da3*~N^{sE=eCJ1t{KT@tuK{#H5Ih8hfcSua$OsvNgCZz+33JVBliLCk z_=1-_g+L&XF%nr65Rvjh4fSL;B&qV@!>33`>WUF{B~!th^y$tTgE%)1a^7WL zBElFm+%V2tN(04RZISNvL)`ZO)x$>es8Ky`-k$VBJoTKn7meg)-`gu6LwvG&nomtY zy!KvzF!@3(TwA-qG3;-~8~hVM5veeK=tVs8n;JFLZKNSYfPs#!~!SI0&{1G9eM_^=3WsxVKqsA;H8ie)6 zkYKY$q;vl=(HUbT&bvzHx^bAh9?*H@Iir_8mf=(H?9KGNN zwai8ORgmi{5eXRF3nH3%s~}yk?rjx+*M*^Tx8r2hjn&p=z%v`fvCzbum(YmkNu?LT zNQNvnd1l5FH(Q7ez~aj)yVug~f*VffK=7N_g2fKL8G}RF2Hoi=S1?^0b}$OeC{=B} z!L~-|u)(y7npu;LAIxc9o#3c-|N9O5OUJQi)70_%_X}%cl0=$?jg|y#QATY$XV%-A zKMRvD50g)_ml$$I6@oMv%V<%7klKs{OYTFt%g9ctC39*-8^DqHlfHeC?1(#Zoi9`snA@njG-*=$Qr zCCcg2b0&Yz8e`7oygwJp>ycii3ln zCIHlvgtmMssep{hQI2t}6P+}>2`{n`*6YzX8QcKudD&>Q$Gi6U zjz&J(V8Nf>65;d?0&3l?*QeKE>Js1;V6Tt{?0mN!u)wr~=sK4rK9e+Eu&!SyRHS&i zWO<({U98+5Syk;ERgF4&O?J$2C!EY=biRS_eD4Q8=BK2Yf}bb9JP*n9A{^jnglsSJ z0wQmuiO&XL^<|M2n>eiWKSE#;#%YiB4uTwY%#mw>T;Ey>l<%295afMRP%pUPs%tS# z=f{UHxbl$$VPf#KDsOAJxh0WAZ#4)K96to#waipK5Cp|G`lDM%FCG5*6`)7GUGWbYk0_i?K?q2e0`NGYANs zPn#dJJMmgP8Hi9rQNSJ&HxmuSIYp+X?Z{$lIYu>lyfqOdaZ!*eBU>Lo5I{jd@5zQSIbE!H<4eCVjlACzWeivg4}l;-fQ1OaO1N7tx%9>WFeykR z5d@GR0-ypVIHU)Zj{^auB2#-&ca$Z(K5YcpU@qF%THt?IM1HH|j4k-ge^a^+;BFW% zY7`vXBT9BUTVG#0I?_jZo%gYfrdn>TjrOWKRZwryd-MtYM>5fnA%P6#dT^u15>X_O zK?yaCaF8-EbKuH?6&v>bkB`OwOY}cuI%NOcz(WE(?7Q6z{Ph{Y~H_AE3w{zNN zvddod-y?;5-@K`-)c@b%ahp1XDSz@qjsSl2LM#DrZTutdC3dKf)>@auxFAD7P5x^1 z?pU2z>MNG|d)FoE&5G@JvLD@cH@{dp(-wqgSdJf!pD|oM*79|LtMtrueQB2{bnPnA z0RD5cokoe8BxxqrB3Y{x?IhaBc*u27nnPtSwfR!bqc9t00gZ*U7P*?7&SH9<(kx-H zl-V*SU5py+XR+MfGOS>=(*3feTP4eXWLm?f+tW&ATWg(q`{YG7nXSrgQ{lgywwq-Kml2hAs|6QR10 zBo~|ERwj3{`Y@MItMw+2cP;c=!~SXO@2!8&eN?51+&-=PCP*@J8{toEpx9#`mDWu8~=Wlmq! z`RH-H_+ZAx=;*k2@u z+RWouX(VFkqXN$#A-W+dba%v0s8oV3sX#Js`-NcJa7QBLt<(g!29*&pHHDYpmcJui zwK;S88~0~9gl>ShTt#T4;?j$Y2hz%2`(`b8TQ=H=Q8a_~8U-B)^=YsZ71gr!?YD}J z*(uCljzw2yUJ*bf1Y1Ntcz&9TAn zWgnPr%-}G|t*9rg>UkCB^L^!%FN5G3XT7jm`CfEK>#)fAG_-wIXPI*xp}2RtOK%U> z_ZvGxKO8VsG^!r`+mOW^dJ0{O=%k@E?iKph7)z9ebBvN~&3=R0itaLIf7rP29m7k$ zLWZyxn#Asn{X){?`+4)uHVGUm5=SP{MFAre){D@e$Nry3k5x|#`w$zVl>1mAoMIt> zecf`>|FSfyQqVvcjU#F2UI;Zs>QkYipKIf_uW>F)SS~^zLMR;|Cqbm1YL0INO(0lJ zqSBj<(1zv~X_f0%O;e%*_pRJe%2JhF>h3@o?0k~JOTww~4dERLRnQZzqYoDAT0|lh zNZxn%Ii4TbaNy@G>M1M3NU|>1zkdIZcMRbMIussBl52S=2T*w9%STZaQu@TGwz3Y2 zD4>MA0(Wu5n%W7)Hc18yL(I-uM{ZEzd#6B>5r#_LqdLr4iyEraD}+QXomZGaNYvk0 z116BFQq%WcN76OEj?dkH^~F%0{GdS-7n$WLixi34_Fj4Ts@qr8>>|nQjLX5ur63XO z+He*5o`r?qAnvM4P$=DOkf6Rn8imZLBLLOlt1;8@q9OQwH&O%37d?@|no)|>q34DH zP!GPfYvO~qJaexVAK36R{%Sod?Y`TFj$8ZJckm^tGh&rNjEJJ5bkmQ{5li5yFtOjv z*OH>-tvU=%C1s_+Z4&{S#i}}FvN!wBeNs%)q;{;F5nUk3N7(p5S?`Lb<+kr{d!3*Z z#Fr>UT2rOxUl>56=xI^o6hn18XFnygmcv-Nx++{UJO+~JttVO0v^=jn4A3&qz`Lu& zf$R!2vZkc(@QcwRg-80xAg~0rw!2yG8lq08WDWYmRG_MxI3L3sM?>yDA_#kt#NnqtA%d zA;MuM0FT;j^$os3(jn+}F)W0`pK>;+P+!Rm#Sok63s#=H&2u*F*CGwsHB5K=+TG8# z5{n^&W7AcC0!I=;`XWHouKJ{!WTt3?k8E9rHC3b7wK8N& zTWNu-qfp#f9@e0iIyPxf<1OBzAFmXl!bv0zKf@W zG$Sd+)tE(MN$-1b>Iq-onWr~7O+w^Kf1e>hbrpFe^~Qc}M%Z^I&V@N!?X%C~Jho3{ zR=$XaN7ChpSHi5nc9o z!eC(pVs1qsA>l+=Rqu0zd8tul&!L^(L~9bI^(|7;s&2QO*c{2O&82M_xC->Do1v9(7QO4{*JBwJ2Vz{LxafCZrK^=kmx}_< zlfK$fQdB{z*rXi^1;wdI<$}Z+5=^Gok@Yei#*}iMo~)DW9}fp^2<)|>Rfl)>s`%xC z=@Nf$(XJSQHZDPE5YAwU*$EfY!$t8{&TYO|53-MaryVS(~^WSxXV1`L1ljl|o($bm|uwp|3mXMO5 z%MP1iF4eAZRT!qf%NmMeQ!FZ#vY=4}#HH`#LGpJ?!Ah~Z#i{i<&#~vF&ccEMXJP51 zYL2?TMGQOVoz*lCqCJBhry$w~HLvq#_Y{I(@ZWpVZH`5IWt2)lcy|pmDwlRtOPL@CgymPudUXEKFugC zo{9cntQRCC7?PlfVsogCXn}l88HbKfT3E^2TBXXJfo7=P6l5mnR@Ih}O8R7OPBjv# z49OH@lQOj>gPfV_rbeToTrA0JI%tT&jM2%-xgwE6MN%Q6CEMyVn-8v&<}Ky}pQ5Q% zsu})#soZr+jl|5F97p4nWAXyj=um4od=yhC)+V*8#e!N@?gq6%Un5o2SvcEpg*8r_ z-l9_Gf0mic`!l8-pIMS;F_+~*>i6j5>c(1yMwXhT&dB_jbO{#5eu&=q#>|pv>J+M` zU)!ZgbrGq!s%nF(Vp36cH8`ZcyC)Cmnd0R9IB~v?r;M~^>2=mw6|SF3Ze29?a7@TC^qoeiQkar|MhRoGCdtg>n-VjWM)9{Yd4|Ollj4SXg(y8+ znc2I|0cqf@kW8^Osg-UkYCVg$VU|Ay=4AV@zWVudGiPsXs?(U0>$0GR`5P?>(i9D!&pRf4&d6fF z7N%8OfD}_5>DnUMazc6HfaE|io82k_nvd8qyoFg=hKN$|O0ci-YjxQYzW8G zln}p=+qWD-a?`D_W^A!MmB^KINjmutiD#A3zDIXlkiW<}4J#tRKKcAQAML4k`FGOi zHzWHx=t@`2rKka*ic>2Z8e zJbiw$>yEf3?lqCsG3}BXHoFFh+!fp^UA&g3w@Io$6)hE6&fJdQkhodwc4cQoS~&c( zKP)}`O#N)C`7kInVu2VMCEe55QOm{4Z-u3?MvM;exOJ zK3S4rC@lmXWx>joODf0ZtKut4>Z__EQ*p~#Qg;){IK45iB@6Kd3s)>^*O#2J|EqOT z#g(aUj%Y%TIuMzz5XTTfjRLGP6CPi;oTt_?Q|<4!%VXK1&b2!%Wrbz`iuD zH)EExPm1rNO)J`Ze`kg3PgNOO6;Vp$ZsGI0x!brZU7Klk!)&)4y+tp;smE6 zs3fuKK@mq(XJ}N5QH{Db>PA}%;dI=>E=z7cdJ0;sIw-tJM>U~G;lj@gPj;3SC78_+ zE!OX^jg`BUyI}iGc7%HPPmCUXF)&~UBa&Q~Kun8y7R4O72#UCcUFqD;1B#!!JO(a9 zbT_H6l8oP__)LNBckq{@Wve5;=fd#2Pe)KE0|I~d?}nyEKm@Fh%k456yK+ojX{s(5 z{$29e44y2D$0+kagp7WN&bUoyoMq6*Zf9d5_V--zV>HCeN6m`|1>=J6cM3EDXqM4G zrZYaGGwv|xca{4)=j?Af9b?<&<$vkqy7a-7;xsV~rxbN%q<6vE-w98q#MKVTcL6?H*S$__zBiO7jX9?84CdMt6*1 z8dQfBRu{BY6lEGvu3eR+Azu~wm$S}$C$X=X+`M@s z;DkKCL6KCO=C7s{>AO}L_l{v>gVR$O1>4ZH`*%ACW2z&E29||MILnr)rJGaK=|#Eo zE7upWx3bwCl72qM)VEeB;x*i9+rmJxJ}mizQxboL_)}=RZP&OxDVdoeUJLEFvD>cd z^3qb$uG@Rt;^eF;*J)Fl$SIgJwkT}ScL@8MV#s%R$X`4x9%|ms2^R0*h{F7=siR30 zD~azNNau@J{@TN-~ND;OppH zF?_W}xm_52oX0yJ4ar}pns9rjlA0fL3&Jjm?Mi#R(RMFYMZ9dL8db@1ow3Sm%D=^b zU&bz{?!0KpHEPJ3O;yW982O45&JB>?x7p1m6Sro&FO3pkK_f(IiAG)Khx@_$`=RIJ z`G+3v++j>rZk)>sLTC4XqMq2xMVAIiWQ*vJFzkm(o@Ytk~;*&OJ}^NJ* zxQJ50MIjXfw%jMbztXtFm|>ZXfKPLBNaZ3Ec7K3xJn$-ZyhR+}LtH%vLdLs2n!FS4 z6!;YsGLpl1ngf?c5jyXU9dGuYAdIOgp>hge0X1Y@2?3$w4hU!&Y-X#)u#`i>HQ3G< zS|Ye@Xg+tRBFz23C4qr34uQ3B8z~kCbi!aK1l3qNglo+Z91pl5a?GPL)e^R5&x0ee z0XEsj0#E4d!aZQr!mWGAuaJ=9;Ru8jEGb<3;UI+8@=b{7xs(sugK2NTDBOo>HI5y~ zv}g(7x{|Y69pSX8)meui`SgfN_8#Y#K}4^k>5PIItcS8D#fJ=5aDHqZNRH>qD(I{4D;mt z>ZXwpQ0KAC=|ZA7zZfEVwF~}aF7yFJX$z^Puma*b95`kKL6$I{;|qi#h%cC{jN@`@ zEdZQ$xXDhB_~uF;((p8I0A{o(h>rEV#yVw>qEB^iu7zmx%#t}wc`v-TcBpp0CjMcR zFo*SDS@gz~+AhcPPK566>SMnmq_d|(LQ1oJox;03ARMY#lj2lt+AfoC!?P^Jq-Vy+1tJba^Lcz_PtPYsarzX&p-=T z`_tpm!8f$%`&q2?+Ay&BN1b1{O@I}e(svL3s5%~pX+R!l=4m{KTw#?=0 zq_P}@#!vO(0Gy0I5hk2P1*>Kb3GG+;zVwy(D4|= zLJ$1ND)}L3XP7mZ&2_pfbkY@8Icc=kSeNZl^yR5c%{}mW$(^62c7Bx)S`PC-Vja;H z5;ufyh~=)8!R;-+#q16To^tCg>vZNF!~kaVebrGV2pF^Dou4V3t?=?irNhzaPKyn*#V7^6L$0Soz=%up0Ku z+dZ<%IZg**1y0|-c@}VGRgT%0LyofH?2u-9$t^wZbd*+{Ai@VwheM{9xiiuyhqe6M z-$cPzQ|am&o0$2WIO-W2y!V!I%-_DZK}aD&!fGGCt#K#!eZn4qhZ!Gw`}8f5+UK<- zQHkV+#gmro`l_kqbCK&u$@wjCT37pz_&DSm80KFn zffw|+Z%64rPU+y)uute14ErBwKPwI#p2l`Q*NBJ|MN16ByvK?9vt^sn44KJqH1E>L zsIS~f!7-n_hb+KJB4)z%Jxf2d!9W1V-d{(uDuz{J9G*rDSTDt&e#8 z?XiHtJhqL&(Iz%H(!}bErj5E$b`Kn;%=wkNTKS5BRla&|XN*EFNgErS+2W~WGwi?1 ztXD{!u0XuR)lE zYwrKsYkql;JO9I0X-8h)eskUb>bD<&6W)&B_uIYwpMT%$7w`AecF`9A`vdRl$XM-s zhdM%;AAQ$bSfHF*<(q2ypX{BbbB)2)DCXL5`MQ$`lrzg%KgYJVs}P|ao0PM$cT#Fd zv%n_r49WJ$ou`9x2d|wn$l}`C2#}e0c?}5{tb3;mCCxq9r}JB zWl3(kP4*?(H+NP@YS68l^f#Umq7Py;7EWrlBon3IL&{H_T5@!vjIourOtlp#$0ppT z-RjPy_9PEf4m5T7NNSf8&o{p|eA6jqjS^Wp^bvLEdZud0!qOi=Fe2lvkVWV+%aLk_ zQFk^orAJ2RFTqiXwnipfQb78LGB!BKY~1G7HES1v~Ia^&|ULcNR$|$U*tT#h-ul*BHpx>Cgymsb~ZDpP!p47gy?8qFN9f zX=a(uzrq4_mXwxH1-fxn`%gZ9dJDb3S1*b{_dKmFj08BA5O(L+*Wa7s2CkAHP4yQj zPqW-o^2YjHiba@g>l<0sXt~e$-F7!-bAkY^wkc1or=*9rj85ZhAPT&7&R_SJjvW=1 zVDRX2Y7cv7j7go?8fz21sG+Cj9>LXadqri{hCk|G)Sa%z$~P&R9SQ&P&q{$bs}07@ zwq6Ct7;e*(-lGwz(N2T`_ACv_#tc0O!?6_DVBEjf0fgX#ds`=Vv@NU1Obk1c))25< z+?sRAiMnvhoXtnF3n)L_N?fC9q(P+MCBuy7$lo&(+Dm?6F!`rgZeycW9Nor;8mN>qCNvHB0A5%gYf7XTQ}%oBLkEhSl(8Rws@kcoWdE;qpr7Fj1vnH?qtUEE@2qWi7kd^fk))zCh_D^uxAw^tCS^C&4AHYbYIbfO_m zYEhed)us-0sagFhql$JlYe5L(V>(g9lZ=Wq5Ev93655Pe(`L+?3mhr(ppb|dBtd!d zW?Hz3%Zw zo3|z*r>do#zIUueFJaPY2aldSd-0kZZn^BL>&{+z#Q5ps*LBm5d*#==A)=|hjX z&N<(Sz<&X!+L~fz;n-s$a@m1pcX`4`eZ%+t+=##VpDBxClA1b=N>nnIZ(Dv%w{%Z| z-s@Dc^0g9bm(-~us#6D*RWr34w#E*Fi9=QzK8{iCdZn9spceoT2p9y^7_g$pj2#a+ zPBQ}rLsMv$;|bot4?wZnuJ&XNCQ%9grB~Y1os*k|&C7@H(#%@2*f@UBk9$fzvHY0) zj{Fh%WAgswN0T2ivWFAKnA+&0bzn6;DZ&fihFJm4~-rj{pTe z4*;8GPVvT4x!avJ>2{MkYc>{ZNpDE^e2u01{Z{5|(M(sJ)ib)=YwsZQgpS~OVHhxt zq&FB(1xMIG*a!al}JETF5VyLb zLIhp4$J5QmRsS2gvGt#qE`8{!vmseF!cQ_N8Tw@mRbIzo={eJ^5GCo?rEIY!mfDKs zX0u723XwJPPlI!tQN7cUwg*cNg7n)wBesnsS!X7;?`Nxi=G((4qbU!n?gt24_N6ey zo*d}uiYfy~`)RlEImZ->>vUY105UTR1EB%~CnZaR8#jU!;m4AIRmWy$zuxga|EK=j z?LZH6aBZ{%Wb^@L5ZF*DAhD0Mu=41}#YpgwFzfx*(w~l-4@CO%-<{LzLEj;F_c*89 ziD39&gNB&=hkuP>8?E;O>_*$eX)nx@77@RU9fGiZ?qNx@=uyV3EM)<0^|Tj>q^vx= zFb}nVvA1UYaA?sebpLwb+cH$6nst;af^5N`;Hu(2cX1|GGdY|BWS+__&j^Jx;m53Q zP)%`y;WH~ub%Im7Vw|(k33d*Vj?2ubfp}R9J-yB|Dgy{b%edv6;xCTk zmu`R?EJG(FDIG^ObQZ0a-8X1mHI)MtGem2`GAe9Z$llrv<4PU1W)5$y{dD#BSF>IJ z+xPIFRx+o-mBij`8JEfFT@^Lf7Wv+>O5yc}P6xV}f=`Tg4wqkkfK`o2l7D@0PSJT& z5rMPvO!)fw&&PxEyPIyxGE0HQil|grfwbXuCm|eSscSMNVl`gymZc*PO3=ocwyA#4YM@8 zsz!b`Zkd>+)M%E(Ov*z$UA@^baAwG%sPJ-aXex&Q0j2lW3yE~Ngx9rh3vWea z(Wz)MxyTtcoYTpyXd;KR;^+Q8(Vm2r#Hf9W{y0W-wY0z3Z_NLAJyX0fKD@9=-F?xi z>*PqELaM5*${r?`q-$8wFKDT6r4>M7PG9NkoFQy*JRT*}rI@&YL8$Ee9;?7+4>nOV zDQWlL55Cj=2hbXpvMNASb1sWSJ#jz`MgUKTWAV(?^UXTeb)Hg4f9se!Kji2Sv^FfH zQvhdLp|lH&OTq3{3f>n`rNg4AQL+`n;6uwqoeiMuB6Xh>s6pwfK&DL1DOiL6?(g!1 z2wOP2q8_70EW~8e({g&#kn)-08qQ?BRj5#~G%Pc4@SwV9+Rt)1P&6IiwY54*j&z-|K!G}hZ|<%o+Mnvq zr%fj#wuus!bcer#u0p@lAL$tkGm5(`w+-#0b<}ySouNd5Gc)d-nogsU89np?Q7 z!(@T$B0)pro(Ol;gNONzUH{kq{9pNnA8#uxGT*kPyRKpMxltC{(!godY8Bt}ObHkA zC6r>kRrPZ`b44*TWL{>aMroy)MZKc@OFj<8)PvyPpFvY}QmcUzW-?Acs#YO%=ltRD z0+sVGahTyRUgja>nKp>2R=6vK1|Y4F?eL(R zuQU}8xvjtIlpg&i(b(P8wsrz-=Cm8pt=>PWOE>axlGx%(@goVw`v4~#O~>X7g(XmS zNFbDD(oZI?ZzYK@=5zQ0VG1x`?uhG%aY*Y#wF6<}3&4!C>N0$UDw&KGwn2|j0mo-- zMje%q=IV_+$$?V2hR|7qESG~*288|E(Z&lzew9TC5sXrJ2DsrGR*AjH1PF-8 zzD0`bkN7g74WO+}ia*@T03@yBMxzOd%1pJ28w)X@R0@+mzA|6VHy|{DDFDBiqi&aGP-RHc zE8D@^yKY4rTZar(*$gTxMa8slH%mFb85=5uS6{+EM593-kA_hmw`|32M*^QqZ{D9q z43kP_GpQ%@e!S71>n&ph$F*>B{IaQj z;`vv%u^|3tYy~DnHK?+ozz5=rX@!tm&}^`4mvBWZiFUyqEf1EBA+b`K*AUD`9ccHlx1?3 zvUQXGd@^boMy&K;hqhg3`YKbE(&r?GQViP0J&IJ46~v!r6$fWb37<)Whgfx%chGmC zYkL?;3vZgrr*IXkhAl*3#TW5~d^18025lLs<#62u25A#ljE0k=1AZ1CMM6Z*vg9z# zrrofbDYLAt82)ik_$(+%6C=msnAo zFXJooNj|>B28#pc5+*=c<)9=v6EHD*C$76M9Ie`|Q~P#!VkvtmThe+p@%RxqJgeA+ z;mqbMpHzu0qDy>$0DS;qRF4VEUPe^3gi`Fyp16&|+aMN($hlVHWr1|xe{+$>S!D|g zT}cu);c#7zlPCRiW2^U9DU|+4y!(={R5H+CeaYtcnYjpy7Ii2aw=I-FRp)Jkpvr_= zh@!1aUQbDZl=Q%p!9Ktj!2p#3LVUx^1D;X>sh&(01An5Az|X(j^9xjKXqC<7G6P+8 z*FIx*R&;Q9H$LuVops%oDyLJ7naf=9g38;P5#u78WH44raNB#>8l}kgu!-8B3INE(@LFAxgBoIXV^Sa zt;fe;QacGx2Wms)tyNDiaw`)#ARTsmDYxHB_=Fg!LIXI$6c|>K&DRkcAXaslnqO^; zgpb3Q7Xl(KM-YwekA>nE`EQ8fq01?xrCp@7CB3m~+7!BZAZv08+9QQbdnG8)1d1G|bBVeV9r^pSh zS2tFN|6#|za-Xya@-^L=xRt6Z5#s`hk)F&v+{ntaZEd0mN_$ZP=?e-5EH39p6frgP z+ZIUWo~1dUQ#%80b8d4Q1sO&40=K8<_q~O zzA~S&NB{}1^mJwgRXuHV)741@at7nC*i4h@Y{QvNwNPJaObcd}Q_(sa8hS6C4ew(Q zk?%)e9UYGAdAp+4h8|1bZRZLN!V)e4<)SHx9O5t>*^p$ z9l>=`J>pw&~Lx)qT@sZq;>>K{tcL~`F&?`m4$KJ;9xhhXKc5Qudm;Yxga zC!J(+S!96~;5)3$$Xf~1+0o5oVbKHnoI|Fc(@NXK9Lo&Lp?Wy_;8oO@Hl?`|XOCPw zp(jVAHgMqnQ8n(RyfU-&7WbY?>U%J%BqzKjvw~*&u6qTZBdw6IQGvfW4T2^!!FCBP zFqC`+QW{kii72Soc?z347+zaQtT;l5ma5i0EYxTJf1-#bzlKp1RRoW=CHlQ?aUC}t z{nKOWc1GJ&FoSl!F_`9-D;H}q^fJRLNz?H$ZtAXs#f8E9#9y4hA@F=1{irvxa2QI3 z!bM`+W2@L_FZ=OmuJ$!3j%nNz2H7zN|VVXP~wRnqCcFx{b3ByD;? z<)*isPi@&Yl&DOpCiY$uMr3@m%PKwAnLc7MMHc6(6bvZ~B$DsOG8{#CZS<}Ci(dWz z@epb%A-H!NH8bDrvWK*-GJiKCn0n2~Y^Uc9De{)`+;yd;HLsvXOE(~ka}|3jSJ1;G zN7g)RB5s6o4h8cX$UQ#+2f^50&;kwO9l_TV6EgNZ=^|)QLjl)elbqWRuD+1ChSDHf zeudJk)lVf)kq6Yh=*FG{P@M!PFBBsBLMQgY7IMKQ2a_V(H_k{9Dec#OW6vc^TGq%BXXzP7(k;gEU*_LA$;i zgRW<-6<9=lDwR4)kG~dRxV?25Uy2prxuPh02bcM^cp?qhR}{lX#8t)-*fYC)h5iz^ zd^S*aGN$r^N?-(?L0ZuA}^)-}F3|WVKeB>RC z=W~;;F>Zeg@TJWE1zIdny}?=9<;NDDpy+x1#b+r!Nh7*9Tkk!bWA_?IHwK=8ah)R* z@uwyB<%#(tY8*VShaIP8Ik;rB8~9D1B{;;H7%Yt`43dj+TNhsDoR_9K)<4M+ADmCd zzf(ee*fwk05!kg;sn%*9*`Z8VEgXTvRJUPjM)pp7{^L9>t8b$;4qD4t1}F}7-EV(6YX*KCL6(M3W-ZO(s}|{Aa)My6a;s-cVQ#L=Rp=4vho-ULWr_T zOBKK#hficddh8pwJX1Zr`I==c?H-RF0_BD8?9p0gdwDeOsr+~a__mei69#~X=Ru^8 z=Ikrta(#%>d=%Krd}R?|iy+H+!+DlTrEC}@u3@Os&#)UWft8alY(Ne*6fkz*n1ajs z9Gg$A44}C=4uT7L7NzUD!-XDn;wRi5)vCqgJwd7)Td;4CPrpyFd`6T}%m<}fqcU_(p4$&v?3%L2Yk zqr@45=T*C+$^&Ip6lDZel2^9kIUP+iN1(XZ+O{!9l0beLl~ZQOlu*7EhwBm$$s(b0 z2hZrW;qmT2YZAm=^v<*?;>_L(2dCqW$~DEsG@QI{qAt;dxOT|DXUoXIglc zjDv=0Z?2ZqgYA>d^c|P;l+2T@Y8^b1@=+Kf*WnTn4dZ}1G2q-W5VkU+UM(m#K!bsv z5Oal9Y};C70m}(A_Ld8^epCj?(^dP$Cmvr-?n&UhE-t6f+Gw20$gD({FM~CnSgUr( z0d3g(9z5KqdWk6c9u61QoSdWYo3mXg4%`GGmvv!tw_vNeIga{d2!7^y8(syD53up> zu{2vVb0h>yfb~*^7_(G{8k$kC3`M5(E-ee%;_{MirOC{$>aZSh*OnG?&VenbrMwf& z48W8Jv4E5*dt_EYP@_evf@5A^I}lWK=!)i9O`@1-i-2xWSaWQp9KL^NEJW~mIV!$_ z9%VBQ%Kv%U*YF8ji%0}Dflyrmw>hV|z5^m8tih;NmaBm_IYSL;3@eTInH;-~Mb%#! z4-PnZLeB80#emKC+0lUE-P6RN&5_p!DQ6A4WK7o8k?!y=BA1`LmZ*C~C7S-K!J`Ah zqbXl{)-4nLVN6Ds7dt>=y~O6jQ9dR^UB7UUdk+eDj98URn5+45s@ZGm<8@K!X z>;)}5rFKUTWIzuG5b!Ux1%F>~{{OD=5X&@q@6J|K2Uwjcvy>aLIzZGVunt|lQ`p-N zYfr1mXIDBwi)rMtPoXl1vZ;h-ds;)XKC2tp#)(%mJGENks-<)VM~h%42H0WQ^ezsQ zw7wmy`0palDaA)QZGfdkZ;eWld)S>NdwAsA1|5Xr4kyWvn4aAe8$`qcB+ff z?qPqAZgR?s7^lswPtVo7hs)5{TUxW^3Zlwj{Y=D#1#?1Reu$&*Bj$~{BXT)L`Ia_FyfQzsT^>5S$jlf>5AKnfkgSC5<5jk&h7s7ikqtQiGD#E_z04 z(n=&}1d$--9~%uI$qtTV8-3K~oty3%cAsG_?+PRnF6v8zOUM9f1=)Af2mY5r9Hgg5 z;*uS#on z)6%|`wMQqkQ}!(87jtOjJb6|ImUF# zvFTU@$b$N&M#w@G2_f$v60pB!4O}u*a;fFfC|#{;HQME?1YUh;w`{jIatXd`*DS4S zXG;4{5k{g`gDK4!rMlEKi$S_vrJ^cP$(U1`2c=TS){Ex=cD1$Zbj_M@BoPw5_f22+ z3IX_}2{%R`+yt7A&T1DM(@ z*Tft=@KV)kE4w_Lgbf=vYm}f$!%gp66`ItGueR|}n*a}R7sjhz&4=^$oZ2gr{D0@X z7o;F~z>5?mS`408aRlNCB@juJB$-4CDLEw-y)*_!CKgudGGxkPlP$+gcKI9%6)QpJ z9|Gcq5TVE4dBeY%gtt|+d<@gF9oMTzAgaTpY%+yPqcb97vDh3guNMOZLJd*0zF1SD zrLCi@r!Vc#z}S+EjIGH``hYYAWabJ!3+py)+G@_WoVqP zDFh0GBakRG28+WJh$J$FN~1HFEH;PB;|qi$u|z79E0ij=Myt~sj3%?iYO_0>E;n}% zPcLsDUq6>Tbx|>K36rKIot82Uk(QB_Gb68{sHCi-ss@FrYrr)TT1XTcgT>(qL=u@o zE#}a9+I)dfB*t|lQbI<`>53nctO!-p4b!q6*Av7#mSjcMbi=f4$MyUmY(#N0X|+4u zUOycSN8`0@GM&vYEY>$Rw?GI+Pz)zXie^}j7eq-`R82Qb%kFTx+#YXr{qb=PHx3VE zH5Cj-jZ@_CX)4fn@yYcEE@EV+gOlP4d<=zYMi$gm$oe286peA(o}w!{w62(y87<8n zyre6N;u|9RO_}^QNaV6N@#=3Yev*1E>8iSMX69Xsxc76vo&Vb1&4I^~B6Gzy7xrx8 zeZN-(^(>R}0I95cW^F9hD^3hnYmZDR?dDynzlfie(T&dmDrJNSi9xJwibFg6MPG0z zxEOoScfI?|(Esh^VCN5vmG!H}D{FW69N6Zd5rp2XCo?if2?VD> z5P>lkEm~uH+1h@>4-;{-VNp{-GzpVQkY*-Ky|dnhS@tY7u30C_r5#edRh9p_q7gs4${clsy-1e; zj?n#V*Uy!2lJJNMi25RVX(F3uRHN%h1dHJT8p*hkKW#HXw2>P(32=(^EvGLDnrxiU zs)DVFcs?)0Gzm;Bn?lsJ5KTnLpo=d4f)EU?E{{a)3ll=ZN`Qn|7+@rl!scBQoY=CZ6s{6U#0e(W4t*C= z4|H7k#G@GBBmHyxTUxweIsLctrE4O|Ct~kD2jjO$&O^bJr;$9FG+^uRZwC!?a1X57 zUYsR**o_xJ`#lEy<;t#ETJ-zs4p{o;9+cuXnKtQyeLUB9gE0kJphnS;$YX z{vpX26&(p^TmK?DyYtLih(Bae&zLp1L&fDB@72PvD2U=gY%MIP5rL*(I~p0`hOB|{YT zNX`J*86y@HP0~StlVmO@FJ)(gu#vkk#axLrzQf;wtzoEsk_9ZJHJY7yao@{$DdZz5 z$vJTM4IW2nN;?DVn?O85Lq*5NM8btd{C88lQ(VG>j5vRF2^XHb*C?^Ur~pBGkqlSp zh{O8yt<-#+V?+Sqgh>qL5ZMS>4rf`I)Lxh(5}?rRGN?inPBwBJAu3H;nMRYq=xg>F zH7kCE~8A^z7^5j+Y2RnwsR literal 0 HcmV?d00001 diff --git a/site/assets/fonts/space-grotesk-600-latin.woff2 b/site/assets/fonts/space-grotesk-600-latin.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..0f3474ee8af2f8253225f3b41bf79be986a1ae13 GIT binary patch literal 22288 zcmV)GK)%0sPew8T0RR9109OzI6aWAK0M5Js09K#?0RR9100000000000000000000 z0000QgCraJbR3CJKS)+VQiCZ5U_Vn-K~z{L9sq<|FGLXt3W0$z=64H(NB}VCSOGQy zBm;>I1Rw>3ZU>7B3D{ z{r~@GB*-Bn3HnE{ZS~!@APT9V5<7^B_Js`F5KNEO5xxvDEJe0@sBuD71qjHTQJWF7 z(lMhDs)UR{M{&~N@Z^*VS5!Xl6m8{zPv6RNJkc57kyX42LV}PWo#3o%&!1=O`wrRi z{k6E`ueYvPb_yx;@D(IGh?V@`PtxW9miG*&e+Qhx$IWOS<;ay01c;R>rFHU!EZv{$ z)t%T5-_o5z3g?aVb}Y0G-#O>40%MoQh^Sa6+Lz~_{AG6TtClo?Yy!2$$n?D-Fh&j+ zOxa>aKxGllIs5mqk67_x727`F@}1r^#1Y_uQ^( zuN$Qql~GIrggD7bauSjdLP&_(@7e6Vucl;6f~gvc!q36bY*8#CE)?JnFW@3CHq)sE}sq| zjlSHgqbT|GqYn=djFNdryF<{h$R-ezz1vH2&q9Dl1#oJ;nY`fpCt>w6Du7c_fWm-KiIc#if-K~hF($(M z{Jp7Z`yW8)mVyJIxa+u3TsXq17vb1au3S48-QT|p?tUy5Sm4qEAax)}TFV1Z2Eda9 zk_uRYcLUcREJG}vi>|g$?boVkzlcXlz0hu` zgigJAe~103$g;b)i+!~2)q$r{)mC+R7Ig(K0m-FA2wasE3KZ$c zljMd7i9liD^4B}eQyCEW&UXolX8E2VDu$A*peRn#EHBEcZj?3_qL@(TypZjCaohKY z*X}#W!>AC~l168~3yb^4Z;oRrfPgtd)Ru7K$!A_@`kmK3c(>_zpnDn!4!h%~`|tLt zpMu=G?)Y9Sy-0R1?H$@gS8tLM^XxYuxL(_AU+}=FIq>DI{HZVxTHweVdqdZ7cSZJ2 z_q9ufO?Bk{s@y??w4w%%{Oh5qQo7L``+=hO_@%DYhP}V+DkQO~YgcWo6}6yxs=eyVQ?}9+RvU{0wWCOtS_Jx^NBJ`EL%yDg#4`r@ zc=kcwoMTx78S-WJWgw9>B@kOQ!BQ4VG6MrCy!Ff-`QQuSxva4jG=np>&ytytL<2Lm z&*02UCFV({2s7sbGC<4DiXU_ew1|OyJ`S3HnHn#fVFFfddW9ze95VnX?9dXKsePnN zJYbohseNi^P{0xlGh+ZP5t%xIfc_qf2rviG259coxH zC0)g*|GAtH0n>k$d+#^;9{l57sHT7BQ79Pp9BC&($ZaVDIB-Xi#`@mZOX)CE>WP4a zeo-7*{i0J~^&X+h1IRT)rNxgQ&NU)WT=Oo01Z&I0`pk6Sm>A5)Gtc%w5s6V~`5=ZHu{7`mJw6{dt z4AAHV$%F{AC^m;L5Q-!+xk9DZyx_h#6H_yD3u_x&JBQP|X3p$sy&ry2g3p2vgLi`0 zBNM@sfcpWr0={0tQ1{tpP0#oK;dmDg=kWI!XZisj zMrSr>P=4GQhuziL>0R~bWOn{S0fz@PKkE^4)$22~;$69|Ssy1*=kt8|;?>?t)A}tA91WYOHf%1W4wHF|c~ThO^uIqupzT^e$Eo1^J1F`8^8%N#M{UwSM2WluI* z%z!V;crE9U=%ou)iVAndw4=}ZQ^F;lN+uem)7!N0`Td7?$G_|Cwg!z*<^SySX4(0jA|EE~$=Dp~wRfOLuBi~0#FE4NI;ce+BJ@T${A86;= zKCd1grMk;si|6C6Ypu+GI$yVPvANCV*(*n~sh$4Dx8+$~H|l-B@O=>ZteC;O(nn5V zEGnH4Ng2|L-R$7`0CC&n@I8`*tjVgJW=CEK$&c4R_&+=3!12^~bCXB#hrwsY-~Q65 zt)YdowS`mMk!X&z3cJg4_8&IQuRJEz*~~p&C+jTZ>yM(&$n;Qi(Yt3`+427X&HCp9 zmm~KdI*hyT-G+RNIU;a~$|%U*staM$`v;zhkAu?F-tI0)@yv#I4^n$yDDsch*wxEV z*QCV%eIM1Ne*qnsPXLr)l>8ThN0a7%YVALYG4qk}bnnebyYl5X6Z6S9;?9slZsD}0 z_pUO|=jXs5!nOu2M8&6JK`yYPFviKkf+EG zJO3}4akn%{-z93!4p{@~7$vvi^nV`4X>5GK`{uy`-M1rN?*k zyBqY&BjSr*T-m%b8EMRK?ko6LQ2d?YEsQiK?=+Qa|hs%0hl!a z3kTq^0oZo{rUqco0Bjn7l>>0>4xF?D$L+wx0PG!rB?B-s0OJ8TVgS|;Q0hy<6B7~b z(&#jr4xLUXNgad)9F7i;ry~$Rp^zsM0kPOzA`wcZ7BU$nmx~k%J*ASN(rD}JlLiLb zhK39yW2T8I!_1tpu+X-&B&@8ot*r?g8)R!s+S%#a+hYd@iKC;XlasEqv(&{!|oQ9)@VMbGkRK$}hno##Ary!WPy=$<&*3IDPc# zj!7tpAyUU1>S;Km%})hfsA77W2PESjIbS5OLNtU4e z1;Hw5#M=wc@73AduQnE{-=(-CbhG~9QB@fv?_`A(3Uc7zA_c1lNl*QB8j+wb%swJ`Cv-{GGE-d*sk6roq1_p`d~yZ;N)l)L|5nuPKrg39kOvXHr9Uf**(IjUmQzP;YV8vd7D18UR4va>mp`6@`I_tShpex!2XrTry@)E{N!7`S!f|abYy9fSW?Vofj96rE# zl0HPUcar5JD&bOP7xI{Qv>I=s>2@1qgtmpb8}$#%39D@->>CF&wsjnifTI{kU1d&RBNJg3Y__Ai?0?a^Ng~IcVMP8D5DOkpGRT0p>2~bUJ8p-9+zl$fg1xL4ZV--iX?6=4Msd?MOkeN_y9V9;*M_Fcs-HS0uvM{TeK>a3j@Z}$uOZh-8 zRc)=RAwgH>H~p0vQZQ|XDcm0-*8C0<=J(lJw=7_#rvyKqE%PM@JZ#_--yq90+ zEf$a!ZMRC+*Yk7bltlI0rUAJ$q_JD^ZVlSFvxd8Xu5_b2J?I$|+PO)sXkoK6uOc?Y z#ya)et&d)wLf<@QV~Hmmci|?Gbv^S$c*lk3pYiRcf$o_F3d56-k`W3wTzpE=(Njph z8Q@{*iOolBT%+A!QCKh(>xzQG|9=3w2gD-bwnoq%>1vLErW3U{_+tIh9^mL+9|NX7 zY)pqVfKcOu0x<%T@ZI0Oy)&hubmiwYjZ%-kHCn^ZUsCeoRAD~Mtqi9x!E)SR@9FlN zE5f&F8-`p7)C7c&8Yh}Wk|-gp^fWxVa6*;g1k1+>@)F0U6k`*rB5W#bAeF%OR;Pdt_jz4=>LVGtNc0*8amKW=hH&^wJ zoX;$#B#OQ+V)Q&jP!fbmKLu)l9Fw1Qp-x=B+3Obah40=xA zi4}R^lW+bc*UYB}yLr!XegeCgm&X`{k-M^9lWNMYe)z?xA4+-A3*7h7SHF`(3`W{A z5K_&EucKMd%u@~ERx4;f5Mfl5K$1^=6(*%ta#Lh%!+{6K08{+Oeurw%H6NnGqpbUTjIc+Bjj z!=7y1{G|#qd`X=o4@Y_bk}+CXgQtY3LcufTzLPciy=R}zfBB_0L38{M`jFE$^Bc2$L#`YzfMF>;@n*Z*A8y}afZtDt zXFsaQFo~dESpmQq$HKW9FGbcH9N-qf?E)uXyzf6xxn()_;Qu&`o(^>rpf>^edBwpd z3?Whkmf^uV+#|Q#`d|Q0SP%k0~L;DLwyd)!A4)z*fc6#mk>Sgv`LG2zitx< zeP=`3%L`(dWX69Xsxsh03dz)zB2|>3TF^X;Jns^h$4Y!q?wgCd;x$q4*M|+qcqU`E zO$=o&Wf^o~03#T~c{qTN-}Ix+h2dv5Z`qO>88Z*_nMFyKsYavu4mjh}X?L0^FW4$z16+gk z|HGyUtF!hvs3QviNjh@Kwh&9$)XT1$J z*=V#??kVf3tp~~j<$HIu_ht+ zs!;6GvUFpHEx8&_ZP9vXDJf@kmuQtOo0)dr!0@rJ!6s1~TCR1&?ZOk4bp@?eSL-Pz zqx?6pBsHR`E4QwC<(!8S^-LGnSME#Z!Egy_e8+C~2pkAVq^ww?oFD|GDdaC*<{C4U zN8t%oIUHNuhn47V!6CsYa8B}W(3-n}M~kN!Vm2~+(?+RL#iiglgMr0iwb0Et!7wf5 z{hLt1f9@L_l&AuT%|eeYn6UngxNjm}Y)5*kQs@~Qk=qC%5JaIV zQN~K1V5!XXMyac~!3rjYY}aOQ6%Rasl!Yh)^I9k&!xsR^=WgIQtn}imvs^Jd zPlq+&Y(Yf7+rX$=q0xn+MF=2QuZOt#*U-4a5O)+9NFNtLL>muqkL2VKF3A*5FYZmC z65~|r)(3z-x{_STNK3%5!u}z=Qx(2U1z2~OwZ09W$ROM))(htZ1hAaek<+iPwmOOl zjgy>Q%y=;D$*HWa*u}7hQ@PiNDD0K6ym8+qS}3n!L^~yh0bqg#^bm=vHd8RiWD3n> zo%U3+UG!h7w9=8Dm^QeC)mK#$LxE}dHd@n$Z4IRjHi**O8Pn&zYy30X;Rrf*hz~SR ztX=q!<5345ccJ)Qp>85m&}m(2C>x@81lqex0%8hcg^!b%BahTj~|7i!SNPeJ-b90DA6w}o9c|g5E{u7$3TN3 zWVJ&+@jE5V^^Xcg%kL+0!EdOh_1g|%5J3sC zu3?}4;MB)91D)_9+%nyMujWwivOBFH!A**YqC^AjNAy08ks(&P#w7M2^+7F&VL8Z& z7>^Q!2qkf~x0?g$j68U5dN7&s1vMG5(vUU`q`eoveiH4OEvkHSJeqs!4Zzc7mE$sF zmoa{&^#eMTB8yM!910{f@>(VgI7#XN9)&&(0-#Bv^|KmLlvSCwZ{-3S^B?rgPYfj1L=$p2Mua*?|kBen1Um14b`y+ z9X=vHj3b!RL^Vro;1M!pPkKv(c%hCMSZN_Bs)HFd~< z@6*UX@67(Evhv3-W;XAq+-c_*POfJA`_ND7NL{jHH+0?$8lnwQnIhe1(}Es#>%>Xj z>S(pTh2IxMF^s6|3Yy#WPmXT331Acr8{-C&3a}?*_8_#>8P(}4niDr-lW>wh$wPoa z05$W2$gV+kY0{fwzVANKSc&1Pbe`-jMYqgx{L{u#r_^<vK-B@=QWvPb1sX3DKv|lMEAY&k=j&b7ZySA}nZz@y?xEtCP*j zDUwioXj<&P-&g7N%RFAGuXST!b9F(g>A;HnBitC})D=!HUJ#1yHnBOvkGAFhqt0t~ z&bDW%xo7!ho~i++yy>QH3c}p0hU%SDBkyjKw=n%o z4B1)Zn!1F&P3t#uM@%ZsULGsckiLiJ_34_SVn$WOLCxxyU5;bPROzK>k&|JroMp5s zvC^{$<5{=^-&)7HRB*LU>qT!8s`awoY~_zldfYu{nz@wO+GiRHzh%#f61U+fS{-lM zt-uf;I%C87ZFkCJt<0dK8g+52$WLoy2MYB&yY-X-S9+*6(`R=D!fR(4uZCG-`-$8W zX{s&5L{9Gy;xQuzY~Vw2DVLYVoH>o#DM#d(+HcBgHJx>|xg#3eBNw__^&rqt0XFHu z^s&v2)=RFNH(4LnbEz(asBNSoko7w~g6{Db&fjIds;u!AI}2KZM3ZXjYq+UJy^Yov zfrffU3!2uBa;Q4Vc2QLX0U{}@V7>C&6t_ciTT+dz=C)+rd9zX;+UgQE~+EJ1uJKtO;qf0a1`5`hN@^? z`qyaj)(Sg(>8dX0zqUdVYVa|q3aOsFba9Y`g!+1-Tm{!?uC+O2wZ_o}7#=f?Mq7LK z?p+G2CDq}o{>B=c5`XB72R~ON%9~hXei>E4^7^q7E>D7)8ValJZM~bg0vx*>k^UF4mL6fX;85}PI3^Dif)e%pc zBCRo2>+{z+D$AA_$bbL8p~Ju?`IVin`-=PZP1RLZP1W_kY?r)qHXr=^>A3p!VYt!N z7Z!MS-ng=B8@zGb06L7W>>fU6BO6e^4SrQ^y~%=av8>=rJL?1=zRL&GGyXkdd8rO= zbc>hB0Q|uA0%#p}Z}Y)(2m=q13RfXp&Efv~EtS@W8hj7Q zBsO1Bz^6=u?ygqmyko7e^}^5bHB2^J#{)HpBOuqqRajigfbTstkp!x+RMu^Ut@7@$ z)FyDZhU*A*bjQFS0}K&jj>%=SO|W_MdqG65 z)3l?K4ijZxLUntSLt~Oj{h!+0rGL|ciMBeA$=Kil*GCTs53HfK(FTPPGI_~}aAXuz z{sdd)(Xd1*U&m+@)lahs6$Rus;K?71B%!iHB8&arr?9pfLTzj7q}EzOOz-$F1pec-K*2-WAAa2X@CQ4;9B~ks!W8g#N|sDw z5IljC^#Uc&SV}i=tx`Szkr=a@478k3R#n59PO0tWT>;QS6GMQQVsdG>88)~0dzR@* zjZxrhj#Lw>o%4A^31%4hC(o!b?r7n|yKFc<11f=u^ur{af91!PJ?-boeBl*62W;}L zSPSh2JM)B^oa_6%41PVz6{8A~Ql{d7Y$UM2jRa5h!MdDMse!{_YG$pzf8R(sT2|Sl zcez6*ST}#CiH(Ysbb9G|^nR9|{54D4W S8#S~?xaXqu;tAo2S~9su2vSq{fi^hG zZr7Po<bZN1nCG8(eo2YFxpm6EjkW4twrGK&5SvIKZ@KfiGC0Oe>gfDx<6UNyd=d<_-sH z5Gi7*Z0{Bt3=zJhzA{C__caI=>12nAxN( zUYjTH26PDhv^x7bBvQ68B|asjlmw#!uw&zZN%Gm?<9X=3jXjfs*WuE;fQgu*n6zDs z$f4?%Du*xF=qI>q8!gN|gw3`6chD6x;3KXI#lB%AO?rc+cC(d!8Mh_0rl*m{DlS5sZ%YgWq%@^jMnm;+@9M6Mn?smkrG zYTy*@k~SS|P_!1bx~Ql>+5Ed%9F0lL72gkc2n{FnfRN>QQNix7$o_mqzMnkIU!F%U zA?GdUgS4*-bGT+X@cUQ!ZTSX?(u|pv5(5hD{$#}_Y9gFSH5JR48dbC!CT!6DRn0QF zVNJJhwqf-*tA;-x*Ry1WWqHq1u|f1J{sP?WrOPcVW-n2ke~@JLY+tuwO(jU4Ol@8! zE6V`y6Oxn!ywS_j%aZ15J)pgOMjw*%f6liuVC*f+reqPxo}NuUd64b4n1T0rsyvl^ zi3Y#lp2;M65_$aB&L79k%uf#f>y;~ItpDs3F4r@wLL;Ed%QTg>U2KEClPB?uMRb#f zd+=XcO0MN(8S?$TTmZeOMlEmCzoNf#6!J>u$A|va{r_72@1StLb!+(nb!FW=?4=`} zxp~?Prbfh9J~a%DR03^YZs4n`fcq=76utA_KtJv0>gr{kJ!yZ;0N$-STw$g7K#Cm8EH`>W92pCCvp0ybSw+htHe9EWFU#LaVv{egq~J<-(eW4^jmLo;pqhhJs|~aT;J`Z% z0BBvA$SGkKDLdbXu4znasmN7B7cLhLNj(ZJYpybnw!2r_8xn?e?+fvl)PK6KUcLVY$Z`~p6}c0f0gu5@A8>IiDe3BvYcYHAdSaSo z(fnRYerx`wZtK{PUpgJ zCTmomqkvzH84a2?6zeb*>`e@`wm3CLnY8sMxr?r}%{HBe=kXe*S>S1jR1>N~5wF*F z6`{I)k9YrEpJ1zXn~Y6 zbhO5LOLE;Kn-i_ni(RyGHN7lvO)B9HViq#u(3GBJv&*$ED)3J(lQ4)6CRSbT7^B@e zix2M;Nmo5B(Bf&wyivhfx5y?C3TLK?*Kd!>Iv6oNmI2ByIG=; zve-(dfml1kt(Ij^{CtO(#NsF%g{bvUdKM|Pt2#R(+Laa419=xHG%F(=otjmu^)4lZ2j;G7U)2tT2_1Q%*R6Hr$}Muc z+)9nnrOc4z6|2ijxV&AgSW(G1J5!RO&^ZB2m)7%zbuwAOuV!hn@q)Fs)|zmZI%HiL z>Brt;Pfj{Rj|VhTSt8HK5V`xgPi0J>p8gaUB!Bd=UT_t^i_m{u62}Y2vE}jci*ZZg z^+HP=jJ>^rzv2|a+vwYSgq8f2r<76~!k$xmKx4zsoo91x3?`9hcJ18thmFKwMt*Z* z=ZOs@8BS4Ot zl68FDvT&?37~};HOXOmc(WBRyJf@Nz`_rZX1AkAvOa1IPe;I#iSG(1H z{TDOX@&J1Pl*AbCd<+aBV-@GeV(0ZfpAm2JdG#)MO?YGPYfH!GEZ{=C`5exC9>iVX zY^MIUSlD0IxmtcAy8=gYms(>SCIj$t?IaP{vRd zm~X?wWqby+qO7cf$>0NtlF#JNW7;JNlSY%Kq*M9g%#Sj&K5Xvm%UPMPggWu0Imjg` zVOW=1YL)`Y6J@{6*$)o9KrWPT|J$CKaU<=igIQFlgN@hH-Yw2ObYmM@h=Vt|{jj{* zUfQpNciPQx1Sk||zMPr$(u0m?WyW7Bb_8XAZkyjCl^}U-n)-yS%mZC8ar78(J8RmH zKej&mZ2e||9@7gp*B|uOdq?0dVs?pHq+sgju;y+t%gxtl3WHUAR|Ef&5G1jtUoI1a zx4(e0kH_0bDcH|F&h8@R$Jp#xKB)`LjkGLSuUa^$aBUwgWeuOxY}i)5mCyI^-Cgap z>I*CrF1t^oL&Bjsr19UbTNm3{z|>OHJzL{j;gdosZxxY2wq4rdOSvfsg;=A9+SX0(a7NK;mUctdG)Qn zl5_XO9=F2}FzL}`=qP?Uv+AeNaHVcWJKSmRE_cSg@5=W)>#zs2EHmX>K}BWZr+^(h zI2Zy&HPdgimEf$*hR;NHDjXF4v?U4PHjqc*$;TVsPbsjkICf_*+7fVb zoBQWAMl#Zx`wL5A>(choL{x>V!kRiSsQb6V58ua^uVA6?&Rf;}&m=dFNaErS2hQAM@3LRs z69&DvxmCRt;q>~KEAK*qC;O#oAvSM0XQD;$vM=`zHj>+;><60&WneSh>Jl>-6a=U{ZC}H z2S$M$$>cG`D6195b0RA-J5@+fm$q(1i}-qc!Nrcr=;boji=qf!S#fy-VZ9Npdu3}G z;3FQ=bG}j0*C6WwhE72wk;k+iifUCIqbL!LAPDopB-Evbs7lcyl|eJ1&TK(6K&?2U zjrw-`4j3P{mM_R-E1HWMqKz5{Ud+-Dcw!B}&qBQb3F|#bLyd=ON$r-JObuYV4=um} zz$$apt64-xgG2I3W=Pv2R)= zlPaVLN>>9eJO5)psK-&)z40dyB}Nx}I_ZOmbkLhYjrH07p5)MQ(5t2Hj=D6W?~b z)pNbk_q^sx$6Yx6pB~$D`-Dvyq6~S4mTDU5XNa{NDQnX=4gyBzR{ zr#|eGZTbdpG@*n@`Fa4D(H?#F>IfW{K z_B}x5`j6I?ND6hjjm8o#gH=uR2(<^*W`}P^j>xY@wH{aF#i1s0&5y$RW07~Yc_j>s z#e!I>Hs`vFf$ehTHjAQ;?D7r1Yx;K5(I$L zeMM?`jngu2o|l{_b$?xrYUOg49&Q-wfWDgx?@c^4KyR$NE>o=E>EE&Ik`Ee3 z15AvIaEuX@+H;7J*qsn4E@C0Nno@zlV+KPrh~W!E6|_rW+|?fMOqn$_*`5HH93i97 z*ieH!uWqCz(xGP0a6F`haLJooU?Jha%?@qVVYWUnH?niBF|ZoU@y}?+d>FAZ4IEie zAs}gpVi1u63nFK#sZ279rS_lua8`$e%aGKjLGUp3%*HI5+IuDm*67)rK=r^=^fo8#CMo+ZQL*zH-8Nu<%Z0VD%3itGrC7WzNDyvhh6QkMNT zBmF7yxyS!Hg^yXYvQi66IiIR_98^?X zNkOE?B|!>p_VPYp4PnVuB-A8@nW48CIj_9oNHsmwBbuKCoB&2!opu`V-7`V#&T=~@ za0cLVtkv355-D69a8Jh!S=(J{*cKFHI5N-k&LWCZd66BrGkhzFi#*{8l~Dj= zo^TL5J;hYf&Ooi52%<*|9h3eu0Fh(X9a~LltevEgl1O#L0snOBSo;egyu<0$`T~N^ z@IuY4N=xl-tdT{Dq}PCP^o3YeY^Na&W%h=_#dZRM|I5szM1=?yAFAV!x8Ys3i4&Y` zs2MsomPvI<+)8WT4GqbrQw&{A7MNBLo58Ue?gd|UNQ8X?{tT*6QU(lCDRQ9myp4wy zw5y#h0a|8gY@lT1hR23Fb6t?=q{f;HC|?}&rTO#}e9E5yQ#nEs?GGB#A^d6X^Zg^A z5%tR_p7Nn4yaJ%ImwQoo2i9P?=$8Za8cIFc` zTqcjQ=I14QwpVGc>shIgbR%+}%49{IR1A83$qo$XVCn#unTseFoxTFpvLTUu6O|W1 z4llGBDRx{G5C`ou;(cBt125l3V0eZT55rDx+`1u`>Rz|z>7qzOUPn>O0__Z&%jsZ4 zW~f3@bGZlOygJ*)_Z(~u*xz?>78Mv%8NS*#8+dAev9iXLWy-3y4*TtDO>(@b?G7VO zF{{f_YHP5RS>Ae>5}uH><>3rAb5g=$c)vDSFfs|N-vn8_DM&J@>Cw&XVk(mXm))eW z8mZ!44^y7_PkBEd$7AJ)QV2Y8C<@gj$3Zo#b-qOB=Hzu|bKRmnf_11QU6$iYJ#tM)&sjN12$wz)M_ztS-ehV zv0|bZlL}rz8;4OzU>i4UeSLDd$gO0`Qj57ZD~wMkT#)@=nz^Tt_$B%Znqw%>cL@(FY<|awP>1XQWM**9uW+ zKt1MZg+U-cP*yOVaINZ{IsNAHvjmkS_`w1z98M547eXl3f`Gtt5@mziS2OZ7-F0P} zP(&#-M8pm#<^Th zyUfY}o|TBzy)o1!Po!n-p;znn$WG{GnkaLvPKB6wsO(vlM?A(ewG?UkyTX$g2A^%x zJ;iK-bPc0$xp3;Fb>_ep$3dF#RMukS~vz-2R9^LQg0mPo5b3E?x7?&hfz6aW6*4Rfbo zC9wV=R6vNmgcVpi7TDqB?{M{M-sgO|-GiOA(4scdOWV0F=^90Z*W-lfReG5awfi|A z0M12{>hJ$d{e#*%n7< zD&nOLo_fmIh~2>0B*x0AftoxT10j8Nqw>kegSN)7Oh%TSD!kaLhYr6_)5g8r2Rv!C z=g@Ud&AJtqLd@$BTqs}|tbf?X=(HwLR4#gKZeGK9feG-iF~-hB*Uqy%4CJ2F_sWBT zeZsSxGHmn^bWSjlptwBk>#e~Te|#rK=o^M!(K6IVVt|k%-Pl!SHwKb;gqyYUkD|CbK~D)hoJP(!uqiR2`B z-1tT50qI22ys1RpvvZ5RrZ2SnpO;Z+fXYm_02O6 z2@JKH>+=C}xKz8STsai)x$YrrI9^>j=$Bm6urp+dG^vEqL#oEzxa9}6BZ9;hfXre7 z?iZIaBwcGgCzS0pL=nMY@Kk`|sG3o!s$y(Qn|-EDk8HDV{`wO~sfXhd7Pu2^((m;2 zKl~j_;xC}yluF`W>%wtFD*_od-sTS@ zUVI6#lO#ATGs%NE1Dj<7QD|&csaevdYtwDpSQTIdTJY3UWuX-l*0pE#Lj%{vLnM}t zvjcI*%F01-zcUIN5|lDLo17JP@O=XqpCr|N{4;#C%+g<)OuD_Hd zOZ}gCPy}sRXw;f@1MN*AjoSf+K{{CLhuu75FwRmI1TQQ=9$4frboqzXP)-R`e9JS^ zajs_=qJ?aO&X^ulO}-;Gnf$oi_5Gxn_#mf}3Oj_SMPFq%i0()8;z}}@n|Hby#+kY2 zhee+Q8VQT@`7=aAg3O71`m8=A4ZAO#tOG~eA%V(T;1Uo#Osrzo$GnjBXIo4_ZI+pl z;8jBc_S|WG96VZ(SAX6V&>8fZ1I+GDLxv-;|47YlePb>r!ID_zpw%{iAVMHwh%l7) z9!$2M$k}nlD^Ir=43Gc-bV`R&1_H4b+Cl5FQXdSZdSe7GzgAv+>V|%afB^KuBOfg( zcvp4VwERQ7Q$cuH>*AX^oxb<%2T^{E;SeDxr*Zq@b_ZexY+LFS@wjQr3UnFoPBeW0M_U@2Af3@D>jQdB0A+zRAN#XofX!m|y@gza?=YI?V z6r&Jb_g~)yD$WJa9PCL@}bCm?ig%Ju~n1H878S6*H&_SwHF-Lb-uj_a(5jH7g= zBIrjIU?t;ul;I0aTZq^kr*4L86P8zU9mt6)jC&+iU0PUJT8b*<_sDDSNe}fK zE5i07M%zQ1b)4dtB=AmmE-r_F6U2ze1m$fQocX`&2g?YT;w+c?Enm1^`#M(&rIKkr zNj(gceq5io3euLr>GjSq0&IV_!1_sjli_hY+a*RXF9VG^!wN_kn&Y}`1kH%W;@FRC zbF^Mq2vI#Q^0z(i)LgEB>oVj0Z)}3V4C7e4cINzm*fEgmS_mv3y;7|S{t6}SV}30;~IpuI8I86<(QtAv0+TT0_AxOHY7(lDzA!&@{9=? z3dVdI4XRwJ>jXj^;-5N8?v*ghsV>EQQ(W zR)%fm&-N_#s5{%a2=2%cl}hao&ru&<9uowy56XpOy9xk|<7~X#n*w*ENzwYzTD^y0 zBU&I@G+Mv63*6oah*dTatwuGif+U)-Y7E<|{nF|wgF!Z`X&ZW+p|mW!y?d26fL3CB zWM=s7lcX{k${~KgKjyb91<=y>t3C22)*Xq+muc1=%o_hb#Q3}CsNd>-rap@ zvW&xEt4XG3{nq4qn}D>^%HF{YX`}J0*1_kBD_^gy{t}m$*RsoPLg-rh)o*>}A6Odm z?)*ampq$~Q1TE8QX@^j0q5S(|M`3ioNpM`ZO-2Hpee4rI`dc#zUVkS{ zDophmMd^-WgY)N=>t+dd3(jW|b6X<<)S@v2y^%6UW;Pnsm6kFFqtTrrvkj{|dIXm6 z%F%|llLc+ioWgV2a;4JqxZo?y0h4(#W0FyWm0Ks)O#v#?ngxVn3;}|e>w1_x-L?4* ziNL1@HI+nRmM4u6xjI-IKUr=v2*I_wax^}g8gXjyl44UaIFS5zbCJkMUY zkvo|LoCl%I0;+|;&Xx{hjVc71 zBn2&P(5#r(SNPGCXe3c&>Y1vIg#@9bR+@1W$JSMuM%CUUKwAyU(VS>fG;!o0DAmn}3SkK~i zZp%?k4V423bi@@jFCjZ$u)TIb&x@~g=o}+cIW+WTC1_=DvRBAF( zal_LQbhD1NM+&vYw0Uf!E4*r3VO)s&7f3%PFesATKFFbp*2oZXQ%3k~VdWl_L2-V{ zRo~|u@*v0wG`v$|&icC+_lt_V#WT?`G^zlna34#(h4eTa3B|~_&D|qbz)6|e7~C)P zxUCmMBT}Aa6uVYU5vQe|)v6JvGpdx+FG0r;E{u3aF>^gZL2*lBl@TrIj%Y(+VCBbd zq#`$O_ap>kDZ$S^*|y{O)O+??c#4z-U76Bk8&M16xO$V%=YiVaqcKK}R6m7}=U1p+ zJgm$#mBz5>aA-=bP4f^HSvN1pq}Syc?h$lDP#tT5*Qv5g)W_z)lo=7BRpi0&;89~c zn;}ZJ_8iLnKX#$SWMcX5BnWcaU7nPb7u4u}{T=a;(W^gpp{AxNwiD>A%2@#lM&Zs{ ziagUCgfQC+Ub)wgvb@T(UnnY6Rgzq>JDSg0#5fA!07J%WfH44h%vz-YPc+v7aB|Zo z#avIrFc?Oru77B5R#}2Tj*tL8K-M zC>-!~rxX=VNU6EdttjBepDR97RRQWFUG<^&To4#6)0LMAYQ09smMEq|v_M~pbyc~o zaRrq>8o1VE3+C6rJkq53_IbI7K)yiCpYvtjK{s#_>lm9;`($ z`YYOrH0)JrgSqyPIa~#uXxP_mEP*ROWjDCkkmL><%oduu-UV_0MDJc}2o@6auT9ye z;L-8h2Y2hkba@eG^`cCnN^dL+UEK);s_dsiQZ`D^<*ls1SYE{Bz?$3!*Jlh)%p9%O zFe}v<630U2-QVlQ1g~nvyw5O!pD`hhnSZKjAWq!iK{W>%HADF)nYNt{Fyse!P6Y=D z?^)0^SmgiI4}FL6S)4f9Guv~{7wjDmE%eVpt_?f5S{62g>*Kn4{Ra2cL5HtuS3#nJ zC@9XTJ!_rj_kntd&5kI;^L_5&+o|WDdv_0GmACTm(z{!aRkd>Ta_{v*3um~wzJ4!A z&ucYz3|3RJaRlrn>ioEhEcENYdVf;&O{4^r3Bj?E?<*$#$S=Y0G|{QQ;yVEZDd zrg)n8JgDv%uOc`egI^*4?oA0b5OJCCyw=dQ`l?8bn^#$y#`l>y|JU$lK1jaYN?OwH zV&eftkbFH~&d*z23fc((?kl(dXwT0Gs-(64(ZH>%4RF6YsL#~4%MWc^=Nkw|lQ_0i zG|($4jLmcjw-I+L6_c7EY6RP6RO-2@=XyBf2KOj~iPT?Q=i8I>Mc`?v;({hlLNcd` z%sCJt8ExKx!q)BtATMyTl44ANwZP^^kzs?bp{7vt!hpR=x}cZ zgDi{YIUJPS*Ur@dys|REm*5pRS3~n-*N7vHF^7=xoyz^_@CH$ov8;}yEk-1ivIL6N z(jB<KDBx-ttq9J)S@~#hchlW-W$xAKPW( z>0LdVbF!Ysd2wnu8KkfBZ#9eEmsfntR^LASd z+l7w@{CFTAtO9t^VBL&OicMo6g+9%9++IXBYfhP<5f_CZB3-o{081auy?^<+%xUzoNq)V@<1ik3LNH9+rhisWcu`#Z;P2gOd}APS*%8P zlEJkB3NI0p2i~PqYYm5pD^r73$<& zuJ$kz(B~}&j+*`E2&}G%A%+Gfhca64r`rL2ZMnPCUpJ>wI5jg6j?ixb?ncp_E=s|5 z#%MhT7#VgC1P>c8hki@$IbUv_ZoR@Cm_%<*0%-}P`6LH$w8a38<SFcA)+Imr0z6j8jT0rhI z&0QgVVJ)v`ag4p>Zr>3}x0_7e&liUbBMphTuoc?1&4g#Q)Pm%cK?ANCNG$xN(;Ym*PAJsZ4l2tx1r65z18tL^&vjVGdAlBN3ToY>-`EYBey zS*eAfAhckZJQP-IEC;xfBS~aDS0kK3hd{uuMK+ZYJ?U2mOsxVaIazkZXuW||^0m`B z-UE|iIY^AK%u690G<*+DZ;aX2x`zNc80t~Aj1FiIJj;e0pECreY1_8wB>}UlKGV7Z zk5$2wH8U4!X$Qi%6oaa|j62Gq-Z}r$047tyN1V$9k;Dpvyzx+c0Vt%UyU7q27VKKE zXPOPg$JY;tUHx}|O?#iK)435RtTc(j__M`!p9d;Is7l(YX&DO7#3n^H&T$0(7hw5L^|(5dnbL^!gtp|Nf<6d zt(~p`Y^=0UkoL?rlNtma(H0DhV4P(PP(1mb6Z&CsS%{sKpHt1w+G>TM6&nNwzD#eG zS3q!wwFJzp(GY>nuvKXw5NyfR9prMZ$!hhg1Z40upp?FMtUwqHxFq%xeFoe1IzhJ@ zTi3Xq`n4kk4?;aV;hyh&|Eos>#>GeP|NeKrbYsLJToUm*lPDYPudC^f%hR9chnWl+ znL_Gr5*bEDT%-ciB6^yL7W*& z(o&6F+uRxmSuGYJPA0@jE9Z5&)6T6OZJc3DfV?7H+qBh`X~HXj14q#aTvNNpqd@`n z1y$+pYbj;zYhzi-?Xv`WK$Td}>k=-Lsl9f~PtV5n<$g>aG>aCXcx-KaR zKwilXxsS{I6O!ww+-7D!1+O#^%~{RdWZB5f1`&`!7%QCPPcyF8nhvAm&r|=S6t`Ak;l~U#2X}hDDV28qhW`ybc`;H*E}6w$SU*m1zq*b}BajpV3phRF@cv z7!jh*^_S5Um6^*HYk>>P!u=u|^@v+hZcj82imuND%{L=lWqoh)~WS%!r#2bIZp|;2Q-hhEh1CzUW#ydIm-&W)@a9b`DOy zAP7mrP(YRHUDvAPJL12cI(lg`)C(d~@Yc#V(g{QkI%K~C&bz>i2Lq#RczWSkxyt3b8}fDZmI62J(#a;f6>}@n+4tV*Dy&mf zM9cxbe5a3YJ$m))GhmKE^UO8hLJJ(U#}uP1GGvUmj(Tr}l_r{OnyID}J3(TCg~mHh z>YJ~=Q~BVd!^})9=E>A(#5md3yW_5z?s@2u)6RSkpwkSk3u%w8PX6LC+LszKnUg8ui+K37$7Nnab^7vp)a=jl0EgnD4+}{4?m5{0 z-kEP4;)Eu)a@sa(NvQnqtQ%ewTU6MffuSc`i!E literal 0 HcmV?d00001 diff --git a/site/assets/fonts/space-grotesk-700-latin-ext.woff2 b/site/assets/fonts/space-grotesk-700-latin-ext.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..db732c272dc2d48c5600b88ca24d2206fb123bd4 GIT binary patch literal 18940 zcmV)0K+eB+Pew8T0RR9107?7+6aWAK0J%H>07;Di0RR9100000000000000000000 z0000QflM2~CLDrHKS)+VQiLZ4U_Vn-K~z{L9sr37FGLXt3ja9l2n&W>05IeP0X708 z1C2BUAO(bO2c8%V2OHO_XQ+AiNd=8>tNH;0FEJVsdmKpU4mm1nC?^$1_W%F?=O-H> z8{Gd6;Mts0H?^`Vg}_V<(HX9o5l+crk!B2`vshsg8S^~m5<_%xvVpRgDN;^WF61hy zMw((ls==o9yy-<<#Lw3yB^O6Gxj+(xm;nLvjV^(<^f=sN)BIoB!tmBH~36 z6_hbVF+dT~A<|w#(!dyE6vJo?T$G#Z?>6oA-(2M1+jmhe+GW0ISHAW|℘#uhC9M zoE;HijWx@Adls?N*l|wCnhCQiNXyV51y3M^m=i)uLrQq+J79liua|flCzO_0fge~N zY8*kD?9c18dIrhzx7c3@mMo(TkzpKOAnbPUxVtir<|;0)-R_E-kTOIL^UwbuvES#t zED9u{1ma<~EGyx_TB&7eBIEye-ZuZg2tfk%YxYcKx18nA?Va)UEa%Kp#Gja6@zMgt zQV7AuN{cch23a7ZBd!y+T5lU5=m4NRP-t!c;Ozv_VXl!%qy|Dt3jna- z!~!Pt2lr|8a@Q0_MmWKEqt!vdIq=XX9Mz& ziaDM1V8NRphGoKts%1aoV!1<^6J%zvJhFM@-%W|&2)^K9fbyIv{BSw zBihXl_=;Sv4Sem2pN!74D`Q?Ce^zSFQ7C=0XdsbITYTC+54|&l__^^3A?7d$oP4{xkW-;xmQ))cPoqdl*Y~#h*xK zTsbdkmjpS+7q99N5Z^0&C27-A+ci&UFX^j6XicC8dIe6zy~%dlQhtN0BmOMMfU%a4 zL$7Cu88vEKe}IX5m`Qr?A)> z2Hkq)=(mx>W?PimX{QRi?c;R70acE=s@nC)FgGZI!uj|iR2M=^pv#3O)YYbEx@*NG z#`R(o>qep^8!t7Odl_T)AZx51myrxl%8Jd?@-ox&3RCE1rK$3&nz(&gdpbBvUc{sBeb(YeUxd?a< zR&o@??^g3yqfW3!&AhZ&1hJUrqq84kiKVEz`o5M~j%r1pWTn-7tm%j9wid~{zK`{K zA^QKEWWXR_LpGw=WDBybM&N}r(Cwm+x7%I}`x?pq;H6Yv?@uB+&HssW#yQ@uxC-aG z>u_$m!_O-da3*~N^{sE=eCJ1t{KT@tuK{#H5Ih8hfcSua$OsvNgCZz+33JVBliLCk z_=1-_g+L&XF%nr65Rvjh4fSL;B&qV@!>33`>WUF{B~!th^y$tTgE%)1a^7WL zBElFm+%V2tN(04RZISNvL)`ZO)x$>es8Ky`-k$VBJoTKn7meg)-`gu6LwvG&nomtY zy!KvzF!@3(TwA-qG3;-~8~hVM5veeK=tVs8n;JFLZKNSYfPs#!~!SI0&{1G9eM_^=3WsxVKqsA;H8ie)6 zkYKY$q;vl=(HUbT&bvzHx^bAh9?*H@Iir_8mf=(H?9KGNN zwai8ORgmi{5eXRF3nH3%s~}yk?rjx+*M*^Tx8r2hjn&p=z%v`fvCzbum(YmkNu?LT zNQNvnd1l5FH(Q7ez~aj)yVug~f*VffK=7N_g2fKL8G}RF2Hoi=S1?^0b}$OeC{=B} z!L~-|u)(y7npu;LAIxc9o#3c-|N9O5OUJQi)70_%_X}%cl0=$?jg|y#QATY$XV%-A zKMRvD50g)_ml$$I6@oMv%V<%7klKs{OYTFt%g9ctC39*-8^DqHlfHeC?1(#Zoi9`snA@njG-*=$Qr zCCcg2b0&Yz8e`7oygwJp>ycii3ln zCIHlvgtmMssep{hQI2t}6P+}>2`{n`*6YzX8QcKudD&>Q$Gi6U zjz&J(V8Nf>65;d?0&3l?*QeKE>Js1;V6Tt{?0mN!u)wr~=sK4rK9e+Eu&!SyRHS&i zWO<({U98+5Syk;ERgF4&O?J$2C!EY=biRS_eD4Q8=BK2Yf}bb9JP*n9A{^jnglsSJ z0wQmuiO&XL^<|M2n>eiWKSE#;#%YiB4uTwY%#mw>T;Ey>l<%295afMRP%pUPs%tS# z=f{UHxbl$$VPf#KDsOAJxh0WAZ#4)K96to#waipK5Cp|G`lDM%FCG5*6`)7GUGWbYk0_i?K?q2e0`NGYANs zPn#dJJMmgP8Hi9rQNSJ&HxmuSIYp+X?Z{$lIYu>lyfqOdaZ!*eBU>Lo5I{jd@5zQSIbE!H<4eCVjlACzWeivg4}l;-fQ1OaO1N7tx%9>WFeykR z5d@GR0-ypVIHU)Zj{^auB2#-&ca$Z(K5YcpU@qF%THt?IM1HH|j4k-ge^a^+;BFW% zY7`vXBT9BUTVG#0I?_jZo%gYfrdn>TjrOWKRZwryd-MtYM>5fnA%P6#dT^u15>X_O zK?yaCaF8-EbKuH?6&v>bkB`OwOY}cuI%NOcz(WE(?7Q6z{Ph{Y~H_AE3w{zNN zvddod-y?;5-@K`-)c@b%ahp1XDSz@qjsSl2LM#DrZTutdC3dKf)>@auxFAD7P5x^1 z?pU2z>MNG|d)FoE&5G@JvLD@cH@{dp(-wqgSdJf!pD|oM*79|LtMtrueQB2{bnPnA z0RD5cokoe8BxxqrB3Y{x?IhaBc*u27nnPtSwfR!bqc9t00gZ*U7P*?7&SH9<(kx-H zl-V*SU5py+XR+MfGOS>=(*3feTP4eXWLm?f+tW&ATWg(q`{YG7nXSrgQ{lgywwq-Kml2hAs|6QR10 zBo~|ERwj3{`Y@MItMw+2cP;c=!~SXO@2!8&eN?51+&-=PCP*@J8{toEpx9#`mDWu8~=Wlmq! z`RH-H_+ZAx=;*k2@u z+RWouX(VFkqXN$#A-W+dba%v0s8oV3sX#Js`-NcJa7QBLt<(g!29*&pHHDYpmcJui zwK;S88~0~9gl>ShTt#T4;?j$Y2hz%2`(`b8TQ=H=Q8a_~8U-B)^=YsZ71gr!?YD}J z*(uCljzw2yUJ*bf1Y1Ntcz&9TAn zWgnPr%-}G|t*9rg>UkCB^L^!%FN5G3XT7jm`CfEK>#)fAG_-wIXPI*xp}2RtOK%U> z_ZvGxKO8VsG^!r`+mOW^dJ0{O=%k@E?iKph7)z9ebBvN~&3=R0itaLIf7rP29m7k$ zLWZyxn#Asn{X){?`+4)uHVGUm5=SP{MFAre){D@e$Nry3k5x|#`w$zVl>1mAoMIt> zecf`>|FSfyQqVvcjU#F2UI;Zs>QkYipKIf_uW>F)SS~^zLMR;|Cqbm1YL0INO(0lJ zqSBj<(1zv~X_f0%O;e%*_pRJe%2JhF>h3@o?0k~JOTww~4dERLRnQZzqYoDAT0|lh zNZxn%Ii4TbaNy@G>M1M3NU|>1zkdIZcMRbMIussBl52S=2T*w9%STZaQu@TGwz3Y2 zD4>MA0(Wu5n%W7)Hc18yL(I-uM{ZEzd#6B>5r#_LqdLr4iyEraD}+QXomZGaNYvk0 z116BFQq%WcN76OEj?dkH^~F%0{GdS-7n$WLixi34_Fj4Ts@qr8>>|nQjLX5ur63XO z+He*5o`r?qAnvM4P$=DOkf6Rn8imZLBLLOlt1;8@q9OQwH&O%37d?@|no)|>q34DH zP!GPfYvO~qJaexVAK36R{%Sod?Y`TFj$8ZJckm^tGh&rNjEJJ5bkmQ{5li5yFtOjv z*OH>-tvU=%C1s_+Z4&{S#i}}FvN!wBeNs%)q;{;F5nUk3N7(p5S?`Lb<+kr{d!3*Z z#Fr>UT2rOxUl>56=xI^o6hn18XFnygmcv-Nx++{UJO+~JttVO0v^=jn4A3&qz`Lu& zf$R!2vZkc(@QcwRg-80xAg~0rw!2yG8lq08WDWYmRG_MxI3L3sM?>yDA_#kt#NnqtA%d zA;MuM0FT;j^$os3(jn+}F)W0`pK>;+P+!Rm#Sok63s#=H&2u*F*CGwsHB5K=+TG8# z5{n^&W7AcC0!I=;`XWHouKJ{!WTt3?k8E9rHC3b7wK8N& zTWNu-qfp#f9@e0iIyPxf<1OBzAFmXl!bv0zKf@W zG$Sd+)tE(MN$-1b>Iq-onWr~7O+w^Kf1e>hbrpFe^~Qc}M%Z^I&V@N!?X%C~Jho3{ zR=$XaN7ChpSHi5nc9o z!eC(pVs1qsA>l+=Rqu0zd8tul&!L^(L~9bI^(|7;s&2QO*c{2O&82M_xC->Do1v9(7QO4{*JBwJ2Vz{LxafCZrK^=kmx}_< zlfK$fQdB{z*rXi^1;wdI<$}Z+5=^Gok@Yei#*}iMo~)DW9}fp^2<)|>Rfl)>s`%xC z=@Nf$(XJSQHZDPE5YAwU*$EfY!$t8{&TYO|53-MaryVS(~^WSxXV1`L1ljl|o($bm|uwp|3mXMO5 z%MP1iF4eAZRT!qf%NmMeQ!FZ#vY=4}#HH`#LGpJ?!Ah~Z#i{i<&#~vF&ccEMXJP51 zYL2?TMGQOVoz*lCqCJBhry$w~HLvq#_Y{I(@ZWpVZH`5IWt2)lcy|pmDwlRtOPL@CgymPudUXEKFugC zo{9cntQRCC7?PlfVsogCXn}l88HbKfT3E^2TBXXJfo7=P6l5mnR@Ih}O8R7OPBjv# z49OH@lQOj>gPfV_rbeToTrA0JI%tT&jM2%-xgwE6MN%Q6CEMyVn-8v&<}Ky}pQ5Q% zsu})#soZr+jl|5F97p4nWAXyj=um4od=yhC)+V*8#e!N@?gq6%Un5o2SvcEpg*8r_ z-l9_Gf0mic`!l8-pIMS;F_+~*>i6j5>c(1yMwXhT&dB_jbO{#5eu&=q#>|pv>J+M` zU)!ZgbrGq!s%nF(Vp36cH8`ZcyC)Cmnd0R9IB~v?r;M~^>2=mw6|SF3Ze29?a7@TC^qoeiQkar|MhRoGCdtg>n-VjWM)9{Yd4|Ollj4SXg(y8+ znc2I|0cqf@kW8^Osg-UkYCVg$VU|Ay=4AV@zWVudGiPsXs?(U0>$0GR`5P?>(i9D!&pRf4&d6fF z7N%8OfD}_5>DnUMazc6HfaE|io82k_nvd8qyoFg=hKN$|O0ci-YjxQYzW8G zln}p=+qWD-a?`D_W^A!MmB^KINjmutiD#A3zDIXlkiW<}4J#tRKKcAQAML4k`FGOi zHzWHx=t@`2rKka*ic>2Z8e zJbiw$>yEf3?lqCsG3}BXHoFFh+!fp^UA&g3w@Io$6)hE6&fJdQkhodwc4cQoS~&c( zKP)}`O#N)C`7kInVu2VMCEe55QOm{4Z-u3?MvM;exOJ zK3S4rC@lmXWx>joODf0ZtKut4>Z__EQ*p~#Qg;){IK45iB@6Kd3s)>^*O#2J|EqOT z#g(aUj%Y%TIuMzz5XTTfjRLGP6CPi;oTt_?Q|<4!%VXK1&b2!%Wrbz`iuD zH)EExPm1rNO)J`Ze`kg3PgNOO6;Vp$ZsGI0x!brZU7Klk!)&)4y+tp;smE6 zs3fuKK@mq(XJ}N5QH{Db>PA}%;dI=>E=z7cdJ0;sIw-tJM>U~G;lj@gPj;3SC78_+ zE!OX^jg`BUyI}iGc7%HPPmCUXF)&~UBa&Q~Kun8y7R4O72#UCcUFqD;1B#!!JO(a9 zbT_H6l8oP__)LNBckq{@Wve5;=fd#2Pe)KE0|I~d?}nyEKm@Fh%k456yK+ojX{s(5 z{$29e44y2D$0+kagp7WN&bUoyoMq6*Zf9d5_V--zV>HCeN6m`|1>=J6cM3EDXqM4G zrZYaGGwv|xca{4)=j?Af9b?<&<$vkqy7a-7;xsV~rxbN%q<6vE-w98q#MKVTcL6?H*S$__zBiO7jX9?84CdMt6*1 z8dQfBRu{BY6lEGvu3eR+Azu~wm$S}$C$X=X+`M@s z;DkKCL6KCO=C7s{>AO}L_l{v>gVR$O1>4ZH`*%ACW2z&E29||MILnr)rJGaK=|#Eo zE7upWx3bwCl72qM)VEeB;x*i9+rmJxJ}mizQxboL_)}=RZP&OxDVdoeUJLEFvD>cd z^3qb$uG@Rt;^eF;*J)Fl$SIgJwkT}ScL@8MV#s%R$X`4x9%|ms2^R0*h{F7=siR30 zD~azNNau@J{@TN-~ND;OppH zF?_W}xm_52oX0yJ4ar}pns9rjlA0fL3&Jjm?Mi#R(RMFYMZ9dL8db@1ow3Sm%D=^b zU&bz{?!0KpHEPJ3O;yW982O45&JB>?x7p1m6Sro&FO3pkK_f(IiAG)Khx@_$`=RIJ z`G+3v++j>rZk)>sLTC4XqMq2xMVAIiWQ*vJFzkm(o@Ytk~;*&OJ}^NJ* zxQJ50MIjXfw%jMbztXtFm|>ZXfKPLBNaZ3Ec7K3xJn$-ZyhR+}LtH%vLdLs2n!FS4 z6!;YsGLpl1ngf?c5jyXU9dGuYAdIOgp>hge0X1Y@2?3$w4hU!&Y-X#)u#`i>HQ3G< zS|Ye@Xg+tRBFz23C4qr34uQ3B8z~kCbi!aK1l3qNglo+Z91pl5a?GPL)e^R5&x0ee z0XEsj0#E4d!aZQr!mWGAuaJ=9;Ru8jEGb<3;UI+8@=b{7xs(sugK2NTDBOo>HI5y~ zv}g(7x{|Y69pSX8)meui`SgfN_8#Y#K}4^k>5PIItcS8D#fJ=5aDHqZNRH>qD(I{4D;mt z>ZXwpQ0KAC=|ZA7zZfEVwF~}aF7yFJX$z^Puma*b95`kKL6$I{;|qi#h%cC{jN@`@ zEdZQ$xXDhB_~uF;((p8I0A{o(h>rEV#yVw>qEB^iu7zmx%#t}wc`v-TcBpp0CjMcR zFo*SDS@gz~+AhcPPK566>SMnmq_d|(LQ1oJox;03ARMY#lj2lt+AfoC!?P^Jq-Vy+1tJba^Lcz_PtPYsarzX&p-=T z`_tpm!8f$%`&q2?+Ay&BN1b1{O@I}e(svL3s5%~pX+R!l=4m{KTw#?=0 zq_P}@#!vO(0Gy0I5hk2P1*>Kb3GG+;zVwy(D4|= zLJ$1ND)}L3XP7mZ&2_pfbkY@8Icc=kSeNZl^yR5c%{}mW$(^62c7Bx)S`PC-Vja;H z5;ufyh~=)8!R;-+#q16To^tCg>vZNF!~kaVebrGV2pF^Dou4V3t?=?irNhzaPKyn*#V7^6L$0Soz=%up0Ku z+dZ<%IZg**1y0|-c@}VGRgT%0LyofH?2u-9$t^wZbd*+{Ai@VwheM{9xiiuyhqe6M z-$cPzQ|am&o0$2WIO-W2y!V!I%-_DZK}aD&!fGGCt#K#!eZn4qhZ!Gw`}8f5+UK<- zQHkV+#gmro`l_kqbCK&u$@wjCT37pz_&DSm80KFn zffw|+Z%64rPU+y)uute14ErBwKPwI#p2l`Q*NBJ|MN16ByvK?9vt^sn44KJqH1E>L zsIS~f!7-n_hb+KJB4)z%Jxf2d!9W1V-d{(uDuz{J9G*rDSTDt&e#8 z?XiHtJhqL&(Iz%H(!}bErj5E$b`Kn;%=wkNTKS5BRla&|XN*EFNgErS+2W~WGwi?1 ztXD{!u0XuR)lE zYwrKsYkql;JO9I0X-8h)eskUb>bD<&6W)&B_uIYwpMT%$7w`AecF`9A`vdRl$XM-s zhdM%;AAQ$bSfHF*<(q2ypX{BbbB)2)DCXL5`MQ$`lrzg%KgYJVs}P|ao0PM$cT#Fd zv%n_r49WJ$ou`9x2d|wn$l}`C2#}e0c?}5{tb3;mCCxq9r}JB zWl3(kP4*?(H+NP@YS68l^f#Umq7Py;7EWrlBon3IL&{H_T5@!vjIourOtlp#$0ppT z-RjPy_9PEf4m5T7NNSf8&o{p|eA6jqjS^Wp^bvLEdZud0!qOi=Fe2lvkVWV+%aLk_ zQFk^orAJ2RFTqiXwnipfQb78LGB!BKY~1G7HES1v~Ia^&|ULcNR$|$U*tT#h-ul*BHpx>Cgymsb~ZDpP!p47gy?8qFN9f zX=a(uzrq4_mXwxH1-fxn`%gZ9dJDb3S1*b{_dKmFj08BA5O(L+*Wa7s2CkAHP4yQj zPqW-o^2YjHiba@g>l<0sXt~e$-F7!-bAkY^wkc1or=*9rj85ZhAPT&7&R_SJjvW=1 zVDRX2Y7cv7j7go?8fz21sG+Cj9>LXadqri{hCk|G)Sa%z$~P&R9SQ&P&q{$bs}07@ zwq6Ct7;e*(-lGwz(N2T`_ACv_#tc0O!?6_DVBEjf0fgX#ds`=Vv@NU1Obk1c))25< z+?sRAiMnvhoXtnF3n)L_N?fC9q(P+MCBuy7$lo&(+Dm?6F!`rgZeycW9Nor;8mN>qCNvHB0A5%gYf7XTQ}%oBLkEhSl(8Rws@kcoWdE;qpr7Fj1vnH?qtUEE@2qWi7kd^fk))zCh_D^uxAw^tCS^C&4AHYbYIbfO_m zYEhed)us-0sagFhql$JlYe5L(V>(g9lZ=Wq5Ev93655Pe(`L+?3mhr(ppb|dBtd!d zW?Hz3%Zw zo3|z*r>do#zIUueFJaPY2aldSd-0kZZn^BL>&{+z#Q5ps*LBm5d*#==A)=|hjX z&N<(Sz<&X!+L~fz;n-s$a@m1pcX`4`eZ%+t+=##VpDBxClA1b=N>nnIZ(Dv%w{%Z| z-s@Dc^0g9bm(-~us#6D*RWr34w#E*Fi9=QzK8{iCdZn9spceoT2p9y^7_g$pj2#a+ zPBQ}rLsMv$;|bot4?wZnuJ&XNCQ%9grB~Y1os*k|&C7@H(#%@2*f@UBk9$fzvHY0) zj{Fh%WAgswN0T2ivWFAKnA+&0bzn6;DZ&fihFJm4~-rj{pTe z4*;8GPVvT4x!avJ>2{MkYc>{ZNpDE^e2u01{Z{5|(M(sJ)ib)=YwsZQgpS~OVHhxt zq&FB(1xMIG*a!al}JETF5VyLb zLIhp4$J5QmRsS2gvGt#qE`8{!vmseF!cQ_N8Tw@mRbIzo={eJ^5GCo?rEIY!mfDKs zX0u723XwJPPlI!tQN7cUwg*cNg7n)wBesnsS!X7;?`Nxi=G((4qbU!n?gt24_N6ey zo*d}uiYfy~`)RlEImZ->>vUY105UTR1EB%~CnZaR8#jU!;m4AIRmWy$zuxga|EK=j z?LZH6aBZ{%Wb^@L5ZF*DAhD0Mu=41}#YpgwFzfx*(w~l-4@CO%-<{LzLEj;F_c*89 ziD39&gNB&=hkuP>8?E;O>_*$eX)nx@77@RU9fGiZ?qNx@=uyV3EM)<0^|Tj>q^vx= zFb}nVvA1UYaA?sebpLwb+cH$6nst;af^5N`;Hu(2cX1|GGdY|BWS+__&j^Jx;m53Q zP)%`y;WH~ub%Im7Vw|(k33d*Vj?2ubfp}R9J-yB|Dgy{b%edv6;xCTk zmu`R?EJG(FDIG^ObQZ0a-8X1mHI)MtGem2`GAe9Z$llrv<4PU1W)5$y{dD#BSF>IJ z+xPIFRx+o-mBij`8JEfFT@^Lf7Wv+>O5yc}P6xV}f=`Tg4wqkkfK`o2l7D@0PSJT& z5rMPvO!)fw&&PxEyPIyxGE0HQil|grfwbXuCm|eSscSMNVl`gymZc*PO3=ocwyA#4YM@8 zsz!b`Zkd>+)M%E(Ov*z$UA@^baAwG%sPJ-aXex&Q0j2lW3yE~Ngx9rh3vWea z(Wz)MxyTtcoYTpyXd;KR;^+Q8(Vm2r#Hf9W{y0W-wY0z3Z_NLAJyX0fKD@9=-F?xi z>*PqELaM5*${r?`q-$8wFKDT6r4>M7PG9NkoFQy*JRT*}rI@&YL8$Ee9;?7+4>nOV zDQWlL55Cj=2hbXpvMNASb1sWSJ#jz`MgUKTWAV(?^UXTeb)Hg4f9se!Kji2Sv^FfH zQvhdLp|lH&OTq3{3f>n`rNg4AQL+`n;6uwqoeiMuB6Xh>s6pwfK&DL1DOiL6?(g!1 z2wOP2q8_70EW~8e({g&#kn)-08qQ?BRj5#~G%Pc4@SwV9+Rt)1P&6IiwY54*j&z-|K!G}hZ|<%o+Mnvq zr%fj#wuus!bcer#u0p@lAL$tkGm5(`w+-#0b<}ySouNd5Gc)d-nogsU89np?Q7 z!(@T$B0)pro(Ol;gNONzUH{kq{9pNnA8#uxGT*kPyRKpMxltC{(!godY8Bt}ObHkA zC6r>kRrPZ`b44*TWL{>aMroy)MZKc@OFj<8)PvyPpFvY}QmcUzW-?Acs#YO%=ltRD z0+sVGahTyRUgja>nKp>2R=6vK1|Y4F?eL(R zuQU}8xvjtIlpg&i(b(P8wsrz-=Cm8pt=>PWOE>axlGx%(@goVw`v4~#O~>X7g(XmS zNFbDD(oZI?ZzYK@=5zQ0VG1x`?uhG%aY*Y#wF6<}3&4!C>N0$UDw&KGwn2|j0mo-- zMje%q=IV_+$$?V2hR|7qESG~*288|E(Z&lzew9TC5sXrJ2DsrGR*AjH1PF-8 zzD0`bkN7g74WO+}ia*@T03@yBMxzOd%1pJ28w)X@R0@+mzA|6VHy|{DDFDBiqi&aGP-RHc zE8D@^yKY4rTZar(*$gTxMa8slH%mFb85=5uS6{+EM593-kA_hmw`|32M*^QqZ{D9q z43kP_GpQ%@e!S71>n&ph$F*>B{IaQj z;`vv%u^|3tYy~DnHK?+ozz5=rX@!tm&}^`4mvBWZiFUyqEf1EBA+b`K*AUD`9ccHlx1?3 zvUQXGd@^boMy&K;hqhg3`YKbE(&r?GQViP0J&IJ46~v!r6$fWb37<)Whgfx%chGmC zYkL?;3vZgrr*IXkhAl*3#TW5~d^18025lLs<#62u25A#ljE0k=1AZ1CMM6Z*vg9z# zrrofbDYLAt82)ik_$(+%6C=msnAo zFXJooNj|>B28#pc5+*=c<)9=v6EHD*C$76M9Ie`|Q~P#!VkvtmThe+p@%RxqJgeA+ z;mqbMpHzu0qDy>$0DS;qRF4VEUPe^3gi`Fyp16&|+aMN($hlVHWr1|xe{+$>S!D|g zT}cu);c#7zlPCRiW2^U9DU|+4y!(={R5H+CeaYtcnYjpy7Ii2aw=I-FRp)Jkpvr_= zh@!1aUQbDZl=Q%p!9Ktj!2p#3LVUx^1D;X>sh&(01An5Az|X(j^9xjKXqC<7G6P+8 z*FIx*R&;Q9H$LuVops%oDyLJ7naf=9g38;P5#u78WH44raNB#>8l}kgu!-8B3INE(@LFAxgBoIXV^Sa zt;fe;QacGx2Wms)tyNDiaw`)#ARTsmDYxHB_=Fg!LIXI$6c|>K&DRkcAXaslnqO^; zgpb3Q7Xl(KM-YwekA>nE`EQ8fq01?xrCp@7CB3m~+7!BZAZv08+9QQbdnG8)1d1G|bBVeV9r^pSh zS2tFN|6#|za-Xya@-^L=xRt6Z5#s`hk)F&v+{ntaZEd0mN_$ZP=?e-5EH39p6frgP z+ZIUWo~1dUQ#%80b8d4Q1sO&40=K8<_q~O zzA~S&NB{}1^mJwgRXuHV)741@at7nC*i4h@Y{QvNwNPJaObcd}Q_(sa8hS6C4ew(Q zk?%)e9UYGAdAp+4h8|1bZRZLN!V)e4<)SHx9O5t>*^p$ z9l>=`J>pw&~Lx)qT@sZq;>>K{tcL~`F&?`m4$KJ;9xhhXKc5Qudm;Yxga zC!J(+S!96~;5)3$$Xf~1+0o5oVbKHnoI|Fc(@NXK9Lo&Lp?Wy_;8oO@Hl?`|XOCPw zp(jVAHgMqnQ8n(RyfU-&7WbY?>U%J%BqzKjvw~*&u6qTZBdw6IQGvfW4T2^!!FCBP zFqC`+QW{kii72Soc?z347+zaQtT;l5ma5i0EYxTJf1-#bzlKp1RRoW=CHlQ?aUC}t z{nKOWc1GJ&FoSl!F_`9-D;H}q^fJRLNz?H$ZtAXs#f8E9#9y4hA@F=1{irvxa2QI3 z!bM`+W2@L_FZ=OmuJ$!3j%nNz2H7zN|VVXP~wRnqCcFx{b3ByD;? z<)*isPi@&Yl&DOpCiY$uMr3@m%PKwAnLc7MMHc6(6bvZ~B$DsOG8{#CZS<}Ci(dWz z@epb%A-H!NH8bDrvWK*-GJiKCn0n2~Y^Uc9De{)`+;yd;HLsvXOE(~ka}|3jSJ1;G zN7g)RB5s6o4h8cX$UQ#+2f^50&;kwO9l_TV6EgNZ=^|)QLjl)elbqWRuD+1ChSDHf zeudJk)lVf)kq6Yh=*FG{P@M!PFBBsBLMQgY7IMKQ2a_V(H_k{9Dec#OW6vc^TGq%BXXzP7(k;gEU*_LA$;i zgRW<-6<9=lDwR4)kG~dRxV?25Uy2prxuPh02bcM^cp?qhR}{lX#8t)-*fYC)h5iz^ zd^S*aGN$r^N?-(?L0ZuA}^)-}F3|WVKeB>RC z=W~;;F>Zeg@TJWE1zIdny}?=9<;NDDpy+x1#b+r!Nh7*9Tkk!bWA_?IHwK=8ah)R* z@uwyB<%#(tY8*VShaIP8Ik;rB8~9D1B{;;H7%Yt`43dj+TNhsDoR_9K)<4M+ADmCd zzf(ee*fwk05!kg;sn%*9*`Z8VEgXTvRJUPjM)pp7{^L9>t8b$;4qD4t1}F}7-EV(6YX*KCL6(M3W-ZO(s}|{Aa)My6a;s-cVQ#L=Rp=4vho-ULWr_T zOBKK#hficddh8pwJX1Zr`I==c?H-RF0_BD8?9p0gdwDeOsr+~a__mei69#~X=Ru^8 z=Ikrta(#%>d=%Krd}R?|iy+H+!+DlTrEC}@u3@Os&#)UWft8alY(Ne*6fkz*n1ajs z9Gg$A44}C=4uT7L7NzUD!-XDn;wRi5)vCqgJwd7)Td;4CPrpyFd`6T}%m<}fqcU_(p4$&v?3%L2Yk zqr@45=T*C+$^&Ip6lDZel2^9kIUP+iN1(XZ+O{!9l0beLl~ZQOlu*7EhwBm$$s(b0 z2hZrW;qmT2YZAm=^v<*?;>_L(2dCqW$~DEsG@QI{qAt;dxOT|DXUoXIglc zjDv=0Z?2ZqgYA>d^c|P;l+2T@Y8^b1@=+Kf*WnTn4dZ}1G2q-W5VkU+UM(m#K!bsv z5Oal9Y};C70m}(A_Ld8^epCj?(^dP$Cmvr-?n&UhE-t6f+Gw20$gD({FM~CnSgUr( z0d3g(9z5KqdWk6c9u61QoSdWYo3mXg4%`GGmvv!tw_vNeIga{d2!7^y8(syD53up> zu{2vVb0h>yfb~*^7_(G{8k$kC3`M5(E-ee%;_{MirOC{$>aZSh*OnG?&VenbrMwf& z48W8Jv4E5*dt_EYP@_evf@5A^I}lWK=!)i9O`@1-i-2xWSaWQp9KL^NEJW~mIV!$_ z9%VBQ%Kv%U*YF8ji%0}Dflyrmw>hV|z5^m8tih;NmaBm_IYSL;3@eTInH;-~Mb%#! z4-PnZLeB80#emKC+0lUE-P6RN&5_p!DQ6A4WK7o8k?!y=BA1`LmZ*C~C7S-K!J`Ah zqbXl{)-4nLVN6Ds7dt>=y~O6jQ9dR^UB7UUdk+eDj98URn5+45s@ZGm<8@K!X z>;)}5rFKUTWIzuG5b!Ux1%F>~{{OD=5X&@q@6J|K2Uwjcvy>aLIzZGVunt|lQ`p-N zYfr1mXIDBwi)rMtPoXl1vZ;h-ds;)XKC2tp#)(%mJGENks-<)VM~h%42H0WQ^ezsQ zw7wmy`0palDaA)QZGfdkZ;eWld)S>NdwAsA1|5Xr4kyWvn4aAe8$`qcB+ff z?qPqAZgR?s7^lswPtVo7hs)5{TUxW^3Zlwj{Y=D#1#?1Reu$&*Bj$~{BXT)L`Ia_FyfQzsT^>5S$jlf>5AKnfkgSC5<5jk&h7s7ikqtQiGD#E_z04 z(n=&}1d$--9~%uI$qtTV8-3K~oty3%cAsG_?+PRnF6v8zOUM9f1=)Af2mY5r9Hgg5 z;*uS#on z)6%|`wMQqkQ}!(87jtOjJb6|ImUF# zvFTU@$b$N&M#w@G2_f$v60pB!4O}u*a;fFfC|#{;HQME?1YUh;w`{jIatXd`*DS4S zXG;4{5k{g`gDK4!rMlEKi$S_vrJ^cP$(U1`2c=TS){Ex=cD1$Zbj_M@BoPw5_f22+ z3IX_}2{%R`+yt7A&T1DM(@ z*Tft=@KV)kE4w_Lgbf=vYm}f$!%gp66`ItGueR|}n*a}R7sjhz&4=^$oZ2gr{D0@X z7o;F~z>5?mS`408aRlNCB@juJB$-4CDLEw-y)*_!CKgudGGxkPlP$+gcKI9%6)QpJ z9|Gcq5TVE4dBeY%gtt|+d<@gF9oMTzAgaTpY%+yPqcb97vDh3guNMOZLJd*0zF1SD zrLCi@r!Vc#z}S+EjIGH``hYYAWabJ!3+py)+G@_WoVqP zDFh0GBakRG28+WJh$J$FN~1HFEH;PB;|qi$u|z79E0ij=Myt~sj3%?iYO_0>E;n}% zPcLsDUq6>Tbx|>K36rKIot82Uk(QB_Gb68{sHCi-ss@FrYrr)TT1XTcgT>(qL=u@o zE#}a9+I)dfB*t|lQbI<`>53nctO!-p4b!q6*Av7#mSjcMbi=f4$MyUmY(#N0X|+4u zUOycSN8`0@GM&vYEY>$Rw?GI+Pz)zXie^}j7eq-`R82Qb%kFTx+#YXr{qb=PHx3VE zH5Cj-jZ@_CX)4fn@yYcEE@EV+gOlP4d<=zYMi$gm$oe286peA(o}w!{w62(y87<8n zyre6N;u|9RO_}^QNaV6N@#=3Yev*1E>8iSMX69Xsxc76vo&Vb1&4I^~B6Gzy7xrx8 zeZN-(^(>R}0I95cW^F9hD^3hnYmZDR?dDynzlfie(T&dmDrJNSi9xJwibFg6MPG0z zxEOoScfI?|(Esh^VCN5vmG!H}D{FW69N6Zd5rp2XCo?if2?VD> z5P>lkEm~uH+1h@>4-;{-VNp{-GzpVQkY*-Ky|dnhS@tY7u30C_r5#edRh9p_q7gs4${clsy-1e; zj?n#V*Uy!2lJJNMi25RVX(F3uRHN%h1dHJT8p*hkKW#HXw2>P(32=(^EvGLDnrxiU zs)DVFcs?)0Gzm;Bn?lsJ5KTnLpo=d4f)EU?E{{a)3ll=ZN`Qn|7+@rl!scBQoY=CZ6s{6U#0e(W4t*C= z4|H7k#G@GBBmHyxTUxweIsLctrE4O|Ct~kD2jjO$&O^bJr;$9FG+^uRZwC!?a1X57 zUYsR**o_xJ`#lEy<;t#ETJ-zs4p{o;9+cuXnKtQyeLUB9gE0kJphnS;$YX z{vpX26&(p^TmK?DyYtLih(Bae&zLp1L&fDB@72PvD2U=gY%MIP5rL*(I~p0`hOB|{YT zNX`J*86y@HP0~StlVmO@FJ)(gu#vkk#axLrzQf;wtzoEsk_9ZJHJY7yao@{$DdZz5 z$vJTM4IW2nN;?DVn?O85Lq*5NM8btd{C88lQ(VG>j5vRF2^XHb*C?^Ur~pBGkqlSp zh{O8yt<-#+V?+Sqgh>qL5ZMS>4rf`I)Lxh(5}?rRGN?inPBwBJAu3H;nMRYq=xg>F zH7kCE~8A^z7^5j+Y2RnwsR literal 0 HcmV?d00001 diff --git a/site/assets/fonts/space-grotesk-700-latin.woff2 b/site/assets/fonts/space-grotesk-700-latin.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..0f3474ee8af2f8253225f3b41bf79be986a1ae13 GIT binary patch literal 22288 zcmV)GK)%0sPew8T0RR9109OzI6aWAK0M5Js09K#?0RR9100000000000000000000 z0000QgCraJbR3CJKS)+VQiCZ5U_Vn-K~z{L9sq<|FGLXt3W0$z=64H(NB}VCSOGQy zBm;>I1Rw>3ZU>7B3D{ z{r~@GB*-Bn3HnE{ZS~!@APT9V5<7^B_Js`F5KNEO5xxvDEJe0@sBuD71qjHTQJWF7 z(lMhDs)UR{M{&~N@Z^*VS5!Xl6m8{zPv6RNJkc57kyX42LV}PWo#3o%&!1=O`wrRi z{k6E`ueYvPb_yx;@D(IGh?V@`PtxW9miG*&e+Qhx$IWOS<;ay01c;R>rFHU!EZv{$ z)t%T5-_o5z3g?aVb}Y0G-#O>40%MoQh^Sa6+Lz~_{AG6TtClo?Yy!2$$n?D-Fh&j+ zOxa>aKxGllIs5mqk67_x727`F@}1r^#1Y_uQ^( zuN$Qql~GIrggD7bauSjdLP&_(@7e6Vucl;6f~gvc!q36bY*8#CE)?JnFW@3CHq)sE}sq| zjlSHgqbT|GqYn=djFNdryF<{h$R-ezz1vH2&q9Dl1#oJ;nY`fpCt>w6Du7c_fWm-KiIc#if-K~hF($(M z{Jp7Z`yW8)mVyJIxa+u3TsXq17vb1au3S48-QT|p?tUy5Sm4qEAax)}TFV1Z2Eda9 zk_uRYcLUcREJG}vi>|g$?boVkzlcXlz0hu` zgigJAe~103$g;b)i+!~2)q$r{)mC+R7Ig(K0m-FA2wasE3KZ$c zljMd7i9liD^4B}eQyCEW&UXolX8E2VDu$A*peRn#EHBEcZj?3_qL@(TypZjCaohKY z*X}#W!>AC~l168~3yb^4Z;oRrfPgtd)Ru7K$!A_@`kmK3c(>_zpnDn!4!h%~`|tLt zpMu=G?)Y9Sy-0R1?H$@gS8tLM^XxYuxL(_AU+}=FIq>DI{HZVxTHweVdqdZ7cSZJ2 z_q9ufO?Bk{s@y??w4w%%{Oh5qQo7L``+=hO_@%DYhP}V+DkQO~YgcWo6}6yxs=eyVQ?}9+RvU{0wWCOtS_Jx^NBJ`EL%yDg#4`r@ zc=kcwoMTx78S-WJWgw9>B@kOQ!BQ4VG6MrCy!Ff-`QQuSxva4jG=np>&ytytL<2Lm z&*02UCFV({2s7sbGC<4DiXU_ew1|OyJ`S3HnHn#fVFFfddW9ze95VnX?9dXKsePnN zJYbohseNi^P{0xlGh+ZP5t%xIfc_qf2rviG259coxH zC0)g*|GAtH0n>k$d+#^;9{l57sHT7BQ79Pp9BC&($ZaVDIB-Xi#`@mZOX)CE>WP4a zeo-7*{i0J~^&X+h1IRT)rNxgQ&NU)WT=Oo01Z&I0`pk6Sm>A5)Gtc%w5s6V~`5=ZHu{7`mJw6{dt z4AAHV$%F{AC^m;L5Q-!+xk9DZyx_h#6H_yD3u_x&JBQP|X3p$sy&ry2g3p2vgLi`0 zBNM@sfcpWr0={0tQ1{tpP0#oK;dmDg=kWI!XZisj zMrSr>P=4GQhuziL>0R~bWOn{S0fz@PKkE^4)$22~;$69|Ssy1*=kt8|;?>?t)A}tA91WYOHf%1W4wHF|c~ThO^uIqupzT^e$Eo1^J1F`8^8%N#M{UwSM2WluI* z%z!V;crE9U=%ou)iVAndw4=}ZQ^F;lN+uem)7!N0`Td7?$G_|Cwg!z*<^SySX4(0jA|EE~$=Dp~wRfOLuBi~0#FE4NI;ce+BJ@T${A86;= zKCd1grMk;si|6C6Ypu+GI$yVPvANCV*(*n~sh$4Dx8+$~H|l-B@O=>ZteC;O(nn5V zEGnH4Ng2|L-R$7`0CC&n@I8`*tjVgJW=CEK$&c4R_&+=3!12^~bCXB#hrwsY-~Q65 zt)YdowS`mMk!X&z3cJg4_8&IQuRJEz*~~p&C+jTZ>yM(&$n;Qi(Yt3`+427X&HCp9 zmm~KdI*hyT-G+RNIU;a~$|%U*staM$`v;zhkAu?F-tI0)@yv#I4^n$yDDsch*wxEV z*QCV%eIM1Ne*qnsPXLr)l>8ThN0a7%YVALYG4qk}bnnebyYl5X6Z6S9;?9slZsD}0 z_pUO|=jXs5!nOu2M8&6JK`yYPFviKkf+EG zJO3}4akn%{-z93!4p{@~7$vvi^nV`4X>5GK`{uy`-M1rN?*k zyBqY&BjSr*T-m%b8EMRK?ko6LQ2d?YEsQiK?=+Qa|hs%0hl!a z3kTq^0oZo{rUqco0Bjn7l>>0>4xF?D$L+wx0PG!rB?B-s0OJ8TVgS|;Q0hy<6B7~b z(&#jr4xLUXNgad)9F7i;ry~$Rp^zsM0kPOzA`wcZ7BU$nmx~k%J*ASN(rD}JlLiLb zhK39yW2T8I!_1tpu+X-&B&@8ot*r?g8)R!s+S%#a+hYd@iKC;XlasEqv(&{!|oQ9)@VMbGkRK$}hno##Ary!WPy=$<&*3IDPc# zj!7tpAyUU1>S;Km%})hfsA77W2PESjIbS5OLNtU4e z1;Hw5#M=wc@73AduQnE{-=(-CbhG~9QB@fv?_`A(3Uc7zA_c1lNl*QB8j+wb%swJ`Cv-{GGE-d*sk6roq1_p`d~yZ;N)l)L|5nuPKrg39kOvXHr9Uf**(IjUmQzP;YV8vd7D18UR4va>mp`6@`I_tShpex!2XrTry@)E{N!7`S!f|abYy9fSW?Vofj96rE# zl0HPUcar5JD&bOP7xI{Qv>I=s>2@1qgtmpb8}$#%39D@->>CF&wsjnifTI{kU1d&RBNJg3Y__Ai?0?a^Ng~IcVMP8D5DOkpGRT0p>2~bUJ8p-9+zl$fg1xL4ZV--iX?6=4Msd?MOkeN_y9V9;*M_Fcs-HS0uvM{TeK>a3j@Z}$uOZh-8 zRc)=RAwgH>H~p0vQZQ|XDcm0-*8C0<=J(lJw=7_#rvyKqE%PM@JZ#_--yq90+ zEf$a!ZMRC+*Yk7bltlI0rUAJ$q_JD^ZVlSFvxd8Xu5_b2J?I$|+PO)sXkoK6uOc?Y z#ya)et&d)wLf<@QV~Hmmci|?Gbv^S$c*lk3pYiRcf$o_F3d56-k`W3wTzpE=(Njph z8Q@{*iOolBT%+A!QCKh(>xzQG|9=3w2gD-bwnoq%>1vLErW3U{_+tIh9^mL+9|NX7 zY)pqVfKcOu0x<%T@ZI0Oy)&hubmiwYjZ%-kHCn^ZUsCeoRAD~Mtqi9x!E)SR@9FlN zE5f&F8-`p7)C7c&8Yh}Wk|-gp^fWxVa6*;g1k1+>@)F0U6k`*rB5W#bAeF%OR;Pdt_jz4=>LVGtNc0*8amKW=hH&^wJ zoX;$#B#OQ+V)Q&jP!fbmKLu)l9Fw1Qp-x=B+3Obah40=xA zi4}R^lW+bc*UYB}yLr!XegeCgm&X`{k-M^9lWNMYe)z?xA4+-A3*7h7SHF`(3`W{A z5K_&EucKMd%u@~ERx4;f5Mfl5K$1^=6(*%ta#Lh%!+{6K08{+Oeurw%H6NnGqpbUTjIc+Bjj z!=7y1{G|#qd`X=o4@Y_bk}+CXgQtY3LcufTzLPciy=R}zfBB_0L38{M`jFE$^Bc2$L#`YzfMF>;@n*Z*A8y}afZtDt zXFsaQFo~dESpmQq$HKW9FGbcH9N-qf?E)uXyzf6xxn()_;Qu&`o(^>rpf>^edBwpd z3?Whkmf^uV+#|Q#`d|Q0SP%k0~L;DLwyd)!A4)z*fc6#mk>Sgv`LG2zitx< zeP=`3%L`(dWX69Xsxsh03dz)zB2|>3TF^X;Jns^h$4Y!q?wgCd;x$q4*M|+qcqU`E zO$=o&Wf^o~03#T~c{qTN-}Ix+h2dv5Z`qO>88Z*_nMFyKsYavu4mjh}X?L0^FW4$z16+gk z|HGyUtF!hvs3QviNjh@Kwh&9$)XT1$J z*=V#??kVf3tp~~j<$HIu_ht+ zs!;6GvUFpHEx8&_ZP9vXDJf@kmuQtOo0)dr!0@rJ!6s1~TCR1&?ZOk4bp@?eSL-Pz zqx?6pBsHR`E4QwC<(!8S^-LGnSME#Z!Egy_e8+C~2pkAVq^ww?oFD|GDdaC*<{C4U zN8t%oIUHNuhn47V!6CsYa8B}W(3-n}M~kN!Vm2~+(?+RL#iiglgMr0iwb0Et!7wf5 z{hLt1f9@L_l&AuT%|eeYn6UngxNjm}Y)5*kQs@~Qk=qC%5JaIV zQN~K1V5!XXMyac~!3rjYY}aOQ6%Rasl!Yh)^I9k&!xsR^=WgIQtn}imvs^Jd zPlq+&Y(Yf7+rX$=q0xn+MF=2QuZOt#*U-4a5O)+9NFNtLL>muqkL2VKF3A*5FYZmC z65~|r)(3z-x{_STNK3%5!u}z=Qx(2U1z2~OwZ09W$ROM))(htZ1hAaek<+iPwmOOl zjgy>Q%y=;D$*HWa*u}7hQ@PiNDD0K6ym8+qS}3n!L^~yh0bqg#^bm=vHd8RiWD3n> zo%U3+UG!h7w9=8Dm^QeC)mK#$LxE}dHd@n$Z4IRjHi**O8Pn&zYy30X;Rrf*hz~SR ztX=q!<5345ccJ)Qp>85m&}m(2C>x@81lqex0%8hcg^!b%BahTj~|7i!SNPeJ-b90DA6w}o9c|g5E{u7$3TN3 zWVJ&+@jE5V^^Xcg%kL+0!EdOh_1g|%5J3sC zu3?}4;MB)91D)_9+%nyMujWwivOBFH!A**YqC^AjNAy08ks(&P#w7M2^+7F&VL8Z& z7>^Q!2qkf~x0?g$j68U5dN7&s1vMG5(vUU`q`eoveiH4OEvkHSJeqs!4Zzc7mE$sF zmoa{&^#eMTB8yM!910{f@>(VgI7#XN9)&&(0-#Bv^|KmLlvSCwZ{-3S^B?rgPYfj1L=$p2Mua*?|kBen1Um14b`y+ z9X=vHj3b!RL^Vro;1M!pPkKv(c%hCMSZN_Bs)HFd~< z@6*UX@67(Evhv3-W;XAq+-c_*POfJA`_ND7NL{jHH+0?$8lnwQnIhe1(}Es#>%>Xj z>S(pTh2IxMF^s6|3Yy#WPmXT331Acr8{-C&3a}?*_8_#>8P(}4niDr-lW>wh$wPoa z05$W2$gV+kY0{fwzVANKSc&1Pbe`-jMYqgx{L{u#r_^<vK-B@=QWvPb1sX3DKv|lMEAY&k=j&b7ZySA}nZz@y?xEtCP*j zDUwioXj<&P-&g7N%RFAGuXST!b9F(g>A;HnBitC})D=!HUJ#1yHnBOvkGAFhqt0t~ z&bDW%xo7!ho~i++yy>QH3c}p0hU%SDBkyjKw=n%o z4B1)Zn!1F&P3t#uM@%ZsULGsckiLiJ_34_SVn$WOLCxxyU5;bPROzK>k&|JroMp5s zvC^{$<5{=^-&)7HRB*LU>qT!8s`awoY~_zldfYu{nz@wO+GiRHzh%#f61U+fS{-lM zt-uf;I%C87ZFkCJt<0dK8g+52$WLoy2MYB&yY-X-S9+*6(`R=D!fR(4uZCG-`-$8W zX{s&5L{9Gy;xQuzY~Vw2DVLYVoH>o#DM#d(+HcBgHJx>|xg#3eBNw__^&rqt0XFHu z^s&v2)=RFNH(4LnbEz(asBNSoko7w~g6{Db&fjIds;u!AI}2KZM3ZXjYq+UJy^Yov zfrffU3!2uBa;Q4Vc2QLX0U{}@V7>C&6t_ciTT+dz=C)+rd9zX;+UgQE~+EJ1uJKtO;qf0a1`5`hN@^? z`qyaj)(Sg(>8dX0zqUdVYVa|q3aOsFba9Y`g!+1-Tm{!?uC+O2wZ_o}7#=f?Mq7LK z?p+G2CDq}o{>B=c5`XB72R~ON%9~hXei>E4^7^q7E>D7)8ValJZM~bg0vx*>k^UF4mL6fX;85}PI3^Dif)e%pc zBCRo2>+{z+D$AA_$bbL8p~Ju?`IVin`-=PZP1RLZP1W_kY?r)qHXr=^>A3p!VYt!N z7Z!MS-ng=B8@zGb06L7W>>fU6BO6e^4SrQ^y~%=av8>=rJL?1=zRL&GGyXkdd8rO= zbc>hB0Q|uA0%#p}Z}Y)(2m=q13RfXp&Efv~EtS@W8hj7Q zBsO1Bz^6=u?ygqmyko7e^}^5bHB2^J#{)HpBOuqqRajigfbTstkp!x+RMu^Ut@7@$ z)FyDZhU*A*bjQFS0}K&jj>%=SO|W_MdqG65 z)3l?K4ijZxLUntSLt~Oj{h!+0rGL|ciMBeA$=Kil*GCTs53HfK(FTPPGI_~}aAXuz z{sdd)(Xd1*U&m+@)lahs6$Rus;K?71B%!iHB8&arr?9pfLTzj7q}EzOOz-$F1pec-K*2-WAAa2X@CQ4;9B~ks!W8g#N|sDw z5IljC^#Uc&SV}i=tx`Szkr=a@478k3R#n59PO0tWT>;QS6GMQQVsdG>88)~0dzR@* zjZxrhj#Lw>o%4A^31%4hC(o!b?r7n|yKFc<11f=u^ur{af91!PJ?-boeBl*62W;}L zSPSh2JM)B^oa_6%41PVz6{8A~Ql{d7Y$UM2jRa5h!MdDMse!{_YG$pzf8R(sT2|Sl zcez6*ST}#CiH(Ysbb9G|^nR9|{54D4W S8#S~?xaXqu;tAo2S~9su2vSq{fi^hG zZr7Po<bZN1nCG8(eo2YFxpm6EjkW4twrGK&5SvIKZ@KfiGC0Oe>gfDx<6UNyd=d<_-sH z5Gi7*Z0{Bt3=zJhzA{C__caI=>12nAxN( zUYjTH26PDhv^x7bBvQ68B|asjlmw#!uw&zZN%Gm?<9X=3jXjfs*WuE;fQgu*n6zDs z$f4?%Du*xF=qI>q8!gN|gw3`6chD6x;3KXI#lB%AO?rc+cC(d!8Mh_0rl*m{DlS5sZ%YgWq%@^jMnm;+@9M6Mn?smkrG zYTy*@k~SS|P_!1bx~Ql>+5Ed%9F0lL72gkc2n{FnfRN>QQNix7$o_mqzMnkIU!F%U zA?GdUgS4*-bGT+X@cUQ!ZTSX?(u|pv5(5hD{$#}_Y9gFSH5JR48dbC!CT!6DRn0QF zVNJJhwqf-*tA;-x*Ry1WWqHq1u|f1J{sP?WrOPcVW-n2ke~@JLY+tuwO(jU4Ol@8! zE6V`y6Oxn!ywS_j%aZ15J)pgOMjw*%f6liuVC*f+reqPxo}NuUd64b4n1T0rsyvl^ zi3Y#lp2;M65_$aB&L79k%uf#f>y;~ItpDs3F4r@wLL;Ed%QTg>U2KEClPB?uMRb#f zd+=XcO0MN(8S?$TTmZeOMlEmCzoNf#6!J>u$A|va{r_72@1StLb!+(nb!FW=?4=`} zxp~?Prbfh9J~a%DR03^YZs4n`fcq=76utA_KtJv0>gr{kJ!yZ;0N$-STw$g7K#Cm8EH`>W92pCCvp0ybSw+htHe9EWFU#LaVv{egq~J<-(eW4^jmLo;pqhhJs|~aT;J`Z% z0BBvA$SGkKDLdbXu4znasmN7B7cLhLNj(ZJYpybnw!2r_8xn?e?+fvl)PK6KUcLVY$Z`~p6}c0f0gu5@A8>IiDe3BvYcYHAdSaSo z(fnRYerx`wZtK{PUpgJ zCTmomqkvzH84a2?6zeb*>`e@`wm3CLnY8sMxr?r}%{HBe=kXe*S>S1jR1>N~5wF*F z6`{I)k9YrEpJ1zXn~Y6 zbhO5LOLE;Kn-i_ni(RyGHN7lvO)B9HViq#u(3GBJv&*$ED)3J(lQ4)6CRSbT7^B@e zix2M;Nmo5B(Bf&wyivhfx5y?C3TLK?*Kd!>Iv6oNmI2ByIG=; zve-(dfml1kt(Ij^{CtO(#NsF%g{bvUdKM|Pt2#R(+Laa419=xHG%F(=otjmu^)4lZ2j;G7U)2tT2_1Q%*R6Hr$}Muc z+)9nnrOc4z6|2ijxV&AgSW(G1J5!RO&^ZB2m)7%zbuwAOuV!hn@q)Fs)|zmZI%HiL z>Brt;Pfj{Rj|VhTSt8HK5V`xgPi0J>p8gaUB!Bd=UT_t^i_m{u62}Y2vE}jci*ZZg z^+HP=jJ>^rzv2|a+vwYSgq8f2r<76~!k$xmKx4zsoo91x3?`9hcJ18thmFKwMt*Z* z=ZOs@8BS4Ot zl68FDvT&?37~};HOXOmc(WBRyJf@Nz`_rZX1AkAvOa1IPe;I#iSG(1H z{TDOX@&J1Pl*AbCd<+aBV-@GeV(0ZfpAm2JdG#)MO?YGPYfH!GEZ{=C`5exC9>iVX zY^MIUSlD0IxmtcAy8=gYms(>SCIj$t?IaP{vRd zm~X?wWqby+qO7cf$>0NtlF#JNW7;JNlSY%Kq*M9g%#Sj&K5Xvm%UPMPggWu0Imjg` zVOW=1YL)`Y6J@{6*$)o9KrWPT|J$CKaU<=igIQFlgN@hH-Yw2ObYmM@h=Vt|{jj{* zUfQpNciPQx1Sk||zMPr$(u0m?WyW7Bb_8XAZkyjCl^}U-n)-yS%mZC8ar78(J8RmH zKej&mZ2e||9@7gp*B|uOdq?0dVs?pHq+sgju;y+t%gxtl3WHUAR|Ef&5G1jtUoI1a zx4(e0kH_0bDcH|F&h8@R$Jp#xKB)`LjkGLSuUa^$aBUwgWeuOxY}i)5mCyI^-Cgap z>I*CrF1t^oL&Bjsr19UbTNm3{z|>OHJzL{j;gdosZxxY2wq4rdOSvfsg;=A9+SX0(a7NK;mUctdG)Qn zl5_XO9=F2}FzL}`=qP?Uv+AeNaHVcWJKSmRE_cSg@5=W)>#zs2EHmX>K}BWZr+^(h zI2Zy&HPdgimEf$*hR;NHDjXF4v?U4PHjqc*$;TVsPbsjkICf_*+7fVb zoBQWAMl#Zx`wL5A>(choL{x>V!kRiSsQb6V58ua^uVA6?&Rf;}&m=dFNaErS2hQAM@3LRs z69&DvxmCRt;q>~KEAK*qC;O#oAvSM0XQD;$vM=`zHj>+;><60&WneSh>Jl>-6a=U{ZC}H z2S$M$$>cG`D6195b0RA-J5@+fm$q(1i}-qc!Nrcr=;boji=qf!S#fy-VZ9Npdu3}G z;3FQ=bG}j0*C6WwhE72wk;k+iifUCIqbL!LAPDopB-Evbs7lcyl|eJ1&TK(6K&?2U zjrw-`4j3P{mM_R-E1HWMqKz5{Ud+-Dcw!B}&qBQb3F|#bLyd=ON$r-JObuYV4=um} zz$$apt64-xgG2I3W=Pv2R)= zlPaVLN>>9eJO5)psK-&)z40dyB}Nx}I_ZOmbkLhYjrH07p5)MQ(5t2Hj=D6W?~b z)pNbk_q^sx$6Yx6pB~$D`-Dvyq6~S4mTDU5XNa{NDQnX=4gyBzR{ zr#|eGZTbdpG@*n@`Fa4D(H?#F>IfW{K z_B}x5`j6I?ND6hjjm8o#gH=uR2(<^*W`}P^j>xY@wH{aF#i1s0&5y$RW07~Yc_j>s z#e!I>Hs`vFf$ehTHjAQ;?D7r1Yx;K5(I$L zeMM?`jngu2o|l{_b$?xrYUOg49&Q-wfWDgx?@c^4KyR$NE>o=E>EE&Ik`Ee3 z15AvIaEuX@+H;7J*qsn4E@C0Nno@zlV+KPrh~W!E6|_rW+|?fMOqn$_*`5HH93i97 z*ieH!uWqCz(xGP0a6F`haLJooU?Jha%?@qVVYWUnH?niBF|ZoU@y}?+d>FAZ4IEie zAs}gpVi1u63nFK#sZ279rS_lua8`$e%aGKjLGUp3%*HI5+IuDm*67)rK=r^=^fo8#CMo+ZQL*zH-8Nu<%Z0VD%3itGrC7WzNDyvhh6QkMNT zBmF7yxyS!Hg^yXYvQi66IiIR_98^?X zNkOE?B|!>p_VPYp4PnVuB-A8@nW48CIj_9oNHsmwBbuKCoB&2!opu`V-7`V#&T=~@ za0cLVtkv355-D69a8Jh!S=(J{*cKFHI5N-k&LWCZd66BrGkhzFi#*{8l~Dj= zo^TL5J;hYf&Ooi52%<*|9h3eu0Fh(X9a~LltevEgl1O#L0snOBSo;egyu<0$`T~N^ z@IuY4N=xl-tdT{Dq}PCP^o3YeY^Na&W%h=_#dZRM|I5szM1=?yAFAV!x8Ys3i4&Y` zs2MsomPvI<+)8WT4GqbrQw&{A7MNBLo58Ue?gd|UNQ8X?{tT*6QU(lCDRQ9myp4wy zw5y#h0a|8gY@lT1hR23Fb6t?=q{f;HC|?}&rTO#}e9E5yQ#nEs?GGB#A^d6X^Zg^A z5%tR_p7Nn4yaJ%ImwQoo2i9P?=$8Za8cIFc` zTqcjQ=I14QwpVGc>shIgbR%+}%49{IR1A83$qo$XVCn#unTseFoxTFpvLTUu6O|W1 z4llGBDRx{G5C`ou;(cBt125l3V0eZT55rDx+`1u`>Rz|z>7qzOUPn>O0__Z&%jsZ4 zW~f3@bGZlOygJ*)_Z(~u*xz?>78Mv%8NS*#8+dAev9iXLWy-3y4*TtDO>(@b?G7VO zF{{f_YHP5RS>Ae>5}uH><>3rAb5g=$c)vDSFfs|N-vn8_DM&J@>Cw&XVk(mXm))eW z8mZ!44^y7_PkBEd$7AJ)QV2Y8C<@gj$3Zo#b-qOB=Hzu|bKRmnf_11QU6$iYJ#tM)&sjN12$wz)M_ztS-ehV zv0|bZlL}rz8;4OzU>i4UeSLDd$gO0`Qj57ZD~wMkT#)@=nz^Tt_$B%Znqw%>cL@(FY<|awP>1XQWM**9uW+ zKt1MZg+U-cP*yOVaINZ{IsNAHvjmkS_`w1z98M547eXl3f`Gtt5@mziS2OZ7-F0P} zP(&#-M8pm#<^Th zyUfY}o|TBzy)o1!Po!n-p;znn$WG{GnkaLvPKB6wsO(vlM?A(ewG?UkyTX$g2A^%x zJ;iK-bPc0$xp3;Fb>_ep$3dF#RMukS~vz-2R9^LQg0mPo5b3E?x7?&hfz6aW6*4Rfbo zC9wV=R6vNmgcVpi7TDqB?{M{M-sgO|-GiOA(4scdOWV0F=^90Z*W-lfReG5awfi|A z0M12{>hJ$d{e#*%n7< zD&nOLo_fmIh~2>0B*x0AftoxT10j8Nqw>kegSN)7Oh%TSD!kaLhYr6_)5g8r2Rv!C z=g@Ud&AJtqLd@$BTqs}|tbf?X=(HwLR4#gKZeGK9feG-iF~-hB*Uqy%4CJ2F_sWBT zeZsSxGHmn^bWSjlptwBk>#e~Te|#rK=o^M!(K6IVVt|k%-Pl!SHwKb;gqyYUkD|CbK~D)hoJP(!uqiR2`B z-1tT50qI22ys1RpvvZ5RrZ2SnpO;Z+fXYm_02O6 z2@JKH>+=C}xKz8STsai)x$YrrI9^>j=$Bm6urp+dG^vEqL#oEzxa9}6BZ9;hfXre7 z?iZIaBwcGgCzS0pL=nMY@Kk`|sG3o!s$y(Qn|-EDk8HDV{`wO~sfXhd7Pu2^((m;2 zKl~j_;xC}yluF`W>%wtFD*_od-sTS@ zUVI6#lO#ATGs%NE1Dj<7QD|&csaevdYtwDpSQTIdTJY3UWuX-l*0pE#Lj%{vLnM}t zvjcI*%F01-zcUIN5|lDLo17JP@O=XqpCr|N{4;#C%+g<)OuD_Hd zOZ}gCPy}sRXw;f@1MN*AjoSf+K{{CLhuu75FwRmI1TQQ=9$4frboqzXP)-R`e9JS^ zajs_=qJ?aO&X^ulO}-;Gnf$oi_5Gxn_#mf}3Oj_SMPFq%i0()8;z}}@n|Hby#+kY2 zhee+Q8VQT@`7=aAg3O71`m8=A4ZAO#tOG~eA%V(T;1Uo#Osrzo$GnjBXIo4_ZI+pl z;8jBc_S|WG96VZ(SAX6V&>8fZ1I+GDLxv-;|47YlePb>r!ID_zpw%{iAVMHwh%l7) z9!$2M$k}nlD^Ir=43Gc-bV`R&1_H4b+Cl5FQXdSZdSe7GzgAv+>V|%afB^KuBOfg( zcvp4VwERQ7Q$cuH>*AX^oxb<%2T^{E;SeDxr*Zq@b_ZexY+LFS@wjQr3UnFoPBeW0M_U@2Af3@D>jQdB0A+zRAN#XofX!m|y@gza?=YI?V z6r&Jb_g~)yD$WJa9PCL@}bCm?ig%Ju~n1H878S6*H&_SwHF-Lb-uj_a(5jH7g= zBIrjIU?t;ul;I0aTZq^kr*4L86P8zU9mt6)jC&+iU0PUJT8b*<_sDDSNe}fK zE5i07M%zQ1b)4dtB=AmmE-r_F6U2ze1m$fQocX`&2g?YT;w+c?Enm1^`#M(&rIKkr zNj(gceq5io3euLr>GjSq0&IV_!1_sjli_hY+a*RXF9VG^!wN_kn&Y}`1kH%W;@FRC zbF^Mq2vI#Q^0z(i)LgEB>oVj0Z)}3V4C7e4cINzm*fEgmS_mv3y;7|S{t6}SV}30;~IpuI8I86<(QtAv0+TT0_AxOHY7(lDzA!&@{9=? z3dVdI4XRwJ>jXj^;-5N8?v*ghsV>EQQ(W zR)%fm&-N_#s5{%a2=2%cl}hao&ru&<9uowy56XpOy9xk|<7~X#n*w*ENzwYzTD^y0 zBU&I@G+Mv63*6oah*dTatwuGif+U)-Y7E<|{nF|wgF!Z`X&ZW+p|mW!y?d26fL3CB zWM=s7lcX{k${~KgKjyb91<=y>t3C22)*Xq+muc1=%o_hb#Q3}CsNd>-rap@ zvW&xEt4XG3{nq4qn}D>^%HF{YX`}J0*1_kBD_^gy{t}m$*RsoPLg-rh)o*>}A6Odm z?)*ampq$~Q1TE8QX@^j0q5S(|M`3ioNpM`ZO-2Hpee4rI`dc#zUVkS{ zDophmMd^-WgY)N=>t+dd3(jW|b6X<<)S@v2y^%6UW;Pnsm6kFFqtTrrvkj{|dIXm6 z%F%|llLc+ioWgV2a;4JqxZo?y0h4(#W0FyWm0Ks)O#v#?ngxVn3;}|e>w1_x-L?4* ziNL1@HI+nRmM4u6xjI-IKUr=v2*I_wax^}g8gXjyl44UaIFS5zbCJkMUY zkvo|LoCl%I0;+|;&Xx{hjVc71 zBn2&P(5#r(SNPGCXe3c&>Y1vIg#@9bR+@1W$JSMuM%CUUKwAyU(VS>fG;!o0DAmn}3SkK~i zZp%?k4V423bi@@jFCjZ$u)TIb&x@~g=o}+cIW+WTC1_=DvRBAF( zal_LQbhD1NM+&vYw0Uf!E4*r3VO)s&7f3%PFesATKFFbp*2oZXQ%3k~VdWl_L2-V{ zRo~|u@*v0wG`v$|&icC+_lt_V#WT?`G^zlna34#(h4eTa3B|~_&D|qbz)6|e7~C)P zxUCmMBT}Aa6uVYU5vQe|)v6JvGpdx+FG0r;E{u3aF>^gZL2*lBl@TrIj%Y(+VCBbd zq#`$O_ap>kDZ$S^*|y{O)O+??c#4z-U76Bk8&M16xO$V%=YiVaqcKK}R6m7}=U1p+ zJgm$#mBz5>aA-=bP4f^HSvN1pq}Syc?h$lDP#tT5*Qv5g)W_z)lo=7BRpi0&;89~c zn;}ZJ_8iLnKX#$SWMcX5BnWcaU7nPb7u4u}{T=a;(W^gpp{AxNwiD>A%2@#lM&Zs{ ziagUCgfQC+Ub)wgvb@T(UnnY6Rgzq>JDSg0#5fA!07J%WfH44h%vz-YPc+v7aB|Zo z#avIrFc?Oru77B5R#}2Tj*tL8K-M zC>-!~rxX=VNU6EdttjBepDR97RRQWFUG<^&To4#6)0LMAYQ09smMEq|v_M~pbyc~o zaRrq>8o1VE3+C6rJkq53_IbI7K)yiCpYvtjK{s#_>lm9;`($ z`YYOrH0)JrgSqyPIa~#uXxP_mEP*ROWjDCkkmL><%oduu-UV_0MDJc}2o@6auT9ye z;L-8h2Y2hkba@eG^`cCnN^dL+UEK);s_dsiQZ`D^<*ls1SYE{Bz?$3!*Jlh)%p9%O zFe}v<630U2-QVlQ1g~nvyw5O!pD`hhnSZKjAWq!iK{W>%HADF)nYNt{Fyse!P6Y=D z?^)0^SmgiI4}FL6S)4f9Guv~{7wjDmE%eVpt_?f5S{62g>*Kn4{Ra2cL5HtuS3#nJ zC@9XTJ!_rj_kntd&5kI;^L_5&+o|WDdv_0GmACTm(z{!aRkd>Ta_{v*3um~wzJ4!A z&ucYz3|3RJaRlrn>ioEhEcENYdVf;&O{4^r3Bj?E?<*$#$S=Y0G|{QQ;yVEZDd zrg)n8JgDv%uOc`egI^*4?oA0b5OJCCyw=dQ`l?8bn^#$y#`l>y|JU$lK1jaYN?OwH zV&eftkbFH~&d*z23fc((?kl(dXwT0Gs-(64(ZH>%4RF6YsL#~4%MWc^=Nkw|lQ_0i zG|($4jLmcjw-I+L6_c7EY6RP6RO-2@=XyBf2KOj~iPT?Q=i8I>Mc`?v;({hlLNcd` z%sCJt8ExKx!q)BtATMyTl44ANwZP^^kzs?bp{7vt!hpR=x}cZ zgDi{YIUJPS*Ur@dys|REm*5pRS3~n-*N7vHF^7=xoyz^_@CH$ov8;}yEk-1ivIL6N z(jB<KDBx-ttq9J)S@~#hchlW-W$xAKPW( z>0LdVbF!Ysd2wnu8KkfBZ#9eEmsfntR^LASd z+l7w@{CFTAtO9t^VBL&OicMo6g+9%9++IXBYfhP<5f_CZB3-o{081auy?^<+%xUzoNq)V@<1ik3LNH9+rhisWcu`#Z;P2gOd}APS*%8P zlEJkB3NI0p2i~PqYYm5pD^r73$<& zuJ$kz(B~}&j+*`E2&}G%A%+Gfhca64r`rL2ZMnPCUpJ>wI5jg6j?ixb?ncp_E=s|5 z#%MhT7#VgC1P>c8hki@$IbUv_ZoR@Cm_%<*0%-}P`6LH$w8a38<SFcA)+Imr0z6j8jT0rhI z&0QgVVJ)v`ag4p>Zr>3}x0_7e&liUbBMphTuoc?1&4g#Q)Pm%cK?ANCNG$xN(;Ym*PAJsZ4l2tx1r65z18tL^&vjVGdAlBN3ToY>-`EYBey zS*eAfAhckZJQP-IEC;xfBS~aDS0kK3hd{uuMK+ZYJ?U2mOsxVaIazkZXuW||^0m`B z-UE|iIY^AK%u690G<*+DZ;aX2x`zNc80t~Aj1FiIJj;e0pECreY1_8wB>}UlKGV7Z zk5$2wH8U4!X$Qi%6oaa|j62Gq-Z}r$047tyN1V$9k;Dpvyzx+c0Vt%UyU7q27VKKE zXPOPg$JY;tUHx}|O?#iK)435RtTc(j__M`!p9d;Is7l(YX&DO7#3n^H&T$0(7hw5L^|(5dnbL^!gtp|Nf<6d zt(~p`Y^=0UkoL?rlNtma(H0DhV4P(PP(1mb6Z&CsS%{sKpHt1w+G>TM6&nNwzD#eG zS3q!wwFJzp(GY>nuvKXw5NyfR9prMZ$!hhg1Z40upp?FMtUwqHxFq%xeFoe1IzhJ@ zTi3Xq`n4kk4?;aV;hyh&|Eos>#>GeP|NeKrbYsLJToUm*lPDYPudC^f%hR9chnWl+ znL_Gr5*bEDT%-ciB6^yL7W*& z(o&6F+uRxmSuGYJPA0@jE9Z5&)6T6OZJc3DfV?7H+qBh`X~HXj14q#aTvNNpqd@`n z1y$+pYbj;zYhzi-?Xv`WK$Td}>k=-Lsl9f~PtV5n<$g>aG>aCXcx-KaR zKwilXxsS{I6O!ww+-7D!1+O#^%~{RdWZB5f1`&`!7%QCPPcyF8nhvAm&r|=S6t`Ak;l~U#2X}hDDV28qhW`ybc`;H*E}6w$SU*m1zq*b}BajpV3phRF@cv z7!jh*^_S5Um6^*HYk>>P!u=u|^@v+hZcj82imuND%{L=lWqoh)~WS%!r#2bIZp|;2Q-hhEh1CzUW#ydIm-&W)@a9b`DOy zAP7mrP(YRHUDvAPJL12cI(lg`)C(d~@Yc#V(g{QkI%K~C&bz>i2Lq#RczWSkxyt3b8}fDZmI62J(#a;f6>}@n+4tV*Dy&mf zM9cxbe5a3YJ$m))GhmKE^UO8hLJJ(U#}uP1GGvUmj(Tr}l_r{OnyID}J3(TCg~mHh z>YJ~=Q~BVd!^})9=E>A(#5md3yW_5z?s@2u)6RSkpwkSk3u%w8PX6LC+LszKnUg8ui+K37$7Nnab^7vp)a=jl0EgnD4+}{4?m5{0 z-kEP4;)Eu)a@sa(NvQnqtQ%ewTU6MffuSc`i!E literal 0 HcmV?d00001 diff --git a/site/contact.html b/site/contact.html index 71ec33b..267644d 100644 --- a/site/contact.html +++ b/site/contact.html @@ -7,9 +7,7 @@ - - - + diff --git a/site/css/fonts.css b/site/css/fonts.css new file mode 100644 index 0000000..0964958 --- /dev/null +++ b/site/css/fonts.css @@ -0,0 +1,16 @@ +/* Self-hosted web fonts (latin + latin-ext) — no third-party requests, no SRI needed. + Regenerate with the snippet in site/README.md if weights change. */ +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:400;font-display:swap;src:url(../assets/fonts/jetbrains-mono-400-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:400;font-display:swap;src:url(../assets/fonts/jetbrains-mono-400-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:500;font-display:swap;src:url(../assets/fonts/jetbrains-mono-500-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:500;font-display:swap;src:url(../assets/fonts/jetbrains-mono-500-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:700;font-display:swap;src:url(../assets/fonts/jetbrains-mono-700-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:700;font-display:swap;src:url(../assets/fonts/jetbrains-mono-700-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:800;font-display:swap;src:url(../assets/fonts/jetbrains-mono-800-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'JetBrains Mono';font-style:normal;font-weight:800;font-display:swap;src:url(../assets/fonts/jetbrains-mono-800-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} +@font-face{font-family:'Space Grotesk';font-style:normal;font-weight:500;font-display:swap;src:url(../assets/fonts/space-grotesk-500-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'Space Grotesk';font-style:normal;font-weight:500;font-display:swap;src:url(../assets/fonts/space-grotesk-500-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} +@font-face{font-family:'Space Grotesk';font-style:normal;font-weight:600;font-display:swap;src:url(../assets/fonts/space-grotesk-600-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'Space Grotesk';font-style:normal;font-weight:600;font-display:swap;src:url(../assets/fonts/space-grotesk-600-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} +@font-face{font-family:'Space Grotesk';font-style:normal;font-weight:700;font-display:swap;src:url(../assets/fonts/space-grotesk-700-latin-ext.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;} +@font-face{font-family:'Space Grotesk';font-style:normal;font-weight:700;font-display:swap;src:url(../assets/fonts/space-grotesk-700-latin.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;} diff --git a/site/docs.html b/site/docs.html index a170012..e4895db 100644 --- a/site/docs.html +++ b/site/docs.html @@ -7,9 +7,7 @@ - - - + diff --git a/site/index.html b/site/index.html index 88d93b4..2d1178a 100644 --- a/site/index.html +++ b/site/index.html @@ -12,9 +12,7 @@ - - - + From 0e2144a14199a080657e971aedf71c61f062579a Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sat, 23 May 2026 20:59:32 +0300 Subject: [PATCH 5/7] fix(docs): correct broken manual cross-links flagged in review Two internal links pointed at non-existent pages (caught by gemini-code-assist): - how-it-works (EN+TR): #/configuration/custom-rules -> #/detectors/custom-rules - installation (EN+TR): #/guides/docker -> #/ci-cd/docker-usage Regenerated the compiled manual bags. All 278 #/section/page cross-links now resolve against _meta.yaml. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/user-manuals/en/getting-started/how-it-works.md | 4 ++-- docs/user-manuals/en/getting-started/installation.md | 4 ++-- docs/user-manuals/tr/getting-started/how-it-works.md | 4 ++-- docs/user-manuals/tr/getting-started/installation.md | 4 ++-- site/js/manuals/en.js | 2 +- site/js/manuals/tr.js | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/user-manuals/en/getting-started/how-it-works.md b/docs/user-manuals/en/getting-started/how-it-works.md index 0c3e0a8..b019c06 100644 --- a/docs/user-manuals/en/getting-started/how-it-works.md +++ b/docs/user-manuals/en/getting-started/how-it-works.md @@ -63,7 +63,7 @@ Each shortlisted detector runs its compiled **regular expression** against the c - A **redacted** representation safe for output. - Optional extra metadata (e.g. account ID for an AWS key). -Leakwatch ships **63 built-in detectors** across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via [custom YAML rules](#/configuration/custom-rules). +Leakwatch ships **63 built-in detectors** across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via [custom YAML rules](#/detectors/custom-rules). All detectors are registered at compile time using Go's `init()` function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime. @@ -160,4 +160,4 @@ The architecture reflects several deliberate choices documented as ADRs: - [How Verification Works](#/verification/how-verification-works) - [Configuration File](#/configuration/config-file) - [CLI Reference](#/reference/cli-reference) -- [Custom Rules](#/configuration/custom-rules) +- [Custom Rules](#/detectors/custom-rules) diff --git a/docs/user-manuals/en/getting-started/installation.md b/docs/user-manuals/en/getting-started/installation.md index 111e5cc..714c48d 100644 --- a/docs/user-manuals/en/getting-started/installation.md +++ b/docs/user-manuals/en/getting-started/installation.md @@ -53,7 +53,7 @@ Available tags: Mount the directory you want to scan to `/scan` inside the container. Flags and options work identically to the native binary — see [CLI Reference](#/reference/cli-reference) for the full list. :::tip -For Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see [Using Docker](#/guides/docker). +For Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see [Using Docker](#/ci-cd/docker-usage). ::: ## Prebuilt binary @@ -96,6 +96,6 @@ If the command is not found, check that the install directory is on your `PATH`. ## See also - [Quick Start](#/getting-started/quick-start) -- [Using Docker](#/guides/docker) +- [Using Docker](#/ci-cd/docker-usage) - [CLI Reference](#/reference/cli-reference) - [Configuration File](#/configuration/config-file) diff --git a/docs/user-manuals/tr/getting-started/how-it-works.md b/docs/user-manuals/tr/getting-started/how-it-works.md index d49cde1..b19648c 100644 --- a/docs/user-manuals/tr/getting-started/how-it-works.md +++ b/docs/user-manuals/tr/getting-started/how-it-works.md @@ -63,7 +63,7 @@ Kısa listeye alınan her dedektör, derlenmiş **düzenli ifadesini** parça ba - Çıktı için güvenli olan **maskelenmiş** bir gösterim. - İsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği). -Leakwatch, 60 paket genelinde **63 yerleşik dedektör** ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. [Özel YAML kuralları](#/configuration/custom-rules) aracılığıyla kendi desenlerinizi ekleyebilirsiniz. +Leakwatch, 60 paket genelinde **63 yerleşik dedektör** ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. [Özel YAML kuralları](#/detectors/custom-rules) aracılığıyla kendi desenlerinizi ekleyebilirsiniz. Tüm dedektörler, Go'nun `init()` işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur. @@ -160,4 +160,4 @@ Mimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır: - [Doğrulama Nasıl Çalışır](#/verification/how-verification-works) - [Yapılandırma Dosyası](#/configuration/config-file) - [CLI Referansı](#/reference/cli-reference) -- [Özel Kurallar](#/configuration/custom-rules) +- [Özel Kurallar](#/detectors/custom-rules) diff --git a/docs/user-manuals/tr/getting-started/installation.md b/docs/user-manuals/tr/getting-started/installation.md index 72f2efc..c510c00 100644 --- a/docs/user-manuals/tr/getting-started/installation.md +++ b/docs/user-manuals/tr/getting-started/installation.md @@ -53,7 +53,7 @@ Kullanılabilir etiketler: Taramak istediğiniz dizini konteyner içindeki `/scan` dizinine bağlayın. Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için [CLI Referansı](#/reference/cli-reference) sayfasına bakın. :::tip -Uzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için [Docker Kullanımı](#/guides/docker) sayfasına bakın. +Uzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için [Docker Kullanımı](#/ci-cd/docker-usage) sayfasına bakın. ::: ## Hazır ikili dosya @@ -96,6 +96,6 @@ Komut bulunamazsa kurulum dizininin `PATH` değişkeninde olup olmadığını ko ## Ayrıca bakın - [Hızlı Başlangıç](#/getting-started/quick-start) -- [Docker Kullanımı](#/guides/docker) +- [Docker Kullanımı](#/ci-cd/docker-usage) - [CLI Referansı](#/reference/cli-reference) - [Yapılandırma Dosyası](#/configuration/config-file) diff --git a/site/js/manuals/en.js b/site/js/manuals/en.js index 148ac68..940073a 100644 --- a/site/js/manuals/en.js +++ b/site/js/manuals/en.js @@ -1,3 +1,3 @@ // Generated by tools/site-build. Do not edit by hand. window.LW_MANUAL = window.LW_MANUAL || {}; -window.LW_MANUAL["en"] = {"ci-cd/docker-usage":{"title":"Docker Usage","description":"Run Leakwatch scans inside a container using the official Docker image.","html":"\u003ch1 id=\"docker-usage\"\u003eDocker Usage\u003c/h1\u003e\n\u003cp\u003eThe official Leakwatch container image lets you run scans without installing anything on the host machine. Because the image is statically compiled with \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e and runs as a non-root user, it is safe to use in locked-down CI environments and on shared machines where you do not want to modify the host system.\u003c/p\u003e\n\u003ch2 id=\"image-reference\"\u003eImage reference\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe image is based on Alpine, runs as the non-root user \u003ccode\u003eleakwatch\u003c/code\u003e, uses \u003ccode\u003e/scan\u003c/code\u003e as the working directory, and has \u003ccode\u003eleakwatch\u003c/code\u003e as its entrypoint.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause the entrypoint is \u003ccode\u003eleakwatch\u003c/code\u003e, you append the subcommand and flags directly after the image name — for example, \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. There is no need to repeat the binary name.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"scanning-a-local-directory\"\u003eScanning a local directory\u003c/h2\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo write results to a file on the host, write the output file into the mounted volume:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe file \u003ccode\u003eleakwatch.sarif\u003c/code\u003e appears in the current directory on your host after the container exits.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-remote-git-repository\"\u003eScanning a remote Git repository\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo volume mount is required for remote Git repositories — Leakwatch clones them into a temporary directory inside the container.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-container-image\"\u003eScanning a container image\u003c/h2\u003e\n\u003cp\u003eLeakwatch is daemonless: it pulls image layers directly from the registry without a Docker daemon. This means you can scan a remote image from within the Leakwatch container without mounting the host Docker socket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor private registries, pass the credentials as environment variables consumed by the registry client (for example, \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e pointing to a mounted credentials file, or the standard registry environment variables your registry supports).\u003c/p\u003e\n\u003ch2 id=\"passing-a-configuration-file\"\u003ePassing a configuration file\u003c/h2\u003e\n\u003cp\u003eMount \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e into \u003ccode\u003e/scan\u003c/code\u003e so Leakwatch picks it up automatically:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAs long as \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is in the mounted directory, Leakwatch finds it because \u003ccode\u003e/scan\u003c/code\u003e is both the working directory and the path passed to the scan. If your config file lives elsewhere, mount it explicitly and use \u003ccode\u003e--config\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-environment-variables\"\u003ePassing environment variables\u003c/h2\u003e\n\u003cp\u003eEnvironment variables for cloud scanning and token-based authentication can be injected with \u003ccode\u003e-e\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# S3 scan with AWS credentials\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor CI environments, prefer injecting secrets as masked CI variables rather than embedding them in the command line.\u003c/p\u003e\n\u003ch2 id=\"output-file-pattern\"\u003eOutput file pattern\u003c/h2\u003e\n\u003cp\u003eA common Docker pattern in CI is to write results into the mounted volume and then upload or archive the file as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install the native binary instead of using Docker.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e flags and behavior.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eContainer Images\u003c/a\u003e — scanning OCI/Docker image layers for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — using the Docker image in GitLab CI and other pipelines.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — complete flag reference for all subcommands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"Use the official Leakwatch GitHub Action to scan for secrets in your GitHub workflows.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eEvery push to your repository is an opportunity for a secret to slip through. The official \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e) integrates Leakwatch directly into your GitHub workflow — it installs the tool, runs a scan, maps exit codes, and optionally uploads SARIF results to GitHub Code Scanning, all without any external service dependency.\u003c/p\u003e\n\u003ch2 id=\"quick-start\"\u003eQuick start\u003c/h2\u003e\n\u003cp\u003eThe minimal configuration blocks the workflow when secrets are found:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Secret scan (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith only the defaults, the action scans the filesystem (\u003ccode\u003escan-type: fs\u003c/code\u003e), produces SARIF output, skips live verification (\u003ccode\u003eno-verify: true\u003c/code\u003e), and fails the job if any finding is reported.\u003c/p\u003e\n\u003ch2 id=\"full-example-with-sarif-upload\"\u003eFull example with SARIF upload\u003c/h2\u003e\n\u003cp\u003eThe following workflow enables SARIF upload to GitHub Code Scanning, which surfaces findings as security alerts inside the repository:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Secret scan\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # required for SARIF upload\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Scan for secrets\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF upload requires the job to declare \u003ccode\u003epermissions: security-events: write\u003c/code\u003e. Without it, the upload step fails with a 403 error. The \u003ccode\u003econtents: read\u003c/code\u003e permission is also needed for \u003ccode\u003eactions/checkout@v4\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inputs\"\u003eInputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eInput\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan type to run: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e, or \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to scan (for \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e) or image reference (for \u003ccode\u003eimage\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification (no outbound calls to providers).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUpload SARIF results to GitHub Code Scanning after the scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFail the workflow step when findings are reported (exit code 1). When \u003ccode\u003efalse\u003c/code\u003e, a \u003ccode\u003e::warning::\u003c/code\u003e annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code 2) always fail the step regardless of this setting.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLeakwatch version to install. Use a tag such as \u003ccode\u003ev1.5.0\u003c/code\u003e to pin a specific release.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"outputs\"\u003eOutputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eOutput\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e if no findings were reported; \u003ccode\u003e1\u003c/code\u003e if findings were reported. Mirrors the Leakwatch exit code.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the SARIF output file on the runner (set when \u003ccode\u003eformat: sarif\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"verification-in-ci\"\u003eVerification in CI\u003c/h2\u003e\n\u003cp\u003eBy default, \u003ccode\u003eno-verify\u003c/code\u003e is \u003ccode\u003etrue\u003c/code\u003e — live verification is \u003cstrong\u003eoff\u003c/strong\u003e in CI. This keeps the scan fast and avoids making outbound network calls to provider APIs from CI runners, which may be behind a firewall or have rate-limited credentials.\u003c/p\u003e\n\u003cp\u003eTo enable verification in CI, set \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnabling verification in CI causes Leakwatch to make authenticated API calls to providers (AWS, GitHub, Stripe, etc.) for each candidate finding. Be aware of provider rate limits and ensure the runner has outbound internet access.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"how-sarif-upload-works\"\u003eHow SARIF upload works\u003c/h2\u003e\n\u003cp\u003eWhen \u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e and \u003ccode\u003eformat: sarif\u003c/code\u003e, the action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTells Leakwatch to write output to \u003ccode\u003eresults.sarif\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter the scan, calls \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e with \u003ccode\u003ecategory: leakwatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGitHub processes the file and surfaces findings as \u003cstrong\u003eCode Scanning alerts\u003c/strong\u003e under the repository's \u003cstrong\u003eSecurity\u003c/strong\u003e tab.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe upload step runs with \u003ccode\u003eif: always()\u003c/code\u003e, so results are uploaded even when \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e causes the scan step to set a failure.\u003c/p\u003e\n\u003ch2 id=\"using-action-outputs\"\u003eUsing action outputs\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Scan for secrets\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # let the workflow continue\n\n- name: Print result\n run: echo \u0026quot;Findings reported: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"pinning-a-specific-version\"\u003ePinning a specific version\u003c/h2\u003e\n\u003cp\u003eFor reproducible builds, pin \u003ccode\u003eversion\u003c/code\u003e to a specific tag:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis installs exactly \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e via \u003ccode\u003ego install\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — understanding JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — when and how Leakwatch calls provider APIs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Hook\u003c/a\u003e — catch secrets before they are committed.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — GitLab CI, Jenkins, and generic shell integration.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Other CI Systems","description":"Integrate Leakwatch into GitLab CI, Jenkins, Bitbucket Pipelines, and any other CI system.","html":"\u003ch1 id=\"other-ci-systems\"\u003eOther CI Systems\u003c/h1\u003e\n\u003cp\u003eBecause Leakwatch is a single static binary with no runtime dependencies, it runs in any CI environment that can execute a shell command — GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps, and others. There is no built-in integration for these systems beyond what is described on this page; the pattern is always: install the binary, run the scan, act on the exit code.\u003c/p\u003e\n\u003ch2 id=\"installing-leakwatch-in-ci\"\u003eInstalling Leakwatch in CI\u003c/h2\u003e\n\u003cp\u003eChoose the method that best suits your runner environment:\u003c/p\u003e\n\u003ch3 id=\"via-go-install-requires-go-on-the-runner\"\u003evia \u003ccode\u003ego install\u003c/code\u003e (requires Go on the runner)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePin to a specific version for reproducible builds:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"via-the-docker-image-no-go-required\"\u003evia the Docker image (no Go required)\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e as a job image or run it with \u003ccode\u003edocker run\u003c/code\u003e. See \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e for the full pattern.\u003c/p\u003e\n\u003ch3 id=\"via-a-prebuilt-release-binary\"\u003evia a prebuilt release binary\u003c/h3\u003e\n\u003cp\u003eDownload the appropriate tarball from \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e, extract, and place on \u003ccode\u003ePATH\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch exits with one of three codes, which is the primary mechanism for failing a CI build:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended CI action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo findings\u003c/td\u003e\n\u003ctd\u003ePass the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSecrets found\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHard error (bad config, unreadable path, etc.)\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA generic shell snippet that branches on the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;No secrets found.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Secrets found — failing build.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Scan error (exit $EXIT_CODE) — failing build.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-example\"\u003eGitLab CI example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e job installs Leakwatch, runs a filesystem scan, and stores the JSON report as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 days\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (the default) means exit code \u003ccode\u003e1\u003c/code\u003e fails the pipeline stage. Set \u003ccode\u003eallow_failure: true\u003c/code\u003e if you want the scan to report without blocking the merge.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab supports SAST report artifacts. Leakwatch produces SARIF (\u003ccode\u003e--format sarif\u003c/code\u003e), not GitLab's native SAST JSON schema, so use the \u003ccode\u003epaths:\u003c/code\u003e artifact approach rather than the \u003ccode\u003ereports: sast:\u003c/code\u003e key.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"recommendations-for-ci-runners\"\u003eRecommendations for CI runners\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eUse \u003ccode\u003e--no-verify\u003c/code\u003e on runners without outbound internet access.\u003c/strong\u003e Verification makes live API calls to providers (AWS, GitHub, Stripe, etc.). On air-gapped or firewall-restricted runners, these calls time out and slow the scan. Pass \u003ccode\u003e--no-verify\u003c/code\u003e to skip verification entirely:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSave output as an artifact.\u003c/strong\u003e Use \u003ccode\u003e--format sarif\u003c/code\u003e or \u003ccode\u003e--format json\u003c/code\u003e with \u003ccode\u003e--output\u003c/code\u003e to write a file that can be stored, uploaded to a vulnerability management platform, or reviewed after the job completes.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSet \u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e to focus on the secrets that matter most. In a noisy codebase, start with \u003ccode\u003e--min-severity high\u003c/code\u003e and lower the threshold once you have cleared the backlog.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-example\"\u003eAzure DevOps example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch secret scan\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-results\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-example\"\u003eJenkins example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Secret scan') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — full reference for all exit code meanings.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e — use the container image instead of installing the binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — the official action for GitHub workflows.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Hook","description":"Use the Leakwatch pre-commit hook to scan for secrets before every commit.","html":"\u003ch1 id=\"pre-commit-hook\"\u003ePre-commit Hook\u003c/h1\u003e\n\u003cp\u003eThe cheapest time to catch a secret is before it enters the repository at all. Leakwatch ships a native \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e hook that runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e automatically on every \u003ccode\u003egit commit\u003c/code\u003e, so a leaked API key or password fails the commit rather than appearing in history.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eYou need:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit is a Python tool).\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e installed globally (\u003ccode\u003epip install pre-commit\u003c/code\u003e or \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGo 1.25+ on \u003ccode\u003ePATH\u003c/code\u003e — the hook language is \u003ccode\u003egolang\u003c/code\u003e, so pre-commit compiles Leakwatch from source on first run.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"configuration\"\u003eConfiguration\u003c/h2\u003e\n\u003cp\u003eAdd a \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e file to the root of your repository (or extend an existing one):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInstall the hooks into the local Git repo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThat is all. From this point on, every \u003ccode\u003egit commit\u003c/code\u003e triggers a filesystem scan. If Leakwatch finds any secrets, the commit is blocked and the findings are printed to the terminal.\u003c/p\u003e\n\u003ch2 id=\"running-manually\"\u003eRunning manually\u003c/h2\u003e\n\u003cp\u003eTo scan the entire repository (not just staged files) at any time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo run only the Leakwatch hook without triggering others:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-extra-arguments\"\u003ePassing extra arguments\u003c/h2\u003e\n\u003cp\u003eThe hook's default behavior matches \u003ccode\u003eleakwatch scan fs\u003c/code\u003e with no additional flags. You can pass extra arguments via the \u003ccode\u003eargs:\u003c/code\u003e key:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis example reports only high-severity secrets that Leakwatch has confirmed are still active — a strict policy suitable for teams that want to avoid false-positive noise without sacrificing coverage.\u003c/p\u003e\n\u003cp\u003eOther useful arguments:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # skip live verification for faster commits\n - --min-severity\n - medium # suppress low-severity noise\n - --format\n - table # human-readable output in the terminal\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003epass_filenames: false\u003c/code\u003e is set in the hook definition, which means the hook always scans the full working tree rather than only the files staged for the current commit. This guarantees that secrets already present in unstaged files are also detected.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-the-hook-scans\"\u003eWhat the hook scans\u003c/h2\u003e\n\u003cp\u003eThe hook runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e against the repository working directory. It uses the same detection pipeline as the CLI: Aho-Corasick pre-filtering, regex validation, entropy calculation, and (unless \u003ccode\u003e--no-verify\u003c/code\u003e is set) live verification.\u003c/p\u003e\n\u003cp\u003eConfiguration in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is respected automatically — exclusion patterns, entropy thresholds, and verification settings all apply without any extra hook configuration.\u003c/p\u003e\n\u003ch2 id=\"skipping-the-hook-temporarily\"\u003eSkipping the hook temporarily\u003c/h2\u003e\n\u003cp\u003eTo commit without running the hook (for example, when committing a controlled test fixture that contains a redacted secret):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: add test fixture\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUsing \u003ccode\u003eSKIP=leakwatch\u003c/code\u003e bypasses all secret scanning for that commit. Use it only when you have confirmed the content is safe, and prefer \u003ccode\u003e.leakwatchignore\u003c/code\u003e or inline \u003ccode\u003eleakwatch:ignore\u003c/code\u003e comments for permanent suppressions instead.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"keeping-the-hook-version-pinned\"\u003eKeeping the hook version pinned\u003c/h2\u003e\n\u003cp\u003ePin \u003ccode\u003erev:\u003c/code\u003e to a specific tag rather than a branch name. This ensures all developers on the team use the same detector set and the hook does not silently upgrade mid-sprint:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # pin; do not use 'main' or 'HEAD'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUpdate by running:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ewhich bumps \u003ccode\u003erev\u003c/code\u003e to the latest tag and lets you review the change before committing it.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — the underlying scan command the hook runs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — control exclusions, entropy, and verification in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — scan on every push and pull request in GitHub CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Configuration File","description":"How to configure Leakwatch with .leakwatch.yaml — full schema, defaults, validation rules, environment overrides, and the leakwatch init command.","html":"\u003ch1 id=\"configuration-file\"\u003eConfiguration File\u003c/h1\u003e\n\u003cp\u003eLeakwatch's behaviour across every scan command is driven by a single YAML file named \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e. Understanding this file lets you tune concurrency, verification, output format, and path filtering once — and have every scan pick it up automatically.\u003c/p\u003e\n\u003ch2 id=\"file-discovery\"\u003eFile discovery\u003c/h2\u003e\n\u003cp\u003eLeakwatch resolves the config file in the following order:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e flag\u003c/strong\u003e — use an explicit path regardless of the working directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCurrent directory\u003c/strong\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the directory where the command is run.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHome directory\u003c/strong\u003e — \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e as a fallback.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf no file is found, built-in defaults are used for every setting.\u003c/p\u003e\n\u003ch2 id=\"generating-a-starter-file\"\u003eGenerating a starter file\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003eleakwatch init\u003c/code\u003e command writes a ready-to-edit file with recommended defaults:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default the file is written to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory. Use \u003ccode\u003e--output\u003c/code\u003e to choose a different path:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the target file already exists, \u003ccode\u003eleakwatch init\u003c/code\u003e will refuse to overwrite it and exit with an error. Pass \u003ccode\u003e--force\u003c/code\u003e to overwrite:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"environment-variable-overrides\"\u003eEnvironment variable overrides\u003c/h2\u003e\n\u003cp\u003eEvery config key can be overridden with an environment variable. The naming rule is:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrefix: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eUppercase\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExamples:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003cth\u003eEnvironment variable\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence\"\u003ePrecedence\u003c/h2\u003e\n\u003cp\u003eWhen the same setting is specified in multiple places, the highest-priority source wins:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCommand-line flag (highest)\u003c/li\u003e\n\u003cli\u003eEnvironment variable\u003c/li\u003e\n\u003cli\u003eConfig file value\u003c/li\u003e\n\u003cli\u003eBuilt-in default (lowest)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"full-schema\"\u003eFull schema\u003c/h2\u003e\n\u003cp\u003eThe annotated schema below shows every supported key, its default value, and valid range.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Scan engine ──────────────────────────────────────────────────────────────\n\nscan:\n # Number of concurrent file-processing workers.\n # Defaults to the number of logical CPU cores on the host.\n # Must be \u0026gt;= 1.\n concurrency: 8\n\n # Maximum file size to scan, in bytes. Files larger than this limit are\n # skipped entirely. Default is 10 MB (10485760). Must be \u0026gt;= 1.\n max-file-size: 10485760\n\n# ── Detection ─────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Enable Shannon entropy calculation for each candidate match.\n enabled: true\n\n # Entropy threshold used for display and custom-rule gating.\n # Range: 0–8. Default: 4.0.\n # See note below about built-in findings.\n threshold: 4.0\n\n# ── Verification ─────────────────────────────────────────────────────────────\n\nverification:\n # Enable live verification against provider APIs.\n enabled: true\n\n # Per-request HTTP timeout. Must be \u0026gt;= 1ms when verification is enabled.\n # Use a duration string (e.g. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — a bare integer is\n # treated as nanoseconds and will fail validation.\n timeout: 10s\n\n # Number of concurrent verification workers. Must be \u0026gt;= 1.\n concurrency: 4\n\n # Maximum verification requests per second (token-bucket rate limiter).\n # Must be \u0026gt; 0.\n rate-limit: 10.0\n\n# ── Filtering ─────────────────────────────────────────────────────────────────\n\nfilter:\n # Glob patterns for paths to exclude from scanning.\n # Supported glob styles: filepath.Match patterns, ** double-star spanning\n # zero or more path segments, and trailing-slash dir/ patterns that match\n # the named directory at any depth. Each pattern is tested against both the\n # full path and the base filename, so simple patterns like \u0026quot;*.min.js\u0026quot; match\n # nested files without a leading path prefix.\n # Applies to all scan sources. (On `scan fs` the --exclude flag also sets this.)\n # Default: [] (no exclusions beyond the built-in binary/lock-file skips).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Detector IDs to disable entirely. Findings from listed detectors are never\n # produced regardless of other settings. Default: [].\n exclude-detectors: []\n\n# ── Output ────────────────────────────────────────────────────────────────────\n\noutput:\n # Output format. One of: json, sarif, csv, table. Default: json.\n # The --format / -f flag overrides this at run time.\n format: json\n\n # Write output to this file path instead of stdout. Default: \u0026quot;\u0026quot; (stdout).\n # The --output / -o flag overrides this at run time.\n file: \u0026quot;\u0026quot;\n\n # Drop findings below this severity level.\n # One of: low, medium, high, critical. Default: \u0026quot;\u0026quot; (show all).\n # The --min-severity flag overrides this at run time.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Include the unredacted secret value in output.\n # Default: false. The --show-raw flag overrides this at run time.\n show-raw: false\n\n# ── Custom rules ──────────────────────────────────────────────────────────────\n\n# Define your own detectors as YAML rules. See the custom rules page for the\n# full rule schema.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e controls which entropy value is displayed alongside a finding and acts as a gate for custom rules (a custom rule match whose entropy falls below the threshold is suppressed). It does \u003cstrong\u003enot\u003c/strong\u003e suppress findings from built-in detectors — built-in detectors have their own match criteria and are never dropped by this setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"validation\"\u003eValidation\u003c/h2\u003e\n\u003cp\u003eLeakwatch validates the loaded configuration before starting a scan and exits with an error for any of the following:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCondition\u003c/th\u003e\n\u003cth\u003eError\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid concurrency value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid max-file-size value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e not in \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnsupported output format\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e outside 0–8\u003c/td\u003e\n\u003ctd\u003eInvalid entropy threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e not a valid level (when non-empty)\u003c/td\u003e\n\u003ctd\u003eInvalid severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification timeout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification concurrency\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Ignoring Findings","description":"Suppress false positives with .leakwatchignore files, inline ignore markers, and built-in binary and lock-file skips.","html":"\u003ch1 id=\"ignoring-findings\"\u003eIgnoring Findings\u003c/h1\u003e\n\u003cp\u003eNo scanner has zero false positives. Leakwatch gives you three layered mechanisms to suppress the noise: a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file for path-based exclusions, inline markers for line-level suppression, and a set of always-on built-in skips for binary files and common lock files.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-file\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e file\u003c/h2\u003e\n\u003cp\u003eCreate a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your repository root (or in the current directory) to exclude paths from the scan results. It uses a gitignore-style syntax:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLines starting with \u003ccode\u003e#\u003c/code\u003e are comments.\u003c/li\u003e\n\u003cli\u003eBlank lines are skipped.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003e!\u003c/code\u003e prefix \u003cstrong\u003enegates\u003c/strong\u003e a pattern, re-including a path that a previous pattern would have excluded.\u003c/li\u003e\n\u003cli\u003eThe \u003cstrong\u003elast matching pattern wins\u003c/strong\u003e — order matters.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"loading-order\"\u003eLoading order\u003c/h3\u003e\n\u003cp\u003eLeakwatch loads \u003ccode\u003e.leakwatchignore\u003c/code\u003e from the scan root first, then from the current working directory. If both exist and contain patterns for the same path, the current-directory file's patterns take precedence because they are evaluated last.\u003c/p\u003e\n\u003ch3 id=\"glob-syntax\"\u003eGlob syntax\u003c/h3\u003e\n\u003cp\u003eThree pattern styles are supported:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStyle\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003cth\u003eExample\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandard glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e-style, matched against both the full path and the base filename\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDouble-star \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpans zero or more path segments\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTrailing slash \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMatches every file inside the named directory at any depth\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-leakwatchignore\"\u003eExample \u003ccode\u003e.leakwatchignore\u003c/code\u003e\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Ignore all test fixture files\ntest/fixtures/**\n\n# Ignore known placeholder keys in documentation\ndocs/examples/\n\n# Ignore files with a specific extension anywhere in the tree\n*.pem.example\n\n# Re-include a specific file excluded by the rule above\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtering is applied \u003cstrong\u003eafter\u003c/strong\u003e the scan completes, based on the file path of each finding. It does not prevent files from being read — it suppresses the findings they produce. To skip files before they are read at all, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file or \u003ccode\u003e--exclude\u003c/code\u003e on \u003ccode\u003escan fs\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inline-ignore-markers\"\u003eInline ignore markers\u003c/h2\u003e\n\u003cp\u003ePlace a marker directly on any source line to suppress detectors for that specific line. The marker can appear anywhere on the line — typically inside a comment — and is applied by the engine \u003cstrong\u003ebefore\u003c/strong\u003e verification, so an ignored line never triggers a network call.\u003c/p\u003e\n\u003ch3 id=\"suppress-all-detectors-on-a-line\"\u003eSuppress all detectors on a line\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Payment processing configuration\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"suppress-a-specific-detector-on-a-line\"\u003eSuppress a specific detector on a line\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e to suppress only one detector while leaving others active:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// This token is intentionally a placeholder for documentation\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# CI environment variable set by the platform — not a real secret\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePrefer the detector-specific form (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) over the generic one whenever possible. It documents which detector you are suppressing and keeps all other detectors active on that line.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"built-in-skips-always-applied\"\u003eBuilt-in skips (always applied)\u003c/h2\u003e\n\u003cp\u003eLeakwatch unconditionally skips the following before running any detector:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary file extensions\u003c/strong\u003e — files with extensions such as \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e, and others are never scanned.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary content detection\u003c/strong\u003e — any file whose first 8 KB contains a null byte is treated as binary and skipped, regardless of extension.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCommon lock files\u003c/strong\u003e — the following filenames are always skipped because they contain hashes and checksums that produce high rates of false positives:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFile\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThese built-in skips cannot be disabled. They are separate from the \u003ccode\u003efilter.exclude-paths\u003c/code\u003e setting and run before any config-based filtering.\u003c/p\u003e\n\u003ch2 id=\"path-based-exclusion-before-scanning\"\u003ePath-based exclusion before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before they are even read by the scan engine, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in your config file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis setting applies to \u003cstrong\u003eall scan sources\u003c/strong\u003e (filesystem, Git history, container images, cloud storage, Slack). On the \u003ccode\u003escan fs\u003c/code\u003e command you can also pass \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e on the command line, which is the flag-equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full config schema and \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e for detector-level and severity-level filtering.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Severity \u0026 Filtering","description":"Control which findings reach your output using severity thresholds, verified-only mode, detector exclusions, and path exclusions.","html":"\u003ch1 id=\"severity--filtering\"\u003eSeverity \u0026amp; Filtering\u003c/h1\u003e\n\u003cp\u003eA busy codebase can produce many findings. Leakwatch provides several independent filters you can combine to focus on the signals that matter most: severity thresholds drop low-priority noise, verified-only mode surfaces only confirmed live secrets, detector exclusions silence known false-positive sources, and path exclusions remove entire directory trees from scope.\u003c/p\u003e\n\u003ch2 id=\"severity-levels\"\u003eSeverity levels\u003c/h2\u003e\n\u003cp\u003eEvery built-in detector ships with a default severity. The four levels, from lowest to highest priority, are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eLevel\u003c/th\u003e\n\u003cth\u003eTypical use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric patterns with a higher false-positive rate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRecognizable credential formats, unconfirmed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWell-structured secrets where exposure is likely significant\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLive secrets confirmed or formats with near-zero false-positive rates\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe severity assigned to each detector is listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-drop-findings-below-a-threshold\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: drop findings below a threshold\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e to discard findings whose severity is below the specified level. Only findings at or above the threshold reach the output.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Show only high and critical findings\nleakwatch scan fs . --min-severity high\n\n# Show medium, high, and critical findings\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou can set a persistent default in the config file under \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e. The \u003ccode\u003e--min-severity\u003c/code\u003e flag overrides the config value at run time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-confirmed-active-secrets-only\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: confirmed active secrets only\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--only-verified\u003c/code\u003e to keep only findings whose verification status is \u003ccode\u003everified_active\u003c/code\u003e — secrets that Leakwatch confirmed are still valid by making a controlled read-only call to the provider API. All other findings (unverified, verified-inactive, or verify-error) are dropped.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis flag is most useful in CI pipelines where you want to fail the build \u003cstrong\u003eonly\u003c/strong\u003e on confirmed incidents, not on suspicious patterns that may be placeholders or already-rotated credentials.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for which detectors support live verification.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-disable-specific-detectors\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: disable specific detectors\u003c/h2\u003e\n\u003cp\u003eTo permanently disable one or more detectors, list their IDs under \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in the config file. Findings from listed detectors are never produced, regardless of any other setting:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDetector IDs are listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e. Use this setting when a detector consistently produces false positives for your codebase and other suppression mechanisms (inline ignores or \u003ccode\u003e.leakwatchignore\u003c/code\u003e) are not granular enough.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-skip-paths-before-scanning\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: skip paths before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before the scan engine reads them, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file. The patterns use the same glob syntax as \u003ccode\u003e.leakwatchignore\u003c/code\u003e (standard globs, \u003ccode\u003e**\u003c/code\u003e double-star, and trailing-slash directory patterns), and apply to \u003cstrong\u003eall scan sources\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOn the \u003ccode\u003escan fs\u003c/code\u003e command, the \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e flag is the command-line equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. The \u003ccode\u003e--exclude\u003c/code\u003e flag exists \u003cstrong\u003eonly\u003c/strong\u003e on \u003ccode\u003escan fs\u003c/code\u003e — for all other sources, use the config file setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"combining-filters-in-ci\"\u003eCombining filters in CI\u003c/h2\u003e\n\u003cp\u003eIn a CI pipeline you typically want a low-noise, high-signal run that fails only on real incidents. A recommended combination:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith a config file handling the persistent path exclusions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThen override just the format and destination at the command line for CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for verification details, \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for inline and file-based suppression, and \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full schema.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Custom Rules","description":"How to define your own secret detection patterns in YAML and add them to a Leakwatch scan alongside the 63 built-in detectors.","html":"\u003ch1 id=\"custom-rules\"\u003eCustom Rules\u003c/h1\u003e\n\u003cp\u003eThe 63 built-in detectors cover widely used credential formats, but every organisation has internal tokens, proprietary service keys, or environment-specific patterns that no generic tool can anticipate. Custom rules let you extend Leakwatch with your own patterns — defined in plain YAML, loaded at runtime — without modifying source code or rebuilding the binary.\u003c/p\u003e\n\u003ch2 id=\"where-custom-rules-live\"\u003eWhere custom rules live\u003c/h2\u003e\n\u003cp\u003eCustom rules are defined under a top-level \u003ccode\u003ecustom-rules:\u003c/code\u003e list in your \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe rules are registered at runtime when Leakwatch starts. They run alongside the built-in detectors using the same Aho-Corasick pre-filter pipeline.\u003c/p\u003e\n\u003ch2 id=\"rule-fields\"\u003eRule fields\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eRequired\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eUnique detector ID. Used in output and in \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e. Must not collide with a built-in detector ID or another custom rule ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eHuman-readable description shown in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2-compatible regular expression. Maximum 4096 characters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003elist of strings\u003c/td\u003e\n\u003ctd\u003eAho-Corasick pre-filter keywords. The regex only runs on chunks that contain at least one of these strings. Omitting this field causes the regex to run on every chunk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, or \u003ccode\u003elow\u003c/code\u003e. Defaults to \u003ccode\u003emedium\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropy threshold (0–8). Matches whose entropy is \u003cstrong\u003ebelow\u003c/strong\u003e this value are discarded. Useful for filtering low-randomness false positives.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eAlways supply \u003ccode\u003ekeywords\u003c/code\u003e. Even a single short keyword (like a token prefix) dramatically reduces the number of chunks the regex engine processes, keeping scans fast on large repositories. For example, if all your internal tokens begin with \u003ccode\u003eacme_\u003c/code\u003e, set \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003eentropy\u003c/code\u003e to suppress matches on placeholder values like \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e that satisfy the pattern but are clearly not real secrets. A threshold around 3.0–3.5 is a good starting point.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"collision-handling\"\u003eCollision handling\u003c/h2\u003e\n\u003cp\u003eIf a custom rule's \u003ccode\u003eid\u003c/code\u003e matches an already-registered detector — either a built-in detector or a previously loaded custom rule — the duplicate is \u003cstrong\u003eskipped\u003c/strong\u003e and an error is logged. Leakwatch does not crash; the rest of the rules load normally. Check the log output if a custom rule appears to have no effect.\u003c/p\u003e\n\u003ch2 id=\"verification\"\u003eVerification\u003c/h2\u003e\n\u003cp\u003eCustom rules have no paired verifier. Findings from custom rules are always reported with status \u003ccode\u003eunverified\u003c/code\u003e — they never become \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"complete-example\"\u003eComplete example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e defines two custom rules: one for an internal service token and one for a signing secret used in webhooks.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook signing secret (format: whsec_ + 40 base64url chars)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRun a scan with this config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSample JSON output for a custom-rule finding (secret value redacted):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe \u003ccode\u003eraw_redacted\u003c/code\u003e field always masks the actual secret. The raw value is never written to output unless you explicitly pass \u003ccode\u003e--show-raw\u003c/code\u003e (not recommended outside controlled environments).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"excluding-a-custom-rule\"\u003eExcluding a custom rule\u003c/h2\u003e\n\u003cp\u003eCustom rules participate in the same filtering as built-in detectors. To disable a custom rule without removing it from config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, including where \u003ccode\u003ecustom-rules:\u003c/code\u003e sits in the document structure.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the 63 built-in detectors, to check for ID conflicts before naming your custom rule.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the Aho-Corasick pre-filter pipeline that \u003ccode\u003ekeywords\u003c/code\u003e plugs into.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Detector Catalog","description":"All 63 built-in detectors grouped by category, with their IDs, what they detect, and their default severity.","html":"\u003ch1 id=\"detector-catalog\"\u003eDetector Catalog\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e that cover a wide range of credential types — from cloud provider access keys and AI API tokens to database connection strings and private cryptographic keys. Each detector has a stable ID, a default severity, and (for most) a paired verifier that can confirm whether a found secret is still live.\u003c/p\u003e\n\u003cp\u003eThis page lists every built-in detector. For verification coverage details see \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e. To add your own patterns, see \u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"how-to-read-this-catalog\"\u003eHow to read this catalog\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — the stable string identifier used in config and output. Pass it to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e to skip a detector, or use it with \u003ccode\u003e--min-severity\u003c/code\u003e filtering (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetects\u003c/strong\u003e — what the detector is looking for.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSeverity\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e, \u003ccode\u003eHigh\u003c/code\u003e, or \u003ccode\u003eMedium\u003c/code\u003e. This is the default; it feeds the \u003ccode\u003e--min-severity\u003c/code\u003e flag and the \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e config key.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"cloud-and-infrastructure\"\u003eCloud and Infrastructure\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Service Account Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID Client Secret\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Service Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ai--ml\"\u003eAI / ML\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"payments-and-commerce\"\u003ePayments and Commerce\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Live API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dev-tools-ci-and-packages\"\u003eDev Tools, CI, and Packages\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket App Password\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Personal API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"communication-and-collaboration\"\u003eCommunication and Collaboration\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/User Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Incoming Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Internal Integration Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"email-and-messaging-delivery\"\u003eEmail and Messaging Delivery\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Server API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"monitoring-and-observability\"\u003eMonitoring and Observability\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Auth Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"databases-and-connection-strings\"\u003eDatabases and Connection Strings\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabase Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Connection Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Service Role Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"identity-and-access\"\u003eIdentity and Access\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bind Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"generic-and-cryptographic\"\u003eGeneric and Cryptographic\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric API Key\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePrivate Key (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eTotal: 63 built-in detectors.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"filtering-by-severity\"\u003eFiltering by severity\u003c/h2\u003e\n\u003cp\u003eFindings are filterable by severity using \u003ccode\u003e--min-severity\u003c/code\u003e at the command line or \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e in config. Only findings at or above the specified level are included in the output. See \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"excluding-specific-detectors\"\u003eExcluding specific detectors\u003c/h2\u003e\n\u003cp\u003eTo skip one or more detectors entirely, add their IDs to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for the full filtering reference.\u003c/p\u003e\n\u003ch2 id=\"verification-coverage\"\u003eVerification coverage\u003c/h2\u003e\n\u003cp\u003eSome detectors have a live verifier; others are format-validated only; nine have no verifier at all. See \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e for the complete breakdown.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e — define your own detection patterns in YAML.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detectors can be live-verified.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e — filtering findings by severity or detector.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"How It Works","description":"Architecture of the Leakwatch scan pipeline: sources, detection, verification, and output.","html":"\u003ch1 id=\"how-it-works\"\u003eHow It Works\u003c/h1\u003e\n\u003cp\u003eUnderstanding the Leakwatch pipeline helps you tune performance, interpret results, and decide which flags to reach for. This page explains what happens from the moment you run a scan command to the moment a finding appears in your output.\u003c/p\u003e\n\u003ch2 id=\"the-pipeline-at-a-glance\"\u003eThe pipeline at a glance\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Source\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[Worker Pool\\n—concurrency workers]\n B --\u0026gt; C[Aho-Corasick\\nPre-filter]\n C --\u0026gt; D[Regex\\nDetectors]\n D --\u0026gt; E[Inline-ignore\\nCheck]\n E --\u0026gt; F[Verification\\nPool\\n4 workers / 10 rps]\n F --\u0026gt; G[Post-scan\\nFilters]\n G --\u0026gt; H([Output\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach stage is described in detail below.\u003c/p\u003e\n\u003ch2 id=\"1-source\"\u003e1. Source\u003c/h2\u003e\n\u003cp\u003eEvery scan starts with a \u003cstrong\u003eSource\u003c/strong\u003e — an abstraction that emits chunks of data for the engine to process. Leakwatch ships six sources:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it emits\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFile contents from a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLayer contents of an OCI/Docker image, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text from channels and DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e. The contents of files uploaded to Slack are not scanned.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eChunks flow into a buffered channel consumed by the worker pool.\u003c/p\u003e\n\u003ch2 id=\"2-worker-pool\"\u003e2. Worker pool\u003c/h2\u003e\n\u003cp\u003eThe engine maintains a fixed pool of \u003cstrong\u003egoroutines\u003c/strong\u003e — one per \u003ccode\u003e--concurrency\u003c/code\u003e value (default: number of CPUs). Each worker pulls a chunk from the channel and runs the detection pipeline independently. Because workers share no mutable state, the pool scales linearly with concurrency up to the limits of I/O and memory.\u003c/p\u003e\n\u003cp\u003eScans respond to \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e: when a cancellation signal arrives, the context is cancelled, workers drain their current chunk and stop, and partial results are collected before output is written.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-keyword-pre-filter\"\u003e3. Aho-Corasick keyword pre-filter\u003c/h2\u003e\n\u003cp\u003eRunning 63 regex patterns on every chunk would be slow. Instead, the engine builds a single \u003cstrong\u003eAho-Corasick multi-pattern automaton\u003c/strong\u003e at startup from the keyword lists declared by each detector. For each chunk, this automaton does a single linear pass and returns only the detectors whose keywords appeared in the chunk's bytes.\u003c/p\u003e\n\u003cp\u003eThis means most detectors never run their regex on most chunks. Detectors that declare no keywords always run (they skip the pre-filter and proceed directly to regex).\u003c/p\u003e\n\u003cp\u003eThe Aho-Corasick implementation comes from \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"4-regex-detectors\"\u003e4. Regex detectors\u003c/h2\u003e\n\u003cp\u003eEach shortlisted detector runs its compiled \u003cstrong\u003eregular expression\u003c/strong\u003e against the chunk bytes. When a pattern matches, the detector returns a \u003ccode\u003eRawFinding\u003c/code\u003e containing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe raw secret bytes (held in memory only for verification; never logged or written to disk).\u003c/li\u003e\n\u003cli\u003eA \u003cstrong\u003eredacted\u003c/strong\u003e representation safe for output.\u003c/li\u003e\n\u003cli\u003eOptional extra metadata (e.g. account ID for an AWS key).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via \u003ca href=\"#/configuration/custom-rules\"\u003ecustom YAML rules\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAll detectors are registered at compile time using Go's \u003ccode\u003einit()\u003c/code\u003e function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime.\u003c/p\u003e\n\u003ch2 id=\"5-inline-ignore-check\"\u003e5. Inline-ignore check\u003c/h2\u003e\n\u003cp\u003eBefore a finding is sent to verification, the engine checks whether the source line contains an \u003cstrong\u003einline ignore marker\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eor a detector-scoped variant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the marker is present, the finding is silently dropped \u003cstrong\u003ebefore any network call is made\u003c/strong\u003e. This is intentional: ignored secrets should never trigger a live API request.\u003c/p\u003e\n\u003ch2 id=\"6-verification\"\u003e6. Verification\u003c/h2\u003e\n\u003cp\u003eAfter detection completes for all chunks, the engine passes findings to a separate \u003cstrong\u003everification worker pool\u003c/strong\u003e (default 4 workers). Verification:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs guarded by a global \u003cstrong\u003erate limiter\u003c/strong\u003e (default 10 requests per second) shared across all workers.\u003c/li\u003e\n\u003cli\u003eApplies a \u003cstrong\u003eper-request timeout\u003c/strong\u003e (default 10 seconds) to every API call.\u003c/li\u003e\n\u003cli\u003eMakes only \u003cstrong\u003eread-only, non-destructive\u003c/strong\u003e calls to the provider (e.g. \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys).\u003c/li\u003e\n\u003cli\u003eMarks each finding with one of four statuses: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e54 verifiers\u003c/strong\u003e, covering 85.7% of the 63 built-in detector types. The remaining 9 types (such as JWTs and generic API keys) cannot be safely verified and are always reported as \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003ePass \u003ccode\u003e--no-verify\u003c/code\u003e to skip this stage entirely — useful for fast, offline scans.\u003c/p\u003e\n\u003cp\u003eFor a deep dive into verification behavior and status meanings, see \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"7-finding-id-and-entropy\"\u003e7. Finding ID and entropy\u003c/h2\u003e\n\u003cp\u003eEach finding receives a \u003cstrong\u003edeterministic ID\u003c/strong\u003e computed as:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(detectorID + redacted + filePath + line) → truncated to 16 hex characters\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe same secret at the same location always produces the same ID, making it safe to deduplicate findings across runs or track them in issue trackers.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropy\u003c/strong\u003e (range 0–8) is computed for each finding and exposed in output for informational purposes. At the engine level, entropy does \u003cstrong\u003enot\u003c/strong\u003e gate or drop built-in findings — a low-entropy match still appears in results. Entropy thresholds only apply inside custom rules, where each rule can declare its own minimum.\u003c/p\u003e\n\u003ch2 id=\"8-post-scan-filters\"\u003e8. Post-scan filters\u003c/h2\u003e\n\u003cp\u003eAfter verification, two filters apply:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — drops all findings that are not \u003ccode\u003everified:active\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — drops findings below the specified severity level (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; default \u003ccode\u003elow\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth filters run after verification so that verification status is available when \u003ccode\u003e--only-verified\u003c/code\u003e is evaluated.\u003c/p\u003e\n\u003ch2 id=\"9-output\"\u003e9. Output\u003c/h2\u003e\n\u003cp\u003eSurviving findings are passed to one of four \u003cstrong\u003eformatters\u003c/strong\u003e:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFormat\u003c/th\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eCommon use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (default)\u003c/td\u003e\n\u003ctd\u003eMachine-readable, pipeline-friendly\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, security dashboards\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpreadsheets, data analysis\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTable\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal review, color-coded by severity\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eOutput goes to stdout by default; use \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e to write to a file.\u003c/p\u003e\n\u003cp\u003eA \u003cstrong\u003escan summary\u003c/strong\u003e (date, source type, target, files scanned, duration, findings count, interrupted status) is always printed to \u003cstrong\u003estderr\u003c/strong\u003e after every scan, regardless of format or output destination.\u003c/p\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eLeakwatch is designed so that discovered secrets never leave the process boundary except for verification calls:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRaw secret bytes live only in memory during detection and verification.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e--show-raw\u003c/code\u003e flag is \u003ccode\u003efalse\u003c/code\u003e by default; without it, only the redacted representation appears in output.\u003c/li\u003e\n\u003cli\u003eSecrets are never written to disk, logged via \u003ccode\u003eslog\u003c/code\u003e, or cached between runs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"design-decisions\"\u003eDesign decisions\u003c/h2\u003e\n\u003cp\u003eThe architecture reflects several deliberate choices documented as ADRs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO disabled\u003c/strong\u003e (ADR-0001) — single static binary, no runtime dependencies, cross-compiles to all platforms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — hierarchical CLI with \u003ccode\u003eflag \u0026gt; env \u0026gt; config \u0026gt; default\u003c/code\u003e precedence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — pure Go Git library; no external \u003ccode\u003egit\u003c/code\u003e binary required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompile-time detector registration\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + blank imports; type-safe, no runtime plugin loader.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hybrid matching\u003c/strong\u003e (ADR-0005) — pre-filter eliminates most regex work on irrelevant chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonless layer analysis; no Docker daemon required to scan images.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWorker pool\u003c/strong\u003e (ADR-0008) — fixed goroutine count, channel-based fan-out; predictable memory and CPU usage.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Installation","description":"Install Leakwatch via Homebrew, go install, Docker, or a prebuilt binary.","html":"\u003ch1 id=\"installation\"\u003eInstallation\u003c/h1\u003e\n\u003cp\u003eGetting Leakwatch onto your machine takes less than a minute. Choose the method that best fits your workflow: Homebrew is the simplest option on macOS and Linux, \u003ccode\u003ego install\u003c/code\u003e is ideal if you already have a Go toolchain, Docker keeps your host system clean, and prebuilt binaries work everywhere without any toolchain at all.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-and-linux\"\u003eHomebrew (macOS and Linux)\u003c/h2\u003e\n\u003cp\u003eThe official tap supports macOS and Linux on both amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe tap is hosted at \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e. Homebrew handles upgrades with \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003eGo install\u003c/h2\u003e\n\u003cp\u003eIf you have Go 1.25 or later installed, you can build and install the latest release directly from source:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe binary is placed in \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e. Make sure that directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e always fetches the latest tagged release. To pin a specific version, replace \u003ccode\u003e@latest\u003c/code\u003e with a tag such as \u003ccode\u003e@v1.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eA minimal, multi-stage Alpine image is published to the GitHub Container Registry. The image runs as a non-root user (\u003ccode\u003eleakwatch\u003c/code\u003e), has CGO disabled, and uses \u003ccode\u003e/scan\u003c/code\u003e as its working directory.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAvailable tags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container. Flags and options work identically to the native binary — see \u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e for the full list.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFor Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see \u003ca href=\"#/guides/docker\"\u003eUsing Docker\u003c/a\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"prebuilt-binary\"\u003ePrebuilt binary\u003c/h2\u003e\n\u003cp\u003eEvery release publishes tarballs for all supported platforms on the \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e page. Download the archive for your platform, extract it, and place the binary on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSupported platforms:\u003c/strong\u003e Linux, macOS, and Windows on amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Example for Linux amd64 — replace OS and ARCH to match your platform\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform naming follows the pattern \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e where \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e is \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e, or \u003ccode\u003eWindows\u003c/code\u003e and \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e is \u003ccode\u003eamd64\u003c/code\u003e or \u003ccode\u003earm64\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"verifying-your-installation\"\u003eVerifying your installation\u003c/h2\u003e\n\u003cp\u003eAfter any installation method, confirm the binary is reachable and check the version:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExpected output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the command is not found, check that the install directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind a Leakwatch scan.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — customize scan behavior with \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/guides/docker\"\u003eUsing Docker\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Introduction","description":"What Leakwatch is, what it scans, and how it detects and verifies leaked secrets.","html":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e is a high-performance, open-source (MIT) security tool that \u003cstrong\u003edetects, verifies, and reports leaked secrets\u003c/strong\u003e — API keys, tokens, passwords, connection strings, and private keys — across your codebases, Git history, container images, cloud storage, and Slack workspaces.\u003c/p\u003e\n\u003cp\u003eIt is written in Go, ships as a single static binary with no runtime dependencies (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e), and is built to run anywhere: a developer laptop, a pre-commit hook, or a CI/CD pipeline.\u003c/p\u003e\n\u003ch2 id=\"why-leakwatch\"\u003eWhy Leakwatch\u003c/h2\u003e\n\u003cp\u003eA leaked credential in a single commit — even one later deleted — can stay reachable in Git history forever and be exploited within minutes of being pushed. Leakwatch is designed to catch those secrets early and tell you which ones are \u003cem\u003eactually dangerous\u003c/em\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBroad detection\u003c/strong\u003e — 63 built-in detectors covering cloud providers, AI APIs, payment platforms, databases, messaging tools, and more, plus your own YAML custom rules.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification, not just detection\u003c/strong\u003e — for 54 detector types Leakwatch can confirm whether a found secret is \u003cem\u003estill live\u003c/em\u003e by making a controlled, read-only call to the provider. A verified-active key is an incident; an inactive one is noise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMany sources\u003c/strong\u003e — scan a local filesystem, a full Git history, an OCI/Docker image, AWS S3, Google Cloud Storage, and Slack messages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-native output\u003c/strong\u003e — JSON, SARIF (for GitHub Code Scanning), CSV, and a colorized terminal table.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecret-safe by design\u003c/strong\u003e — discovered secrets are redacted by default and are never logged, cached, or written to disk.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"what-it-scans\"\u003eWhat it scans\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it covers\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFiles in a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history (local or remote)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker image layers, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text in channels and (optionally) DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eMultiple repos\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSeveral Git repositories at once\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-detection-works-briefly\"\u003eHow detection works, briefly\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses a layered pipeline so it stays fast even on large inputs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick keyword pre-filter\u003c/strong\u003e — a single multi-pattern automaton quickly decides which detectors \u003cem\u003ecould\u003c/em\u003e match a chunk, so most detectors never run their regex.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex validation\u003c/strong\u003e — only the shortlisted detectors run their precise patterns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropy\u003c/strong\u003e — Shannon entropy is computed for display (and used by custom rules to drop low-randomness matches).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification\u003c/strong\u003e — eligible findings are checked against the live provider API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYou don't have to understand the pipeline to use Leakwatch — but it explains why scans are fast and why some findings show a verification status while others don't. See \u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e for the full picture.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-leakwatch-is-not\"\u003eWhat Leakwatch is \u003cem\u003enot\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eTo set expectations accurately:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIt does \u003cstrong\u003enot\u003c/strong\u003e rewrite Git history or remove secrets for you — it finds and reports them, and (with \u003ccode\u003e--remediation\u003c/code\u003e) tells you how to rotate them.\u003c/li\u003e\n\u003cli\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e; scanning the \u003cem\u003econtents\u003c/em\u003e of uploaded files is not implemented.\u003c/li\u003e\n\u003cli\u003eVerification is available for many but not all secret types — 9 detector types (such as JWTs and generic API keys) cannot be safely verified and are always reported as unverified.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install via Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker, or a prebuilt binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind the scan.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Quick Start","description":"Run your first Leakwatch scan in under a minute.","html":"\u003ch1 id=\"quick-start\"\u003eQuick Start\u003c/h1\u003e\n\u003cp\u003eThe fastest way to understand what Leakwatch can do is to point it at a real directory. This page walks you through your first scan, explains what the output means, and shows the flags you will reach for most often.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eLeakwatch must be installed and accessible on your \u003ccode\u003ePATH\u003c/code\u003e. If you have not done that yet, see \u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"your-first-scan\"\u003eYour first scan\u003c/h2\u003e\n\u003cp\u003eScan the current directory with one command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default, output is JSON written to stdout. To get a human-readable, colorized table instead, add \u003ccode\u003e--format table\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHere is what a result looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe scan summary is always printed to \u003cstrong\u003estderr\u003c/strong\u003e, so it never interferes with piped or redirected output.\u003c/p\u003e\n\u003ch2 id=\"understanding-a-finding\"\u003eUnderstanding a finding\u003c/h2\u003e\n\u003cp\u003eEach row in the table (or object in JSON) represents one finding. The key fields are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHow critical the secret type is: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eThe detector that matched — identifies the secret type (e.g. \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the file where the secret was found, relative to the scan root\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eLine number of the match\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eA masked representation of the secret — never the raw value unless \u003ccode\u003e--show-raw\u003c/code\u003e is set\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eVerification outcome: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA \u003ccode\u003everified:active\u003c/code\u003e status means Leakwatch confirmed the secret is still live by making a read-only API call to the provider. \u003cstrong\u003eTreat every \u003ccode\u003everified:active\u003c/code\u003e finding as an open incident.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"common-scan-options\"\u003eCommon scan options\u003c/h2\u003e\n\u003ch3 id=\"focus-on-confirmed-secrets-only\"\u003eFocus on confirmed secrets only\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis hides unverified and inactive findings, leaving only those confirmed live. Useful for triage when you have many results.\u003c/p\u003e\n\u003ch3 id=\"skip-network-verification-for-a-fast-offline-scan\"\u003eSkip network verification for a fast offline scan\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVerification is skipped entirely — no outbound network calls are made. Results appear faster and work without internet access, but all findings are marked \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"add-remediation-guidance\"\u003eAdd remediation guidance\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach finding gains a \u003cstrong\u003eREMEDIATION\u003c/strong\u003e column explaining how to rotate or revoke the specific secret type. The same data is included in JSON, SARIF, and CSV output when the flag is set.\u003c/p\u003e\n\u003ch3 id=\"filter-by-minimum-severity\"\u003eFilter by minimum severity\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnly findings at \u003ccode\u003ehigh\u003c/code\u003e or \u003ccode\u003ecritical\u003c/code\u003e severity are reported.\u003c/p\u003e\n\u003ch3 id=\"save-results-to-a-file\"\u003eSave results to a file\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe \u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e flag writes to a file instead of stdout. SARIF output is compatible with \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"generate-a-configuration-file\"\u003eGenerate a configuration file\u003c/h2\u003e\n\u003cp\u003eRunning Leakwatch with defaults is fine for a first try, but for repeated use you will want a project-level configuration:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis writes \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory with recommended defaults for concurrency, entropy, verification, output format, and common path exclusions. Use \u003ccode\u003e--force\u003c/code\u003e to overwrite an existing file, or \u003ccode\u003e--output\u003c/code\u003e to write to a different path.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for a full explanation of every option.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses distinct exit codes so CI scripts can act on results without parsing output:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — no findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — one or more secrets found\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed due to an error\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA typical CI gate looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Active secrets found — failing build\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is returned whenever \u003cem\u003eany\u003c/em\u003e finding passes the active filters (including \u003ccode\u003e--min-severity\u003c/code\u003e and \u003ccode\u003e--only-verified\u003c/code\u003e). A clean exit code \u003ccode\u003e0\u003c/code\u003e means no findings matched — not that no secrets exist in the codebase.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cancelling-a-scan\"\u003eCancelling a scan\u003c/h2\u003e\n\u003cp\u003ePress \u003ccode\u003eCtrl+C\u003c/code\u003e (or send \u003ccode\u003eSIGTERM\u003c/code\u003e) to cancel a running scan. Leakwatch stops gracefully: in-flight chunks finish, partial results are written, and the summary indicates \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Output Formats","description":"The four output formats Leakwatch supports — JSON, SARIF, CSV, and table — with examples and guidance on when to use each.","html":"\u003ch1 id=\"output-formats\"\u003eOutput Formats\u003c/h1\u003e\n\u003cp\u003eLeakwatch supports four output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, and human-readable terminal review. Select a format with \u003ccode\u003e--format\u003c/code\u003e (or \u003ccode\u003e-f\u003c/code\u003e); write to a file instead of stdout with \u003ccode\u003e--output\u003c/code\u003e (or \u003ccode\u003e-o\u003c/code\u003e).\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe default format is \u003ccode\u003ejson\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON is the default format and the most complete representation. Leakwatch writes a JSON \u003cstrong\u003earray\u003c/strong\u003e of finding objects to stdout (or to the file given by \u003ccode\u003e--output\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003eThe raw secret value is \u003cstrong\u003enever\u003c/strong\u003e serialized unless \u003ccode\u003e--show-raw\u003c/code\u003e is explicitly set. With \u003ccode\u003e--show-raw\u003c/code\u003e, a \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e field is added to each object.\u003c/p\u003e\n\u003ch3 id=\"example-invocation\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-finding-object\"\u003eExample finding object\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--remediation\u003c/code\u003e is also set, a \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e object is nested inside each finding. See \u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esarif\u003c/code\u003e format produces a SARIF v2.1.0 document, designed for upload to \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e. The tool name is \u003ccode\u003eLeakwatch\u003c/code\u003e and \u003ccode\u003einformationUri\u003c/code\u003e points to \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eEach detector that appears in the findings becomes a \u003cstrong\u003erule\u003c/strong\u003e in the SARIF driver, complete with \u003ccode\u003ehelp\u003c/code\u003e text (populated from remediation steps when \u003ccode\u003e--remediation\u003c/code\u003e is set) and a \u003ccode\u003ehelpUri\u003c/code\u003e pointing to the provider documentation. Results carry a \u003ccode\u003eleakwatch/v1\u003c/code\u003e partial fingerprint computed from the detector ID, redacted value, and file path — this lets GitHub Code Scanning track the same alert even when surrounding code shifts.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-1\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"uploading-to-github-code-scanning\"\u003eUploading to GitHub Code Scanning\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# In a GitHub Actions workflow step:\n- name: Upload SARIF results\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e for the full CI setup.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003ecsv\u003c/code\u003e format writes a header row followed by one row per finding, using standard comma-separated values. Every cell is sanitized against spreadsheet formula injection before writing.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns (default):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eraw\u003c/code\u003e column is appended.\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003eremediation\u003c/code\u003e column contains the remediation title (e.g. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) when \u003ccode\u003e--remediation\u003c/code\u003e is set, and is empty otherwise.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-2\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"table\"\u003eTable\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003etable\u003c/code\u003e format writes a human-readable tab-aligned table, best suited for interactive terminal sessions where you want a quick visual scan of the results.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eRAW\u003c/code\u003e column is appended. A summary line is printed at the bottom of the table (e.g. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI color\u003c/strong\u003e is applied to the \u003ccode\u003eSEVERITY\u003c/code\u003e column automatically, but only when all four conditions are met:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e is selected\u003c/li\u003e\n\u003cli\u003eOutput goes to stdout (no \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003estdout is a TTY (not a pipe or redirect)\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNO_COLOR\u003c/code\u003e environment variable is unset\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003cth\u003eColor\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBold red\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYellow\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBlue\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-invocation-3\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output-1\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"common-output-flags\"\u003eCommon output flags\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (default \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite to file instead of stdout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eInclude unredacted secret value in output\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eDrop findings below this severity level\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eKeep only \u003ccode\u003everified_active\u003c/code\u003e findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eEnrich findings with provider remediation guidance\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Remediation Guidance","description":"Use --remediation to enrich findings with provider-specific rotation and revocation steps, urgency ratings, and official documentation links.","html":"\u003ch1 id=\"remediation-guidance\"\u003eRemediation Guidance\u003c/h1\u003e\n\u003cp\u003eKnowing a secret is leaked is only half the work — you also need to know what to do about it. Passing \u003ccode\u003e--remediation\u003c/code\u003e to any scan command enriches each finding with structured, provider-specific guidance: the steps to rotate or revoke the credential, a link to the provider's documentation, a link to the management console, an urgency rating, and a verification checklist.\u003c/p\u003e\n\u003ch2 id=\"how-to-enable-it\"\u003eHow to enable it\u003c/h2\u003e\n\u003cp\u003eAdd \u003ccode\u003e--remediation\u003c/code\u003e to any scan command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRemediation enrichment is disabled by default. When the flag is absent, the \u003ccode\u003eremediation\u003c/code\u003e field in each finding is \u003ccode\u003enull\u003c/code\u003e and no extra data is fetched or computed.\u003c/p\u003e\n\u003ch2 id=\"what-it-contains\"\u003eWhat it contains\u003c/h2\u003e\n\u003cp\u003eEach remediation entry includes the following fields:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShort name of the remediation action (e.g. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOrdered list of steps to rotate or revoke the secret\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLink to the provider's official credential-management documentation\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDirect link to the provider's management console page\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHow quickly to act: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e, or \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePost-rotation verification steps (e.g. review audit logs, notify the security team)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch ships 63 remediation entries — one for every built-in detector. All 63 entries are included in the binary; no network calls are made to fetch guidance.\u003c/p\u003e\n\u003ch2 id=\"how-it-appears-in-each-format\"\u003eHow it appears in each format\u003c/h2\u003e\n\u003cp\u003eEnrichment adds the guidance to the finding object in memory. How it surfaces depends on the output format:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — the full structured \u003ccode\u003eremediation\u003c/code\u003e object is nested inside each finding:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — the \u003ccode\u003esteps\u003c/code\u003e are embedded in the rule's \u003ccode\u003ehelp.text\u003c/code\u003e field, and \u003ccode\u003edoc_url\u003c/code\u003e is set as the rule's \u003ccode\u003ehelpUri\u003c/code\u003e. This surfaces directly in GitHub Code Scanning's alert details panel.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is written to the \u003ccode\u003eremediation\u003c/code\u003e column. The full structured guidance is not included in the CSV output.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTable\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is shown in the \u003ccode\u003eREMEDIATION\u003c/code\u003e column.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--remediation --format json\u003c/code\u003e when you need the full structured guidance for automated incident-response workflows. Use \u003ccode\u003e--remediation --format table\u003c/code\u003e for a quick human-readable triage session in the terminal.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnrichment runs only when \u003ccode\u003e--remediation\u003c/code\u003e is set. Without the flag, the \u003ccode\u003eremediation\u003c/code\u003e field is absent from JSON and SARIF output, and the CSV and table \u003ccode\u003eremediation\u003c/code\u003e columns are empty. The flag does not modify the original scan results — it adds a layer on top.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Reference","description":"Complete reference for every Leakwatch command, subcommand, and flag.","html":"\u003ch1 id=\"cli-reference\"\u003eCLI Reference\u003c/h1\u003e\n\u003cp\u003eThis page is the authoritative reference for all Leakwatch commands and flags. For conceptual explanations and worked examples, follow the cross-links to the relevant scanning or configuration pages.\u003c/p\u003e\n\u003ch2 id=\"global-flags\"\u003eGlobal flags\u003c/h2\u003e\n\u003cp\u003eThese flags are available on every command and subcommand.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eauto-discovered \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a configuration file. When omitted, Leakwatch searches the current directory and its parents for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLogging verbosity: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e, or \u003ccode\u003eerror\u003c/code\u003e. Log output goes to stderr and does not affect scan results.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003ePrints the binary version, commit hash, and build timestamp, then exits.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGenerates a \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file in the current directory with recommended defaults.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite the config file to this path instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOverwrite an existing config file. Without this flag, \u003ccode\u003einit\u003c/code\u003e exits with an error if the output file already exists.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Generate the default config\nleakwatch init\n\n# Overwrite an existing config\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eParent command for all scan subcommands. Has no behavior on its own; run a subcommand.\u003c/p\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003cp\u003eThe following flags are available on \u003cstrong\u003eall\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e subcommands.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file path instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files or blobs larger than this number of bytes.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw (unredacted) secret value in output. Use with caution.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable live secret verification. No outbound API calls are made.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings that Leakwatch has confirmed are active via live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to include in output: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance (rotation/revocation steps) to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans a local directory tree.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e defaults to \u003ccode\u003e.\u003c/code\u003e. Accepts at most one positional argument.\u003c/p\u003e\n\u003ch4 id=\"filesystem-specific-flags\"\u003eFilesystem-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob pattern for paths to exclude. Repeatable.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory, print a colorized table\nleakwatch scan fs . --format table\n\n# Save SARIF output, exclude test files and vendor\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the full commit history of a local or remote Git repository.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required: a local path or an HTTP/HTTPS/SSH URL.\u003c/p\u003e\n\u003ch4 id=\"git-specific-flags\"\u003eGit-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default branch.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eShallow clone depth for remote repositories. \u003ccode\u003e0\u003c/code\u003e fetches the full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-1\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan full local history\nleakwatch scan git . --format table\n\n# Scan only commits added by a pull request\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the layers of an OCI/Docker image for secrets. Leakwatch is daemonless and pulls directly from the registry — no Docker socket is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"examples-2\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a public image\nleakwatch scan image nginx:latest --format table\n\n# Scan a private registry image and save JSON output\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in an AWS S3 bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"s3-specific-flags\"\u003eS3-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket. Falls back to \u003ccode\u003eAWS_REGION\u003c/code\u003e environment variable or the AWS SDK default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-3\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire bucket\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Scan only a specific prefix\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in a Google Cloud Storage bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID. Required when the bucket's project cannot be inferred from the default credentials.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-4\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire GCS bucket\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Scan a prefix\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans message text in a Slack workspace.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo positional arguments.\u003c/p\u003e\n\u003ch4 id=\"slack-specific-flags\"\u003eSlack-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token. Can also be set via \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to scan. Scans all accessible channels when omitted.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only messages posted after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude direct messages (requires additional OAuth scopes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-5\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan all accessible channels\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Scan specific channels since a date\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans multiple Git repositories in parallel.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRequires at least two positional arguments (repository URLs or local paths).\u003c/p\u003e\n\u003ch4 id=\"repos-specific-flags\"\u003eRepos-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan concurrently.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eWorker concurrency within each repository scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-6\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan two repositories in parallel\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Increase parallelism for a large set of repos\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e — configure Leakwatch without flags.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — detailed \u003ccode\u003escan fs\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — detailed \u003ccode\u003escan git\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Environment Variables","description":"Environment variables that configure Leakwatch behavior without flags.","html":"\u003ch1 id=\"environment-variables\"\u003eEnvironment Variables\u003c/h1\u003e\n\u003cp\u003eLeakwatch reads configuration from three sources in priority order: \u003cstrong\u003ecommand-line flags\u003c/strong\u003e override \u003cstrong\u003eenvironment variables\u003c/strong\u003e, which override the \u003cstrong\u003econfig file\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e), which falls back to built-in \u003cstrong\u003edefaults\u003c/strong\u003e. Environment variables are useful in CI environments where you cannot modify a config file or pass flags to every invocation.\u003c/p\u003e\n\u003ch2 id=\"configuration-variable-pattern\"\u003eConfiguration variable pattern\u003c/h2\u003e\n\u003cp\u003eAny key from \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e can be set as an environment variable by:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eUppercasing the key name.\u003c/li\u003e\n\u003cli\u003eReplacing \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrepending \u003ccode\u003eLEAKWATCH_\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor example, the config key \u003ccode\u003escan.concurrency\u003c/code\u003e becomes \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"variable-reference\"\u003eVariable reference\u003c/h2\u003e\n\u003ch3 id=\"leakwatch-specific-variables\"\u003eLeakwatch-specific variables\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack bot token for \u003ccode\u003escan slack\u003c/code\u003e. Equivalent to \u003ccode\u003e--token\u003c/code\u003e. Set this instead of passing the token as a flag to avoid it appearing in shell history or CI logs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers. Equivalent to \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSet to \u003ccode\u003efalse\u003c/code\u003e to disable live verification globally. Equivalent to \u003ccode\u003e--no-verify\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum verification requests per second across all verifiers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault output format (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e). Equivalent to \u003ccode\u003e--format\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum Shannon entropy for a match to be reported. Float value, e.g. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"display-variable\"\u003eDisplay variable\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWhen set to any non-empty value, disables ANSI color codes in the \u003ccode\u003etable\u003c/code\u003e output formatter. Follows the \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e convention.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-variables-for-scan-s3-and-aws-secret-verification\"\u003eAWS variables (for \u003ccode\u003escan s3\u003c/code\u003e and AWS secret verification)\u003c/h3\u003e\n\u003cp\u003eThese are standard AWS SDK environment variables. Leakwatch passes them through to the AWS SDK v2 default credential chain.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS access key ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS secret access key.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS session token (for temporary credentials).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault AWS region.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNamed profile from \u003ccode\u003e~/.aws/credentials\u003c/code\u003e to use.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-variable-for-scan-gcs\"\u003eGCS variable (for \u003ccode\u003escan gcs\u003c/code\u003e)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a Google service-account JSON key file. Used by Application Default Credentials when scanning a GCS bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence-example\"\u003ePrecedence example\u003c/h2\u003e\n\u003cp\u003eGiven this setup:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e sets \u003ccode\u003eoutput.format: table\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e is set in the environment\u003c/li\u003e\n\u003cli\u003eThe command is run as \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e (no \u003ccode\u003e--format\u003c/code\u003e flag)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe effective format is \u003ccode\u003ejson\u003c/code\u003e because the environment variable overrides the config file.\u003c/p\u003e\n\u003cp\u003eIf the command is run as \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e, the effective format is \u003ccode\u003esarif\u003c/code\u003e because the flag overrides everything.\u003c/p\u003e\n\u003ch2 id=\"credentials-for-verification-vs-credentials-for-scanning\"\u003eCredentials for verification vs. credentials for scanning\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe AWS and GCP variables above are consumed to \u003cstrong\u003eauthenticate Leakwatch itself\u003c/strong\u003e when it connects to S3 or GCS to retrieve objects for scanning. They are not used to verify found secrets. Verification of a discovered AWS key, for example, uses that discovered key itself to call AWS STS — not the runner's credentials.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"passing-secrets-safely-in-ci\"\u003ePassing secrets safely in CI\u003c/h2\u003e\n\u003cp\u003eIn GitHub Actions, use encrypted secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn GitLab CI, use masked CI/CD variables:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # defined as a masked variable in project settings\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNever hard-code token values in workflow files or Dockerfiles.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — full \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e key reference.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eCloud Storage Scanning\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e and \u003ccode\u003escan gcs\u003c/code\u003e credentials.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Scanning\u003c/a\u003e — Slack token scopes and permissions.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — equivalent command-line flags.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Exit Codes","description":"Leakwatch exit code reference and how to use them in scripts and CI pipelines.","html":"\u003ch1 id=\"exit-codes\"\u003eExit Codes\u003c/h1\u003e\n\u003cp\u003eLeakwatch uses a small, well-defined set of exit codes so that CI pipelines and shell scripts can act on scan results without parsing output. Every scan subcommand exits with one of three codes.\u003c/p\u003e\n\u003ch2 id=\"code-reference\"\u003eCode reference\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eName\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eClean\u003c/td\u003e\n\u003ctd\u003eThe scan completed successfully and no findings passed the active filters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFindings\u003c/td\u003e\n\u003ctd\u003eThe scan completed and one or more secrets were found (and passed the active filters).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eError\u003c/td\u003e\n\u003ctd\u003eA hard error occurred — for example, an invalid flag, an unreadable path, or an authentication failure. An \u003ccode\u003eError: ...\u003c/code\u003e message and a usage hint are printed to stderr.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-filters-affect-exit-code-1\"\u003eHow filters affect exit code 1\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is only emitted when at least one finding survives all active output filters. The two most relevant filters are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — findings below the threshold are suppressed. If all findings are \u003ccode\u003elow\u003c/code\u003e severity and you run with \u003ccode\u003e--min-severity high\u003c/code\u003e, exit code \u003ccode\u003e0\u003c/code\u003e is returned even though secrets exist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — only findings confirmed active by live verification are reported. If no active secrets are found, exit code \u003ccode\u003e0\u003c/code\u003e is returned.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis means exit code \u003ccode\u003e0\u003c/code\u003e means \u0026quot;no findings matched your current filter settings\u0026quot; — not necessarily that the codebase contains no secrets at all.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eA clean \u003ccode\u003e0\u003c/code\u003e exit under \u003ccode\u003e--only-verified\u003c/code\u003e does not guarantee the codebase is secret-free. Secrets for which verification is unavailable (9 detector types) are always reported as unverified and are suppressed by \u003ccode\u003e--only-verified\u003c/code\u003e. Pair \u003ccode\u003e--only-verified\u003c/code\u003e with a separate unfiltered scan if you need full coverage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"using-exit-codes-in-shell-scripts\"\u003eUsing exit codes in shell scripts\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;No secrets found. Build continues.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Secrets found — review leakwatch.json and remediate before merging.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch encountered an error (exit $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eset +e\u003c/code\u003e before the scan prevents the shell from exiting on non-zero codes, giving you the chance to capture and handle the code yourself.\u003c/p\u003e\n\u003ch2 id=\"using-exit-codes-in-ci-pipelines\"\u003eUsing exit codes in CI pipelines\u003c/h2\u003e\n\u003cp\u003eMost CI systems treat any non-zero exit code as a step failure. Since Leakwatch exits \u003ccode\u003e1\u003c/code\u003e when secrets are found, the pipeline fails automatically without any extra configuration — simply run the scan command.\u003c/p\u003e\n\u003cp\u003eTo allow the pipeline to continue even when secrets are found (for example, to collect the report without blocking the build), explicitly ignore the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in GitLab CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in the GitHub Action, set \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"exit-code-2-in-practice\"\u003eExit code 2 in practice\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e2\u003c/code\u003e indicates a configuration or runtime error that prevented the scan from running at all. Common causes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn invalid flag value (for example, \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA path that does not exist or is not readable.\u003c/li\u003e\n\u003cli\u003eA missing required argument (for example, \u003ccode\u003escan git\u003c/code\u003e with no URL).\u003c/li\u003e\n\u003cli\u003eAn authentication error when connecting to a cloud source.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe error message is printed to stderr and includes context to help diagnose the problem:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — how to wire exit codes into GitLab CI, Jenkins, and others.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — how the official action maps exit codes to step outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Cloud Storage (S3 \u0026 GCS)","description":"Scan AWS S3 and Google Cloud Storage buckets for leaked secrets.","html":"\u003ch1 id=\"cloud-storage-s3--gcs\"\u003eCloud Storage (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSecrets regularly end up in cloud storage — exported database dumps, environment files, CI artefacts, and log archives all flow into buckets that may be readable by more people than intended. Leakwatch can scan AWS S3 and Google Cloud Storage buckets object-by-object and flag any secrets it finds before they become an incident.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"usage\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003es3://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses the standard \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS default credential chain\u003c/a\u003e:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnvironment variables (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared credentials file (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared configuration file (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIAM role attached to the instance or task (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNo additional configuration is required if you are already authenticated with the AWS CLI (\u003ccode\u003eaws configure\u003c/code\u003e or an assumed role).\u003c/p\u003e\n\u003ch3 id=\"s3-specific-flags\"\u003eS3-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eFrom AWS config\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-examples\"\u003eS3 examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific key prefix in a given region:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--prefix\u003c/code\u003e to limit the scan to a relevant sub-path. Scanning a large bucket with millions of objects can be slow and may incur S3 GET request costs. Narrow the prefix to what actually matters — for example \u003ccode\u003econfigs/\u003c/code\u003e or \u003ccode\u003eexports/\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"usage-1\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003egs://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication-1\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e. The credential search order is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e environment variable pointing to a service-account key file.\u003c/li\u003e\n\u003cli\u003eUser credentials set up by \u003ccode\u003egcloud auth application-default login\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eService account attached to a Google Compute Engine instance, Cloud Run service, or GKE workload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID (required by some ADC configurations).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-examples\"\u003eGCS examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket with a specific GCP project:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific prefix:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOutput as CSV:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h2\u003e\n\u003cp\u003eBoth \u003ccode\u003es3\u003c/code\u003e and \u003ccode\u003egcs\u003c/code\u003e support the same common scan flags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip objects larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions (applied to object keys) are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (authentication error, bucket not found, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Container Images","description":"Scan OCI and Docker image layers for leaked secrets without a Docker daemon.","html":"\u003ch1 id=\"container-images\"\u003eContainer Images\u003c/h1\u003e\n\u003cp\u003eContainer images are a common hiding place for secrets: API keys baked into environment variables, credentials embedded in build layers, and configuration files copied into image layers and then forgotten. \u003ccode\u003eleakwatch scan image\u003c/code\u003e inspects every layer of an OCI or Docker image and surfaces those secrets before the image is deployed.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: an image reference in standard \u003ccode\u003ename:tag\u003c/code\u003e notation. Leakwatch uses \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e to pull and inspect images \u003cstrong\u003edaemonlessly\u003c/strong\u003e — no running Docker daemon is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a Docker Hub image\nleakwatch scan image nginx:latest\n\n# Scan a private GitHub Container Registry image\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Scan an Amazon ECR image\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"supported-registries\"\u003eSupported registries\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eRegistry\u003c/th\u003e\n\u003cth\u003eExample reference\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAny OCI-compatible registry\u003c/td\u003e\n\u003ctd\u003eStandard \u003ccode\u003eregistry/name:tag\u003c/code\u003e form\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses the standard credential keychain used by Docker and other OCI tools. If you are already authenticated via \u003ccode\u003edocker login\u003c/code\u003e (or an equivalent tool such as \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, or cloud-provider credential helpers), Leakwatch will use those credentials automatically.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Log in to GHCR first\ndocker login ghcr.io\n\n# Then scan — credentials are picked up automatically\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor Amazon ECR, configure the ECR credential helper or set \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e and related environment variables before scanning.\u003c/p\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch pulls the image manifest, iterates over each layer in order, and extracts the files within each layer. Each file's content is run through the same detection pipeline as a filesystem scan. Path exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply here, limiting which file paths inside layers are examined.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003cp\u003eThere are no image-specific flags. All common scan flags apply:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e for details.\u003c/p\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan a Docker Hub image and print results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a private registry image and save SARIF output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan and show only verified active secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInclude remediation guidance in JSON output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from an image scan includes layer metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe image reference that was scanned.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe layer digest where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe path of the file within the layer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIntegrate container image scanning into your CI/CD pipeline's build stage to catch secrets before the image is pushed to a registry. Use \u003ccode\u003e--format sarif\u003c/code\u003e to upload results directly to GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (image not found, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Filesystem","description":"Scan a local directory tree for leaked secrets with leakwatch scan fs.","html":"\u003ch1 id=\"filesystem\"\u003eFilesystem\u003c/h1\u003e\n\u003cp\u003eLocal source code is where secrets most often appear first. The \u003ccode\u003eleakwatch scan fs\u003c/code\u003e command walks every file in a directory tree, runs the full detection pipeline on each one, and reports any findings before they can be committed — or after the fact on an existing codebase.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e is optional. When omitted, Leakwatch scans the current working directory (\u003ccode\u003e.\u003c/code\u003e). Only one path argument is accepted.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory\nleakwatch scan fs\n\n# Scan a specific project folder\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"what-the-filesystem-source-skips-automatically\"\u003eWhat the filesystem source skips automatically\u003c/h2\u003e\n\u003cp\u003eTo keep scans fast and noise-free, the filesystem source skips the following without any configuration:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBinary files\u003c/strong\u003e — detected by the presence of a null byte in the first 8 KB of the file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKnown binary extensions\u003c/strong\u003e — common compiled, image, audio, video, and archive formats.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLock files\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e, and similar.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"filesystem-specific\"\u003eFilesystem-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (repeatable)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob patterns for paths to exclude. Can be repeated or comma-separated.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the current directory and print a colorized table to the terminal:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude test files and vendor directories, then save SARIF output for GitHub Code Scanning:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eLimit file size to 5 MB and increase worker count for a large monorepo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eShow only high-severity findings and include rotation instructions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"excluding-paths\"\u003eExcluding paths\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003e--exclude\u003c/code\u003e flag accepts glob patterns and can be specified multiple times or as a comma-separated list:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Two separate flags\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Comma-separated\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor permanent exclusion rules shared across your team, add them to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Those rules apply to every source, not just filesystem scans. You can also create a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your project root. See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e and \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (configuration error, unreadable path, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary (source type, target, file count, duration, and finding count) is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eRun \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e during development to get a quick visual overview. Switch to \u003ccode\u003e--format sarif\u003c/code\u003e in CI pipelines to integrate with GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure default format, exclusions, and more.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e and inline suppression.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history, not just the working tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git History","description":"Scan the full commit history of a local or remote Git repository for leaked secrets.","html":"\u003ch1 id=\"git-history\"\u003eGit History\u003c/h1\u003e\n\u003cp\u003eA secret that was committed and then deleted is still present in every earlier commit, reachable to anyone with repository access. \u003ccode\u003eleakwatch scan git\u003c/code\u003e walks the \u003cem\u003eentire\u003c/em\u003e commit history of a repository — local or remote — and surfaces those secrets before they can be exploited.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: either a \u003cstrong\u003elocal filesystem path\u003c/strong\u003e to a repository (\u003ccode\u003e.\u003c/code\u003e for the current directory) or a \u003cstrong\u003eremote HTTP/HTTPS or SSH URL\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e for all Git operations — a pure Go implementation with no dependency on a system \u003ccode\u003egit\u003c/code\u003e binary.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the local repository in the current directory\nleakwatch scan git .\n\n# Scan a remote repository over HTTPS\nleakwatch scan git https://github.com/org/repo.git\n\n# Scan over SSH\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch walks every commit in the history and examines the blobs introduced by each commit. \u003cstrong\u003eBlob-hash deduplication\u003c/strong\u003e ensures that identical file content is scanned only once, no matter how many commits reference it. This keeps scan time proportional to the \u003cem\u003eunique content\u003c/em\u003e in the repository rather than to the raw commit count.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause Leakwatch examines commit-by-commit diffs, it finds secrets that were introduced and later deleted — content that is invisible in the current working tree.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"git-specific\"\u003eGit-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD (diff-based).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eClone depth for \u003cstrong\u003eremote repositories only\u003c/strong\u003e. \u003ccode\u003e0\u003c/code\u003e means full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the full history of the local repository and print a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only commits made after a specific date on the \u003ccode\u003edevelop\u003c/code\u003e branch:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan changes introduced since a specific commit (useful in CI to check only new commits):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDo a shallow clone of a large remote repository to speed up the initial scan:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a remote repository and save verified findings only as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Git scan includes commit metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eURL or path of the scanned repository (credentials stripped).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit hash where the secret was introduced.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit author name and email.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit timestamp.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBranch context (when available).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--since-commit\u003c/code\u003e in pull-request CI jobs to scan only the commits added by the PR. Use \u003ccode\u003e--since \u0026lt;date\u0026gt;\u003c/code\u003e for scheduled nightly scans covering recent activity.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eWhen a repository URL contains embedded credentials (for example \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch strips those credentials before writing anything to logs or output, so the token never appears in scan results or CI traces.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (invalid URL, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eMultiple Repositories\u003c/a\u003e — scan several repositories in one command.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan the working tree instead of history.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Multiple Repositories","description":"Scan several Git repositories concurrently and combine results into a single report.","html":"\u003ch1 id=\"multiple-repositories\"\u003eMultiple Repositories\u003c/h1\u003e\n\u003cp\u003eWhen an organization grows, secrets can land in any of dozens or hundreds of repositories. Checking them one by one is impractical. \u003ccode\u003eleakwatch scan repos\u003c/code\u003e accepts multiple repository URLs and scans them concurrently, merging all findings into a single output — one command, one report.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command requires \u003cstrong\u003eat least two\u003c/strong\u003e repository URLs. All repositories are cloned, scanned, and cleaned up automatically. The combined finding count and a single scan summary are reported at the end.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-works\"\u003eHow it works\u003c/h2\u003e\n\u003cp\u003eLeakwatch spawns up to \u003ccode\u003e--parallel\u003c/code\u003e repository scans at once. Each repository is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCloned from the provided URL (credentials are stripped from logs and output for safety).\u003c/li\u003e\n\u003cli\u003eScanned with the full detection pipeline, using \u003ccode\u003e--concurrency\u003c/code\u003e workers for that repository.\u003c/li\u003e\n\u003cli\u003eCleaned up (the temporary clone is deleted) once the scan completes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAll findings from all repositories are collected and written as a single output, as if the scan had been a single-source run. The displayed target is \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"multi-repo-specific\"\u003eMulti-repo-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan in parallel.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers \u003cstrong\u003eper repository\u003c/strong\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply to all repositories. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan two repositories and display results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan five repositories with higher parallelism and save the combined results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan with more workers per repository and show only verified findings:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tuning-parallelism\"\u003eTuning parallelism\u003c/h2\u003e\n\u003cp\u003eTwo knobs control throughput:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e controls how many repository clones and scans run simultaneously. The default of \u003ccode\u003e3\u003c/code\u003e is appropriate for most workloads. Raise it when network bandwidth and CPU headroom allow; lower it on constrained machines.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e) controls how many worker goroutines process file blobs \u003cem\u003ewithin\u003c/em\u003e each individual repository. This is the same flag available on all scan commands.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTotal concurrent operations at peak = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf one or more repository scans fail (for example, due to a network error or authentication failure), Leakwatch logs the error and continues scanning the remaining repositories. The exit code will be \u003ccode\u003e2\u003c/code\u003e if any individual repo scan failed, even if other repos produced findings.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eAny embedded credentials in repository URLs (e.g. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e) are stripped before the URL is written to logs, output, or the scan summary.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOne or more repository scans failed, or a configuration error occurred.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan a single repository in depth.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure shared defaults for all sources.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Workspace","description":"Scan Slack channel and DM message text for leaked secrets.","html":"\u003ch1 id=\"slack-workspace\"\u003eSlack Workspace\u003c/h1\u003e\n\u003cp\u003eDevelopers frequently share credentials in chat — a token pasted into a channel for a quick test, a password sent in a DM, or an API key mentioned in an incident thread. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e reads message text across your Slack workspace and flags any secrets it finds.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch scans \u003cstrong\u003emessage text only\u003c/strong\u003e. Scanning the contents of uploaded files (attachments, snippets) is not implemented. Only the text body of messages is analysed.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis command takes \u003cstrong\u003eno positional arguments\u003c/strong\u003e. All configuration is provided through flags or environment variables.\u003c/p\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eA Slack Bot Token is required. Provide it via the \u003ccode\u003e--token\u003c/code\u003e flag or the \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e environment variable. Using an environment variable is recommended so the token never appears in shell history or process listings.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"required-bot-token-scopes\"\u003eRequired bot token scopes\u003c/h3\u003e\n\u003cp\u003eThe bot token must be associated with a Slack app that has the following OAuth scopes:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eScope\u003c/th\u003e\n\u003cth\u003ePurpose\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in public channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in private channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead group direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"slack-specific\"\u003eSlack-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. Prefer \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e env var.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eall channels\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan messages posted on or after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAlso scan direct messages and group DMs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eInternal chunk size limit (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan all channels the bot has access to, using an environment variable for the token:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan specific channels and limit to messages since the start of the year:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude noisy channels and include direct messages:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eReduce the API request rate to avoid Slack rate-limit errors on large workspaces:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave only verified active findings to a JSON file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Slack scan includes message and channel metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe channel name where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack message timestamp (unique message ID).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack user ID of the message author.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performance-considerations\"\u003ePerformance considerations\u003c/h2\u003e\n\u003cp\u003eSlack API requests are subject to rate limits enforced by Slack. The \u003ccode\u003e--rate-limit\u003c/code\u003e flag (default \u003ccode\u003e20\u003c/code\u003e requests/second) controls how aggressively Leakwatch makes requests. Lower this value if you see \u003ccode\u003e429 Too Many Requests\u003c/code\u003e errors, especially on large workspaces.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003e--channels\u003c/code\u003e to target specific channels rather than scanning the entire workspace on every run. Combine with \u003ccode\u003e--since\u003c/code\u003e to scan only recent messages incrementally.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (missing token, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure defaults in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"How Verification Works","description":"How Leakwatch confirms whether a detected secret is still active, which verification modes it uses, and how to configure or disable verification.","html":"\u003ch1 id=\"how-verification-works\"\u003eHow Verification Works\u003c/h1\u003e\n\u003cp\u003eFinding a secret in a codebase is only half the story. A key that was rotated six months ago is noise; a key that is still live is an active incident. Verification is the step that draws that line — it takes each detected finding and, where possible, confirms whether the secret is currently valid at the provider.\u003c/p\u003e\n\u003ch2 id=\"from-detection-to-verification\"\u003eFrom detection to verification\u003c/h2\u003e\n\u003cp\u003eAfter the scan engine collects findings, the verifier pool picks them up. Each finding carries a \u003ccode\u003edetector_id\u003c/code\u003e; Leakwatch looks up whether a verifier is registered for that ID:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf a verifier exists, it runs and returns a status.\u003c/li\u003e\n\u003cli\u003eIf no verifier is registered for that detector type, the finding passes through unchanged with status \u003ccode\u003eunverified\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"two-verification-modes\"\u003eTwo verification modes\u003c/h2\u003e\n\u003cp\u003eNot all secrets can be verified the same way. Leakwatch uses two distinct approaches depending on what is safe for each credential type.\u003c/p\u003e\n\u003ch3 id=\"live-api-verification\"\u003eLive API verification\u003c/h3\u003e\n\u003cp\u003eFor approximately 49 detector types, Leakwatch makes a \u003cstrong\u003econtrolled, read-only API call\u003c/strong\u003e to the provider — for example, calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys or \u003ccode\u003eGET /user\u003c/code\u003e for GitHub tokens. The call uses only the minimum endpoint required to confirm identity; it never modifies data, creates resources, or triggers billing events.\u003c/p\u003e\n\u003cp\u003eIf the provider returns a success response, the finding is marked \u003ccode\u003everified_active\u003c/code\u003e. If the provider rejects the credential (for example with HTTP 401 or 403), the finding is marked \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"format-validation-only\"\u003eFormat validation only\u003c/h3\u003e\n\u003cp\u003eFor five credential types, no safe live check exists — the provider has no anonymous identity endpoint, or a real call would have side effects. For these, Leakwatch validates the structure of the credential without making any network request:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e fields present\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check only — a valid format proves nothing, result is always \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEven when the format check passes, the result remains \u003ccode\u003eunverified\u003c/code\u003e. A structurally valid credential may be expired or revoked. These findings always require manual triage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"verification-statuses\"\u003eVerification statuses\u003c/h2\u003e\n\u003cp\u003eEvery finding in Leakwatch output carries one of four statuses:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStatus\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe secret was confirmed live by the provider.\u003c/td\u003e\n\u003ctd\u003eTreat as an active incident. Rotate immediately.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe provider rejected the credential.\u003c/td\u003e\n\u003ctd\u003eLikely already rotated. Review context and close.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo verifier exists for this type, or format validation returned no result, or verification was disabled.\u003c/td\u003e\n\u003ctd\u003eTriage manually; context determines risk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe verifier ran but encountered a network error, timeout, or unexpected response.\u003c/td\u003e\n\u003ctd\u003eTreat as potentially active. Retry or triage manually.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"the-verification-engine\"\u003eThe verification engine\u003c/h2\u003e\n\u003cp\u003eVerification runs in a dedicated concurrent worker pool, isolated from the scan worker pool. The defaults are conservative to avoid triggering provider rate limits:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSetting\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eWorker count\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal rate limit\u003c/td\u003e\n\u003ctd\u003e10 requests/second\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003ePer-request timeout\u003c/td\u003e\n\u003ctd\u003e10 s\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eAll three values are tunable under the \u003ccode\u003everification:\u003c/code\u003e block in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # requests per second (global)\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf you are scanning a repository that triggers hundreds of findings, consider lowering \u003ccode\u003erate-limit\u003c/code\u003e to 5 or enabling \u003ccode\u003e--only-verified\u003c/code\u003e to keep the verified-active set small and actionable.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"controlling-verification-at-the-command-line\"\u003eControlling verification at the command line\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eDisable verification entirely\u003c/strong\u003e with \u003ccode\u003e--no-verify\u003c/code\u003e (or set \u003ccode\u003everification.enabled: false\u003c/code\u003e in config). Every finding passes through as \u003ccode\u003eunverified\u003c/code\u003e. Use this for offline or air-gapped environments, or when you want the fastest possible scan without touching any provider API.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eShow only confirmed-live secrets\u003c/strong\u003e with \u003ccode\u003e--only-verified\u003c/code\u003e. Everything that is not \u003ccode\u003everified_active\u003c/code\u003e is dropped from the output. This is the fastest way to triage a large result set — you see only the keys you must act on now.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e silently drops \u003ccode\u003eunverified\u003c/code\u003e and \u003ccode\u003everify_error\u003c/code\u003e findings. Do not use it as your sole filter in a compliance context — some credential types (JWTs, generic API keys, private keys) can never be verified and would always be excluded.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eVerification is designed so that the raw secret value never leaves the process boundary in an unsafe way:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerifiers pass the secret directly to the provider's HTTP endpoint over TLS — it is never written to disk, emitted to a log, or cached between runs.\u003c/li\u003e\n\u003cli\u003eA verifier that fails to initialise or encounters a panic is caught by the engine, which marks the finding \u003ccode\u003everify_error\u003c/code\u003e and continues rather than crashing the scan.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detector types are live-verified, format-validated, or not verifiable at all.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for the \u003ccode\u003everification:\u003c/code\u003e block.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — how the verification status appears in JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Verification Coverage","description":"Which of the 63 built-in detectors are live-verified, format-validated only, or not verifiable — and what that means for triage.","html":"\u003ch1 id=\"verification-coverage\"\u003eVerification Coverage\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships 63 built-in detectors and 54 verifiers, giving a coverage rate of \u003cstrong\u003e85.7%\u003c/strong\u003e (54 of 63 detector types have some form of verification). This page maps every detector to its verification status so you know what to expect in your output.\u003c/p\u003e\n\u003ch2 id=\"live-verified-49-detector-types\"\u003eLive-verified (49 detector types)\u003c/h2\u003e\n\u003cp\u003eFor these types, Leakwatch makes a controlled, read-only API call to the provider and returns \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e. No data is created or modified; the call uses the minimum endpoint needed to confirm identity.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector type\u003c/th\u003e\n\u003cth\u003eProvider\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"format-validated-only-5-detector-types\"\u003eFormat-validated only (5 detector types)\u003c/h2\u003e\n\u003cp\u003eThese verifiers run entirely offline. No network request is made. Because a valid format does not prove a credential is active, all five always return \u003ccode\u003eunverified\u003c/code\u003e regardless of whether the format check passes or fails.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003cth\u003eWhy no live check\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eLive check requires a GCP OAuth2 token exchange, which has side effects\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003ctd\u003eNo public unauthenticated health endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePassword length and host substring check\u003c/td\u003e\n\u003ctd\u003eLive check requires a JDBC/ODBC database connection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eRequires per-account HMAC signing; no generic identity endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eClient credential flow would create sessions\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"not-verifiable-9-detector-types\"\u003eNot verifiable (9 detector types)\u003c/h2\u003e\n\u003cp\u003eThese detector types have no verifier at all. Findings from them are always \u003ccode\u003eunverified\u003c/code\u003e. This is \u003cstrong\u003enot\u003c/strong\u003e because they are unimportant — they are detected and reported in full — but because no public verification API exists, or because any verification attempt would have side effects.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eReason\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eA JWT can be issued by any party; there is no universal validation endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo provider to call; active use cannot be detected remotely\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnknown provider by definition\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would create sessions on the target database\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would open a live connection to the Redis instance\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo safe read-only FTP probe\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind would create an authenticated session\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConfirming a webhook is active requires sending a message\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token validation requires knowing the Vault endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Not verifiable\u0026quot; does not mean \u0026quot;not found\u0026quot;. All 9 of these types are still detected and appear in your output. They require manual triage to determine whether the credential is live and whether it needs rotation.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"coverage-summary\"\u003eCoverage summary\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCategory\u003c/th\u003e\n\u003cth\u003eCount\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eLive-verified\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eFormat-validated only\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eNot verifiable\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eTotal detectors\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eVerifiers (any coverage)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (85.7%)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — the two verification modes, statuses, and the verification engine.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the full list of built-in detectors with severities.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; +window.LW_MANUAL["en"] = {"ci-cd/docker-usage":{"title":"Docker Usage","description":"Run Leakwatch scans inside a container using the official Docker image.","html":"\u003ch1 id=\"docker-usage\"\u003eDocker Usage\u003c/h1\u003e\n\u003cp\u003eThe official Leakwatch container image lets you run scans without installing anything on the host machine. Because the image is statically compiled with \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e and runs as a non-root user, it is safe to use in locked-down CI environments and on shared machines where you do not want to modify the host system.\u003c/p\u003e\n\u003ch2 id=\"image-reference\"\u003eImage reference\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe image is based on Alpine, runs as the non-root user \u003ccode\u003eleakwatch\u003c/code\u003e, uses \u003ccode\u003e/scan\u003c/code\u003e as the working directory, and has \u003ccode\u003eleakwatch\u003c/code\u003e as its entrypoint.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause the entrypoint is \u003ccode\u003eleakwatch\u003c/code\u003e, you append the subcommand and flags directly after the image name — for example, \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. There is no need to repeat the binary name.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"scanning-a-local-directory\"\u003eScanning a local directory\u003c/h2\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo write results to a file on the host, write the output file into the mounted volume:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe file \u003ccode\u003eleakwatch.sarif\u003c/code\u003e appears in the current directory on your host after the container exits.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-remote-git-repository\"\u003eScanning a remote Git repository\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo volume mount is required for remote Git repositories — Leakwatch clones them into a temporary directory inside the container.\u003c/p\u003e\n\u003ch2 id=\"scanning-a-container-image\"\u003eScanning a container image\u003c/h2\u003e\n\u003cp\u003eLeakwatch is daemonless: it pulls image layers directly from the registry without a Docker daemon. This means you can scan a remote image from within the Leakwatch container without mounting the host Docker socket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor private registries, pass the credentials as environment variables consumed by the registry client (for example, \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e pointing to a mounted credentials file, or the standard registry environment variables your registry supports).\u003c/p\u003e\n\u003ch2 id=\"passing-a-configuration-file\"\u003ePassing a configuration file\u003c/h2\u003e\n\u003cp\u003eMount \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e into \u003ccode\u003e/scan\u003c/code\u003e so Leakwatch picks it up automatically:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAs long as \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is in the mounted directory, Leakwatch finds it because \u003ccode\u003e/scan\u003c/code\u003e is both the working directory and the path passed to the scan. If your config file lives elsewhere, mount it explicitly and use \u003ccode\u003e--config\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-environment-variables\"\u003ePassing environment variables\u003c/h2\u003e\n\u003cp\u003eEnvironment variables for cloud scanning and token-based authentication can be injected with \u003ccode\u003e-e\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# S3 scan with AWS credentials\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor CI environments, prefer injecting secrets as masked CI variables rather than embedding them in the command line.\u003c/p\u003e\n\u003ch2 id=\"output-file-pattern\"\u003eOutput file pattern\u003c/h2\u003e\n\u003cp\u003eA common Docker pattern in CI is to write results into the mounted volume and then upload or archive the file as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install the native binary instead of using Docker.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e flags and behavior.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eContainer Images\u003c/a\u003e — scanning OCI/Docker image layers for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — using the Docker image in GitLab CI and other pipelines.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — complete flag reference for all subcommands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"Use the official Leakwatch GitHub Action to scan for secrets in your GitHub workflows.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eEvery push to your repository is an opportunity for a secret to slip through. The official \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e) integrates Leakwatch directly into your GitHub workflow — it installs the tool, runs a scan, maps exit codes, and optionally uploads SARIF results to GitHub Code Scanning, all without any external service dependency.\u003c/p\u003e\n\u003ch2 id=\"quick-start\"\u003eQuick start\u003c/h2\u003e\n\u003cp\u003eThe minimal configuration blocks the workflow when secrets are found:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Secret scan (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith only the defaults, the action scans the filesystem (\u003ccode\u003escan-type: fs\u003c/code\u003e), produces SARIF output, skips live verification (\u003ccode\u003eno-verify: true\u003c/code\u003e), and fails the job if any finding is reported.\u003c/p\u003e\n\u003ch2 id=\"full-example-with-sarif-upload\"\u003eFull example with SARIF upload\u003c/h2\u003e\n\u003cp\u003eThe following workflow enables SARIF upload to GitHub Code Scanning, which surfaces findings as security alerts inside the repository:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Secret scan\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # required for SARIF upload\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Scan for secrets\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF upload requires the job to declare \u003ccode\u003epermissions: security-events: write\u003c/code\u003e. Without it, the upload step fails with a 403 error. The \u003ccode\u003econtents: read\u003c/code\u003e permission is also needed for \u003ccode\u003eactions/checkout@v4\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inputs\"\u003eInputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eInput\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan type to run: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e, or \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to scan (for \u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e) or image reference (for \u003ccode\u003eimage\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification (no outbound calls to providers).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUpload SARIF results to GitHub Code Scanning after the scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFail the workflow step when findings are reported (exit code 1). When \u003ccode\u003efalse\u003c/code\u003e, a \u003ccode\u003e::warning::\u003c/code\u003e annotation is emitted instead so the scan does not block the pipeline. Hard errors (exit code 2) always fail the step regardless of this setting.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLeakwatch version to install. Use a tag such as \u003ccode\u003ev1.5.0\u003c/code\u003e to pin a specific release.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"outputs\"\u003eOutputs\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eOutput\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e if no findings were reported; \u003ccode\u003e1\u003c/code\u003e if findings were reported. Mirrors the Leakwatch exit code.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the SARIF output file on the runner (set when \u003ccode\u003eformat: sarif\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"verification-in-ci\"\u003eVerification in CI\u003c/h2\u003e\n\u003cp\u003eBy default, \u003ccode\u003eno-verify\u003c/code\u003e is \u003ccode\u003etrue\u003c/code\u003e — live verification is \u003cstrong\u003eoff\u003c/strong\u003e in CI. This keeps the scan fast and avoids making outbound network calls to provider APIs from CI runners, which may be behind a firewall or have rate-limited credentials.\u003c/p\u003e\n\u003cp\u003eTo enable verification in CI, set \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnabling verification in CI causes Leakwatch to make authenticated API calls to providers (AWS, GitHub, Stripe, etc.) for each candidate finding. Be aware of provider rate limits and ensure the runner has outbound internet access.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"how-sarif-upload-works\"\u003eHow SARIF upload works\u003c/h2\u003e\n\u003cp\u003eWhen \u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e and \u003ccode\u003eformat: sarif\u003c/code\u003e, the action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTells Leakwatch to write output to \u003ccode\u003eresults.sarif\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter the scan, calls \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e with \u003ccode\u003ecategory: leakwatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGitHub processes the file and surfaces findings as \u003cstrong\u003eCode Scanning alerts\u003c/strong\u003e under the repository's \u003cstrong\u003eSecurity\u003c/strong\u003e tab.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThe upload step runs with \u003ccode\u003eif: always()\u003c/code\u003e, so results are uploaded even when \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e causes the scan step to set a failure.\u003c/p\u003e\n\u003ch2 id=\"using-action-outputs\"\u003eUsing action outputs\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Scan for secrets\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # let the workflow continue\n\n- name: Print result\n run: echo \u0026quot;Findings reported: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"pinning-a-specific-version\"\u003ePinning a specific version\u003c/h2\u003e\n\u003cp\u003eFor reproducible builds, pin \u003ccode\u003eversion\u003c/code\u003e to a specific tag:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis installs exactly \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e via \u003ccode\u003ego install\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — understanding JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — when and how Leakwatch calls provider APIs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Hook\u003c/a\u003e — catch secrets before they are committed.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — GitLab CI, Jenkins, and generic shell integration.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Other CI Systems","description":"Integrate Leakwatch into GitLab CI, Jenkins, Bitbucket Pipelines, and any other CI system.","html":"\u003ch1 id=\"other-ci-systems\"\u003eOther CI Systems\u003c/h1\u003e\n\u003cp\u003eBecause Leakwatch is a single static binary with no runtime dependencies, it runs in any CI environment that can execute a shell command — GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps, and others. There is no built-in integration for these systems beyond what is described on this page; the pattern is always: install the binary, run the scan, act on the exit code.\u003c/p\u003e\n\u003ch2 id=\"installing-leakwatch-in-ci\"\u003eInstalling Leakwatch in CI\u003c/h2\u003e\n\u003cp\u003eChoose the method that best suits your runner environment:\u003c/p\u003e\n\u003ch3 id=\"via-go-install-requires-go-on-the-runner\"\u003evia \u003ccode\u003ego install\u003c/code\u003e (requires Go on the runner)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePin to a specific version for reproducible builds:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"via-the-docker-image-no-go-required\"\u003evia the Docker image (no Go required)\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e as a job image or run it with \u003ccode\u003edocker run\u003c/code\u003e. See \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e for the full pattern.\u003c/p\u003e\n\u003ch3 id=\"via-a-prebuilt-release-binary\"\u003evia a prebuilt release binary\u003c/h3\u003e\n\u003cp\u003eDownload the appropriate tarball from \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e, extract, and place on \u003ccode\u003ePATH\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch exits with one of three codes, which is the primary mechanism for failing a CI build:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended CI action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo findings\u003c/td\u003e\n\u003ctd\u003ePass the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSecrets found\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHard error (bad config, unreadable path, etc.)\u003c/td\u003e\n\u003ctd\u003eFail the pipeline stage\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA generic shell snippet that branches on the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;No secrets found.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Secrets found — failing build.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Scan error (exit $EXIT_CODE) — failing build.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-example\"\u003eGitLab CI example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e job installs Leakwatch, runs a filesystem scan, and stores the JSON report as a pipeline artifact:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 days\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (the default) means exit code \u003ccode\u003e1\u003c/code\u003e fails the pipeline stage. Set \u003ccode\u003eallow_failure: true\u003c/code\u003e if you want the scan to report without blocking the merge.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab supports SAST report artifacts. Leakwatch produces SARIF (\u003ccode\u003e--format sarif\u003c/code\u003e), not GitLab's native SAST JSON schema, so use the \u003ccode\u003epaths:\u003c/code\u003e artifact approach rather than the \u003ccode\u003ereports: sast:\u003c/code\u003e key.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"recommendations-for-ci-runners\"\u003eRecommendations for CI runners\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eUse \u003ccode\u003e--no-verify\u003c/code\u003e on runners without outbound internet access.\u003c/strong\u003e Verification makes live API calls to providers (AWS, GitHub, Stripe, etc.). On air-gapped or firewall-restricted runners, these calls time out and slow the scan. Pass \u003ccode\u003e--no-verify\u003c/code\u003e to skip verification entirely:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSave output as an artifact.\u003c/strong\u003e Use \u003ccode\u003e--format sarif\u003c/code\u003e or \u003ccode\u003e--format json\u003c/code\u003e with \u003ccode\u003e--output\u003c/code\u003e to write a file that can be stored, uploaded to a vulnerability management platform, or reviewed after the job completes.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSet \u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e to focus on the secrets that matter most. In a noisy codebase, start with \u003ccode\u003e--min-severity high\u003c/code\u003e and lower the threshold once you have cleared the backlog.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-example\"\u003eAzure DevOps example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch secret scan\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-results\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-example\"\u003eJenkins example\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Secret scan') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — full reference for all exit code meanings.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Usage\u003c/a\u003e — use the container image instead of installing the binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — the official action for GitHub workflows.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Hook","description":"Use the Leakwatch pre-commit hook to scan for secrets before every commit.","html":"\u003ch1 id=\"pre-commit-hook\"\u003ePre-commit Hook\u003c/h1\u003e\n\u003cp\u003eThe cheapest time to catch a secret is before it enters the repository at all. Leakwatch ships a native \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e hook that runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e automatically on every \u003ccode\u003egit commit\u003c/code\u003e, so a leaked API key or password fails the commit rather than appearing in history.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eYou need:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit is a Python tool).\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e installed globally (\u003ccode\u003epip install pre-commit\u003c/code\u003e or \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGo 1.25+ on \u003ccode\u003ePATH\u003c/code\u003e — the hook language is \u003ccode\u003egolang\u003c/code\u003e, so pre-commit compiles Leakwatch from source on first run.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"configuration\"\u003eConfiguration\u003c/h2\u003e\n\u003cp\u003eAdd a \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e file to the root of your repository (or extend an existing one):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInstall the hooks into the local Git repo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThat is all. From this point on, every \u003ccode\u003egit commit\u003c/code\u003e triggers a filesystem scan. If Leakwatch finds any secrets, the commit is blocked and the findings are printed to the terminal.\u003c/p\u003e\n\u003ch2 id=\"running-manually\"\u003eRunning manually\u003c/h2\u003e\n\u003cp\u003eTo scan the entire repository (not just staged files) at any time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTo run only the Leakwatch hook without triggering others:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"passing-extra-arguments\"\u003ePassing extra arguments\u003c/h2\u003e\n\u003cp\u003eThe hook's default behavior matches \u003ccode\u003eleakwatch scan fs\u003c/code\u003e with no additional flags. You can pass extra arguments via the \u003ccode\u003eargs:\u003c/code\u003e key:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis example reports only high-severity secrets that Leakwatch has confirmed are still active — a strict policy suitable for teams that want to avoid false-positive noise without sacrificing coverage.\u003c/p\u003e\n\u003cp\u003eOther useful arguments:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # skip live verification for faster commits\n - --min-severity\n - medium # suppress low-severity noise\n - --format\n - table # human-readable output in the terminal\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003epass_filenames: false\u003c/code\u003e is set in the hook definition, which means the hook always scans the full working tree rather than only the files staged for the current commit. This guarantees that secrets already present in unstaged files are also detected.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-the-hook-scans\"\u003eWhat the hook scans\u003c/h2\u003e\n\u003cp\u003eThe hook runs \u003ccode\u003eleakwatch scan fs\u003c/code\u003e against the repository working directory. It uses the same detection pipeline as the CLI: Aho-Corasick pre-filtering, regex validation, entropy calculation, and (unless \u003ccode\u003e--no-verify\u003c/code\u003e is set) live verification.\u003c/p\u003e\n\u003cp\u003eConfiguration in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e is respected automatically — exclusion patterns, entropy thresholds, and verification settings all apply without any extra hook configuration.\u003c/p\u003e\n\u003ch2 id=\"skipping-the-hook-temporarily\"\u003eSkipping the hook temporarily\u003c/h2\u003e\n\u003cp\u003eTo commit without running the hook (for example, when committing a controlled test fixture that contains a redacted secret):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: add test fixture\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUsing \u003ccode\u003eSKIP=leakwatch\u003c/code\u003e bypasses all secret scanning for that commit. Use it only when you have confirmed the content is safe, and prefer \u003ccode\u003e.leakwatchignore\u003c/code\u003e or inline \u003ccode\u003eleakwatch:ignore\u003c/code\u003e comments for permanent suppressions instead.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"keeping-the-hook-version-pinned\"\u003eKeeping the hook version pinned\u003c/h2\u003e\n\u003cp\u003ePin \u003ccode\u003erev:\u003c/code\u003e to a specific tag rather than a branch name. This ensures all developers on the team use the same detector set and the hook does not silently upgrade mid-sprint:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # pin; do not use 'main' or 'HEAD'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUpdate by running:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ewhich bumps \u003ccode\u003erev\u003c/code\u003e to the latest tag and lets you review the change before committing it.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — the underlying scan command the hook runs.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — control exclusions, entropy, and verification in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — scan on every push and pull request in GitHub CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Configuration File","description":"How to configure Leakwatch with .leakwatch.yaml — full schema, defaults, validation rules, environment overrides, and the leakwatch init command.","html":"\u003ch1 id=\"configuration-file\"\u003eConfiguration File\u003c/h1\u003e\n\u003cp\u003eLeakwatch's behaviour across every scan command is driven by a single YAML file named \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e. Understanding this file lets you tune concurrency, verification, output format, and path filtering once — and have every scan pick it up automatically.\u003c/p\u003e\n\u003ch2 id=\"file-discovery\"\u003eFile discovery\u003c/h2\u003e\n\u003cp\u003eLeakwatch resolves the config file in the following order:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e flag\u003c/strong\u003e — use an explicit path regardless of the working directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCurrent directory\u003c/strong\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the directory where the command is run.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHome directory\u003c/strong\u003e — \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e as a fallback.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIf no file is found, built-in defaults are used for every setting.\u003c/p\u003e\n\u003ch2 id=\"generating-a-starter-file\"\u003eGenerating a starter file\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003eleakwatch init\u003c/code\u003e command writes a ready-to-edit file with recommended defaults:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default the file is written to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory. Use \u003ccode\u003e--output\u003c/code\u003e to choose a different path:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the target file already exists, \u003ccode\u003eleakwatch init\u003c/code\u003e will refuse to overwrite it and exit with an error. Pass \u003ccode\u003e--force\u003c/code\u003e to overwrite:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"environment-variable-overrides\"\u003eEnvironment variable overrides\u003c/h2\u003e\n\u003cp\u003eEvery config key can be overridden with an environment variable. The naming rule is:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrefix: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eReplace \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eUppercase\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eExamples:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003cth\u003eEnvironment variable\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence\"\u003ePrecedence\u003c/h2\u003e\n\u003cp\u003eWhen the same setting is specified in multiple places, the highest-priority source wins:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCommand-line flag (highest)\u003c/li\u003e\n\u003cli\u003eEnvironment variable\u003c/li\u003e\n\u003cli\u003eConfig file value\u003c/li\u003e\n\u003cli\u003eBuilt-in default (lowest)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"full-schema\"\u003eFull schema\u003c/h2\u003e\n\u003cp\u003eThe annotated schema below shows every supported key, its default value, and valid range.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Scan engine ──────────────────────────────────────────────────────────────\n\nscan:\n # Number of concurrent file-processing workers.\n # Defaults to the number of logical CPU cores on the host.\n # Must be \u0026gt;= 1.\n concurrency: 8\n\n # Maximum file size to scan, in bytes. Files larger than this limit are\n # skipped entirely. Default is 10 MB (10485760). Must be \u0026gt;= 1.\n max-file-size: 10485760\n\n# ── Detection ─────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Enable Shannon entropy calculation for each candidate match.\n enabled: true\n\n # Entropy threshold used for display and custom-rule gating.\n # Range: 0–8. Default: 4.0.\n # See note below about built-in findings.\n threshold: 4.0\n\n# ── Verification ─────────────────────────────────────────────────────────────\n\nverification:\n # Enable live verification against provider APIs.\n enabled: true\n\n # Per-request HTTP timeout. Must be \u0026gt;= 1ms when verification is enabled.\n # Use a duration string (e.g. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — a bare integer is\n # treated as nanoseconds and will fail validation.\n timeout: 10s\n\n # Number of concurrent verification workers. Must be \u0026gt;= 1.\n concurrency: 4\n\n # Maximum verification requests per second (token-bucket rate limiter).\n # Must be \u0026gt; 0.\n rate-limit: 10.0\n\n# ── Filtering ─────────────────────────────────────────────────────────────────\n\nfilter:\n # Glob patterns for paths to exclude from scanning.\n # Supported glob styles: filepath.Match patterns, ** double-star spanning\n # zero or more path segments, and trailing-slash dir/ patterns that match\n # the named directory at any depth. Each pattern is tested against both the\n # full path and the base filename, so simple patterns like \u0026quot;*.min.js\u0026quot; match\n # nested files without a leading path prefix.\n # Applies to all scan sources. (On `scan fs` the --exclude flag also sets this.)\n # Default: [] (no exclusions beyond the built-in binary/lock-file skips).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Detector IDs to disable entirely. Findings from listed detectors are never\n # produced regardless of other settings. Default: [].\n exclude-detectors: []\n\n# ── Output ────────────────────────────────────────────────────────────────────\n\noutput:\n # Output format. One of: json, sarif, csv, table. Default: json.\n # The --format / -f flag overrides this at run time.\n format: json\n\n # Write output to this file path instead of stdout. Default: \u0026quot;\u0026quot; (stdout).\n # The --output / -o flag overrides this at run time.\n file: \u0026quot;\u0026quot;\n\n # Drop findings below this severity level.\n # One of: low, medium, high, critical. Default: \u0026quot;\u0026quot; (show all).\n # The --min-severity flag overrides this at run time.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Include the unredacted secret value in output.\n # Default: false. The --show-raw flag overrides this at run time.\n show-raw: false\n\n# ── Custom rules ──────────────────────────────────────────────────────────────\n\n# Define your own detectors as YAML rules. See the custom rules page for the\n# full rule schema.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e controls which entropy value is displayed alongside a finding and acts as a gate for custom rules (a custom rule match whose entropy falls below the threshold is suppressed). It does \u003cstrong\u003enot\u003c/strong\u003e suppress findings from built-in detectors — built-in detectors have their own match criteria and are never dropped by this setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"validation\"\u003eValidation\u003c/h2\u003e\n\u003cp\u003eLeakwatch validates the loaded configuration before starting a scan and exits with an error for any of the following:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCondition\u003c/th\u003e\n\u003cth\u003eError\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid concurrency value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInvalid max-file-size value\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e not in \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnsupported output format\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e outside 0–8\u003c/td\u003e\n\u003ctd\u003eInvalid entropy threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e not a valid level (when non-empty)\u003c/td\u003e\n\u003ctd\u003eInvalid severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification timeout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification concurrency\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (when verification enabled)\u003c/td\u003e\n\u003ctd\u003eInvalid verification rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Ignoring Findings","description":"Suppress false positives with .leakwatchignore files, inline ignore markers, and built-in binary and lock-file skips.","html":"\u003ch1 id=\"ignoring-findings\"\u003eIgnoring Findings\u003c/h1\u003e\n\u003cp\u003eNo scanner has zero false positives. Leakwatch gives you three layered mechanisms to suppress the noise: a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file for path-based exclusions, inline markers for line-level suppression, and a set of always-on built-in skips for binary files and common lock files.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-file\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e file\u003c/h2\u003e\n\u003cp\u003eCreate a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your repository root (or in the current directory) to exclude paths from the scan results. It uses a gitignore-style syntax:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLines starting with \u003ccode\u003e#\u003c/code\u003e are comments.\u003c/li\u003e\n\u003cli\u003eBlank lines are skipped.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003e!\u003c/code\u003e prefix \u003cstrong\u003enegates\u003c/strong\u003e a pattern, re-including a path that a previous pattern would have excluded.\u003c/li\u003e\n\u003cli\u003eThe \u003cstrong\u003elast matching pattern wins\u003c/strong\u003e — order matters.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"loading-order\"\u003eLoading order\u003c/h3\u003e\n\u003cp\u003eLeakwatch loads \u003ccode\u003e.leakwatchignore\u003c/code\u003e from the scan root first, then from the current working directory. If both exist and contain patterns for the same path, the current-directory file's patterns take precedence because they are evaluated last.\u003c/p\u003e\n\u003ch3 id=\"glob-syntax\"\u003eGlob syntax\u003c/h3\u003e\n\u003cp\u003eThree pattern styles are supported:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStyle\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003cth\u003eExample\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandard glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e-style, matched against both the full path and the base filename\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDouble-star \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpans zero or more path segments\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTrailing slash \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMatches every file inside the named directory at any depth\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-leakwatchignore\"\u003eExample \u003ccode\u003e.leakwatchignore\u003c/code\u003e\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Ignore all test fixture files\ntest/fixtures/**\n\n# Ignore known placeholder keys in documentation\ndocs/examples/\n\n# Ignore files with a specific extension anywhere in the tree\n*.pem.example\n\n# Re-include a specific file excluded by the rule above\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtering is applied \u003cstrong\u003eafter\u003c/strong\u003e the scan completes, based on the file path of each finding. It does not prevent files from being read — it suppresses the findings they produce. To skip files before they are read at all, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file or \u003ccode\u003e--exclude\u003c/code\u003e on \u003ccode\u003escan fs\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"inline-ignore-markers\"\u003eInline ignore markers\u003c/h2\u003e\n\u003cp\u003ePlace a marker directly on any source line to suppress detectors for that specific line. The marker can appear anywhere on the line — typically inside a comment — and is applied by the engine \u003cstrong\u003ebefore\u003c/strong\u003e verification, so an ignored line never triggers a network call.\u003c/p\u003e\n\u003ch3 id=\"suppress-all-detectors-on-a-line\"\u003eSuppress all detectors on a line\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Payment processing configuration\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"suppress-a-specific-detector-on-a-line\"\u003eSuppress a specific detector on a line\u003c/h3\u003e\n\u003cp\u003eUse \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e to suppress only one detector while leaving others active:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// This token is intentionally a placeholder for documentation\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# CI environment variable set by the platform — not a real secret\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePrefer the detector-specific form (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) over the generic one whenever possible. It documents which detector you are suppressing and keeps all other detectors active on that line.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"built-in-skips-always-applied\"\u003eBuilt-in skips (always applied)\u003c/h2\u003e\n\u003cp\u003eLeakwatch unconditionally skips the following before running any detector:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary file extensions\u003c/strong\u003e — files with extensions such as \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e, and others are never scanned.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBinary content detection\u003c/strong\u003e — any file whose first 8 KB contains a null byte is treated as binary and skipped, regardless of extension.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCommon lock files\u003c/strong\u003e — the following filenames are always skipped because they contain hashes and checksums that produce high rates of false positives:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFile\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThese built-in skips cannot be disabled. They are separate from the \u003ccode\u003efilter.exclude-paths\u003c/code\u003e setting and run before any config-based filtering.\u003c/p\u003e\n\u003ch2 id=\"path-based-exclusion-before-scanning\"\u003ePath-based exclusion before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before they are even read by the scan engine, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in your config file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis setting applies to \u003cstrong\u003eall scan sources\u003c/strong\u003e (filesystem, Git history, container images, cloud storage, Slack). On the \u003ccode\u003escan fs\u003c/code\u003e command you can also pass \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e on the command line, which is the flag-equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full config schema and \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e for detector-level and severity-level filtering.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity \u0026amp; Filtering\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Severity \u0026 Filtering","description":"Control which findings reach your output using severity thresholds, verified-only mode, detector exclusions, and path exclusions.","html":"\u003ch1 id=\"severity--filtering\"\u003eSeverity \u0026amp; Filtering\u003c/h1\u003e\n\u003cp\u003eA busy codebase can produce many findings. Leakwatch provides several independent filters you can combine to focus on the signals that matter most: severity thresholds drop low-priority noise, verified-only mode surfaces only confirmed live secrets, detector exclusions silence known false-positive sources, and path exclusions remove entire directory trees from scope.\u003c/p\u003e\n\u003ch2 id=\"severity-levels\"\u003eSeverity levels\u003c/h2\u003e\n\u003cp\u003eEvery built-in detector ships with a default severity. The four levels, from lowest to highest priority, are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eLevel\u003c/th\u003e\n\u003cth\u003eTypical use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric patterns with a higher false-positive rate\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRecognizable credential formats, unconfirmed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWell-structured secrets where exposure is likely significant\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLive secrets confirmed or formats with near-zero false-positive rates\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eThe severity assigned to each detector is listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-drop-findings-below-a-threshold\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: drop findings below a threshold\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e to discard findings whose severity is below the specified level. Only findings at or above the threshold reach the output.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Show only high and critical findings\nleakwatch scan fs . --min-severity high\n\n# Show medium, high, and critical findings\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYou can set a persistent default in the config file under \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e. The \u003ccode\u003e--min-severity\u003c/code\u003e flag overrides the config value at run time:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-confirmed-active-secrets-only\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: confirmed active secrets only\u003c/h2\u003e\n\u003cp\u003ePass \u003ccode\u003e--only-verified\u003c/code\u003e to keep only findings whose verification status is \u003ccode\u003everified_active\u003c/code\u003e — secrets that Leakwatch confirmed are still valid by making a controlled read-only call to the provider API. All other findings (unverified, verified-inactive, or verify-error) are dropped.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis flag is most useful in CI pipelines where you want to fail the build \u003cstrong\u003eonly\u003c/strong\u003e on confirmed incidents, not on suspicious patterns that may be placeholders or already-rotated credentials.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for which detectors support live verification.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-disable-specific-detectors\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: disable specific detectors\u003c/h2\u003e\n\u003cp\u003eTo permanently disable one or more detectors, list their IDs under \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in the config file. Findings from listed detectors are never produced, regardless of any other setting:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDetector IDs are listed in the \u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e. Use this setting when a detector consistently produces false positives for your codebase and other suppression mechanisms (inline ignores or \u003ccode\u003e.leakwatchignore\u003c/code\u003e) are not granular enough.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-skip-paths-before-scanning\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: skip paths before scanning\u003c/h2\u003e\n\u003cp\u003eTo exclude paths before the scan engine reads them, use \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in the config file. The patterns use the same glob syntax as \u003ccode\u003e.leakwatchignore\u003c/code\u003e (standard globs, \u003ccode\u003e**\u003c/code\u003e double-star, and trailing-slash directory patterns), and apply to \u003cstrong\u003eall scan sources\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOn the \u003ccode\u003escan fs\u003c/code\u003e command, the \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e flag is the command-line equivalent of \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. The \u003ccode\u003e--exclude\u003c/code\u003e flag exists \u003cstrong\u003eonly\u003c/strong\u003e on \u003ccode\u003escan fs\u003c/code\u003e — for all other sources, use the config file setting.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"combining-filters-in-ci\"\u003eCombining filters in CI\u003c/h2\u003e\n\u003cp\u003eIn a CI pipeline you typically want a low-noise, high-signal run that fails only on real incidents. A recommended combination:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWith a config file handling the persistent path exclusions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThen override just the format and destination at the command line for CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e for verification details, \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for inline and file-based suppression, and \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for the full schema.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Custom Rules","description":"How to define your own secret detection patterns in YAML and add them to a Leakwatch scan alongside the 63 built-in detectors.","html":"\u003ch1 id=\"custom-rules\"\u003eCustom Rules\u003c/h1\u003e\n\u003cp\u003eThe 63 built-in detectors cover widely used credential formats, but every organisation has internal tokens, proprietary service keys, or environment-specific patterns that no generic tool can anticipate. Custom rules let you extend Leakwatch with your own patterns — defined in plain YAML, loaded at runtime — without modifying source code or rebuilding the binary.\u003c/p\u003e\n\u003ch2 id=\"where-custom-rules-live\"\u003eWhere custom rules live\u003c/h2\u003e\n\u003cp\u003eCustom rules are defined under a top-level \u003ccode\u003ecustom-rules:\u003c/code\u003e list in your \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe rules are registered at runtime when Leakwatch starts. They run alongside the built-in detectors using the same Aho-Corasick pre-filter pipeline.\u003c/p\u003e\n\u003ch2 id=\"rule-fields\"\u003eRule fields\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eRequired\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eUnique detector ID. Used in output and in \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e. Must not collide with a built-in detector ID or another custom rule ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eHuman-readable description shown in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYes\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2-compatible regular expression. Maximum 4096 characters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003elist of strings\u003c/td\u003e\n\u003ctd\u003eAho-Corasick pre-filter keywords. The regex only runs on chunks that contain at least one of these strings. Omitting this field causes the regex to run on every chunk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, or \u003ccode\u003elow\u003c/code\u003e. Defaults to \u003ccode\u003emedium\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropy threshold (0–8). Matches whose entropy is \u003cstrong\u003ebelow\u003c/strong\u003e this value are discarded. Useful for filtering low-randomness false positives.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eAlways supply \u003ccode\u003ekeywords\u003c/code\u003e. Even a single short keyword (like a token prefix) dramatically reduces the number of chunks the regex engine processes, keeping scans fast on large repositories. For example, if all your internal tokens begin with \u003ccode\u003eacme_\u003c/code\u003e, set \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003eentropy\u003c/code\u003e to suppress matches on placeholder values like \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e that satisfy the pattern but are clearly not real secrets. A threshold around 3.0–3.5 is a good starting point.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"collision-handling\"\u003eCollision handling\u003c/h2\u003e\n\u003cp\u003eIf a custom rule's \u003ccode\u003eid\u003c/code\u003e matches an already-registered detector — either a built-in detector or a previously loaded custom rule — the duplicate is \u003cstrong\u003eskipped\u003c/strong\u003e and an error is logged. Leakwatch does not crash; the rest of the rules load normally. Check the log output if a custom rule appears to have no effect.\u003c/p\u003e\n\u003ch2 id=\"verification\"\u003eVerification\u003c/h2\u003e\n\u003cp\u003eCustom rules have no paired verifier. Findings from custom rules are always reported with status \u003ccode\u003eunverified\u003c/code\u003e — they never become \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"complete-example\"\u003eComplete example\u003c/h2\u003e\n\u003cp\u003eThe following \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e defines two custom rules: one for an internal service token and one for a signing secret used in webhooks.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook signing secret (format: whsec_ + 40 base64url chars)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRun a scan with this config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSample JSON output for a custom-rule finding (secret value redacted):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp internal service token (format: acme_ + 32 hex chars)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe \u003ccode\u003eraw_redacted\u003c/code\u003e field always masks the actual secret. The raw value is never written to output unless you explicitly pass \u003ccode\u003e--show-raw\u003c/code\u003e (not recommended outside controlled environments).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"excluding-a-custom-rule\"\u003eExcluding a custom rule\u003c/h2\u003e\n\u003cp\u003eCustom rules participate in the same filtering as built-in detectors. To disable a custom rule without removing it from config:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, including where \u003ccode\u003ecustom-rules:\u003c/code\u003e sits in the document structure.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the 63 built-in detectors, to check for ID conflicts before naming your custom rule.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the Aho-Corasick pre-filter pipeline that \u003ccode\u003ekeywords\u003c/code\u003e plugs into.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Detector Catalog","description":"All 63 built-in detectors grouped by category, with their IDs, what they detect, and their default severity.","html":"\u003ch1 id=\"detector-catalog\"\u003eDetector Catalog\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e that cover a wide range of credential types — from cloud provider access keys and AI API tokens to database connection strings and private cryptographic keys. Each detector has a stable ID, a default severity, and (for most) a paired verifier that can confirm whether a found secret is still live.\u003c/p\u003e\n\u003cp\u003eThis page lists every built-in detector. For verification coverage details see \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e. To add your own patterns, see \u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"how-to-read-this-catalog\"\u003eHow to read this catalog\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — the stable string identifier used in config and output. Pass it to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e to skip a detector, or use it with \u003ccode\u003e--min-severity\u003c/code\u003e filtering (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetects\u003c/strong\u003e — what the detector is looking for.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSeverity\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e, \u003ccode\u003eHigh\u003c/code\u003e, or \u003ccode\u003eMedium\u003c/code\u003e. This is the default; it feeds the \u003ccode\u003e--min-severity\u003c/code\u003e flag and the \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e config key.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"cloud-and-infrastructure\"\u003eCloud and Infrastructure\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Service Account Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID Client Secret\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Service Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ai--ml\"\u003eAI / ML\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"payments-and-commerce\"\u003ePayments and Commerce\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Live API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dev-tools-ci-and-packages\"\u003eDev Tools, CI, and Packages\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket App Password\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Personal API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Personal Access Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"communication-and-collaboration\"\u003eCommunication and Collaboration\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/User Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Incoming Webhook URL\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Internal Integration Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Personal Access Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"email-and-messaging-delivery\"\u003eEmail and Messaging Delivery\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Server API Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"monitoring-and-observability\"\u003eMonitoring and Observability\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Auth Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"databases-and-connection-strings\"\u003eDatabases and Connection Strings\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabase Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Connection String\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Connection Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Service Role Key\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"identity-and-access\"\u003eIdentity and Access\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bind Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Key\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"generic-and-cryptographic\"\u003eGeneric and Cryptographic\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eDetects\u003c/th\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeneric API Key\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePrivate Key (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Credentials\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eTotal: 63 built-in detectors.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"filtering-by-severity\"\u003eFiltering by severity\u003c/h2\u003e\n\u003cp\u003eFindings are filterable by severity using \u003ccode\u003e--min-severity\u003c/code\u003e at the command line or \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e in config. Only findings at or above the specified level are included in the output. See \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"excluding-specific-detectors\"\u003eExcluding specific detectors\u003c/h2\u003e\n\u003cp\u003eTo skip one or more detectors entirely, add their IDs to \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e for the full filtering reference.\u003c/p\u003e\n\u003ch2 id=\"verification-coverage\"\u003eVerification coverage\u003c/h2\u003e\n\u003cp\u003eSome detectors have a live verifier; others are format-validated only; nine have no verifier at all. See \u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e for the complete breakdown.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e — define your own detection patterns in YAML.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detectors can be live-verified.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eSeverity and Filtering\u003c/a\u003e — filtering findings by severity or detector.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"How It Works","description":"Architecture of the Leakwatch scan pipeline: sources, detection, verification, and output.","html":"\u003ch1 id=\"how-it-works\"\u003eHow It Works\u003c/h1\u003e\n\u003cp\u003eUnderstanding the Leakwatch pipeline helps you tune performance, interpret results, and decide which flags to reach for. This page explains what happens from the moment you run a scan command to the moment a finding appears in your output.\u003c/p\u003e\n\u003ch2 id=\"the-pipeline-at-a-glance\"\u003eThe pipeline at a glance\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Source\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[Worker Pool\\n—concurrency workers]\n B --\u0026gt; C[Aho-Corasick\\nPre-filter]\n C --\u0026gt; D[Regex\\nDetectors]\n D --\u0026gt; E[Inline-ignore\\nCheck]\n E --\u0026gt; F[Verification\\nPool\\n4 workers / 10 rps]\n F --\u0026gt; G[Post-scan\\nFilters]\n G --\u0026gt; H([Output\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach stage is described in detail below.\u003c/p\u003e\n\u003ch2 id=\"1-source\"\u003e1. Source\u003c/h2\u003e\n\u003cp\u003eEvery scan starts with a \u003cstrong\u003eSource\u003c/strong\u003e — an abstraction that emits chunks of data for the engine to process. Leakwatch ships six sources:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it emits\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFile contents from a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLayer contents of an OCI/Docker image, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObject contents from a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text from channels and DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e. The contents of files uploaded to Slack are not scanned.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eChunks flow into a buffered channel consumed by the worker pool.\u003c/p\u003e\n\u003ch2 id=\"2-worker-pool\"\u003e2. Worker pool\u003c/h2\u003e\n\u003cp\u003eThe engine maintains a fixed pool of \u003cstrong\u003egoroutines\u003c/strong\u003e — one per \u003ccode\u003e--concurrency\u003c/code\u003e value (default: number of CPUs). Each worker pulls a chunk from the channel and runs the detection pipeline independently. Because workers share no mutable state, the pool scales linearly with concurrency up to the limits of I/O and memory.\u003c/p\u003e\n\u003cp\u003eScans respond to \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e: when a cancellation signal arrives, the context is cancelled, workers drain their current chunk and stop, and partial results are collected before output is written.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-keyword-pre-filter\"\u003e3. Aho-Corasick keyword pre-filter\u003c/h2\u003e\n\u003cp\u003eRunning 63 regex patterns on every chunk would be slow. Instead, the engine builds a single \u003cstrong\u003eAho-Corasick multi-pattern automaton\u003c/strong\u003e at startup from the keyword lists declared by each detector. For each chunk, this automaton does a single linear pass and returns only the detectors whose keywords appeared in the chunk's bytes.\u003c/p\u003e\n\u003cp\u003eThis means most detectors never run their regex on most chunks. Detectors that declare no keywords always run (they skip the pre-filter and proceed directly to regex).\u003c/p\u003e\n\u003cp\u003eThe Aho-Corasick implementation comes from \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"4-regex-detectors\"\u003e4. Regex detectors\u003c/h2\u003e\n\u003cp\u003eEach shortlisted detector runs its compiled \u003cstrong\u003eregular expression\u003c/strong\u003e against the chunk bytes. When a pattern matches, the detector returns a \u003ccode\u003eRawFinding\u003c/code\u003e containing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe raw secret bytes (held in memory only for verification; never logged or written to disk).\u003c/li\u003e\n\u003cli\u003eA \u003cstrong\u003eredacted\u003c/strong\u003e representation safe for output.\u003c/li\u003e\n\u003cli\u003eOptional extra metadata (e.g. account ID for an AWS key).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e63 built-in detectors\u003c/strong\u003e across 60 packages, covering cloud providers, AI APIs, payment platforms, databases, messaging tools, version control, and more. You can add your own patterns via \u003ca href=\"#/detectors/custom-rules\"\u003ecustom YAML rules\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eAll detectors are registered at compile time using Go's \u003ccode\u003einit()\u003c/code\u003e function and blank imports (ADR-0004). There is no plugin loader or dynamic discovery at runtime.\u003c/p\u003e\n\u003ch2 id=\"5-inline-ignore-check\"\u003e5. Inline-ignore check\u003c/h2\u003e\n\u003cp\u003eBefore a finding is sent to verification, the engine checks whether the source line contains an \u003cstrong\u003einline ignore marker\u003c/strong\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eor a detector-scoped variant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the marker is present, the finding is silently dropped \u003cstrong\u003ebefore any network call is made\u003c/strong\u003e. This is intentional: ignored secrets should never trigger a live API request.\u003c/p\u003e\n\u003ch2 id=\"6-verification\"\u003e6. Verification\u003c/h2\u003e\n\u003cp\u003eAfter detection completes for all chunks, the engine passes findings to a separate \u003cstrong\u003everification worker pool\u003c/strong\u003e (default 4 workers). Verification:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs guarded by a global \u003cstrong\u003erate limiter\u003c/strong\u003e (default 10 requests per second) shared across all workers.\u003c/li\u003e\n\u003cli\u003eApplies a \u003cstrong\u003eper-request timeout\u003c/strong\u003e (default 10 seconds) to every API call.\u003c/li\u003e\n\u003cli\u003eMakes only \u003cstrong\u003eread-only, non-destructive\u003c/strong\u003e calls to the provider (e.g. \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys).\u003c/li\u003e\n\u003cli\u003eMarks each finding with one of four statuses: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch ships \u003cstrong\u003e54 verifiers\u003c/strong\u003e, covering 85.7% of the 63 built-in detector types. The remaining 9 types (such as JWTs and generic API keys) cannot be safely verified and are always reported as \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003ePass \u003ccode\u003e--no-verify\u003c/code\u003e to skip this stage entirely — useful for fast, offline scans.\u003c/p\u003e\n\u003cp\u003eFor a deep dive into verification behavior and status meanings, see \u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"7-finding-id-and-entropy\"\u003e7. Finding ID and entropy\u003c/h2\u003e\n\u003cp\u003eEach finding receives a \u003cstrong\u003edeterministic ID\u003c/strong\u003e computed as:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(detectorID + redacted + filePath + line) → truncated to 16 hex characters\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe same secret at the same location always produces the same ID, making it safe to deduplicate findings across runs or track them in issue trackers.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropy\u003c/strong\u003e (range 0–8) is computed for each finding and exposed in output for informational purposes. At the engine level, entropy does \u003cstrong\u003enot\u003c/strong\u003e gate or drop built-in findings — a low-entropy match still appears in results. Entropy thresholds only apply inside custom rules, where each rule can declare its own minimum.\u003c/p\u003e\n\u003ch2 id=\"8-post-scan-filters\"\u003e8. Post-scan filters\u003c/h2\u003e\n\u003cp\u003eAfter verification, two filters apply:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — drops all findings that are not \u003ccode\u003everified:active\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — drops findings below the specified severity level (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; default \u003ccode\u003elow\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth filters run after verification so that verification status is available when \u003ccode\u003e--only-verified\u003c/code\u003e is evaluated.\u003c/p\u003e\n\u003ch2 id=\"9-output\"\u003e9. Output\u003c/h2\u003e\n\u003cp\u003eSurviving findings are passed to one of four \u003cstrong\u003eformatters\u003c/strong\u003e:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFormat\u003c/th\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eCommon use\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (default)\u003c/td\u003e\n\u003ctd\u003eMachine-readable, pipeline-friendly\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, security dashboards\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSpreadsheets, data analysis\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTable\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal review, color-coded by severity\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eOutput goes to stdout by default; use \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e to write to a file.\u003c/p\u003e\n\u003cp\u003eA \u003cstrong\u003escan summary\u003c/strong\u003e (date, source type, target, files scanned, duration, findings count, interrupted status) is always printed to \u003cstrong\u003estderr\u003c/strong\u003e after every scan, regardless of format or output destination.\u003c/p\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eLeakwatch is designed so that discovered secrets never leave the process boundary except for verification calls:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRaw secret bytes live only in memory during detection and verification.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e--show-raw\u003c/code\u003e flag is \u003ccode\u003efalse\u003c/code\u003e by default; without it, only the redacted representation appears in output.\u003c/li\u003e\n\u003cli\u003eSecrets are never written to disk, logged via \u003ccode\u003eslog\u003c/code\u003e, or cached between runs.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"design-decisions\"\u003eDesign decisions\u003c/h2\u003e\n\u003cp\u003eThe architecture reflects several deliberate choices documented as ADRs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO disabled\u003c/strong\u003e (ADR-0001) — single static binary, no runtime dependencies, cross-compiles to all platforms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — hierarchical CLI with \u003ccode\u003eflag \u0026gt; env \u0026gt; config \u0026gt; default\u003c/code\u003e precedence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — pure Go Git library; no external \u003ccode\u003egit\u003c/code\u003e binary required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCompile-time detector registration\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + blank imports; type-safe, no runtime plugin loader.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hybrid matching\u003c/strong\u003e (ADR-0005) — pre-filter eliminates most regex work on irrelevant chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonless layer analysis; no Docker daemon required to scan images.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWorker pool\u003c/strong\u003e (ADR-0008) — fixed goroutine count, channel-based fan-out; predictable memory and CPU usage.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eCustom Rules\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Installation","description":"Install Leakwatch via Homebrew, go install, Docker, or a prebuilt binary.","html":"\u003ch1 id=\"installation\"\u003eInstallation\u003c/h1\u003e\n\u003cp\u003eGetting Leakwatch onto your machine takes less than a minute. Choose the method that best fits your workflow: Homebrew is the simplest option on macOS and Linux, \u003ccode\u003ego install\u003c/code\u003e is ideal if you already have a Go toolchain, Docker keeps your host system clean, and prebuilt binaries work everywhere without any toolchain at all.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-and-linux\"\u003eHomebrew (macOS and Linux)\u003c/h2\u003e\n\u003cp\u003eThe official tap supports macOS and Linux on both amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe tap is hosted at \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e. Homebrew handles upgrades with \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003eGo install\u003c/h2\u003e\n\u003cp\u003eIf you have Go 1.25 or later installed, you can build and install the latest release directly from source:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe binary is placed in \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e. Make sure that directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e always fetches the latest tagged release. To pin a specific version, replace \u003ccode\u003e@latest\u003c/code\u003e with a tag such as \u003ccode\u003e@v1.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eA minimal, multi-stage Alpine image is published to the GitHub Container Registry. The image runs as a non-root user (\u003ccode\u003eleakwatch\u003c/code\u003e), has CGO disabled, and uses \u003ccode\u003e/scan\u003c/code\u003e as its working directory.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAvailable tags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eTag\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMost recent release\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eExact version pin\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinor-version pin (tracks patch releases)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eMount the directory you want to scan to \u003ccode\u003e/scan\u003c/code\u003e inside the container. Flags and options work identically to the native binary — see \u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e for the full list.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFor Docker-specific usage patterns, including scanning remote Git repositories and passing credentials securely, see \u003ca href=\"#/ci-cd/docker-usage\"\u003eUsing Docker\u003c/a\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"prebuilt-binary\"\u003ePrebuilt binary\u003c/h2\u003e\n\u003cp\u003eEvery release publishes tarballs for all supported platforms on the \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e page. Download the archive for your platform, extract it, and place the binary on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSupported platforms:\u003c/strong\u003e Linux, macOS, and Windows on amd64 and arm64.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Example for Linux amd64 — replace OS and ARCH to match your platform\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform naming follows the pattern \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e where \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e is \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e, or \u003ccode\u003eWindows\u003c/code\u003e and \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e is \u003ccode\u003eamd64\u003c/code\u003e or \u003ccode\u003earm64\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"verifying-your-installation\"\u003eVerifying your installation\u003c/h2\u003e\n\u003cp\u003eAfter any installation method, confirm the binary is reachable and check the version:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExpected output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIf the command is not found, check that the install directory is on your \u003ccode\u003ePATH\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind a Leakwatch scan.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — customize scan behavior with \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eUsing Docker\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Introduction","description":"What Leakwatch is, what it scans, and how it detects and verifies leaked secrets.","html":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e is a high-performance, open-source (MIT) security tool that \u003cstrong\u003edetects, verifies, and reports leaked secrets\u003c/strong\u003e — API keys, tokens, passwords, connection strings, and private keys — across your codebases, Git history, container images, cloud storage, and Slack workspaces.\u003c/p\u003e\n\u003cp\u003eIt is written in Go, ships as a single static binary with no runtime dependencies (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e), and is built to run anywhere: a developer laptop, a pre-commit hook, or a CI/CD pipeline.\u003c/p\u003e\n\u003ch2 id=\"why-leakwatch\"\u003eWhy Leakwatch\u003c/h2\u003e\n\u003cp\u003eA leaked credential in a single commit — even one later deleted — can stay reachable in Git history forever and be exploited within minutes of being pushed. Leakwatch is designed to catch those secrets early and tell you which ones are \u003cem\u003eactually dangerous\u003c/em\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBroad detection\u003c/strong\u003e — 63 built-in detectors covering cloud providers, AI APIs, payment platforms, databases, messaging tools, and more, plus your own YAML custom rules.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification, not just detection\u003c/strong\u003e — for 54 detector types Leakwatch can confirm whether a found secret is \u003cem\u003estill live\u003c/em\u003e by making a controlled, read-only call to the provider. A verified-active key is an incident; an inactive one is noise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMany sources\u003c/strong\u003e — scan a local filesystem, a full Git history, an OCI/Docker image, AWS S3, Google Cloud Storage, and Slack messages.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-native output\u003c/strong\u003e — JSON, SARIF (for GitHub Code Scanning), CSV, and a colorized terminal table.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecret-safe by design\u003c/strong\u003e — discovered secrets are redacted by default and are never logged, cached, or written to disk.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"what-it-scans\"\u003eWhat it scans\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSource\u003c/th\u003e\n\u003cth\u003eCommand\u003c/th\u003e\n\u003cth\u003eWhat it covers\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eFilesystem\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFiles in a local directory tree\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit history\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvery blob across the full commit history (local or remote)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eContainer image\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker image layers, daemonless\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in an S3 bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eObjects in a GCS bucket\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMessage text in channels and (optionally) DMs\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eMultiple repos\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSeveral Git repositories at once\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-detection-works-briefly\"\u003eHow detection works, briefly\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses a layered pipeline so it stays fast even on large inputs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick keyword pre-filter\u003c/strong\u003e — a single multi-pattern automaton quickly decides which detectors \u003cem\u003ecould\u003c/em\u003e match a chunk, so most detectors never run their regex.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex validation\u003c/strong\u003e — only the shortlisted detectors run their precise patterns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropy\u003c/strong\u003e — Shannon entropy is computed for display (and used by custom rules to drop low-randomness matches).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerification\u003c/strong\u003e — eligible findings are checked against the live provider API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYou don't have to understand the pipeline to use Leakwatch — but it explains why scans are fast and why some findings show a verification status while others don't. See \u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e for the full picture.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"what-leakwatch-is-not\"\u003eWhat Leakwatch is \u003cem\u003enot\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eTo set expectations accurately:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIt does \u003cstrong\u003enot\u003c/strong\u003e rewrite Git history or remove secrets for you — it finds and reports them, and (with \u003ccode\u003e--remediation\u003c/code\u003e) tells you how to rotate them.\u003c/li\u003e\n\u003cli\u003eSlack scanning covers \u003cstrong\u003emessage text only\u003c/strong\u003e; scanning the \u003cem\u003econtents\u003c/em\u003e of uploaded files is not implemented.\u003c/li\u003e\n\u003cli\u003eVerification is available for many but not all secret types — 9 detector types (such as JWTs and generic API keys) cannot be safely verified and are always reported as unverified.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"next-steps\"\u003eNext steps\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e — install via Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker, or a prebuilt binary.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e — the architecture behind the scan.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Quick Start","description":"Run your first Leakwatch scan in under a minute.","html":"\u003ch1 id=\"quick-start\"\u003eQuick Start\u003c/h1\u003e\n\u003cp\u003eThe fastest way to understand what Leakwatch can do is to point it at a real directory. This page walks you through your first scan, explains what the output means, and shows the flags you will reach for most often.\u003c/p\u003e\n\u003ch2 id=\"prerequisites\"\u003ePrerequisites\u003c/h2\u003e\n\u003cp\u003eLeakwatch must be installed and accessible on your \u003ccode\u003ePATH\u003c/code\u003e. If you have not done that yet, see \u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"your-first-scan\"\u003eYour first scan\u003c/h2\u003e\n\u003cp\u003eScan the current directory with one command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBy default, output is JSON written to stdout. To get a human-readable, colorized table instead, add \u003ccode\u003e--format table\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHere is what a result looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe scan summary is always printed to \u003cstrong\u003estderr\u003c/strong\u003e, so it never interferes with piped or redirected output.\u003c/p\u003e\n\u003ch2 id=\"understanding-a-finding\"\u003eUnderstanding a finding\u003c/h2\u003e\n\u003cp\u003eEach row in the table (or object in JSON) represents one finding. The key fields are:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eHow critical the secret type is: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eThe detector that matched — identifies the secret type (e.g. \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003ePath to the file where the secret was found, relative to the scan root\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eLine number of the match\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eA masked representation of the secret — never the raw value unless \u003ccode\u003e--show-raw\u003c/code\u003e is set\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eVerification outcome: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e, or \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA \u003ccode\u003everified:active\u003c/code\u003e status means Leakwatch confirmed the secret is still live by making a read-only API call to the provider. \u003cstrong\u003eTreat every \u003ccode\u003everified:active\u003c/code\u003e finding as an open incident.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"common-scan-options\"\u003eCommon scan options\u003c/h2\u003e\n\u003ch3 id=\"focus-on-confirmed-secrets-only\"\u003eFocus on confirmed secrets only\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis hides unverified and inactive findings, leaving only those confirmed live. Useful for triage when you have many results.\u003c/p\u003e\n\u003ch3 id=\"skip-network-verification-for-a-fast-offline-scan\"\u003eSkip network verification for a fast offline scan\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVerification is skipped entirely — no outbound network calls are made. Results appear faster and work without internet access, but all findings are marked \u003ccode\u003eunverified\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"add-remediation-guidance\"\u003eAdd remediation guidance\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEach finding gains a \u003cstrong\u003eREMEDIATION\u003c/strong\u003e column explaining how to rotate or revoke the specific secret type. The same data is included in JSON, SARIF, and CSV output when the flag is set.\u003c/p\u003e\n\u003ch3 id=\"filter-by-minimum-severity\"\u003eFilter by minimum severity\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOnly findings at \u003ccode\u003ehigh\u003c/code\u003e or \u003ccode\u003ecritical\u003c/code\u003e severity are reported.\u003c/p\u003e\n\u003ch3 id=\"save-results-to-a-file\"\u003eSave results to a file\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe \u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e flag writes to a file instead of stdout. SARIF output is compatible with \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"generate-a-configuration-file\"\u003eGenerate a configuration file\u003c/h2\u003e\n\u003cp\u003eRunning Leakwatch with defaults is fine for a first try, but for repeated use you will want a project-level configuration:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis writes \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e in the current directory with recommended defaults for concurrency, entropy, verification, output format, and common path exclusions. Use \u003ccode\u003e--force\u003c/code\u003e to overwrite an existing file, or \u003ccode\u003e--output\u003c/code\u003e to write to a different path.\u003c/p\u003e\n\u003cp\u003eSee \u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e for a full explanation of every option.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses distinct exit codes so CI scripts can act on results without parsing output:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — no findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed — one or more secrets found\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed due to an error\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA typical CI gate looks like:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Active secrets found — failing build\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is returned whenever \u003cem\u003eany\u003c/em\u003e finding passes the active filters (including \u003ccode\u003e--min-severity\u003c/code\u003e and \u003ccode\u003e--only-verified\u003c/code\u003e). A clean exit code \u003ccode\u003e0\u003c/code\u003e means no findings matched — not that no secrets exist in the codebase.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cancelling-a-scan\"\u003eCancelling a scan\u003c/h2\u003e\n\u003cp\u003ePress \u003ccode\u003eCtrl+C\u003c/code\u003e (or send \u003ccode\u003eSIGTERM\u003c/code\u003e) to cancel a running scan. Leakwatch stops gracefully: in-flight chunks finish, partial results are written, and the summary indicates \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eHow It Works\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Output Formats","description":"The four output formats Leakwatch supports — JSON, SARIF, CSV, and table — with examples and guidance on when to use each.","html":"\u003ch1 id=\"output-formats\"\u003eOutput Formats\u003c/h1\u003e\n\u003cp\u003eLeakwatch supports four output formats, covering machine-readable pipelines, security tooling integrations, spreadsheet exports, and human-readable terminal review. Select a format with \u003ccode\u003e--format\u003c/code\u003e (or \u003ccode\u003e-f\u003c/code\u003e); write to a file instead of stdout with \u003ccode\u003e--output\u003c/code\u003e (or \u003ccode\u003e-o\u003c/code\u003e).\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe default format is \u003ccode\u003ejson\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON is the default format and the most complete representation. Leakwatch writes a JSON \u003cstrong\u003earray\u003c/strong\u003e of finding objects to stdout (or to the file given by \u003ccode\u003e--output\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003eThe raw secret value is \u003cstrong\u003enever\u003c/strong\u003e serialized unless \u003ccode\u003e--show-raw\u003c/code\u003e is explicitly set. With \u003ccode\u003e--show-raw\u003c/code\u003e, a \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e field is added to each object.\u003c/p\u003e\n\u003ch3 id=\"example-invocation\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-finding-object\"\u003eExample finding object\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--remediation\u003c/code\u003e is also set, a \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e object is nested inside each finding. See \u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003esarif\u003c/code\u003e format produces a SARIF v2.1.0 document, designed for upload to \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e. The tool name is \u003ccode\u003eLeakwatch\u003c/code\u003e and \u003ccode\u003einformationUri\u003c/code\u003e points to \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eEach detector that appears in the findings becomes a \u003cstrong\u003erule\u003c/strong\u003e in the SARIF driver, complete with \u003ccode\u003ehelp\u003c/code\u003e text (populated from remediation steps when \u003ccode\u003e--remediation\u003c/code\u003e is set) and a \u003ccode\u003ehelpUri\u003c/code\u003e pointing to the provider documentation. Results carry a \u003ccode\u003eleakwatch/v1\u003c/code\u003e partial fingerprint computed from the detector ID, redacted value, and file path — this lets GitHub Code Scanning track the same alert even when surrounding code shifts.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-1\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"uploading-to-github-code-scanning\"\u003eUploading to GitHub Code Scanning\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# In a GitHub Actions workflow step:\n- name: Upload SARIF results\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSee \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e for the full CI setup.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003ecsv\u003c/code\u003e format writes a header row followed by one row per finding, using standard comma-separated values. Every cell is sanitized against spreadsheet formula injection before writing.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns (default):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eraw\u003c/code\u003e column is appended.\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003eremediation\u003c/code\u003e column contains the remediation title (e.g. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) when \u003ccode\u003e--remediation\u003c/code\u003e is set, and is empty otherwise.\u003c/p\u003e\n\u003ch3 id=\"example-invocation-2\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"table\"\u003eTable\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003etable\u003c/code\u003e format writes a human-readable tab-aligned table, best suited for interactive terminal sessions where you want a quick visual scan of the results.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eColumns:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eWhen \u003ccode\u003e--show-raw\u003c/code\u003e is set, a trailing \u003ccode\u003eRAW\u003c/code\u003e column is appended. A summary line is printed at the bottom of the table (e.g. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI color\u003c/strong\u003e is applied to the \u003ccode\u003eSEVERITY\u003c/code\u003e column automatically, but only when all four conditions are met:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e is selected\u003c/li\u003e\n\u003cli\u003eOutput goes to stdout (no \u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003estdout is a TTY (not a pipe or redirect)\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNO_COLOR\u003c/code\u003e environment variable is unset\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeverity\u003c/th\u003e\n\u003cth\u003eColor\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBold red\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRed\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYellow\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBlue\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"example-invocation-3\"\u003eExample invocation\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"example-output-1\"\u003eExample output\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"common-output-flags\"\u003eCommon output flags\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (default \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite to file instead of stdout\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eInclude unredacted secret value in output\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eDrop findings below this severity level\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eKeep only \u003ccode\u003everified_active\u003c/code\u003e findings\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eEnrich findings with provider remediation guidance\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eRemediation Guidance\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Remediation Guidance","description":"Use --remediation to enrich findings with provider-specific rotation and revocation steps, urgency ratings, and official documentation links.","html":"\u003ch1 id=\"remediation-guidance\"\u003eRemediation Guidance\u003c/h1\u003e\n\u003cp\u003eKnowing a secret is leaked is only half the work — you also need to know what to do about it. Passing \u003ccode\u003e--remediation\u003c/code\u003e to any scan command enriches each finding with structured, provider-specific guidance: the steps to rotate or revoke the credential, a link to the provider's documentation, a link to the management console, an urgency rating, and a verification checklist.\u003c/p\u003e\n\u003ch2 id=\"how-to-enable-it\"\u003eHow to enable it\u003c/h2\u003e\n\u003cp\u003eAdd \u003ccode\u003e--remediation\u003c/code\u003e to any scan command:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRemediation enrichment is disabled by default. When the flag is absent, the \u003ccode\u003eremediation\u003c/code\u003e field in each finding is \u003ccode\u003enull\u003c/code\u003e and no extra data is fetched or computed.\u003c/p\u003e\n\u003ch2 id=\"what-it-contains\"\u003eWhat it contains\u003c/h2\u003e\n\u003cp\u003eEach remediation entry includes the following fields:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShort name of the remediation action (e.g. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOrdered list of steps to rotate or revoke the secret\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLink to the provider's official credential-management documentation\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDirect link to the provider's management console page\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHow quickly to act: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e, or \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePost-rotation verification steps (e.g. review audit logs, notify the security team)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch ships 63 remediation entries — one for every built-in detector. All 63 entries are included in the binary; no network calls are made to fetch guidance.\u003c/p\u003e\n\u003ch2 id=\"how-it-appears-in-each-format\"\u003eHow it appears in each format\u003c/h2\u003e\n\u003cp\u003eEnrichment adds the guidance to the finding object in memory. How it surfaces depends on the output format:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — the full structured \u003ccode\u003eremediation\u003c/code\u003e object is nested inside each finding:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — the \u003ccode\u003esteps\u003c/code\u003e are embedded in the rule's \u003ccode\u003ehelp.text\u003c/code\u003e field, and \u003ccode\u003edoc_url\u003c/code\u003e is set as the rule's \u003ccode\u003ehelpUri\u003c/code\u003e. This surfaces directly in GitHub Code Scanning's alert details panel.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is written to the \u003ccode\u003eremediation\u003c/code\u003e column. The full structured guidance is not included in the CSV output.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTable\u003c/strong\u003e — only the remediation \u003ccode\u003etitle\u003c/code\u003e is shown in the \u003ccode\u003eREMEDIATION\u003c/code\u003e column.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--remediation --format json\u003c/code\u003e when you need the full structured guidance for automated incident-response workflows. Use \u003ccode\u003e--remediation --format table\u003c/code\u003e for a quick human-readable triage session in the terminal.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEnrichment runs only when \u003ccode\u003e--remediation\u003c/code\u003e is set. Without the flag, the \u003ccode\u003eremediation\u003c/code\u003e field is absent from JSON and SARIF output, and the CSV and table \u003ccode\u003eremediation\u003c/code\u003e columns are empty. The flag does not modify the original scan results — it adds a layer on top.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Reference","description":"Complete reference for every Leakwatch command, subcommand, and flag.","html":"\u003ch1 id=\"cli-reference\"\u003eCLI Reference\u003c/h1\u003e\n\u003cp\u003eThis page is the authoritative reference for all Leakwatch commands and flags. For conceptual explanations and worked examples, follow the cross-links to the relevant scanning or configuration pages.\u003c/p\u003e\n\u003ch2 id=\"global-flags\"\u003eGlobal flags\u003c/h2\u003e\n\u003cp\u003eThese flags are available on every command and subcommand.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eauto-discovered \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a configuration file. When omitted, Leakwatch searches the current directory and its parents for \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLogging verbosity: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e, or \u003ccode\u003eerror\u003c/code\u003e. Log output goes to stderr and does not affect scan results.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003ePrints the binary version, commit hash, and build timestamp, then exits.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGenerates a \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e configuration file in the current directory with recommended defaults.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWrite the config file to this path instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOverwrite an existing config file. Without this flag, \u003ccode\u003einit\u003c/code\u003e exits with an error if the output file already exists.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Generate the default config\nleakwatch init\n\n# Overwrite an existing config\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eParent command for all scan subcommands. Has no behavior on its own; run a subcommand.\u003c/p\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003cp\u003eThe following flags are available on \u003cstrong\u003eall\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e subcommands.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file path instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files or blobs larger than this number of bytes.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw (unredacted) secret value in output. Use with caution.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable live secret verification. No outbound API calls are made.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings that Leakwatch has confirmed are active via live verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to include in output: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, or \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance (rotation/revocation steps) to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans a local directory tree.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e defaults to \u003ccode\u003e.\u003c/code\u003e. Accepts at most one positional argument.\u003c/p\u003e\n\u003ch4 id=\"filesystem-specific-flags\"\u003eFilesystem-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob pattern for paths to exclude. Repeatable.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory, print a colorized table\nleakwatch scan fs . --format table\n\n# Save SARIF output, exclude test files and vendor\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the full commit history of a local or remote Git repository.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required: a local path or an HTTP/HTTPS/SSH URL.\u003c/p\u003e\n\u003ch4 id=\"git-specific-flags\"\u003eGit-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default branch.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eShallow clone depth for remote repositories. \u003ccode\u003e0\u003c/code\u003e fetches the full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-1\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan full local history\nleakwatch scan git . --format table\n\n# Scan only commits added by a pull request\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans the layers of an OCI/Docker image for secrets. Leakwatch is daemonless and pulls directly from the registry — no Docker socket is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"examples-2\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a public image\nleakwatch scan image nginx:latest --format table\n\n# Scan a private registry image and save JSON output\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in an AWS S3 bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"s3-specific-flags\"\u003eS3-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket. Falls back to \u003ccode\u003eAWS_REGION\u003c/code\u003e environment variable or the AWS SDK default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-3\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire bucket\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Scan only a specific prefix\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans objects in a Google Cloud Storage bucket.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExactly one positional argument is required.\u003c/p\u003e\n\u003ch4 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eLimit the scan to objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID. Required when the bucket's project cannot be inferred from the default credentials.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-4\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan an entire GCS bucket\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Scan a prefix\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans message text in a Slack workspace.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNo positional arguments.\u003c/p\u003e\n\u003ch4 id=\"slack-specific-flags\"\u003eSlack-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token. Can also be set via \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to scan. Scans all accessible channels when omitted.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names or IDs to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only messages posted after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude direct messages (requires additional OAuth scopes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-5\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan all accessible channels\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Scan specific channels since a date\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eScans multiple Git repositories in parallel.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [flags]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eRequires at least two positional arguments (repository URLs or local paths).\u003c/p\u003e\n\u003ch4 id=\"repos-specific-flags\"\u003eRepos-specific flags\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan concurrently.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eWorker concurrency within each repository scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"examples-6\"\u003eExamples\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan two repositories in parallel\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Increase parallelism for a large set of repos\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eExit Codes\u003c/a\u003e — how exit codes map to scan outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eEnvironment Variables\u003c/a\u003e — configure Leakwatch without flags.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem Scanning\u003c/a\u003e — detailed \u003ccode\u003escan fs\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — detailed \u003ccode\u003escan git\u003c/code\u003e guide.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Environment Variables","description":"Environment variables that configure Leakwatch behavior without flags.","html":"\u003ch1 id=\"environment-variables\"\u003eEnvironment Variables\u003c/h1\u003e\n\u003cp\u003eLeakwatch reads configuration from three sources in priority order: \u003cstrong\u003ecommand-line flags\u003c/strong\u003e override \u003cstrong\u003eenvironment variables\u003c/strong\u003e, which override the \u003cstrong\u003econfig file\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e), which falls back to built-in \u003cstrong\u003edefaults\u003c/strong\u003e. Environment variables are useful in CI environments where you cannot modify a config file or pass flags to every invocation.\u003c/p\u003e\n\u003ch2 id=\"configuration-variable-pattern\"\u003eConfiguration variable pattern\u003c/h2\u003e\n\u003cp\u003eAny key from \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e can be set as an environment variable by:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eUppercasing the key name.\u003c/li\u003e\n\u003cli\u003eReplacing \u003ccode\u003e.\u003c/code\u003e and \u003ccode\u003e-\u003c/code\u003e with \u003ccode\u003e_\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrepending \u003ccode\u003eLEAKWATCH_\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor example, the config key \u003ccode\u003escan.concurrency\u003c/code\u003e becomes \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"variable-reference\"\u003eVariable reference\u003c/h2\u003e\n\u003ch3 id=\"leakwatch-specific-variables\"\u003eLeakwatch-specific variables\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack bot token for \u003ccode\u003escan slack\u003c/code\u003e. Equivalent to \u003ccode\u003e--token\u003c/code\u003e. Set this instead of passing the token as a flag to avoid it appearing in shell history or CI logs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent scan workers. Equivalent to \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSet to \u003ccode\u003efalse\u003c/code\u003e to disable live verification globally. Equivalent to \u003ccode\u003e--no-verify\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum verification requests per second across all verifiers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault output format (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, or \u003ccode\u003etable\u003c/code\u003e). Equivalent to \u003ccode\u003e--format\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum Shannon entropy for a match to be reported. Float value, e.g. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"display-variable\"\u003eDisplay variable\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWhen set to any non-empty value, disables ANSI color codes in the \u003ccode\u003etable\u003c/code\u003e output formatter. Follows the \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e convention.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-variables-for-scan-s3-and-aws-secret-verification\"\u003eAWS variables (for \u003ccode\u003escan s3\u003c/code\u003e and AWS secret verification)\u003c/h3\u003e\n\u003cp\u003eThese are standard AWS SDK environment variables. Leakwatch passes them through to the AWS SDK v2 default credential chain.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS access key ID.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS secret access key.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS session token (for temporary credentials).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDefault AWS region.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNamed profile from \u003ccode\u003e~/.aws/credentials\u003c/code\u003e to use.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-variable-for-scan-gcs\"\u003eGCS variable (for \u003ccode\u003escan gcs\u003c/code\u003e)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eVariable\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePath to a Google service-account JSON key file. Used by Application Default Credentials when scanning a GCS bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"precedence-example\"\u003ePrecedence example\u003c/h2\u003e\n\u003cp\u003eGiven this setup:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e sets \u003ccode\u003eoutput.format: table\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e is set in the environment\u003c/li\u003e\n\u003cli\u003eThe command is run as \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e (no \u003ccode\u003e--format\u003c/code\u003e flag)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe effective format is \u003ccode\u003ejson\u003c/code\u003e because the environment variable overrides the config file.\u003c/p\u003e\n\u003cp\u003eIf the command is run as \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e, the effective format is \u003ccode\u003esarif\u003c/code\u003e because the flag overrides everything.\u003c/p\u003e\n\u003ch2 id=\"credentials-for-verification-vs-credentials-for-scanning\"\u003eCredentials for verification vs. credentials for scanning\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eThe AWS and GCP variables above are consumed to \u003cstrong\u003eauthenticate Leakwatch itself\u003c/strong\u003e when it connects to S3 or GCS to retrieve objects for scanning. They are not used to verify found secrets. Verification of a discovered AWS key, for example, uses that discovered key itself to call AWS STS — not the runner's credentials.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"passing-secrets-safely-in-ci\"\u003ePassing secrets safely in CI\u003c/h2\u003e\n\u003cp\u003eIn GitHub Actions, use encrypted secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eIn GitLab CI, use masked CI/CD variables:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # defined as a masked variable in project settings\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eNever hard-code token values in workflow files or Dockerfiles.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration File\u003c/a\u003e — full \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e key reference.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eCloud Storage Scanning\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e and \u003ccode\u003escan gcs\u003c/code\u003e credentials.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Scanning\u003c/a\u003e — Slack token scopes and permissions.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — equivalent command-line flags.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Exit Codes","description":"Leakwatch exit code reference and how to use them in scripts and CI pipelines.","html":"\u003ch1 id=\"exit-codes\"\u003eExit Codes\u003c/h1\u003e\n\u003cp\u003eLeakwatch uses a small, well-defined set of exit codes so that CI pipelines and shell scripts can act on scan results without parsing output. Every scan subcommand exits with one of three codes.\u003c/p\u003e\n\u003ch2 id=\"code-reference\"\u003eCode reference\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eName\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eClean\u003c/td\u003e\n\u003ctd\u003eThe scan completed successfully and no findings passed the active filters.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFindings\u003c/td\u003e\n\u003ctd\u003eThe scan completed and one or more secrets were found (and passed the active filters).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eError\u003c/td\u003e\n\u003ctd\u003eA hard error occurred — for example, an invalid flag, an unreadable path, or an authentication failure. An \u003ccode\u003eError: ...\u003c/code\u003e message and a usage hint are printed to stderr.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"how-filters-affect-exit-code-1\"\u003eHow filters affect exit code 1\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e1\u003c/code\u003e is only emitted when at least one finding survives all active output filters. The two most relevant filters are:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — findings below the threshold are suppressed. If all findings are \u003ccode\u003elow\u003c/code\u003e severity and you run with \u003ccode\u003e--min-severity high\u003c/code\u003e, exit code \u003ccode\u003e0\u003c/code\u003e is returned even though secrets exist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — only findings confirmed active by live verification are reported. If no active secrets are found, exit code \u003ccode\u003e0\u003c/code\u003e is returned.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis means exit code \u003ccode\u003e0\u003c/code\u003e means \u0026quot;no findings matched your current filter settings\u0026quot; — not necessarily that the codebase contains no secrets at all.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eA clean \u003ccode\u003e0\u003c/code\u003e exit under \u003ccode\u003e--only-verified\u003c/code\u003e does not guarantee the codebase is secret-free. Secrets for which verification is unavailable (9 detector types) are always reported as unverified and are suppressed by \u003ccode\u003e--only-verified\u003c/code\u003e. Pair \u003ccode\u003e--only-verified\u003c/code\u003e with a separate unfiltered scan if you need full coverage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"using-exit-codes-in-shell-scripts\"\u003eUsing exit codes in shell scripts\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;No secrets found. Build continues.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Secrets found — review leakwatch.json and remediate before merging.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch encountered an error (exit $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eset +e\u003c/code\u003e before the scan prevents the shell from exiting on non-zero codes, giving you the chance to capture and handle the code yourself.\u003c/p\u003e\n\u003ch2 id=\"using-exit-codes-in-ci-pipelines\"\u003eUsing exit codes in CI pipelines\u003c/h2\u003e\n\u003cp\u003eMost CI systems treat any non-zero exit code as a step failure. Since Leakwatch exits \u003ccode\u003e1\u003c/code\u003e when secrets are found, the pipeline fails automatically without any extra configuration — simply run the scan command.\u003c/p\u003e\n\u003cp\u003eTo allow the pipeline to continue even when secrets are found (for example, to collect the report without blocking the build), explicitly ignore the exit code:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in GitLab CI:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOr, in the GitHub Action, set \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"exit-code-2-in-practice\"\u003eExit code 2 in practice\u003c/h2\u003e\n\u003cp\u003eExit code \u003ccode\u003e2\u003c/code\u003e indicates a configuration or runtime error that prevented the scan from running at all. Common causes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn invalid flag value (for example, \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA path that does not exist or is not readable.\u003c/li\u003e\n\u003cli\u003eA missing required argument (for example, \u003ccode\u003escan git\u003c/code\u003e with no URL).\u003c/li\u003e\n\u003cli\u003eAn authentication error when connecting to a cloud source.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe error message is printed to stderr and includes context to help diagnose the problem:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eOther CI Systems\u003c/a\u003e — how to wire exit codes into GitLab CI, Jenkins, and others.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — how the official action maps exit codes to step outcomes.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Cloud Storage (S3 \u0026 GCS)","description":"Scan AWS S3 and Google Cloud Storage buckets for leaked secrets.","html":"\u003ch1 id=\"cloud-storage-s3--gcs\"\u003eCloud Storage (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSecrets regularly end up in cloud storage — exported database dumps, environment files, CI artefacts, and log archives all flow into buckets that may be readable by more people than intended. Leakwatch can scan AWS S3 and Google Cloud Storage buckets object-by-object and flag any secrets it finds before they become an incident.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"usage\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003es3://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses the standard \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS default credential chain\u003c/a\u003e:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eEnvironment variables (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared credentials file (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eShared configuration file (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIAM role attached to the instance or task (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNo additional configuration is required if you are already authenticated with the AWS CLI (\u003ccode\u003eaws configure\u003c/code\u003e or an assumed role).\u003c/p\u003e\n\u003ch3 id=\"s3-specific-flags\"\u003eS3-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose key starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eFrom AWS config\u003c/td\u003e\n\u003ctd\u003eAWS region of the bucket.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-examples\"\u003eS3 examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific key prefix in a given region:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--prefix\u003c/code\u003e to limit the scan to a relevant sub-path. Scanning a large bucket with millions of objects can be slow and may incur S3 GET request costs. Narrow the prefix to what actually matters — for example \u003ccode\u003econfigs/\u003c/code\u003e or \u003ccode\u003eexports/\u003c/code\u003e.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"usage-1\"\u003eUsage\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: the \u003cstrong\u003ebucket name\u003c/strong\u003e (without the \u003ccode\u003egs://\u003c/code\u003e prefix). The scan target is displayed as \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"authentication-1\"\u003eAuthentication\u003c/h3\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e. The credential search order is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e environment variable pointing to a service-account key file.\u003c/li\u003e\n\u003cli\u003eUser credentials set up by \u003ccode\u003egcloud auth application-default login\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eService account attached to a Google Compute Engine instance, Cloud Run service, or GKE workload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcs-specific-flags\"\u003eGCS-specific flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only objects whose name starts with this prefix.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP project ID (required by some ADC configurations).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-examples\"\u003eGCS examples\u003c/h3\u003e\n\u003cp\u003eScan an entire bucket with a specific GCP project:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only objects under a specific prefix:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOutput as CSV:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h2\u003e\n\u003cp\u003eBoth \u003ccode\u003es3\u003c/code\u003e and \u003ccode\u003egcs\u003c/code\u003e support the same common scan flags:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip objects larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions (applied to object keys) are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (authentication error, bucket not found, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Container Images","description":"Scan OCI and Docker image layers for leaked secrets without a Docker daemon.","html":"\u003ch1 id=\"container-images\"\u003eContainer Images\u003c/h1\u003e\n\u003cp\u003eContainer images are a common hiding place for secrets: API keys baked into environment variables, credentials embedded in build layers, and configuration files copied into image layers and then forgotten. \u003ccode\u003eleakwatch scan image\u003c/code\u003e inspects every layer of an OCI or Docker image and surfaces those secrets before the image is deployed.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: an image reference in standard \u003ccode\u003ename:tag\u003c/code\u003e notation. Leakwatch uses \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e to pull and inspect images \u003cstrong\u003edaemonlessly\u003c/strong\u003e — no running Docker daemon is required.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan a Docker Hub image\nleakwatch scan image nginx:latest\n\n# Scan a private GitHub Container Registry image\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Scan an Amazon ECR image\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"supported-registries\"\u003eSupported registries\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eRegistry\u003c/th\u003e\n\u003cth\u003eExample reference\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAny OCI-compatible registry\u003c/td\u003e\n\u003ctd\u003eStandard \u003ccode\u003eregistry/name:tag\u003c/code\u003e form\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eLeakwatch uses the standard credential keychain used by Docker and other OCI tools. If you are already authenticated via \u003ccode\u003edocker login\u003c/code\u003e (or an equivalent tool such as \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, or cloud-provider credential helpers), Leakwatch will use those credentials automatically.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Log in to GHCR first\ndocker login ghcr.io\n\n# Then scan — credentials are picked up automatically\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor Amazon ECR, configure the ECR credential helper or set \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e and related environment variables before scanning.\u003c/p\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch pulls the image manifest, iterates over each layer in order, and extracts the files within each layer. Each file's content is run through the same detection pipeline as a filesystem scan. Path exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply here, limiting which file paths inside layers are examined.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003cp\u003eThere are no image-specific flags. All common scan flags apply:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath-based exclusions are configured in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e for details.\u003c/p\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan a Docker Hub image and print results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a private registry image and save SARIF output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan and show only verified active secrets:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eInclude remediation guidance in JSON output:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from an image scan includes layer metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe image reference that was scanned.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe layer digest where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe path of the file within the layer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIntegrate container image scanning into your CI/CD pipeline's build stage to catch secrets before the image is pushed to a registry. Use \u003ccode\u003e--format sarif\u003c/code\u003e to upload results directly to GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (image not found, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan a local directory tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure exclusions and other defaults.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Filesystem","description":"Scan a local directory tree for leaked secrets with leakwatch scan fs.","html":"\u003ch1 id=\"filesystem\"\u003eFilesystem\u003c/h1\u003e\n\u003cp\u003eLocal source code is where secrets most often appear first. The \u003ccode\u003eleakwatch scan fs\u003c/code\u003e command walks every file in a directory tree, runs the full detection pipeline on each one, and reports any findings before they can be committed — or after the fact on an existing codebase.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e is optional. When omitted, Leakwatch scans the current working directory (\u003ccode\u003e.\u003c/code\u003e). Only one path argument is accepted.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the current directory\nleakwatch scan fs\n\n# Scan a specific project folder\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"what-the-filesystem-source-skips-automatically\"\u003eWhat the filesystem source skips automatically\u003c/h2\u003e\n\u003cp\u003eTo keep scans fast and noise-free, the filesystem source skips the following without any configuration:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBinary files\u003c/strong\u003e — detected by the presence of a null byte in the first 8 KB of the file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKnown binary extensions\u003c/strong\u003e — common compiled, image, audio, video, and archive formats.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLock files\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e, and similar.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"filesystem-specific\"\u003eFilesystem-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (repeatable)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGlob patterns for paths to exclude. Can be repeated or comma-separated.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip files larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the current directory and print a colorized table to the terminal:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude test files and vendor directories, then save SARIF output for GitHub Code Scanning:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eLimit file size to 5 MB and increase worker count for a large monorepo:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eShow only high-severity findings and include rotation instructions:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"excluding-paths\"\u003eExcluding paths\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003e--exclude\u003c/code\u003e flag accepts glob patterns and can be specified multiple times or as a comma-separated list:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Two separate flags\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Comma-separated\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eFor permanent exclusion rules shared across your team, add them to \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e under \u003ccode\u003efilter.exclude-paths\u003c/code\u003e. Those rules apply to every source, not just filesystem scans. You can also create a \u003ccode\u003e.leakwatchignore\u003c/code\u003e file in your project root. See \u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e and \u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (configuration error, unreadable path, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary (source type, target, file count, duration, and finding count) is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eRun \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e during development to get a quick visual overview. Switch to \u003ccode\u003e--format sarif\u003c/code\u003e in CI pipelines to integrate with GitHub Code Scanning.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure default format, exclusions, and more.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e and inline suppression.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history, not just the working tree.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git History","description":"Scan the full commit history of a local or remote Git repository for leaked secrets.","html":"\u003ch1 id=\"git-history\"\u003eGit History\u003c/h1\u003e\n\u003cp\u003eA secret that was committed and then deleted is still present in every earlier commit, reachable to anyone with repository access. \u003ccode\u003eleakwatch scan git\u003c/code\u003e walks the \u003cem\u003eentire\u003c/em\u003e commit history of a repository — local or remote — and surfaces those secrets before they can be exploited.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command takes exactly one argument: either a \u003cstrong\u003elocal filesystem path\u003c/strong\u003e to a repository (\u003ccode\u003e.\u003c/code\u003e for the current directory) or a \u003cstrong\u003eremote HTTP/HTTPS or SSH URL\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch uses \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e for all Git operations — a pure Go implementation with no dependency on a system \u003ccode\u003egit\u003c/code\u003e binary.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Scan the local repository in the current directory\nleakwatch scan git .\n\n# Scan a remote repository over HTTPS\nleakwatch scan git https://github.com/org/repo.git\n\n# Scan over SSH\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-scans\"\u003eHow it scans\u003c/h2\u003e\n\u003cp\u003eLeakwatch walks every commit in the history and examines the blobs introduced by each commit. \u003cstrong\u003eBlob-hash deduplication\u003c/strong\u003e ensures that identical file content is scanned only once, no matter how many commits reference it. This keeps scan time proportional to the \u003cem\u003eunique content\u003c/em\u003e in the repository rather than to the raw commit count.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBecause Leakwatch examines commit-by-commit diffs, it finds secrets that were introduced and later deleted — content that is invisible in the current working tree.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"git-specific\"\u003eGit-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only commits after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan only changes from this commit hash to HEAD (diff-based).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTarget a specific branch instead of the default.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (full)\u003c/td\u003e\n\u003ctd\u003eClone depth for \u003cstrong\u003eremote repositories only\u003c/strong\u003e. \u003ccode\u003e0\u003c/code\u003e means full history.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan the full history of the local repository and print a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan only commits made after a specific date on the \u003ccode\u003edevelop\u003c/code\u003e branch:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan changes introduced since a specific commit (useful in CI to check only new commits):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDo a shallow clone of a large remote repository to speed up the initial scan:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan a remote repository and save verified findings only as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Git scan includes commit metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eURL or path of the scanned repository (credentials stripped).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit hash where the secret was introduced.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit author name and email.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit timestamp.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBranch context (when available).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUse \u003ccode\u003e--since-commit\u003c/code\u003e in pull-request CI jobs to scan only the commits added by the PR. Use \u003ccode\u003e--since \u0026lt;date\u0026gt;\u003c/code\u003e for scheduled nightly scans covering recent activity.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eWhen a repository URL contains embedded credentials (for example \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch strips those credentials before writing anything to logs or output, so the token never appears in scan results or CI traces.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (invalid URL, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eMultiple Repositories\u003c/a\u003e — scan several repositories in one command.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eFilesystem\u003c/a\u003e — scan the working tree instead of history.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Multiple Repositories","description":"Scan several Git repositories concurrently and combine results into a single report.","html":"\u003ch1 id=\"multiple-repositories\"\u003eMultiple Repositories\u003c/h1\u003e\n\u003cp\u003eWhen an organization grows, secrets can land in any of dozens or hundreds of repositories. Checking them one by one is impractical. \u003ccode\u003eleakwatch scan repos\u003c/code\u003e accepts multiple repository URLs and scans them concurrently, merging all findings into a single output — one command, one report.\u003c/p\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe command requires \u003cstrong\u003eat least two\u003c/strong\u003e repository URLs. All repositories are cloned, scanned, and cleaned up automatically. The combined finding count and a single scan summary are reported at the end.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"how-it-works\"\u003eHow it works\u003c/h2\u003e\n\u003cp\u003eLeakwatch spawns up to \u003ccode\u003e--parallel\u003c/code\u003e repository scans at once. Each repository is:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCloned from the provided URL (credentials are stripped from logs and output for safety).\u003c/li\u003e\n\u003cli\u003eScanned with the full detection pipeline, using \u003ccode\u003e--concurrency\u003c/code\u003e workers for that repository.\u003c/li\u003e\n\u003cli\u003eCleaned up (the temporary clone is deleted) once the scan completes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAll findings from all repositories are collected and written as a single output, as if the scan had been a single-source run. The displayed target is \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"multi-repo-specific\"\u003eMulti-repo-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNumber of repositories to scan in parallel.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers \u003cstrong\u003eper repository\u003c/strong\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eSkip blobs larger than this value (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003ePath exclusions from \u003ccode\u003efilter.exclude-paths\u003c/code\u003e in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e apply to all repositories. Root-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan two repositories and display results as a table:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan five repositories with higher parallelism and save the combined results as SARIF:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan with more workers per repository and show only verified findings:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tuning-parallelism\"\u003eTuning parallelism\u003c/h2\u003e\n\u003cp\u003eTwo knobs control throughput:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e controls how many repository clones and scans run simultaneously. The default of \u003ccode\u003e3\u003c/code\u003e is appropriate for most workloads. Raise it when network bandwidth and CPU headroom allow; lower it on constrained machines.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e) controls how many worker goroutines process file blobs \u003cem\u003ewithin\u003c/em\u003e each individual repository. This is the same flag available on all scan commands.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTotal concurrent operations at peak = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf one or more repository scans fail (for example, due to a network error or authentication failure), Leakwatch logs the error and continues scanning the remaining repositories. The exit code will be \u003ccode\u003e2\u003c/code\u003e if any individual repo scan failed, even if other repos produced findings.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"credential-safety\"\u003eCredential safety\u003c/h2\u003e\n\u003cp\u003eAny embedded credentials in repository URLs (e.g. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e) are stripped before the URL is written to logs, output, or the scan summary.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAll scans completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOne or more repository scans failed, or a configuration error occurred.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan a single repository in depth.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure shared defaults for all sources.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Workspace","description":"Scan Slack channel and DM message text for leaked secrets.","html":"\u003ch1 id=\"slack-workspace\"\u003eSlack Workspace\u003c/h1\u003e\n\u003cp\u003eDevelopers frequently share credentials in chat — a token pasted into a channel for a quick test, a password sent in a DM, or an API key mentioned in an incident thread. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e reads message text across your Slack workspace and flags any secrets it finds.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch scans \u003cstrong\u003emessage text only\u003c/strong\u003e. Scanning the contents of uploaded files (attachments, snippets) is not implemented. Only the text body of messages is analysed.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic usage\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThis command takes \u003cstrong\u003eno positional arguments\u003c/strong\u003e. All configuration is provided through flags or environment variables.\u003c/p\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cp\u003eA Slack Bot Token is required. Provide it via the \u003ccode\u003e--token\u003c/code\u003e flag or the \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e environment variable. Using an environment variable is recommended so the token never appears in shell history or process listings.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"required-bot-token-scopes\"\u003eRequired bot token scopes\u003c/h3\u003e\n\u003cp\u003eThe bot token must be associated with a Slack app that has the following OAuth scopes:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eScope\u003c/th\u003e\n\u003cth\u003ePurpose\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in public channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead messages in private channels the bot has joined.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRead group direct messages (required only with \u003ccode\u003e--include-dms\u003c/code\u003e).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ch3 id=\"slack-specific\"\u003eSlack-specific\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eType\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. Prefer \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e env var.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eall channels\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to scan.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eComma-separated list of channel names to skip.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eScan messages posted on or after this date.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAlso scan direct messages and group DMs.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaximum Slack API requests per second.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"common-scan-flags\"\u003eCommon scan flags\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eFlag\u003c/th\u003e\n\u003cth\u003eShort\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eWrite results to this file instead of stdout.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU count\u003c/td\u003e\n\u003ctd\u003eNumber of concurrent workers.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eInternal chunk size limit (bytes).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInclude the raw secret value in output.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDisable secret verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eReport only findings confirmed active by verification.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMinimum severity to report: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAttach remediation guidance to each finding.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eRoot-level flags \u003ccode\u003e--config\u003c/code\u003e and \u003ccode\u003e--log-level\u003c/code\u003e (default \u003ccode\u003ewarn\u003c/code\u003e) also apply.\u003c/p\u003e\n\u003ch2 id=\"examples\"\u003eExamples\u003c/h2\u003e\n\u003cp\u003eScan all channels the bot has access to, using an environment variable for the token:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eScan specific channels and limit to messages since the start of the year:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eExclude noisy channels and include direct messages:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eReduce the API request rate to avoid Slack rate-limit errors on large workspaces:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSave only verified active findings to a JSON file:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"finding-metadata\"\u003eFinding metadata\u003c/h2\u003e\n\u003cp\u003eEach finding from a Slack scan includes message and channel metadata:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eField\u003c/th\u003e\n\u003cth\u003eDescription\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe channel name where the finding was detected.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack message timestamp (unique message ID).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack user ID of the message author.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performance-considerations\"\u003ePerformance considerations\u003c/h2\u003e\n\u003cp\u003eSlack API requests are subject to rate limits enforced by Slack. The \u003ccode\u003e--rate-limit\u003c/code\u003e flag (default \u003ccode\u003e20\u003c/code\u003e requests/second) controls how aggressively Leakwatch makes requests. Lower this value if you see \u003ccode\u003e429 Too Many Requests\u003c/code\u003e errors, especially on large workspaces.\u003c/p\u003e\n\u003cp\u003eUse \u003ccode\u003e--channels\u003c/code\u003e to target specific channels rather than scanning the entire workspace on every run. Combine with \u003ccode\u003e--since\u003c/code\u003e to scan only recent messages incrementally.\u003c/p\u003e\n\u003ch2 id=\"exit-codes\"\u003eExit codes\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCode\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, no findings.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan completed, findings reported.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eScan failed (missing token, authentication error, etc.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eA scan summary is printed to stderr after every run. Scans cancel gracefully on SIGINT/SIGTERM.\u003c/p\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eQuick Start\u003c/a\u003e — run your first scan in under a minute.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfig File\u003c/a\u003e — configure defaults in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eIgnoring Findings\u003c/a\u003e — suppress known false positives.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — understand verification statuses.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit History\u003c/a\u003e — scan committed history for secrets.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Reference\u003c/a\u003e — full flag reference for all commands.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"How Verification Works","description":"How Leakwatch confirms whether a detected secret is still active, which verification modes it uses, and how to configure or disable verification.","html":"\u003ch1 id=\"how-verification-works\"\u003eHow Verification Works\u003c/h1\u003e\n\u003cp\u003eFinding a secret in a codebase is only half the story. A key that was rotated six months ago is noise; a key that is still live is an active incident. Verification is the step that draws that line — it takes each detected finding and, where possible, confirms whether the secret is currently valid at the provider.\u003c/p\u003e\n\u003ch2 id=\"from-detection-to-verification\"\u003eFrom detection to verification\u003c/h2\u003e\n\u003cp\u003eAfter the scan engine collects findings, the verifier pool picks them up. Each finding carries a \u003ccode\u003edetector_id\u003c/code\u003e; Leakwatch looks up whether a verifier is registered for that ID:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf a verifier exists, it runs and returns a status.\u003c/li\u003e\n\u003cli\u003eIf no verifier is registered for that detector type, the finding passes through unchanged with status \u003ccode\u003eunverified\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"two-verification-modes\"\u003eTwo verification modes\u003c/h2\u003e\n\u003cp\u003eNot all secrets can be verified the same way. Leakwatch uses two distinct approaches depending on what is safe for each credential type.\u003c/p\u003e\n\u003ch3 id=\"live-api-verification\"\u003eLive API verification\u003c/h3\u003e\n\u003cp\u003eFor approximately 49 detector types, Leakwatch makes a \u003cstrong\u003econtrolled, read-only API call\u003c/strong\u003e to the provider — for example, calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e for AWS keys or \u003ccode\u003eGET /user\u003c/code\u003e for GitHub tokens. The call uses only the minimum endpoint required to confirm identity; it never modifies data, creates resources, or triggers billing events.\u003c/p\u003e\n\u003cp\u003eIf the provider returns a success response, the finding is marked \u003ccode\u003everified_active\u003c/code\u003e. If the provider rejects the credential (for example with HTTP 401 or 403), the finding is marked \u003ccode\u003everified_inactive\u003c/code\u003e.\u003c/p\u003e\n\u003ch3 id=\"format-validation-only\"\u003eFormat validation only\u003c/h3\u003e\n\u003cp\u003eFor five credential types, no safe live check exists — the provider has no anonymous identity endpoint, or a real call would have side effects. For these, Leakwatch validates the structure of the credential without making any network request:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e fields present\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check only — a valid format proves nothing, result is always \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eEven when the format check passes, the result remains \u003ccode\u003eunverified\u003c/code\u003e. A structurally valid credential may be expired or revoked. These findings always require manual triage.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"verification-statuses\"\u003eVerification statuses\u003c/h2\u003e\n\u003cp\u003eEvery finding in Leakwatch output carries one of four statuses:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStatus\u003c/th\u003e\n\u003cth\u003eMeaning\u003c/th\u003e\n\u003cth\u003eRecommended action\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe secret was confirmed live by the provider.\u003c/td\u003e\n\u003ctd\u003eTreat as an active incident. Rotate immediately.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe provider rejected the credential.\u003c/td\u003e\n\u003ctd\u003eLikely already rotated. Review context and close.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo verifier exists for this type, or format validation returned no result, or verification was disabled.\u003c/td\u003e\n\u003ctd\u003eTriage manually; context determines risk.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eThe verifier ran but encountered a network error, timeout, or unexpected response.\u003c/td\u003e\n\u003ctd\u003eTreat as potentially active. Retry or triage manually.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"the-verification-engine\"\u003eThe verification engine\u003c/h2\u003e\n\u003cp\u003eVerification runs in a dedicated concurrent worker pool, isolated from the scan worker pool. The defaults are conservative to avoid triggering provider rate limits:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSetting\u003c/th\u003e\n\u003cth\u003eDefault\u003c/th\u003e\n\u003cth\u003eConfig key\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eWorker count\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal rate limit\u003c/td\u003e\n\u003ctd\u003e10 requests/second\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003ePer-request timeout\u003c/td\u003e\n\u003ctd\u003e10 s\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eAll three values are tunable under the \u003ccode\u003everification:\u003c/code\u003e block in \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # requests per second (global)\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eTip\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eIf you are scanning a repository that triggers hundreds of findings, consider lowering \u003ccode\u003erate-limit\u003c/code\u003e to 5 or enabling \u003ccode\u003e--only-verified\u003c/code\u003e to keep the verified-active set small and actionable.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"controlling-verification-at-the-command-line\"\u003eControlling verification at the command line\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eDisable verification entirely\u003c/strong\u003e with \u003ccode\u003e--no-verify\u003c/code\u003e (or set \u003ccode\u003everification.enabled: false\u003c/code\u003e in config). Every finding passes through as \u003ccode\u003eunverified\u003c/code\u003e. Use this for offline or air-gapped environments, or when you want the fastest possible scan without touching any provider API.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eShow only confirmed-live secrets\u003c/strong\u003e with \u003ccode\u003e--only-verified\u003c/code\u003e. Everything that is not \u003ccode\u003everified_active\u003c/code\u003e is dropped from the output. This is the fastest way to triage a large result set — you see only the keys you must act on now.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eWarning\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e silently drops \u003ccode\u003eunverified\u003c/code\u003e and \u003ccode\u003everify_error\u003c/code\u003e findings. Do not use it as your sole filter in a compliance context — some credential types (JWTs, generic API keys, private keys) can never be verified and would always be excluded.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"secret-safety\"\u003eSecret safety\u003c/h2\u003e\n\u003cp\u003eVerification is designed so that the raw secret value never leaves the process boundary in an unsafe way:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eVerifiers pass the secret directly to the provider's HTTP endpoint over TLS — it is never written to disk, emitted to a log, or cached between runs.\u003c/li\u003e\n\u003cli\u003eA verifier that fails to initialise or encounters a panic is caught by the engine, which marks the finding \u003ccode\u003everify_error\u003c/code\u003e and continues rather than crashing the scan.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eVerification Coverage\u003c/a\u003e — which detector types are live-verified, format-validated, or not verifiable at all.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eConfiguration: Config File\u003c/a\u003e — full reference for the \u003ccode\u003everification:\u003c/code\u003e block.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eOutput Formats\u003c/a\u003e — how the verification status appears in JSON, SARIF, CSV, and table output.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Verification Coverage","description":"Which of the 63 built-in detectors are live-verified, format-validated only, or not verifiable — and what that means for triage.","html":"\u003ch1 id=\"verification-coverage\"\u003eVerification Coverage\u003c/h1\u003e\n\u003cp\u003eLeakwatch ships 63 built-in detectors and 54 verifiers, giving a coverage rate of \u003cstrong\u003e85.7%\u003c/strong\u003e (54 of 63 detector types have some form of verification). This page maps every detector to its verification status so you know what to expect in your output.\u003c/p\u003e\n\u003ch2 id=\"live-verified-49-detector-types\"\u003eLive-verified (49 detector types)\u003c/h2\u003e\n\u003cp\u003eFor these types, Leakwatch makes a controlled, read-only API call to the provider and returns \u003ccode\u003everified_active\u003c/code\u003e or \u003ccode\u003everified_inactive\u003c/code\u003e. No data is created or modified; the call uses the minimum endpoint needed to confirm identity.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector type\u003c/th\u003e\n\u003cth\u003eProvider\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"format-validated-only-5-detector-types\"\u003eFormat-validated only (5 detector types)\u003c/h2\u003e\n\u003cp\u003eThese verifiers run entirely offline. No network request is made. Because a valid format does not prove a credential is active, all five always return \u003ccode\u003eunverified\u003c/code\u003e regardless of whether the format check passes or fails.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eWhat is validated\u003c/th\u003e\n\u003cth\u003eWhy no live check\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON structure (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eLive check requires a GCP OAuth2 token exchange, which has side effects\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL parsed successfully\u003c/td\u003e\n\u003ctd\u003eNo public unauthenticated health endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePassword length and host substring check\u003c/td\u003e\n\u003ctd\u003eLive check requires a JDBC/ODBC database connection\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eRequires per-account HMAC signing; no generic identity endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat check\u003c/td\u003e\n\u003ctd\u003eClient credential flow would create sessions\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"not-verifiable-9-detector-types\"\u003eNot verifiable (9 detector types)\u003c/h2\u003e\n\u003cp\u003eThese detector types have no verifier at all. Findings from them are always \u003ccode\u003eunverified\u003c/code\u003e. This is \u003cstrong\u003enot\u003c/strong\u003e because they are unimportant — they are detected and reported in full — but because no public verification API exists, or because any verification attempt would have side effects.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDetector ID\u003c/th\u003e\n\u003cth\u003eReason\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eA JWT can be issued by any party; there is no universal validation endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo provider to call; active use cannot be detected remotely\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eUnknown provider by definition\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would create sessions on the target database\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConnecting would open a live connection to the Redis instance\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNo safe read-only FTP probe\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind would create an authenticated session\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eConfirming a webhook is active requires sending a message\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token validation requires knowing the Vault endpoint\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNote\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Not verifiable\u0026quot; does not mean \u0026quot;not found\u0026quot;. All 9 of these types are still detected and appear in your output. They require manual triage to determine whether the credential is live and whether it needs rotation.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"coverage-summary\"\u003eCoverage summary\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eCategory\u003c/th\u003e\n\u003cth\u003eCount\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eLive-verified\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eFormat-validated only\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eNot verifiable\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eTotal detectors\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eVerifiers (any coverage)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (85.7%)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"see-also\"\u003eSee also\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eHow Verification Works\u003c/a\u003e — the two verification modes, statuses, and the verification engine.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDetector Catalog\u003c/a\u003e — the full list of built-in detectors with severities.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; diff --git a/site/js/manuals/tr.js b/site/js/manuals/tr.js index 8153453..93148ce 100644 --- a/site/js/manuals/tr.js +++ b/site/js/manuals/tr.js @@ -1,3 +1,3 @@ // Generated by tools/site-build. Do not edit by hand. window.LW_MANUAL = window.LW_MANUAL || {}; -window.LW_MANUAL["tr"] = {"ci-cd/docker-usage":{"title":"Docker Kullanımı","description":"Resmi Docker imajını kullanarak Leakwatch taramalarını bir konteyner içinde çalıştırın.","html":"\u003ch1 id=\"docker-kullanm\"\u003eDocker Kullanımı\u003c/h1\u003e\n\u003cp\u003eResmi Leakwatch konteyner imajı, ana makineye herhangi bir şey kurmadan tarama yapmanızı sağlar. İmaj \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e ile statik olarak derlenmiş ve root olmayan bir kullanıcı olarak çalışır; bu nedenle kilitli CI ortamlarında ve ana sistemi değiştirmek istemediğiniz paylaşımlı makinelerde güvenle kullanılabilir.\u003c/p\u003e\n\u003ch2 id=\"maj-referans\"\u003eİmaj referansı\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eİmaj Alpine tabanlıdır, root olmayan \u003ccode\u003eleakwatch\u003c/code\u003e kullanıcısı olarak çalışır, çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır ve giriş noktası olarak \u003ccode\u003eleakwatch\u003c/code\u003e'ı ayarlar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGiriş noktası \u003ccode\u003eleakwatch\u003c/code\u003e olduğundan alt komutu ve bayrakları doğrudan imaj adının ardına eklersiniz — örneğin \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. İkili dosya adını tekrar yazmanıza gerek yoktur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerel-dizin-tarama\"\u003eYerel dizin tarama\u003c/h2\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAna makinedeki bir dosyaya sonuç yazmak için çıktı dosyasını bağlı birime yazın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch.sarif\u003c/code\u003e dosyası, konteyner çıktıktan sonra ana makinedeki geçerli dizinde görünür.\u003c/p\u003e\n\u003ch2 id=\"uzak-git-deposu-tarama\"\u003eUzak Git deposu tarama\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak Git depoları için birim bağlaması gerekli değildir — Leakwatch bunları konteyner içindeki geçici bir dizine klonlar.\u003c/p\u003e\n\u003ch2 id=\"konteyner-imaj-tarama\"\u003eKonteyner imajı tarama\u003c/h2\u003e\n\u003cp\u003eLeakwatch daemonsuz çalışır: imaj katmanlarını Docker daemon'ına ihtiyaç duymadan doğrudan kayıt defterinden çeker. Bu, Leakwatch konteynerinden, ana makine Docker soketini bağlamadan uzak bir imajı tarayabileceğiniz anlamına gelir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt defterleri için kimlik bilgilerini, kayıt defterinizin desteklediği standart ortam değişkenleri aracılığıyla geçirin (örneğin, bağlı bir kimlik bilgisi dosyasına işaret eden \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e).\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-geirme\"\u003eYapılandırma dosyası geçirme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasını \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın; Leakwatch onu otomatik olarak bulur:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e bağlanan dizinde olduğu sürece Leakwatch onu bulur çünkü \u003ccode\u003e/scan\u003c/code\u003e hem çalışma dizini hem de taramaya geçirilen yoldur. Yapılandırma dosyanız başka bir yerdeyse onu ayrıca bağlayın ve \u003ccode\u003e--config\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikenleri-geirme\"\u003eOrtam değişkenleri geçirme\u003c/h2\u003e\n\u003cp\u003eBulut taraması ve token tabanlı kimlik doğrulama için ortam değişkenleri \u003ccode\u003e-e\u003c/code\u003e ile enjekte edilebilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# AWS kimlik bilgileriyle S3 taraması\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCI ortamlarında, kimlik bilgilerini komut satırına gömmek yerine maskelenmiş CI değişkenleri olarak enjekte etmeyi tercih edin.\u003c/p\u003e\n\u003ch2 id=\"kt-dosyas-kalb\"\u003eÇıktı dosyası kalıbı\u003c/h2\u003e\n\u003cp\u003eCI'da yaygın bir Docker kalıbı, sonuçları bağlı birime yazmak ve ardından dosyayı bir pipeline artifact'i olarak yüklemek veya arşivlemektir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Docker kullanmak yerine yerel ikili dosyayı kurma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e bayrakları ve davranışı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eKonteyner İmajları\u003c/a\u003e — OCI/Docker imaj katmanlarını sır açısından tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI ve diğer pipeline'larda Docker imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm alt komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"GitHub iş akışlarında sır taraması yapmak için resmi Leakwatch GitHub Action'ını kullanın.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eDeponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. Resmi \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e), Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder — aracı kurar, taramayı çalıştırır, çıkış kodlarını işler ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler; bunların hepsini harici bir servis bağımlılığı olmadan yapar.\u003c/p\u003e\n\u003ch2 id=\"hzl-balang\"\u003eHızlı başlangıç\u003c/h2\u003e\n\u003cp\u003eSır bulunduğunda iş akışını engelleyen minimal yapılandırma:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Sır taraması (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (\u003ccode\u003escan-type: fs\u003c/code\u003e), SARIF çıktısı üretir, canlı doğrulamayı atlar (\u003ccode\u003eno-verify: true\u003c/code\u003e) ve herhangi bir bulgu raporlandığında işi başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"sarif-ykleme-ile-tam-rnek\"\u003eSARIF yükleme ile tam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki iş akışı, GitHub Code Scanning'e SARIF yüklemeyi etkinleştirir ve bulguları depo içinde güvenlik uyarıları olarak gösterir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Sır taraması\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # SARIF yüklemesi için gerekli\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Sırları tara\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF yüklemesi, işin \u003ccode\u003epermissions: security-events: write\u003c/code\u003e bildirmesini gerektirir. Bu olmadan yükleme adımı 403 hatasıyla başarısız olur. \u003ccode\u003eactions/checkout@v4\u003c/code\u003e için \u003ccode\u003econtents: read\u003c/code\u003e izni de gereklidir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"girdiler\"\u003eGirdiler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eGirdi\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇalıştırılacak tarama türü: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e veya \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranacak yol (\u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e için) veya imaj referansı (\u003ccode\u003eimage\u003c/code\u003e için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. \u003ccode\u003efalse\u003c/code\u003e olarak ayarlandığında adım başarısız olmak yerine \u003ccode\u003e::warning::\u003c/code\u003e ek açıklaması yayar. Ciddi hatalar (çıkış kodu 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKurulacak Leakwatch sürümü. Belirli bir sürümü sabitlemek için \u003ccode\u003ev1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ktlar\"\u003eÇıktılar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÇıktı\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu raporlanmadıysa \u003ccode\u003e0\u003c/code\u003e; bulgu raporlandıysa \u003ccode\u003e1\u003c/code\u003e. Leakwatch çıkış kodunu yansıtır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRunner üzerindeki SARIF çıktı dosyasının yolu (\u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda ayarlanır).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"cida-dorulama\"\u003eCI'da doğrulama\u003c/h2\u003e\n\u003cp\u003eVarsayılan olarak \u003ccode\u003eno-verify\u003c/code\u003e değeri \u003ccode\u003etrue\u003c/code\u003e'dur — CI'da canlı doğrulama \u003cstrong\u003ekapalıdır\u003c/strong\u003e. Bu, taramayı hızlı tutar ve CI runner'larından sağlayıcı API'lerine giden ağ çağrılarını önler; runner'lar güvenlik duvarı arkasında olabilir veya hız sınırlı kimlik bilgilerine sahip olabilir.\u003c/p\u003e\n\u003cp\u003eCI'da doğrulamayı etkinleştirmek için \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eCI'da doğrulamayı etkinleştirmek, Leakwatch'ın her aday bulgu için sağlayıcılara (AWS, GitHub, Stripe vb.) kimlik doğrulamalı API çağrıları yapmasına neden olur. Sağlayıcı hız limitlerinden haberdar olun ve runner'ın giden internet erişimine sahip olduğundan emin olun.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sarif-yklemesi-nasl-alr\"\u003eSARIF yüklemesi nasıl çalışır\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e ve \u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLeakwatch'a çıktıyı \u003ccode\u003eresults.sarif\u003c/code\u003e dosyasına yazmasını söyler.\u003c/li\u003e\n\u003cli\u003eTaramanın ardından \u003ccode\u003ecategory: leakwatch\u003c/code\u003e ile \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e'ü çağırır.\u003c/li\u003e\n\u003cli\u003eGitHub dosyayı işler ve bulguları deponun \u003cstrong\u003eSecurity\u003c/strong\u003e sekmesinde \u003cstrong\u003eCode Scanning uyarıları\u003c/strong\u003e olarak gösterir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eYükleme adımı \u003ccode\u003eif: always()\u003c/code\u003e ile çalışır; dolayısıyla \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e tarama adımını başarısız kılsa bile sonuçlar yüklenir.\u003c/p\u003e\n\u003ch2 id=\"action-ktlarn-kullanmak\"\u003eAction çıktılarını kullanmak\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Sırları tara\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # iş akışının devam etmesine izin ver\n\n- name: Sonucu yazdır\n run: echo \u0026quot;Raporlanan bulgular: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"belirli-bir-srm-sabitleme\"\u003eBelirli bir sürümü sabitleme\u003c/h2\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için \u003ccode\u003eversion\u003c/code\u003e değerini belirli bir etikete sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu, \u003ccode\u003ego install\u003c/code\u003e aracılığıyla tam olarak \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e'ı kurar.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısını anlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — Leakwatch'ın sağlayıcı API'lerini ne zaman ve nasıl çağırdığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Kancası\u003c/a\u003e — commit edilmeden önce sırları yakalama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI, Jenkins ve genel kabuk entegrasyonu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Diğer CI Sistemleri","description":"Leakwatch'ı GitLab CI, Jenkins, Bitbucket Pipelines ve diğer CI sistemlerine entegre edin.","html":"\u003ch1 id=\"dier-ci-sistemleri\"\u003eDiğer CI Sistemleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olduğundan, kabuk komutu çalıştırabilen herhangi bir CI ortamında çalışır: GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps ve diğerleri. Bu sayfada açıklananların ötesinde bu sistemler için yerleşik bir entegrasyon yoktur; kalıp her zaman aynıdır: ikili dosyayı kur, taramayı çalıştır, çıkış koduna göre hareket et.\u003c/p\u003e\n\u003ch2 id=\"cida-leakwatch-kurma\"\u003eCI'da Leakwatch kurma\u003c/h2\u003e\n\u003cp\u003eRunner ortamınıza en uygun yöntemi seçin:\u003c/p\u003e\n\u003ch3 id=\"go-install-araclyla-runnerda-go-gerektirir\"\u003e\u003ccode\u003ego install\u003c/code\u003e aracılığıyla (runner'da Go gerektirir)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için belirli bir sürüme sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"docker-imaj-araclyla-go-gerekmez\"\u003eDocker imajı aracılığıyla (Go gerekmez)\u003c/h3\u003e\n\u003cp\u003e\u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e'i iş imajı olarak kullanın veya \u003ccode\u003edocker run\u003c/code\u003e ile çalıştırın. Tam kalıp için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch3 id=\"hazr-bir-srm-ikili-dosyas-araclyla\"\u003eHazır bir sürüm ikili dosyası aracılığıyla\u003c/h3\u003e\n\u003cp\u003eUygun tar arşivini \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasından indirin, çıkarın ve \u003ccode\u003ePATH\u003c/code\u003e'e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için iyi tanımlanmış üç çıkış kodu kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen CI eylemi\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu yok\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını geç\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırlar bulundu\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCiddi hata (hatalı yapılandırma, okunamaz yol vb.)\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıkış koduna göre dallanma yapan genel bir kabuk parçacığı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;Sır bulunamadı.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Sırlar bulundu — derlemeyi başarısız kılıyorum.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Tarama hatası (çıkış $EXIT_CODE) — derlemeyi başarısız kılıyorum.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-rnei\"\u003eGitLab CI örneği\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e işi Leakwatch'ı kurar, dosya sistemi taraması çalıştırır ve JSON raporunu pipeline artifact'i olarak saklar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 gün\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (varsayılan) değeri, çıkış kodu \u003ccode\u003e1\u003c/code\u003e'in pipeline aşamasını başarısız kılması anlamına gelir. Taramanın merge işlemini engellemeden raporlamasını istiyorsanız \u003ccode\u003eallow_failure: true\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab, SAST raporu artifact'larını destekler. Leakwatch SARIF üretir (\u003ccode\u003e--format sarif\u003c/code\u003e) ancak GitLab'ın yerel SAST JSON şemasını değil; bu nedenle \u003ccode\u003ereports: sast:\u003c/code\u003e anahtarı yerine \u003ccode\u003epaths:\u003c/code\u003e artifact yaklaşımını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ci-runnerlar-iin-neriler\"\u003eCI runner'ları için öneriler\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eGiden internet erişimi olmayan runner'larda \u003ccode\u003e--no-verify\u003c/code\u003e kullanın.\u003c/strong\u003e Doğrulama, sağlayıcılara (AWS, GitHub, Stripe vb.) canlı API çağrıları yapar. Hava boşluklu veya güvenlik duvarıyla kısıtlanmış runner'larda bu çağrılar zaman aşımına uğrar ve taramayı yavaşlatır. Doğrulamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eÇıktıyı artifact olarak kaydedin.\u003c/strong\u003e İşi tamamlandıktan sonra saklanabilecek, bir güvenlik açığı yönetim platformuna yüklenebilecek veya incelenebilecek bir dosya yazmak için \u003ccode\u003e--format sarif\u003c/code\u003e ya da \u003ccode\u003e--format json\u003c/code\u003e ile birlikte \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e değerini en çok önem taşıyan sırlara odaklanmak için ayarlayın. Gürültülü bir kod tabanında \u003ccode\u003e--min-severity high\u003c/code\u003e ile başlayın ve birikmiş öğeleri temizledikten sonra eşiği düşürün.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-rnei\"\u003eAzure DevOps örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch sır taraması\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-sonuclari\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-rnei\"\u003eJenkins örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Sır taraması') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — tüm çıkış kodlarının tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e — ikili dosyayı kurmak yerine konteyner imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub iş akışları için resmi action.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Kancası","description":"Her commit'ten önce sır taraması yapmak için Leakwatch pre-commit kancasını kullanın.","html":"\u003ch1 id=\"pre-commit-kancas\"\u003ePre-commit Kancası\u003c/h1\u003e\n\u003cp\u003eBir sırrı yakalamak için en ucuz an, onu depoya girmeden önce durdurmaktır. Leakwatch, her \u003ccode\u003egit commit\u003c/code\u003e işleminde \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutunu otomatik olarak çalıştıran yerel bir \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e kancası sunar; böylece sızan bir API anahtarı veya parola, geçmişte yer almak yerine commit işlemini başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eŞunlara ihtiyacınız var:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit bir Python aracıdır).\u003c/li\u003e\n\u003cli\u003eGenel olarak kurulmuş \u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e (\u003ccode\u003epip install pre-commit\u003c/code\u003e veya \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePATH\u003c/code\u003e üzerinde Go 1.25+ — kanca dili \u003ccode\u003egolang\u003c/code\u003e olduğundan pre-commit, ilk çalıştırmada Leakwatch'ı kaynaktan derler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"yaplandrma\"\u003eYapılandırma\u003c/h2\u003e\n\u003cp\u003eDeponuzun köküne bir \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e dosyası ekleyin (veya mevcut olanı genişletin):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKancaları yerel Git deposuna kurun:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHepsi bu kadar. Bundan itibaren her \u003ccode\u003egit commit\u003c/code\u003e işlemi bir dosya sistemi taraması tetikler. Leakwatch herhangi bir sır bulursa commit engellenir ve bulgular terminale yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"elle-altrma\"\u003eElle çalıştırma\u003c/h2\u003e\n\u003cp\u003eTüm depoyu (yalnızca staged dosyaları değil) istediğiniz zaman taramak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDiğerlerini tetiklemeden yalnızca Leakwatch kancasını çalıştırmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ek-argmanlar-geirme\"\u003eEk argümanlar geçirme\u003c/h2\u003e\n\u003cp\u003eKancanın varsayılan davranışı, ek bayrak olmadan \u003ccode\u003eleakwatch scan fs\u003c/code\u003e'e karşılık gelir. \u003ccode\u003eargs:\u003c/code\u003e anahtarı aracılığıyla ek argümanlar geçirebilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu örnek, yalnızca Leakwatch'ın hâlâ etkin olduğunu doğruladığı yüksek önem dereceli sırları raporlar — yanlış pozitif gürültüsünden kaçınmak isteyen ancak kapsam kaybetmek istemeyen ekipler için uygun katı bir politika.\u003c/p\u003e\n\u003cp\u003eDiğer kullanışlı argümanlar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # daha hızlı commit'ler için canlı doğrulamayı atla\n - --min-severity\n - medium # düşük önem dereceli gürültüyü bastır\n - --format\n - table # terminalde insan tarafından okunabilir çıktı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eKanca tanımında \u003ccode\u003epass_filenames: false\u003c/code\u003e ayarlandığından kanca, yalnızca mevcut commit için staged dosyaları değil her zaman tam çalışma ağacını tarar. Bu, staged olmayan dosyalarda halihazırda bulunan sırların da tespit edileceğini garanti eder.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kancann-taradklar\"\u003eKancanın taradıkları\u003c/h2\u003e\n\u003cp\u003eKanca, depo çalışma dizinine karşı \u003ccode\u003eleakwatch scan fs\u003c/code\u003e çalıştırır. CLI ile aynı tespit hattını kullanır: Aho-Corasick ön filtreleme, regex doğrulama, entropi hesaplama ve (\u003ccode\u003e--no-verify\u003c/code\u003e ayarlanmadıkça) canlı doğrulama.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki yapılandırma otomatik olarak uygulanır — dışlama kalıpları, entropi eşikleri ve doğrulama ayarları, herhangi bir ek kanca yapılandırması olmadan geçerli olur.\u003c/p\u003e\n\u003ch2 id=\"kancay-geici-olarak-atlama\"\u003eKancayı geçici olarak atlama\u003c/h2\u003e\n\u003cp\u003eKancayı çalıştırmadan commit yapmak için (örneğin, maskelenmiş sır içeren bir test sabiti commit edilirken):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: test sabiti ekle\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eSKIP=leakwatch\u003c/code\u003e kullanmak, o commit için tüm sır taramasını devre dışı bırakır. Yalnızca içeriğin güvenli olduğunu teyit ettiğinizde kullanın; kalıcı bastırmalar için bunun yerine \u003ccode\u003e.leakwatchignore\u003c/code\u003e veya satır içi \u003ccode\u003eleakwatch:ignore\u003c/code\u003e yorumlarını tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kanca-srmn-sabitli-tutma\"\u003eKanca sürümünü sabitli tutma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003erev:\u003c/code\u003e değerini dal adı yerine belirli bir etikete sabitleyin. Bu, ekipteki tüm geliştiricilerin aynı dedektör setini kullandığını ve kancanın sprint ortasında sessizce yükseltilmediğini garantiler:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # sabitle; 'main' veya 'HEAD' kullanmayın\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGüncellemek için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003ccode\u003erev\u003c/code\u003e değerini en son etikete yükseltir ve siz onu commit etmeden önce değişikliği inceleme fırsatı tanır.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — kancanın çalıştırdığı temel tarama komutu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'da dışlamaları, entropiyi ve doğrulamayı kontrol etme.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub CI'da her push ve pull request'te tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Yapılandırma Dosyası","description":"Leakwatch'ı .leakwatch.yaml ile yapılandırma — tam şema, varsayılanlar, doğrulama kuralları, ortam değişkeni geçersiz kılmaları ve leakwatch init komutu.","html":"\u003ch1 id=\"yaplandrma-dosyas\"\u003eYapılandırma Dosyası\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın her tarama komutundaki davranışı, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e adlı tek bir YAML dosyasıyla yönetilir. Bu dosyayı anlamak; eşzamanlılık, doğrulama, çıktı biçimi ve yol filtrelemeyi bir kez ayarlamanızı ve her taramanın bu ayarları otomatik olarak almasını sağlar.\u003c/p\u003e\n\u003ch2 id=\"dosya-kefi\"\u003eDosya keşfi\u003c/h2\u003e\n\u003cp\u003eLeakwatch, yapılandırma dosyasını aşağıdaki sırayla çözer:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e bayrağı\u003c/strong\u003e — çalışma dizininden bağımsız olarak açık bir yol kullanır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGeçerli dizin\u003c/strong\u003e — komutun çalıştırıldığı dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAna dizin\u003c/strong\u003e — yedek olarak \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eHiçbir dosya bulunamazsa, her ayar için yerleşik varsayılanlar kullanılır.\u003c/p\u003e\n\u003ch2 id=\"balang-dosyas-oluturma\"\u003eBaşlangıç dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e komutu, önerilen varsayılanlarla düzenlemeye hazır bir dosya yazar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak dosya, geçerli dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e konumuna yazılır. Farklı bir yol seçmek için \u003ccode\u003e--output\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHedef dosya zaten mevcutsa, \u003ccode\u003eleakwatch init\u003c/code\u003e üzerine yazmayı reddeder ve hata vererek çıkar. Üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikeni-geersiz-klmalar\"\u003eOrtam değişkeni geçersiz kılmaları\u003c/h2\u003e\n\u003cp\u003eHer yapılandırma anahtarı bir ortam değişkeniyle geçersiz kılınabilir. İsimlendirme kuralı şudur:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eÖnek: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştirin\u003c/li\u003e\n\u003cli\u003eBüyük harfe çevirin\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eÖrnekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003cth\u003eOrtam değişkeni\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-sras\"\u003eÖncelik sırası\u003c/h2\u003e\n\u003cp\u003eAynı ayar birden fazla yerde belirtildiğinde, en yüksek öncelikli kaynak kazanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eKomut satırı bayrağı (en yüksek)\u003c/li\u003e\n\u003cli\u003eOrtam değişkeni\u003c/li\u003e\n\u003cli\u003eYapılandırma dosyası değeri\u003c/li\u003e\n\u003cli\u003eYerleşik varsayılan (en düşük)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"tam-ema\"\u003eTam şema\u003c/h2\u003e\n\u003cp\u003eAşağıdaki açıklamalı şema, desteklenen her anahtarı, varsayılan değerini ve geçerli aralığını göstermektedir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Tarama motoru ─────────────────────────────────────────────────────────────\n\nscan:\n # Eşzamanlı dosya işleme worker sayısı.\n # Varsayılan olarak ana makinedeki mantıksal CPU çekirdeği sayısı kullanılır.\n # \u0026gt;= 1 olmalıdır.\n concurrency: 8\n\n # Taranacak maksimum dosya boyutu (bayt cinsinden). Bu sınırı aşan dosyalar\n # tamamen atlanır. Varsayılan: 10 MB (10485760). \u0026gt;= 1 olmalıdır.\n max-file-size: 10485760\n\n# ── Tespit ────────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Her aday eşleşme için Shannon entropi hesaplamasını etkinleştirir.\n enabled: true\n\n # Gösterim ve özel kural kapısı için kullanılan entropi eşiği.\n # Aralık: 0–8. Varsayılan: 4.0.\n # Yerleşik bulgular hakkındaki nota bakın.\n threshold: 4.0\n\n# ── Doğrulama ─────────────────────────────────────────────────────────────────\n\nverification:\n # Sağlayıcı API'lerine karşı canlı doğrulamayı etkinleştirir.\n enabled: true\n\n # İstek başına HTTP zaman aşımı. Doğrulama etkinleştirildiğinde \u0026gt;= 1ms olmalıdır.\n # Süre dizesi kullanın (örn. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — tam sayı nanosaniye olarak\n # yorumlanır ve doğrulama başarısız olur.\n timeout: 10s\n\n # Eşzamanlı doğrulama worker sayısı. \u0026gt;= 1 olmalıdır.\n concurrency: 4\n\n # Saniyedeki maksimum doğrulama isteği (token-bucket hız sınırlayıcı).\n # \u0026gt; 0 olmalıdır.\n rate-limit: 10.0\n\n# ── Filtreleme ────────────────────────────────────────────────────────────────\n\nfilter:\n # Taramadan hariç tutulacak yollar için glob desenleri.\n # Desteklenen glob stilleri: filepath.Match desenleri, sıfır veya daha fazla\n # yol segmentini kapsayan ** çift yıldız ve herhangi bir derinlikte adlandırılmış\n # dizini eşleştiren sondaki eğik çizgili dir/ desenleri. Her desen hem tam yol\n # hem de temel dosya adına karşı test edilir.\n # Tüm tarama kaynaklarına uygulanır. (`scan fs` komutunda --exclude bayrağı da bunu ayarlar.)\n # Varsayılan: [] (yerleşik ikili/kilit dosya atlamalarının ötesinde hariç tutma yok).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Tamamen devre dışı bırakılacak dedektör ID'leri. Listelenen dedektörlerden\n # gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez.\n # Varsayılan: [].\n exclude-detectors: []\n\n# ── Çıktı ─────────────────────────────────────────────────────────────────────\n\noutput:\n # Çıktı biçimi. Şunlardan biri: json, sarif, csv, table. Varsayılan: json.\n # --format / -f bayrağı bunu çalışma zamanında geçersiz kılar.\n format: json\n\n # Çıktıyı stdout yerine bu dosya yoluna yaz. Varsayılan: \u0026quot;\u0026quot; (stdout).\n # --output / -o bayrağı bunu çalışma zamanında geçersiz kılar.\n file: \u0026quot;\u0026quot;\n\n # Bu önem seviyesinin altındaki bulguları bırak.\n # Şunlardan biri: low, medium, high, critical. Varsayılan: \u0026quot;\u0026quot; (tümünü göster).\n # --min-severity bayrağı bunu çalışma zamanında geçersiz kılar.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Çıktıda maskelenmemiş sır değerini dahil et.\n # Varsayılan: false. --show-raw bayrağı bunu çalışma zamanında geçersiz kılar.\n show-raw: false\n\n# ── Özel kurallar ─────────────────────────────────────────────────────────────\n\n# Kendi dedektörlerinizi YAML kuralları olarak tanımlayın. Tam kural şeması\n# için özel kurallar sayfasına bakın.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e, bir bulgunun yanında gösterilen entropi değerini kontrol eder ve özel kurallar için bir kapı görevi görür (entropisi eşiğin altına düşen özel kural eşleşmeleri bastırılır). Yerleşik dedektörlerin bulgularını \u003cstrong\u003ebastırmaz\u003c/strong\u003e — yerleşik dedektörlerin kendi eşleşme kriterleri vardır ve bu ayar tarafından hiçbir zaman bırakılmazlar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, taramaya başlamadan önce yüklenen yapılandırmayı doğrular ve aşağıdaki durumların herhangi birinde hata vererek çıkar:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKoşul\u003c/th\u003e\n\u003cth\u003eHata\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz eşzamanlılık değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz max-file-size değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e içinde değil\u003c/td\u003e\n\u003ctd\u003eDesteklenmeyen çıktı biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e 0–8 dışında\u003c/td\u003e\n\u003ctd\u003eGeçersiz entropi eşiği\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e geçerli bir seviye değil (boş değilse)\u003c/td\u003e\n\u003ctd\u003eGeçersiz severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama zaman aşımı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama eşzamanlılığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Bulguları Yok Sayma","description":".leakwatchignore dosyaları, satır içi yok sayma işaretçileri ve yerleşik ikili dosya ve kilit dosyası atlamaları ile yanlış pozitifleri bastırın.","html":"\u003ch1 id=\"bulgular-yok-sayma\"\u003eBulguları Yok Sayma\u003c/h1\u003e\n\u003cp\u003eHiçbir tarayıcının yanlış pozitif oranı sıfır değildir. Leakwatch, gürültüyü bastırmak için size üç katmanlı mekanizma sunar: yol tabanlı dışlamalar için bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası, satır düzeyinde bastırma için satır içi işaretçiler ve ikili dosyalar ile yaygın kilit dosyaları için her zaman etkin olan yerleşik atlamalar.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-dosyas\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası\u003c/h2\u003e\n\u003cp\u003eTarama sonuçlarından yolları hariç tutmak için depo kökünüze (veya geçerli dizine) bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası oluşturun. Gitignore stilinde söz dizimi kullanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e#\u003c/code\u003e ile başlayan satırlar yorum satırlarıdır.\u003c/li\u003e\n\u003cli\u003eBoş satırlar atlanır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!\u003c/code\u003e öneki bir deseni \u003cstrong\u003egeçersiz kılar\u003c/strong\u003e; önceki bir desen tarafından dışlanmış olacak bir yolu yeniden dahil eder.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSon eşleşen desen kazanır\u003c/strong\u003e — sıra önemlidir.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"ykleme-sras\"\u003eYükleme sırası\u003c/h3\u003e\n\u003cp\u003eLeakwatch, \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyasını önce tarama kökünden, ardından geçerli çalışma dizininden yükler. Her ikisi de aynı yol için desen içeriyorsa, geçerli dizin dosyasının desenleri öncelik kazanır çünkü son değerlendirilenler bunlardır.\u003c/p\u003e\n\u003ch3 id=\"glob-sz-dizimi\"\u003eGlob söz dizimi\u003c/h3\u003e\n\u003cp\u003eÜç desen stili desteklenir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStil\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003cth\u003eÖrnek\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandart glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e stili, hem tam yola hem de temel dosya adına karşı eşleştirilen\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇift yıldız \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSıfır veya daha fazla yol segmentini kapsar\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSondaki eğik çizgi \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAdlandırılmış dizinin herhangi bir derinliğindeki her dosyayla eşleşir\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"leakwatchignore-rnei\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e örneği\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Tüm test fixture dosyalarını yok say\ntest/fixtures/**\n\n# Dokümantasyondaki bilinen yer tutucu anahtarları yok say\ndocs/examples/\n\n# Ağaçtaki herhangi bir yerdeki belirli uzantılı dosyaları yok say\n*.pem.example\n\n# Yukarıdaki kural tarafından dışlanan belirli bir dosyayı yeniden dahil et\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtrelemesi, her bulgunun dosya yoluna göre tarama tamamlandıktan \u003cstrong\u003esonra\u003c/strong\u003e uygulanır. Dosyaların okunmasını engellemez — ürettikleri bulguları bastırır. Dosyaları okunmadan önce atlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e veya \u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"satr-ii-yok-sayma-iaretileri\"\u003eSatır içi yok sayma işaretçileri\u003c/h2\u003e\n\u003cp\u003eSöz konusu satırdaki dedektörleri bastırmak için herhangi bir kaynak satırına doğrudan bir işaretçi koyun. İşaretçi satırın herhangi bir yerine yerleştirilebilir — genellikle bir yorum içinde — ve motor tarafından doğrulamadan \u003cstrong\u003eönce\u003c/strong\u003e uygulanır; böylece yok sayılan bir satır hiçbir zaman ağ çağrısını tetiklemez.\u003c/p\u003e\n\u003ch3 id=\"bir-satrdaki-tm-dedektrleri-bastr\"\u003eBir satırdaki tüm dedektörleri bastır\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Ödeme işleme yapılandırması\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"bir-satrdaki-belirli-bir-dedektr-bastr\"\u003eBir satırdaki belirli bir dedektörü bastır\u003c/h3\u003e\n\u003cp\u003eYalnızca bir dedektörü bastırırken diğerlerini etkin bırakmak için \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// Bu token dokümantasyon için kasıtlı olarak bir yer tutucudur\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Platform tarafından ayarlanan CI ortam değişkeni — gerçek bir sır değil\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eMümkün olduğunda genel form yerine dedektöre özgü formu (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) tercih edin. Hangi dedektörü bastırdığınızı belgeler ve diğer tüm dedektörleri o satırda etkin bırakır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerleik-atlamalar-her-zaman-uygulanr\"\u003eYerleşik atlamalar (her zaman uygulanır)\u003c/h2\u003e\n\u003cp\u003eLeakwatch, herhangi bir dedektörü çalıştırmadan önce aşağıdakileri koşulsuz olarak atlar:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili dosya uzantıları\u003c/strong\u003e — \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e ve diğerleri gibi uzantılara sahip dosyalar hiçbir zaman taranmaz.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili içerik tespiti\u003c/strong\u003e — ilk 8 KB'ı null bayt içeren herhangi bir dosya, uzantısından bağımsız olarak ikili olarak kabul edilir ve atlanır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eYaygın kilit dosyaları\u003c/strong\u003e — aşağıdaki dosya adları, yüksek oranda yanlış pozitif üreten hash ve sağlama toplamları içerdikleri için her zaman atlanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDosya\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eBu yerleşik atlamalar devre dışı bırakılamaz. \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ayarından ayrıdır ve yapılandırma tabanlı filtrelemeden önce çalışır.\u003c/p\u003e\n\u003ch2 id=\"tarama-ncesi-yol-tabanl-dlama\"\u003eTarama öncesi yol tabanlı dışlama\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru tarafından okunmadan önce dışlamak için yapılandırma dosyanızda \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu ayar \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır (dosya sistemi, Git geçmişi, konteyner imajları, bulut depolama, Slack). \u003ccode\u003escan fs\u003c/code\u003e komutunda ayrıca komut satırında \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e parametresi de geçirebilirsiniz; bu, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile eşdeğer bir bayraktır.\u003c/p\u003e\n\u003cp\u003eTam yapılandırma şeması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e, dedektör düzeyinde ve önem derecesi düzeyinde filtreleme için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Önem Derecesi \u0026 Filtreleme","description":"Önem eşikleri, yalnızca doğrulanmış mod, dedektör dışlamaları ve yol dışlamaları kullanarak hangi bulguların çıktınıza ulaşacağını kontrol edin.","html":"\u003ch1 id=\"nem-derecesi--filtreleme\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/h1\u003e\n\u003cp\u003eYoğun bir kod tabanı çok sayıda bulgu üretebilir. Leakwatch, en önemli sinyallere odaklanmak için birleştirebileceğiniz birkaç bağımsız filtre sunar: önem eşikleri düşük öncelikli gürültüyü eler, yalnızca doğrulanmış mod yalnızca onaylanmış canlı sırları ortaya çıkarır, dedektör dışlamaları bilinen yanlış pozitif kaynakları susturur ve yol dışlamaları tüm dizin ağaçlarını kapsamın dışında bırakır.\u003c/p\u003e\n\u003ch2 id=\"nem-seviyeleri\"\u003eÖnem seviyeleri\u003c/h2\u003e\n\u003cp\u003eHer yerleşik dedektör, varsayılan bir önem derecesiyle birlikte gelir. En düşükten en yüksek önceliğe doğru dört seviye şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeviye\u003c/th\u003e\n\u003cth\u003eTipik kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDaha yüksek yanlış pozitif oranına sahip genel desenler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanınabilir kimlik bilgisi biçimleri, doğrulanmamış\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaruziyetin büyük olasılıkla önemli olduğu iyi yapılandırılmış sırlar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOnaylanmış canlı sırlar veya neredeyse sıfır yanlış pozitif oranlı biçimler\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer dedektöre atanan önem derecesi \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-eiin-altndaki-bulgular-brak\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: eşiğin altındaki bulguları bırak\u003c/h2\u003e\n\u003cp\u003eBelirtilen seviyenin altındaki önem derecesine sahip bulguları atmak için \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e parametresini kullanın. Yalnızca eşik değerinde veya üzerindeki bulgular çıktıya ulaşır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Yalnızca high ve critical bulguları göster\nleakwatch scan fs . --min-severity high\n\n# medium, high ve critical bulguları göster\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e altında yapılandırma dosyasında kalıcı bir varsayılan ayarlayabilirsiniz. \u003ccode\u003e--min-severity\u003c/code\u003e bayrağı, çalışma zamanında yapılandırma değerini geçersiz kılar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-yalnzca-onaylanm-aktif-srlar\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: yalnızca onaylanmış aktif sırlar\u003c/h2\u003e\n\u003cp\u003eYalnızca doğrulama durumu \u003ccode\u003everified_active\u003c/code\u003e olan bulguları, yani Leakwatch'ın sağlayıcı API'sine kontrollü bir salt-okunur çağrı yaparak hâlâ geçerli olduğunu doğruladığı sırları tutmak için \u003ccode\u003e--only-verified\u003c/code\u003e parametresini kullanın. Diğer tüm bulgular (doğrulanmamış, doğrulanmış-etkin değil veya doğrulama hatası) bırakılır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu bayrak, derlemeyi yalnızca onaylanmış olaylar üzerinde, yer tutucu veya zaten döndürülmüş kimlik bilgileri olabilecek şüpheli desenler üzerinde değil, başarısız kılmak istediğiniz CI hatlarında en kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eHangi dedektörlerin canlı doğrulamayı desteklediği için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-belirli-dedektrleri-devre-d-brak\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: belirli dedektörleri devre dışı bırak\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü kalıcı olarak devre dışı bırakmak için ID'lerini yapılandırma dosyasındaki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e altında listeleyin. Listelenen dedektörlerden gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDedektör ID'leri \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir. Bir dedektör sürekli olarak kod tabanınız için yanlış pozitifler ürettiğinde ve diğer bastırma mekanizmaları (satır içi yok saymalar veya \u003ccode\u003e.leakwatchignore\u003c/code\u003e) yeterince ayrıntılı olmadığında bu ayarı kullanın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-tarama-ncesi-yollar-atla\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: tarama öncesi yolları atla\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru okumadan önce dışlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın. Desenler, \u003ccode\u003e.leakwatchignore\u003c/code\u003e ile aynı glob söz dizimini kullanır (standart globlar, \u003ccode\u003e**\u003c/code\u003e çift yıldız ve sondaki eğik çizgili dizin desenleri) ve \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e bayrağı, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile komut satırı eşdeğeridir. \u003ccode\u003e--exclude\u003c/code\u003e bayrağı \u003cstrong\u003eyalnızca\u003c/strong\u003e \u003ccode\u003escan fs\u003c/code\u003e komutunda mevcuttur — diğer tüm kaynaklar için yapılandırma dosyası ayarını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-filtreleri-birletirme\"\u003eCI'da filtreleri birleştirme\u003c/h2\u003e\n\u003cp\u003eBir CI hattında genellikle yalnızca gerçek olaylarda başarısız olan, düşük gürültülü ve yüksek sinyalli bir çalışma istersiniz. Önerilen bir kombinasyon:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYapılandırma dosyasının kalıcı yol dışlamalarını yönetmesiyle:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eArdından CI için yalnızca biçimi ve hedefi komut satırında geçersiz kılın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama ayrıntıları için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e, satır içi ve dosya tabanlı bastırma için \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e ve tam şema için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Özel Kurallar","description":"YAML ile kendi sır tespit kalıplarınızı nasıl tanımlayacağınız ve 63 yerleşik dedektörün yanında bir Leakwatch taramasına nasıl ekleyeceğiniz.","html":"\u003ch1 id=\"zel-kurallar\"\u003eÖzel Kurallar\u003c/h1\u003e\n\u003cp\u003e63 yerleşik dedektör yaygın kullanılan kimlik bilgisi formatlarını kapsar; ancak her kuruluşun dahili token'ları, özel servis anahtarları veya hiçbir genel aracın önceden tahmin edemeyeceği ortama özgü kalıpları vardır. Özel kurallar, kaynak kodu değiştirmeden veya ikili dosyayı yeniden derlemeden kendi kalıplarınızı düz YAML ile tanımlamanıza ve çalışma zamanında yüklemenize olanak tanıyarak Leakwatch'ı genişletmenizi sağlar.\u003c/p\u003e\n\u003ch2 id=\"zel-kurallar-nerede-tanmlanr\"\u003eÖzel kurallar nerede tanımlanır\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyanızda en üst düzey bir \u003ccode\u003ecustom-rules:\u003c/code\u003e listesi altında tanımlanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKurallar, Leakwatch başladığında çalışma zamanında kaydedilir. Aynı Aho-Corasick ön-filtre hattını kullanarak yerleşik dedektörlerle birlikte çalışırlar.\u003c/p\u003e\n\u003ch2 id=\"kural-alanlar\"\u003eKural alanları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eZorunlu\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eBenzersiz dedektör ID'si. Çıktıda ve \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e içinde kullanılır. Yerleşik dedektör ID'si veya başka bir özel kural ID'si ile çakışmamalıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eÇıktıda gösterilen insan tarafından okunabilir açıklama.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2 uyumlu düzenli ifade. Maksimum 4096 karakter.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring listesi\u003c/td\u003e\n\u003ctd\u003eAho-Corasick ön-filtre anahtar kelimeleri. Regex yalnızca bu dizelerden en az birini içeren parçalar üzerinde çalışır. Bu alanın atlanması regex'in her parça üzerinde çalışmasına neden olur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e veya \u003ccode\u003elow\u003c/code\u003e. Varsayılan \u003ccode\u003emedium\u003c/code\u003e'dur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropi eşiği (0–8). Entropisi bu değerin \u003cstrong\u003ealtında\u003c/strong\u003e olan eşleşmeler atılır. Düşük rastgelelikli yanlış pozitifleri filtrelemek için kullanışlıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eHer zaman \u003ccode\u003ekeywords\u003c/code\u003e belirtin. Tek kısa bir anahtar kelime bile (token ön eki gibi) regex motorunun işlediği parça sayısını önemli ölçüde azaltır ve büyük depolarda taramaların hızlı kalmasını sağlar. Örneğin tüm dahili token'larınız \u003ccode\u003eacme_\u003c/code\u003e ile başlıyorsa \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e ayarlayın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eentropy\u003c/code\u003e kullanarak \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e gibi kalıbı karşılayan ancak açıkça gerçek sır olmayan yer tutucu değerlerdeki eşleşmeleri bastırın. 3,0–3,5 civarı bir eşik iyi bir başlangıç noktasıdır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"akma-ynetimi\"\u003eÇakışma yönetimi\u003c/h2\u003e\n\u003cp\u003eBir özel kuralın \u003ccode\u003eid\u003c/code\u003e'si zaten kayıtlı bir dedektörle eşleşirse — yerleşik dedektör veya daha önce yüklenen özel kural olsun fark etmez — yinelenen kural \u003cstrong\u003eatlanır\u003c/strong\u003e ve bir hata loglanır. Leakwatch çökmez; geri kalan kurallar normal şekilde yüklenir. Bir özel kuralın etkisiz göründüğü durumlarda log çıktısını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eÖzel kuralların eşleştirilmiş doğrulayıcısı yoktur. Özel kurallardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e durumuyla raporlanır — hiçbir zaman \u003ccode\u003everified_active\u003c/code\u003e veya \u003ccode\u003everified_inactive\u003c/code\u003e olmaz.\u003c/p\u003e\n\u003ch2 id=\"tam-rnek\"\u003eTam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, iki özel kural tanımlar: biri dahili servis token'ı, diğeri webhook'larda kullanılan imzalama sırrı için.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook imzalama sırrı (format: whsec_ + 40 base64url karakter)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu yapılandırmayla bir tarama çalıştırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kural bulgusu için örnek JSON çıktısı (sır değeri maskelenmiştir):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eraw_redacted\u003c/code\u003e alanı gerçek sırrı her zaman maskeler. Ham değer, açıkça \u003ccode\u003e--show-raw\u003c/code\u003e geçilmedikçe çıktıya asla yazılmaz (kontrollü ortamlar dışında önerilmez).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kural-hari-tutma\"\u003eÖzel kuralı hariç tutma\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, yerleşik dedektörlerle aynı filtrelemeye katılır. Bir özel kuralı yapılandırmadan kaldırmadan devre dışı bırakmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003ecustom-rules:\u003c/code\u003e öğesinin belge yapısındaki yeri dahil \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e için tam referans.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — özel kuralınızı adlandırmadan önce ID çakışmalarını kontrol etmek için 63 yerleşik dedektör.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — \u003ccode\u003ekeywords\u003c/code\u003e öğesinin bağlandığı Aho-Corasick ön-filtre hattı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Dedektör Kataloğu","description":"Kategorilere göre gruplanmış tüm 63 yerleşik dedektör; ID'leri, ne tespit ettikleri ve varsayılan şiddet seviyeleri ile.","html":"\u003ch1 id=\"dedektr-katalou\"\u003eDedektör Kataloğu\u003c/h1\u003e\n\u003cp\u003eLeakwatch, bulut sağlayıcısı erişim anahtarlarından ve yapay zekâ API token'larından veritabanı bağlantı dizelerine ve özel kriptografik anahtarlara kadar geniş bir kimlik bilgisi türü yelpazesini kapsayan \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile gelir. Her dedektörün kararlı bir ID'si, varsayılan bir şiddet seviyesi ve (çoğu için) bulunan sırrın hâlâ canlı olup olmadığını teyit edebilen eşleştirilmiş bir doğrulayıcısı vardır.\u003c/p\u003e\n\u003cp\u003eBu sayfa her yerleşik dedektörü listeler. Doğrulama kapsamı ayrıntıları için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın. Kendi kalıplarınızı eklemek için \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"bu-katalogu-nasl-okuyacaksnz\"\u003eBu katalogu nasıl okuyacaksınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — yapılandırma ve çıktıda kullanılan kararlı dize tanımlayıcısı. Bir dedektörü atlamak için \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin veya \u003ccode\u003e--min-severity\u003c/code\u003e filtrelemesiyle birlikte kullanın (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTespit eder\u003c/strong\u003e — dedektörün ne aradığı.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eŞiddet\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e (Kritik), \u003ccode\u003eHigh\u003c/code\u003e (Yüksek) veya \u003ccode\u003eMedium\u003c/code\u003e (Orta). Bu varsayılandır; \u003ccode\u003e--min-severity\u003c/code\u003e bayrağını ve \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e yapılandırma anahtarını besler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"bulut-ve-altyap\"\u003eBulut ve Altyapı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Servis Hesabı Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID İstemci Sırrı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Servis Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yapay-zek--makine-renimi\"\u003eYapay Zekâ / Makine Öğrenimi\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"demeler-ve-ticaret\"\u003eÖdemeler ve Ticaret\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Canlı API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"gelitirme-aralar-ci-ve-paketler\"\u003eGeliştirme Araçları, CI ve Paketler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket Uygulama Parolası\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Kişisel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"letiim-ve-birlii\"\u003eİletişim ve İşbirliği\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/Kullanıcı Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Gelen Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Dahili Entegrasyon Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"e-posta-ve-mesajlama-teslimat\"\u003eE-posta ve Mesajlaşma Teslimatı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Sunucu API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"zleme-ve-gzlemlenebilirlik\"\u003eİzleme ve Gözlemlenebilirlik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Kimlik Doğrulama Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"veritabanlar-ve-balant-dizeleri\"\u003eVeritabanları ve Bağlantı Dizeleri\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVeritabanı Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Bağlantı Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Servis Rolü Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-ve-eriim\"\u003eKimlik ve Erişim\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Yönetim API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bağlama Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"genel-ve-kriptografik\"\u003eGenel ve Kriptografik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGenel API Anahtarı\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÖzel Anahtar (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eToplam: 63 yerleşik dedektör.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"iddete-gre-filtreleme\"\u003eŞiddete göre filtreleme\u003c/h2\u003e\n\u003cp\u003eBulgular, komut satırında \u003ccode\u003e--min-severity\u003c/code\u003e veya yapılandırmada \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e kullanılarak şiddet seviyesine göre filtrelenebilir. Yalnızca belirtilen seviyede veya üzerindeki bulgular çıktıya dahil edilir. Ayrıntılar için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"belirli-dedektrleri-hari-tutma\"\u003eBelirli dedektörleri hariç tutma\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü tamamen atlamak için ID'lerini \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam filtreleme referansı için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kapsam\"\u003eDoğrulama kapsamı\u003c/h2\u003e\n\u003cp\u003eBazı dedektörlerin canlı doğrulayıcısı vardır; bazıları yalnızca format doğrulamasına tabi tutulur; dokuzu ise hiç doğrulayıcıya sahip değildir. Tam döküm için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e — YAML ile kendi tespit kalıplarınızı tanımlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektörlerin canlı doğrulanabileceği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e — bulguları şiddet seviyesine veya dedektöre göre filtreleme.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"Nasıl Çalışır","description":"Leakwatch tarama hattının mimarisi: kaynaklar, tespit, doğrulama ve çıktı.","html":"\u003ch1 id=\"nasl-alr\"\u003eNasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eLeakwatch hattını anlamak, performansı ayarlamanıza, sonuçları yorumlamanıza ve hangi bayrakları kullanacağınıza karar vermenize yardımcı olur. Bu sayfa, bir tarama komutunu çalıştırdığınız andan bir bulgunun çıktınızda göründüğü ana kadar neler olduğunu açıklar.\u003c/p\u003e\n\u003ch2 id=\"hatta-genel-bak\"\u003eHatta genel bakış\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Kaynak\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[İşçi Havuzu\\n—concurrency işçi]\n B --\u0026gt; C[Aho-Corasick\\nÖn-Filtre]\n C --\u0026gt; D[Regex\\nDedektörler]\n D --\u0026gt; E[Satır İçi İgnore\\nKontrolü]\n E --\u0026gt; F[Doğrulama\\nHavuzu\\n4 işçi / 10 rps]\n F --\u0026gt; G[Tarama Sonrası\\nFiltreler]\n G --\u0026gt; H([Çıktı\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer aşama aşağıda ayrıntılı olarak açıklanmaktadır.\u003c/p\u003e\n\u003ch2 id=\"1-kaynak\"\u003e1. Kaynak\u003c/h2\u003e\n\u003cp\u003eHer tarama, motorun işlemesi için veri parçaları yayan bir soyutlama olan \u003cstrong\u003eKaynak\u003c/strong\u003e ile başlar. Leakwatch altı kaynak ile birlikte gelir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNe yayar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosya içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir OCI/Docker imajının katman içerikleri, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanal ve DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar. Slack'e yüklenen dosyaların içerikleri taranmaz.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eParçalar, işçi havuzu tarafından tüketilen tamponlu bir kanala akar.\u003c/p\u003e\n\u003ch2 id=\"2-i-havuzu\"\u003e2. İşçi havuzu\u003c/h2\u003e\n\u003cp\u003eMotor, sabit sayıda \u003cstrong\u003egoroutine\u003c/strong\u003e içeren bir havuz yönetir — her biri \u003ccode\u003e--concurrency\u003c/code\u003e değerine karşılık gelir (varsayılan: CPU sayısı). Her işçi kanaldan bir parça alır ve tespit hattını bağımsız olarak çalıştırır. İşçiler değişebilir durum paylaşmadığından havuz, I/O ve bellek sınırlarına kadar eşzamanlılıkla doğrusal ölçeklenir.\u003c/p\u003e\n\u003cp\u003eTaramalar \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e'e yanıt verir: iptal sinyali geldiğinde bağlam iptal edilir, işçiler mevcut parçalarını tamamlayıp durur ve kısmi sonuçlar çıktı yazılmadan önce toplanır.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-anahtar-kelime-n-filtresi\"\u003e3. Aho-Corasick anahtar kelime ön-filtresi\u003c/h2\u003e\n\u003cp\u003eHer parça üzerinde 63 regex desenini çalıştırmak yavaş olur. Bunun yerine motor, başlangıçta her dedektörün bildirdiği anahtar kelime listelerinden tek bir \u003cstrong\u003eAho-Corasick çok-desenli otomat\u003c/strong\u003e oluşturur. Her parça için bu otomat tek bir doğrusal geçiş yapar ve yalnızca anahtar kelimeleri parçanın baytlarında görünen dedektörleri döndürür.\u003c/p\u003e\n\u003cp\u003eBu, çoğu dedektörün çoğu parça üzerinde regex'ini hiç çalıştırmadığı anlamına gelir. Anahtar kelime bildirmeyen dedektörler her zaman çalışır (ön filtreyi atlayarak doğrudan regex'e geçerler).\u003c/p\u003e\n\u003cp\u003eAho-Corasick uygulaması \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e kütüphanesinden gelmektedir.\u003c/p\u003e\n\u003ch2 id=\"4-regex-dedektrler\"\u003e4. Regex dedektörler\u003c/h2\u003e\n\u003cp\u003eKısa listeye alınan her dedektör, derlenmiş \u003cstrong\u003edüzenli ifadesini\u003c/strong\u003e parça baytları üzerinde çalıştırır. Bir desen eşleştiğinde dedektör şunları içeren bir \u003ccode\u003eRawFinding\u003c/code\u003e döndürür:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları (yalnızca doğrulama için bellekte tutulur; asla loglanmaz veya diske yazılmaz).\u003c/li\u003e\n\u003cli\u003eÇıktı için güvenli olan \u003cstrong\u003emaskelenmiş\u003c/strong\u003e bir gösterim.\u003c/li\u003e\n\u003cli\u003eİsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch, 60 paket genelinde \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. \u003ca href=\"#/configuration/custom-rules\"\u003eÖzel YAML kuralları\u003c/a\u003e aracılığıyla kendi desenlerinizi ekleyebilirsiniz.\u003c/p\u003e\n\u003cp\u003eTüm dedektörler, Go'nun \u003ccode\u003einit()\u003c/code\u003e işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur.\u003c/p\u003e\n\u003ch2 id=\"5-satr-ii-ignore-kontrol\"\u003e5. Satır içi ignore kontrolü\u003c/h2\u003e\n\u003cp\u003eBir bulgu doğrulamaya gönderilmeden önce motor, kaynak satırın bir \u003cstrong\u003esatır içi ignore işareti\u003c/strong\u003e içerip içermediğini kontrol eder:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eveya dedektöre özgü bir varyant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİşaret mevcutsa bulgu, \u003cstrong\u003eherhangi bir ağ çağrısı yapılmadan önce\u003c/strong\u003e sessizce bırakılır. Bu kasıtlıdır: yoksayılan sırlar asla canlı bir API isteğini tetiklememeli.\u003c/p\u003e\n\u003ch2 id=\"6-dorulama\"\u003e6. Doğrulama\u003c/h2\u003e\n\u003cp\u003eTüm parçalar için tespit tamamlandıktan sonra motor, bulguları ayrı bir \u003cstrong\u003edoğrulama işçi havuzuna\u003c/strong\u003e geçirir (varsayılan 4 işçi). Doğrulama:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTüm işçiler arasında paylaşılan global bir \u003cstrong\u003ehız sınırlayıcı\u003c/strong\u003e (varsayılan saniyede 10 istek) ile korunur.\u003c/li\u003e\n\u003cli\u003eHer API çağrısına \u003cstrong\u003eistek başına zaman aşımı\u003c/strong\u003e (varsayılan 10 saniye) uygular.\u003c/li\u003e\n\u003cli\u003eSağlayıcıya yalnızca \u003cstrong\u003esalt-okunur, yıkıcı olmayan\u003c/strong\u003e çağrılar yapar (örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHer bulguyu dört durumdan biriyle işaretler: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch \u003cstrong\u003e54 doğrulayıcı\u003c/strong\u003e ile birlikte gelir; 63 yerleşik dedektör türünün %85,7'sini kapsar. Kalan 9 tür (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman \u003ccode\u003eunverified\u003c/code\u003e olarak raporlanır.\u003c/p\u003e\n\u003cp\u003eBu aşamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin — hızlı, çevrimdışı taramalar için kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eDoğrulama davranışı ve durum anlamları hakkında derinlemesine bilgi için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"7-bulgu-kimlii-ve-entropi\"\u003e7. Bulgu kimliği ve entropi\u003c/h2\u003e\n\u003cp\u003eHer bulgu, şu şekilde hesaplanan \u003cstrong\u003edeterministik bir kimlik\u003c/strong\u003e alır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(dedektörID + maskelendi + dosyaYolu + satır) → 16 hex karaktere kısaltıldı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAynı konumdaki aynı sır her zaman aynı kimliği üretir; bu da bulguları çalıştırmalar arasında yinelenenleri kaldırmayı veya sorun izleyicilerde takip etmeyi güvenli kılar.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropisi\u003c/strong\u003e (aralık 0–8) her bulgu için hesaplanır ve bilgilendirme amacıyla çıktıda gösterilir. Motor düzeyinde entropi, yerleşik bulguları \u003cstrong\u003eengellemez veya düşürmez\u003c/strong\u003e — düşük entropili bir eşleşme yine de sonuçlarda görünür. Entropi eşikleri yalnızca özel kuralların içinde geçerlidir; her kural kendi minimumunu bildirebilir.\u003c/p\u003e\n\u003ch2 id=\"8-tarama-sonras-filtreler\"\u003e8. Tarama sonrası filtreler\u003c/h2\u003e\n\u003cp\u003eDoğrulamadan sonra iki filtre uygulanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — \u003ccode\u003everified:active\u003c/code\u003e olmayan tüm bulguları bırakır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — belirtilen önem düzeyinin (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; varsayılan \u003ccode\u003elow\u003c/code\u003e) altındaki bulguları bırakır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHer iki filtre de doğrulama sonrasında çalışır; böylece \u003ccode\u003e--only-verified\u003c/code\u003e değerlendirildiğinde doğrulama durumu kullanılabilir olur.\u003c/p\u003e\n\u003ch2 id=\"9-kt\"\u003e9. Çıktı\u003c/h2\u003e\n\u003cp\u003eHayatta kalan bulgular dört \u003cstrong\u003ebiçimleyiciden\u003c/strong\u003e birine iletilir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBiçim\u003c/th\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eYaygın kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (varsayılan)\u003c/td\u003e\n\u003ctd\u003eMakine tarafından okunabilir, hat dostu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, güvenlik panoları\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eElektronik tablolar, veri analizi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTablo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal incelemesi, önem derecesine göre renklendirilmiş\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıktı varsayılan olarak stdout'a gider; bir dosyaya yazmak için \u003ccode\u003e--output \u0026lt;dosya\u0026gt;\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eBiçim veya çıktı hedefi ne olursa olsun, her taramadan sonra bir \u003cstrong\u003etarama özeti\u003c/strong\u003e (tarih, kaynak türü, hedef, taranan dosyalar, süre, bulgu sayısı, kesme durumu) her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eLeakwatch, bulunan sırların doğrulama çağrıları dışında süreç sınırını asla terk etmemesi için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları yalnızca tespit ve doğrulama sırasında bellekte yaşar.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--show-raw\u003c/code\u003e bayrağı varsayılan olarak \u003ccode\u003efalse\u003c/code\u003e'tur; bu olmadan çıktıda yalnızca maskelenmiş gösterim görünür.\u003c/li\u003e\n\u003cli\u003eSırlar asla diske yazılmaz, \u003ccode\u003eslog\u003c/code\u003e aracılığıyla loglanmaz veya çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tasarm-kararlar\"\u003eTasarım kararları\u003c/h2\u003e\n\u003cp\u003eMimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO devre dışı\u003c/strong\u003e (ADR-0001) — tek statik ikili dosya, çalışma zamanı bağımlılığı yok, tüm platformlara çapraz derlenir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — \u003ccode\u003ebayrak \u0026gt; env \u0026gt; yapılandırma \u0026gt; varsayılan\u003c/code\u003e önceliğiyle hiyerarşik CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — saf Go Git kütüphanesi; harici \u003ccode\u003egit\u003c/code\u003e ikili dosyası gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDerleme zamanı dedektör kaydı\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + boş importlar; tür güvenli, çalışma zamanı eklenti yükleyicisi yok.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hibrit eşleştirme\u003c/strong\u003e (ADR-0005) — ön filtre, alakasız parçalardaki regex çalışmasının çoğunu ortadan kaldırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonsuz katman analizi; imajları taramak için Docker daemon gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eİşçi havuzu\u003c/strong\u003e (ADR-0008) — sabit goroutine sayısı, kanal tabanlı fan-out; öngörülebilir bellek ve CPU kullanımı.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Kurulum","description":"Leakwatch'ı Homebrew, go install, Docker veya hazır bir ikili dosya ile kurun.","html":"\u003ch1 id=\"kurulum\"\u003eKurulum\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ı makinenize kurmak bir dakikadan az sürer. İş akışınıza en uygun yöntemi seçin: Homebrew macOS ve Linux'ta en basit seçenektir, \u003ccode\u003ego install\u003c/code\u003e halihazırda bir Go araç zinciriniz varsa idealdir, Docker ana sisteminizi temiz tutar ve hazır ikili dosyalar herhangi bir araç zinciri gerektirmeden her yerde çalışır.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-ve-linux\"\u003eHomebrew (macOS ve Linux)\u003c/h2\u003e\n\u003cp\u003eResmi tap, amd64 ve arm64 mimarilerinde macOS ve Linux'u destekler.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTap, \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e adresinde barındırılmaktadır. Homebrew ile yükseltmek için \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e komutunu kullanın.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003ego install\u003c/h2\u003e\n\u003cp\u003eGo 1.25 veya daha yeni bir sürümü yüklüyse, en son sürümü doğrudan kaynaktan derleyip kurabilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİkili dosya \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e dizinine yerleştirilir. Bu dizinin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olduğundan emin olun.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e her zaman en son etiketli sürümü getirir. Belirli bir sürüme sabitlemek için \u003ccode\u003e@latest\u003c/code\u003e yerine \u003ccode\u003e@v1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eMinimal, çok aşamalı bir Alpine imajı GitHub Container Registry'de yayımlanmaktadır. İmaj, root olmayan bir kullanıcı (\u003ccode\u003eleakwatch\u003c/code\u003e) olarak çalışır, CGO devre dışıdır ve çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKullanılabilir etiketler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın. Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için \u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için \u003ca href=\"#/guides/docker\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"hazr-ikili-dosya\"\u003eHazır ikili dosya\u003c/h2\u003e\n\u003cp\u003eHer sürüm, desteklenen tüm platformlar için \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasında tar arşivleri yayımlar. Platformunuza ait arşivi indirin, açın ve ikili dosyayı \u003ccode\u003ePATH\u003c/code\u003e değişkeninizdeki bir dizine taşıyın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDesteklenen platformlar:\u003c/strong\u003e amd64 ve arm64 mimarilerinde Linux, macOS ve Windows.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Linux amd64 örneği — OS ve ARCH değerlerini platformunuza göre değiştirin\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform adlandırması \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e kalıbını izler; \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e değeri \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e veya \u003ccode\u003eWindows\u003c/code\u003e, \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e değeri ise \u003ccode\u003eamd64\u003c/code\u003e veya \u003ccode\u003earm64\u003c/code\u003e olabilir.\u003c/p\u003e\n\u003ch2 id=\"kurulumu-dorulama\"\u003eKurulumu doğrulama\u003c/h2\u003e\n\u003cp\u003eHerhangi bir kurulum yönteminin ardından ikili dosyanın erişilebilir olduğunu doğrulayın ve sürümü kontrol edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeklenen çıktı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut bulunamazsa kurulum dizininin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olup olmadığını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — Leakwatch taramasının arkasındaki mimari.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile tarama davranışını özelleştirin.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/guides/docker\"\u003eDocker Kullanımı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Tanıtım","description":"Leakwatch nedir, neyi tarar ve sızan sırları nasıl tespit edip doğrular.","html":"\u003ch1 id=\"tantm\"\u003eTanıtım\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e, sızan sırları — API anahtarları, token'lar, parolalar, bağlantı dizeleri ve özel anahtarlar — kod tabanlarınızda, Git geçmişinizde, konteyner imajlarınızda, bulut depolamanızda ve Slack çalışma alanlarınızda \u003cstrong\u003etespit eden, doğrulayan ve raporlayan\u003c/strong\u003e yüksek performanslı, açık kaynaklı (MIT) bir güvenlik aracıdır.\u003c/p\u003e\n\u003cp\u003eGo ile yazılmıştır, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olarak dağıtılır (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e) ve her yerde çalışacak şekilde tasarlanmıştır: bir geliştirici dizüstü bilgisayarı, bir pre-commit kancası veya bir CI/CD hattı.\u003c/p\u003e\n\u003ch2 id=\"neden-leakwatch\"\u003eNeden Leakwatch\u003c/h2\u003e\n\u003cp\u003eTek bir commit'te sızan bir kimlik bilgisi — sonradan silinse bile — Git geçmişinde sonsuza dek erişilebilir kalabilir ve push edildikten dakikalar sonra istismar edilebilir. Leakwatch, bu sırları erken yakalamak ve hangilerinin \u003cem\u003egerçekten tehlikeli\u003c/em\u003e olduğunu söylemek için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGeniş tespit\u003c/strong\u003e — bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını ve daha fazlasını kapsayan 63 yerleşik dedektör; ayrıca kendi YAML özel kurallarınız.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eYalnızca tespit değil, doğrulama\u003c/strong\u003e — 54 dedektör türü için Leakwatch, bulunan bir sırrın \u003cem\u003ehâlâ etkin\u003c/em\u003e olup olmadığını sağlayıcıya kontrollü, salt-okunur bir çağrı yaparak teyit edebilir. Etkin olduğu doğrulanmış bir anahtar bir olaydır; etkin olmayan bir anahtar ise gürültüdür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eÇok sayıda kaynak\u003c/strong\u003e — yerel dosya sistemi, eksiksiz bir Git geçmişi, bir OCI/Docker imajı, AWS S3, Google Cloud Storage ve Slack mesajları.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-uyumlu çıktı\u003c/strong\u003e — JSON, SARIF (GitHub Code Scanning için), CSV ve renklendirilmiş terminal tablosu.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTasarımı gereği sır-güvenli\u003c/strong\u003e — bulunan sırlar varsayılan olarak maskelenir ve asla loglanmaz, önbelleğe alınmaz veya diske yazılmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"neleri-tarar\"\u003eNeleri tarar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNeyi kapsar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosyalar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob (yerel veya uzak)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker imaj katmanları, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanallardaki ve (isteğe bağlı) DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇoklu depo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAynı anda birden fazla Git deposu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"tespit-ksaca-nasl-alr\"\u003eTespit kısaca nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch, büyük girdilerde bile hızlı kalmak için katmanlı bir hat kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick anahtar kelime ön-filtresi\u003c/strong\u003e — tek bir çok-desenli otomat, bir parçayı hangi dedektörlerin eşleştirebileceğine hızla karar verir; böylece dedektörlerin çoğu regex'ini hiç çalıştırmaz.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex doğrulaması\u003c/strong\u003e — yalnızca kısa listeye alınan dedektörler kesin desenlerini çalıştırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropi\u003c/strong\u003e — Shannon entropisi gösterim için hesaplanır (ve özel kurallar tarafından düşük rastgelelikteki eşleşmeleri elemek için kullanılır).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDoğrulama\u003c/strong\u003e — uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch'ı kullanmak için bu hattı anlamanız gerekmez — ancak taramaların neden hızlı olduğunu ve bazı bulguların neden bir doğrulama durumu gösterirken bazılarının göstermediğini açıklar. Tam tablo için \u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"leakwatch-ne-deildir\"\u003eLeakwatch \u003cem\u003ene değildir\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eBeklentileri doğru belirlemek için:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGit geçmişini yeniden yazmaz veya sırları sizin için \u003cstrong\u003ekaldırmaz\u003c/strong\u003e — onları bulup raporlar ve (\u003ccode\u003e--remediation\u003c/code\u003e ile) nasıl döndüreceğinizi söyler.\u003c/li\u003e\n\u003cli\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar; yüklenen dosyaların \u003cem\u003eiçeriğini\u003c/em\u003e taramak uygulanmamıştır.\u003c/li\u003e\n\u003cli\u003eDoğrulama, birçok sır türü için mevcuttur ancak hepsi için değil — 9 dedektör türü (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman doğrulanmamış olarak raporlanır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker veya hazır bir ikili dosya ile kurun.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — taramanın arkasındaki mimari.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Hızlı Başlangıç","description":"İlk Leakwatch taramanızı bir dakikadan kısa sürede çalıştırın.","html":"\u003ch1 id=\"hzl-balang\"\u003eHızlı Başlangıç\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın neler yapabileceğini anlamanın en hızlı yolu, onu gerçek bir dizine yönlendirmektir. Bu sayfa ilk taramanızda size rehberlik eder, çıktının ne anlama geldiğini açıklar ve en sık kullanacağınız bayrakları gösterir.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eLeakwatch kurulu ve \u003ccode\u003ePATH\u003c/code\u003e değişkeninizde erişilebilir olmalıdır. Henüz yapmadıysanız \u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"lk-taramanz\"\u003eİlk taramanız\u003c/h2\u003e\n\u003cp\u003eMevcut dizini tek bir komutla tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak çıktı JSON biçiminde stdout'a yazılır. Bunun yerine okunabilir, renklendirilmiş bir tablo almak için \u003ccode\u003e--format table\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBir sonucun nasıl göründüğü aşağıdadır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTarama özeti her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır; bu nedenle pipe veya yeniden yönlendirilen çıktıyla hiçbir zaman çakışmaz.\u003c/p\u003e\n\u003ch2 id=\"bulguyu-anlamak\"\u003eBulguyu anlamak\u003c/h2\u003e\n\u003cp\u003eTablodaki her satır (veya JSON'daki her nesne) bir bulguyu temsil eder. Temel alanlar şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSır türünün ne kadar kritik olduğu: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşen dedektör — sır türünü tanımlar (örneğin \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın bulunduğu dosyanın tarama köküne göreli yolu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşmenin satır numarası\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın maskelenmiş gösterimi — \u003ccode\u003e--show-raw\u003c/code\u003e ayarlanmadıkça ham değer hiçbir zaman gösterilmez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulama sonucu: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003everified:active\u003c/code\u003e durumu, Leakwatch'ın sağlayıcıya salt-okunur bir API çağrısı yaparak sırrın hâlâ etkin olduğunu doğruladığı anlamına gelir. \u003cstrong\u003eHer \u003ccode\u003everified:active\u003c/code\u003e bulgusunu açık bir olay olarak değerlendirin.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"yaygn-tarama-seenekleri\"\u003eYaygın tarama seçenekleri\u003c/h2\u003e\n\u003ch3 id=\"yalnzca-onaylanm-srlara-odaklann\"\u003eYalnızca onaylanmış sırlara odaklanın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu seçenek doğrulanmamış ve etkin olmayan bulguları gizler; yalnızca etkin olduğu onaylananları bırakır. Çok sayıda sonucunuz olduğunda önceliklendirme için kullanışlıdır.\u003c/p\u003e\n\u003ch3 id=\"hzl-evrimd-tarama-iin-a-dorulamasn-atlayn\"\u003eHızlı çevrimdışı tarama için ağ doğrulamasını atlayın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama tamamen atlanır — hiçbir giden ağ çağrısı yapılmaz. Sonuçlar daha hızlı görünür ve internet bağlantısı olmadan çalışır, ancak tüm bulgular \u003ccode\u003eunverified\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"dzeltme-klavuzu-ekleyin\"\u003eDüzeltme kılavuzu ekleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer bulgu, söz konusu sır türünü nasıl döndüreceğinizi veya iptal edeceğinizi açıklayan bir \u003cstrong\u003eREMEDIATION\u003c/strong\u003e sütunu kazanır. Bayrak ayarlandığında aynı veriler JSON, SARIF ve CSV çıktısına da dahil edilir.\u003c/p\u003e\n\u003ch3 id=\"minimum-nem-derecesine-gre-filtreleyin\"\u003eMinimum önem derecesine göre filtreleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e önem derecesindeki bulgular raporlanır.\u003c/p\u003e\n\u003ch3 id=\"sonular-dosyaya-kaydedin\"\u003eSonuçları dosyaya kaydedin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e bayrağı stdout yerine bir dosyaya yazar. SARIF çıktısı \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e ile uyumludur.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-oluturma\"\u003eYapılandırma dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003eİlk denemede varsayılanlarla çalıştırmak uygundur; ancak tekrarlayan kullanım için proje düzeyinde bir yapılandırma isteyeceksiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut, eşzamanlılık, entropi, doğrulama, çıktı biçimi ve yaygın yol dışlamaları için önerilen varsayılanlarla mevcut dizine \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yazar. Mevcut bir dosyanın üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e, farklı bir yola yazmak için \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eHer seçeneğin tam açıklaması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI betiklerinin çıktıyı ayrıştırmadan sonuçlara göre hareket edebilmesi için farklı çıkış kodları kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bulgu yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bir veya daha fazla sır bulundu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama bir hata nedeniyle başarısız oldu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTipik bir CI kapısı şöyle görünür:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Etkin sırlar bulundu — derleme başarısız\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, etkin filtreleri geçen (\u003ccode\u003e--min-severity\u003c/code\u003e ve \u003ccode\u003e--only-verified\u003c/code\u003e dahil) \u003cem\u003eherhangi bir\u003c/em\u003e bulgu olduğunda döndürülür. Temiz çıkış kodu \u003ccode\u003e0\u003c/code\u003e, hiçbir bulgunun eşleşmediği anlamına gelir — kod tabanında sır olmadığı anlamına gelmez.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"taramay-iptal-etme\"\u003eTaramayı iptal etme\u003c/h2\u003e\n\u003cp\u003eÇalışan bir taramayı iptal etmek için \u003ccode\u003eCtrl+C\u003c/code\u003e tuşuna basın (veya \u003ccode\u003eSIGTERM\u003c/code\u003e gönderin). Leakwatch düzgün biçimde durur: işlemdeki parçalar tamamlanır, kısmi sonuçlar yazılır ve özet \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Çıktı Formatları","description":"Leakwatch'ın desteklediği dört çıktı formatı — JSON, SARIF, CSV ve tablo — örnekler ve her birini ne zaman kullanacağınıza dair rehberlik.","html":"\u003ch1 id=\"kt-formatlar\"\u003eÇıktı Formatları\u003c/h1\u003e\n\u003cp\u003eLeakwatch dört çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları ve insan tarafından okunabilir terminal incelemesi. \u003ccode\u003e--format\u003c/code\u003e (veya \u003ccode\u003e-f\u003c/code\u003e) ile bir format seçin; stdout yerine bir dosyaya yazmak için \u003ccode\u003e--output\u003c/code\u003e (veya \u003ccode\u003e-o\u003c/code\u003e) kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan format \u003ccode\u003ejson\u003c/code\u003e'dur.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON varsayılan format ve en eksiksiz temsil biçimidir. Leakwatch, stdout'a (veya \u003ccode\u003e--output\u003c/code\u003e ile verilen dosyaya) bulgu nesnelerinden oluşan bir JSON \u003cstrong\u003edizisi\u003c/strong\u003e yazar.\u003c/p\u003e\n\u003cp\u003eHam sır değeri, \u003ccode\u003e--show-raw\u003c/code\u003e açıkça ayarlanmadıkça \u003cstrong\u003ehiçbir zaman\u003c/strong\u003e serileştirilmez. \u003ccode\u003e--show-raw\u003c/code\u003e ile her nesneye bir \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e alanı eklenir.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-bulgu-nesnesi\"\u003eÖrnek bulgu nesnesi\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--remediation\u003c/code\u003e de ayarlandığında her bulgunun içine iç içe bir \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e nesnesi yerleştirilir. Bkz. \u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif\u003c/code\u003e formatı, \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e'e yüklenmek üzere tasarlanmış bir SARIF v2.1.0 belgesi üretir. Araç adı \u003ccode\u003eLeakwatch\u003c/code\u003e'tır ve \u003ccode\u003einformationUri\u003c/code\u003e \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e adresine işaret eder.\u003c/p\u003e\n\u003cp\u003eBulgularda görünen her dedektör, SARIF sürücüsünde bir \u003cstrong\u003ekural\u003c/strong\u003e haline gelir; \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme adımlarından doldurulan \u003ccode\u003ehelp\u003c/code\u003e metni ve sağlayıcı belgelerine işaret eden bir \u003ccode\u003ehelpUri\u003c/code\u003e ile birlikte. Sonuçlar, dedektör ID'si, maskelenmiş değer ve dosya yolundan hesaplanan bir \u003ccode\u003eleakwatch/v1\u003c/code\u003e kısmi parmak izi taşır — bu, çevresindeki kod kaydığında bile GitHub Code Scanning'in aynı uyarıyı takip etmesini sağlar.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-1\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"github-code-scanninge-ykleme\"\u003eGitHub Code Scanning'e yükleme\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Bir GitHub Actions iş akışı adımında:\n- name: SARIF sonuçlarını yükle\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam CI kurulumu için \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003ecsv\u003c/code\u003e formatı, bir başlık satırı ve ardından bulgu başına bir satır yazar; standart virgülle ayrılmış değerler kullanır. Her hücre yazılmadan önce elektronik tablo formül enjeksiyonuna karşı sterilize edilir.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar (varsayılan):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eraw\u003c/code\u003e sütunu eklenir.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eremediation\u003c/code\u003e sütunu, \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme başlığını (örn. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) içerir, aksi hâlde boş kalır.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-2\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tablo\"\u003eTablo\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003etable\u003c/code\u003e formatı, insan tarafından okunabilir sekme hizalı bir tablo yazar; sonuçların hızlı görsel taramasını istediğiniz etkileşimli terminal oturumları için en uygun formattır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eRAW\u003c/code\u003e sütunu eklenir. Tablonun altına bir özet satırı yazdırılır (örn. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI rengi\u003c/strong\u003e, \u003ccode\u003eSEVERITY\u003c/code\u003e sütununa otomatik olarak uygulanır, ancak yalnızca dört koşulun tamamı sağlandığında:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e seçilmiş\u003c/li\u003e\n\u003cli\u003eÇıktı stdout'a gidiyor (\u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e yok)\u003c/li\u003e\n\u003cli\u003estdout bir TTY (pipe veya yönlendirme değil)\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e ortam değişkeni ayarlanmamış\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÖnem derecesi\u003c/th\u003e\n\u003cth\u003eRenk\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKalın kırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSarı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMavi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"rnek-ar-3\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt-1\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yaygn-kt-bayraklar\"\u003eYaygın çıktı bayrakları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı formatı: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (varsayılan \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout yerine dosyaya yaz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya maskelenmemiş sır değerini dahil et\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBu önem seviyesinin altındaki bulguları bırak\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca \u003ccode\u003everified_active\u003c/code\u003e bulgularını tut\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBulguları sağlayıcı düzeltme rehberiyle zenginleştir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Düzeltme Rehberi","description":"Bulguları sağlayıcıya özgü döndürme ve iptal adımları, aciliyet dereceleri ve resmi dokümantasyon bağlantılarıyla zenginleştirmek için --remediation kullanın.","html":"\u003ch1 id=\"dzeltme-rehberi\"\u003eDüzeltme Rehberi\u003c/h1\u003e\n\u003cp\u003eBir sırrın sızdığını bilmek işin yalnızca yarısıdır — ayrıca ne yapacağınızı da bilmeniz gerekir. Herhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e eklemek, her bulguyu yapılandırılmış, sağlayıcıya özgü rehberlikle zenginleştirir: kimlik bilgisini döndürme veya iptal etme adımları, sağlayıcının belgelerine bağlantı, yönetim konsoluna bağlantı, aciliyet derecelendirmesi ve bir doğrulama kontrol listesi.\u003c/p\u003e\n\u003ch2 id=\"nasl-etkinletirilir\"\u003eNasıl etkinleştirilir\u003c/h2\u003e\n\u003cp\u003eHerhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDüzeltme zenginleştirmesi varsayılan olarak devre dışıdır. Bayrak yoksa, her bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı \u003ccode\u003enull\u003c/code\u003e olur ve fazladan veri alınmaz veya hesaplanmaz.\u003c/p\u003e\n\u003ch2 id=\"ne-ierir\"\u003eNe içerir\u003c/h2\u003e\n\u003cp\u003eHer düzeltme girişi aşağıdaki alanları içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDüzeltme eyleminin kısa adı (örn. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrı döndürmek veya iptal etmek için sıralı adımlar listesi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının resmi kimlik bilgisi yönetimi belgelerine bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının yönetim konsolu sayfasına doğrudan bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNe kadar hızlı harekete geçileceği: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e veya \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDöndürme sonrası doğrulama adımları (örn. denetim günlüklerini inceleyin, güvenlik ekibini bilgilendirin)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch, her yerleşik dedektör için bir tane olmak üzere 63 düzeltme girişiyle birlikte gelir. 63 girişin tamamı ikili dosyaya dahildir; rehberliği almak için herhangi bir ağ çağrısı yapılmaz. Bu, çevrimdışı ortamlarda veya hava boşluklu ağlarda bile düzeltme rehberliğinin sorunsuz çalışması anlamına gelir.\u003c/p\u003e\n\u003ch2 id=\"her-formatta-nasl-grnr\"\u003eHer formatta nasıl görünür\u003c/h2\u003e\n\u003cp\u003eZenginleştirme, rehberliği bellekteki bulgu nesnesine ekler. Nasıl göründüğü çıktı formatına bağlıdır:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — tam yapılandırılmış \u003ccode\u003eremediation\u003c/code\u003e nesnesi her bulgunun içine yerleştirilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — \u003ccode\u003esteps\u003c/code\u003e alanları, kuralın \u003ccode\u003ehelp.text\u003c/code\u003e alanına yerleştirilir ve \u003ccode\u003edoc_url\u003c/code\u003e, kuralın \u003ccode\u003ehelpUri\u003c/code\u003e'si olarak ayarlanır. Bu, GitHub Code Scanning'in uyarı ayrıntıları panelinde doğrudan görünür.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı \u003ccode\u003eremediation\u003c/code\u003e sütununa yazılır. Tam yapılandırılmış rehberlik CSV çıktısına dahil edilmez.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTablo\u003c/strong\u003e — \u003ccode\u003eREMEDIATION\u003c/code\u003e sütununda yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı gösterilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOtomatik olay müdahale iş akışları için tam yapılandırılmış rehberliğe ihtiyaç duyduğunuzda \u003ccode\u003e--remediation --format json\u003c/code\u003e kullanın. Terminalde hızlı, insan tarafından okunabilir bir önceliklendirme oturumu için \u003ccode\u003e--remediation --format table\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eZenginleştirme yalnızca \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında çalışır. Bayrak olmadan, \u003ccode\u003eremediation\u003c/code\u003e alanı JSON ve SARIF çıktısında yoktur ve CSV ile tablo \u003ccode\u003eremediation\u003c/code\u003e sütunları boştur. Bayrak, orijinal tarama sonuçlarını değiştirmez — bunların üzerine bir katman ekler.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kurallar-ve-dzeltme\"\u003eÖzel kurallar ve düzeltme\u003c/h2\u003e\n\u003cp\u003eÖzel kural tanımları bir \u003ccode\u003eremediation\u003c/code\u003e bloğunu desteklemez — düzeltme rehberliği yalnızca yerleşik dedektörler için mevcuttur. Özel bir kural tarafından tetiklenen bulgu için \u003ccode\u003e--remediation\u003c/code\u003e bayrağı geçildiğinde, o bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı boş kalır; diğer alanlar etkilenmez.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Başvurusu","description":"Her Leakwatch komutu, alt komutu ve bayrağı için tam başvuru kaynağı.","html":"\u003ch1 id=\"cli-bavurusu\"\u003eCLI Başvurusu\u003c/h1\u003e\n\u003cp\u003eBu sayfa, tüm Leakwatch komutları ve bayrakları için yetkili başvuru kaynağıdır. Kavramsal açıklamalar ve çalışma örnekleri için ilgili tarama veya yapılandırma sayfalarındaki çapraz bağlantıları takip edin.\u003c/p\u003e\n\u003ch2 id=\"global-bayraklar\"\u003eGlobal bayraklar\u003c/h2\u003e\n\u003cp\u003eBu bayraklar her komut ve alt komut üzerinde kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOtomatik olarak bulunan \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasının yolu. Atlandığında Leakwatch, geçerli dizinde ve üst dizinlerinde \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e arar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGünlük ayrıntı düzeyi: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e veya \u003ccode\u003eerror\u003c/code\u003e. Günlük çıktısı stderr'e gider ve tarama sonuçlarını etkilemez.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eİkili dosya sürümünü, commit karmasını ve derleme zaman damgasını yazdırır, ardından çıkar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGeçerli dizinde önerilen varsayılanlarla bir \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyası oluşturur.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasını varsayılan yerine bu yola yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMevcut bir yapılandırma dosyasının üzerine yaz. Bu bayrak olmadan, çıktı dosyası zaten mevcutsa \u003ccode\u003einit\u003c/code\u003e hatayla çıkar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Varsayılan yapılandırmayı oluştur\nleakwatch init\n\n# Mevcut yapılandırmanın üzerine yaz\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eTüm tarama alt komutları için üst komut. Kendi başına davranışı yoktur; bir alt komut çalıştırın.\u003c/p\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003cp\u003eAşağıdaki bayraklar \u003cstrong\u003etüm\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e alt komutlarında kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosya yoluna yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu bayt sayısından büyük dosyaları veya blob'ları atla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya ham (maskelenmemiş) sır değerini dahil et. Dikkatli kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı sır doğrulamasını devre dışı bırak. Giden API çağrısı yapılmaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya dahil edilecek minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi (dönüşüm/iptal adımları) ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel bir dizin ağacını tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e varsayılan olarak \u003ccode\u003e.\u003c/code\u003e'dır. En fazla bir konumsal argüman kabul eder.\u003c/p\u003e\n\u003ch4 id=\"dosya-sistemine-zg-bayraklar\"\u003eDosya sistemine özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;kalıp\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob kalıbı. Tekrarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara, renklendirilmiş tablo yazdır\nleakwatch scan fs . --format table\n\n# SARIF çıktısını kaydet, test dosyalarını ve vendor'ı dışla\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel veya uzak bir Git deposunun tam commit geçmişini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir: yerel bir yol veya HTTP/HTTPS/SSH URL'si.\u003c/p\u003e\n\u003ch4 id=\"gite-zg-bayraklar\"\u003eGit'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit karmasından HEAD'e kadar olan değişiklikleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;ad\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan dal yerine belirli bir dalı hedefle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003eUzak depolar için sığ klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi getirir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-1\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tam yerel geçmişi tara\nleakwatch scan git . --format table\n\n# Bir pull request tarafından eklenen commit'leri tara\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir OCI/Docker imajının katmanlarını sırlar açısından tarar. Leakwatch daemonsuz çalışır ve kayıt defterinden doğrudan çeker — Docker soketi gerekmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"rnekler-2\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Genel bir imajı tara\nleakwatch scan image nginx:latest --format table\n\n# Özel kayıt defteri imajını tara, JSON çıktısını kaydet\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir AWS S3 kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, anahtarı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi. \u003ccode\u003eAWS_REGION\u003c/code\u003e ortam değişkenine veya AWS SDK varsayılanına geri döner.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-3\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm kovayı tara\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Belirli bir ön eki tara\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Google Cloud Storage kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"gcsye-zg-bayraklar\"\u003eGCS'ye özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, adı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği. Varsayılan kimlik bilgilerinden proje çıkarılamadığında gereklidir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-4\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm GCS kovasını tara\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Ön ek tara\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Slack çalışma alanındaki mesaj metnini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKonumsal argüman yoktur.\u003c/p\u003e\n\u003ch4 id=\"slacke-zg-bayraklar\"\u003eSlack'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token'ı. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni ile de ayarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. Atlandığında erişilebilir tüm kanalları tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adları veya kimliklerinin virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonra gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları dahil et (ek OAuth kapsamları gerektirir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-5\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Erişilebilir tüm kanalları tara\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Belirli kanalları belirli bir tarihten itibaren tara\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBirden fazla Git deposunu paralel olarak tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEn az iki konumsal argüman (depo URL'leri veya yerel yollar) gereklidir.\u003c/p\u003e\n\u003ch4 id=\"reposa-zg-bayraklar\"\u003eRepos'a özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eHer depo taramasındaki çalışan eşzamanlılığı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-6\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki depoyu paralel olarak tara\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Büyük bir depo seti için paralellizmi artır\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e — Leakwatch'ı bayrak kullanmadan yapılandırma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — ayrıntılı \u003ccode\u003escan fs\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — ayrıntılı \u003ccode\u003escan git\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Ortam Değişkenleri","description":"Leakwatch davranışını bayrak kullanmadan yapılandıran ortam değişkenleri.","html":"\u003ch1 id=\"ortam-deikenleri\"\u003eOrtam Değişkenleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, yapılandırmayı öncelik sırasına göre üç kaynaktan okur: \u003cstrong\u003ekomut satırı bayrakları\u003c/strong\u003e, \u003cstrong\u003eortam değişkenlerini\u003c/strong\u003e geçersiz kılar; ortam değişkenleri \u003cstrong\u003eyapılandırma dosyasını\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e) geçersiz kılar; yapılandırma dosyası yerleşik \u003cstrong\u003evarsayılanlara\u003c/strong\u003e geri döner. Ortam değişkenleri, bir yapılandırma dosyasını değiştiremeyeceğiniz veya her çağrıya bayrak geçiremeyeceğiniz CI ortamlarında kullanışlıdır.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-deikeni-kalb\"\u003eYapılandırma değişkeni kalıbı\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki herhangi bir anahtar, ortam değişkeni olarak şu şekilde ayarlanabilir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAnahtar adını büyük harfe çevir.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştir.\u003c/li\u003e\n\u003cli\u003eBaşına \u003ccode\u003eLEAKWATCH_\u003c/code\u003e ekle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eÖrneğin, \u003ccode\u003escan.concurrency\u003c/code\u003e yapılandırma anahtarı \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"deiken-bavurusu\"\u003eDeğişken başvurusu\u003c/h2\u003e\n\u003ch3 id=\"leakwatcha-zg-deikenler\"\u003eLeakwatch'a özgü değişkenler\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e için Slack bot token'ı. \u003ccode\u003e--token\u003c/code\u003e'a eşdeğer. Token'ın kabuk geçmişinde veya CI günlüklerinde görünmesini önlemek için bayrak olarak geçirmek yerine bunu ayarlayın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı. \u003ccode\u003e--concurrency\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı doğrulamayı genel olarak devre dışı bırakmak için \u003ccode\u003efalse\u003c/code\u003e olarak ayarlayın. \u003ccode\u003e--no-verify\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm doğrulayıcılar genelinde saniye başına maksimum doğrulama isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan çıktı biçimi (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e). \u003ccode\u003e--format\u003c/code\u003e'a eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir eşleşmenin raporlanması için gereken minimum Shannon entropisi. Float değer, örn. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"grntleme-deikeni\"\u003eGörüntüleme değişkeni\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBoş olmayan herhangi bir değere ayarlandığında, \u003ccode\u003etable\u003c/code\u003e çıktı biçimlendiricisindeki ANSI renk kodlarını devre dışı bırakır. \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e kuralını izler.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-deikenleri-scan-s3-ve-aws-sr-dorulamas-iin\"\u003eAWS değişkenleri (\u003ccode\u003escan s3\u003c/code\u003e ve AWS sır doğrulaması için)\u003c/h3\u003e\n\u003cp\u003eBunlar standart AWS SDK ortam değişkenleridir. Leakwatch bunları AWS SDK v2 varsayılan kimlik bilgisi zincirine aktarır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS erişim anahtarı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS gizli erişim anahtarı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS oturum token'ı (geçici kimlik bilgileri için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKullanılacak \u003ccode\u003e~/.aws/credentials\u003c/code\u003e dosyasından adlandırılmış profil.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-deikeni-scan-gcs-iin\"\u003eGCS değişkeni (\u003ccode\u003escan gcs\u003c/code\u003e için)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGoogle hizmet hesabı JSON anahtar dosyasının yolu. Bir GCS kovasını tararken Uygulama Varsayılan Kimlik Bilgileri tarafından kullanılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-rnei\"\u003eÖncelik örneği\u003c/h2\u003e\n\u003cp\u003eŞu kurulumu varsayın:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, \u003ccode\u003eoutput.format: table\u003c/code\u003e olarak ayarlıyor\u003c/li\u003e\n\u003cli\u003eOrtamda \u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e ayarlanmış\u003c/li\u003e\n\u003cli\u003eKomut \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e olarak çalıştırılıyor (\u003ccode\u003e--format\u003c/code\u003e bayrağı yok)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOrtam değişkeni yapılandırma dosyasını geçersiz kıldığından geçerli biçim \u003ccode\u003ejson\u003c/code\u003e'dır.\u003c/p\u003e\n\u003cp\u003eKomut \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e olarak çalıştırılırsa, bayrak her şeyi geçersiz kıldığından geçerli biçim \u003ccode\u003esarif\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kimlik-bilgileri-ve-tarama-kimlik-bilgileri\"\u003eDoğrulama kimlik bilgileri ve tarama kimlik bilgileri\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYukarıdaki AWS ve GCP değişkenleri, Leakwatch'ın \u003cstrong\u003ekendisinin\u003c/strong\u003e nesneleri taramak için S3 veya GCS'ye bağlanırken kimliğini doğrulaması için kullanılır. Bulunan sırları doğrulamak için kullanılmazlar. Keşfedilen bir AWS anahtarının doğrulanması, örneğin, runner'ın kimlik bilgilerini değil, keşfedilen anahtarın kendisini kullanarak AWS STS'yi çağırır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-srlar-gvenli-biimde-geirme\"\u003eCI'da sırları güvenli biçimde geçirme\u003c/h2\u003e\n\u003cp\u003eGitHub Actions'ta şifrelenmiş sırları kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGitLab CI'da maskelenmiş CI/CD değişkenlerini kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # proje ayarlarında maskelenmiş değişken olarak tanımlanmış\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eToken değerlerini hiçbir zaman iş akışı dosyalarına veya Dockerfile'lara sabit olarak kodlamayın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tam \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e anahtar başvurusu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eBulut Depolama Taraması\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e ve \u003ccode\u003escan gcs\u003c/code\u003e kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Taraması\u003c/a\u003e — Slack token kapsamları ve izinleri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — eşdeğer komut satırı bayrakları.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Çıkış Kodları","description":"Leakwatch çıkış kodu başvurusu ve bunların betiklerde ve CI pipeline'larında nasıl kullanılacağı.","html":"\u003ch1 id=\"k-kodlar\"\u003eÇıkış Kodları\u003c/h1\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için küçük, iyi tanımlanmış bir çıkış kodu seti kullanır. Her tarama alt komutu üç koddan biriyle çıkar.\u003c/p\u003e\n\u003ch2 id=\"kod-bavurusu\"\u003eKod başvurusu\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAd\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTemiz\u003c/td\u003e\n\u003ctd\u003eTarama başarıyla tamamlandı ve etkin filtrelerden hiçbir bulgu geçmedi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular var\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı ve etkin filtrelerden geçen bir veya daha fazla sır bulundu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHata\u003c/td\u003e\n\u003ctd\u003eTaramanın hiç çalışamamasına neden olan ciddi bir hata oluştu — örneğin geçersiz bir bayrak, okunamaz bir yol veya kimlik doğrulama hatası. Stderr'e bir \u003ccode\u003eError: ...\u003c/code\u003e mesajı ve kullanım ipucu yazdırılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"filtrelerin-k-kodu-1i-nasl-etkiledii\"\u003eFiltrelerin çıkış kodu 1'i nasıl etkilediği\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, yalnızca en az bir bulgu etkin çıktı filtrelerinin tümünden geçtiğinde yayılır. En ilgili iki filtre şunlardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — eşiğin altındaki bulgular bastırılır. Tüm bulgular \u003ccode\u003elow\u003c/code\u003e önem derecesindeyse ve \u003ccode\u003e--min-severity high\u003c/code\u003e ile çalışıyorsanız, sırlar mevcut olmasına rağmen çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulgular raporlanır. Etkin sır bulunamazsa çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBu, çıkış kodu \u003ccode\u003e0\u003c/code\u003e'ın \u0026quot;mevcut filtre ayarlarınızla eşleşen bulgu yok\u0026quot; anlamına geldiği anlamına gelir — kod tabanının hiçbir sır içermediği değil.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e altında temiz \u003ccode\u003e0\u003c/code\u003e çıkışı, kod tabanının sırdan arındırılmış olduğunu garanti etmez. Doğrulamanın mevcut olmadığı sır türleri (9 dedektör türü) her zaman doğrulanmamış olarak raporlanır ve \u003ccode\u003e--only-verified\u003c/code\u003e tarafından bastırılır. Tam kapsam için \u003ccode\u003e--only-verified\u003c/code\u003e ile birlikte ayrı bir filtresiz tarama yapın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kabuk-betiklerinde-k-kodlarn-kullanma\"\u003eKabuk betiklerinde çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;Sır bulunamadı. Derleme devam ediyor.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Sırlar bulundu — birleştirmeden önce leakwatch.json'u inceleyin ve düzeltin.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch bir hatayla karşılaştı (çıkış $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTaramadan önce \u003ccode\u003eset +e\u003c/code\u003e kullanmak, kabuğun sıfır dışı kodlarda çıkmasını engeller ve kodu kendiniz yakalayıp işlemenize olanak tanır.\u003c/p\u003e\n\u003ch2 id=\"ci-pipelinelarnda-k-kodlarn-kullanma\"\u003eCI pipeline'larında çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cp\u003eÇoğu CI sistemi, sıfır dışı herhangi bir çıkış kodunu adım başarısızlığı olarak değerlendirir. Leakwatch sırlar bulunduğunda \u003ccode\u003e1\u003c/code\u003e ile çıktığından, ek yapılandırma olmadan pipeline otomatik olarak başarısız olur — yalnızca tarama komutunu çalıştırın.\u003c/p\u003e\n\u003cp\u003eSırlar bulunsa bile pipeline'ın devam etmesine izin vermek için (örneğin, derlemeyi engellemeden raporu toplamak amacıyla) çıkış kodunu açıkça yoksayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitLab CI'da:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitHub Action'da \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"uygulamada-k-kodu-2\"\u003eUygulamada çıkış kodu 2\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e2\u003c/code\u003e, taramanın hiç çalışamamasına neden olan bir yapılandırma veya çalışma zamanı hatasını gösterir. Yaygın nedenler:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGeçersiz bir bayrak değeri (örneğin \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMevcut olmayan veya okunamaz bir yol.\u003c/li\u003e\n\u003cli\u003eEksik gerekli argüman (örneğin, URL olmadan \u003ccode\u003escan git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBir bulut kaynağına bağlanırken kimlik doğrulama hatası.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHata mesajı stderr'e yazdırılır ve sorunu teşhis etmeye yardımcı olacak bağlam içerir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — çıkış kodlarını GitLab CI, Jenkins ve diğerlerine bağlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — resmi action'ın çıkış kodlarını adım sonuçlarıyla nasıl eşlediği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — tam bayrak başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Bulut Depolama (S3 \u0026 GCS)","description":"AWS S3 ve Google Cloud Storage kovalarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"bulut-depolama-s3--gcs\"\u003eBulut Depolama (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSırlar sıklıkla bulut depolamaya taşınır — dışa aktarılan veritabanı dökümleri, ortam dosyaları, CI artefaktları ve günlük arşivleri, düşünüldüğünden çok daha fazla kişinin erişebildiği kovalara akar. Leakwatch, AWS S3 ve Google Cloud Storage kovalarını nesne nesne tarayabilir ve bulduğu sırları bir olaya dönüşmeden işaretler.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"kullanm\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003es3://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch standart \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS varsayılan kimlik bilgisi zincirini\u003c/a\u003e kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOrtam değişkenleri (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan kimlik bilgileri dosyası (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan yapılandırma dosyası (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eÖrneğe veya göreve atanmış IAM rolü (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAWS CLI ile zaten kimlik doğrulaması yaptıysanız (\u003ccode\u003eaws configure\u003c/code\u003e veya üstlenilmiş bir rol) ek yapılandırma gerekmez.\u003c/p\u003e\n\u003ch3 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca anahtarı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eAWS yapılandırmasından\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-rnekleri\"\u003eS3 örnekleri\u003c/h3\u003e\n\u003cp\u003eTüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir bölgede belirli bir anahtar öneki altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eTaramayı ilgili bir alt yola sınırlamak için \u003ccode\u003e--prefix\u003c/code\u003e kullanın. Milyonlarca nesne içeren büyük bir kovayı taramak yavaş olabilir ve S3 GET istek maliyeti doğurabilir. Öneki gerçekten önemli olana — örneğin \u003ccode\u003econfigs/\u003c/code\u003e veya \u003ccode\u003eexports/\u003c/code\u003e — daraltın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"kullanm-1\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003egs://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama-1\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e kullanır. Kimlik bilgisi arama sırası şu şekildedir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eHizmet hesabı anahtar dosyasına işaret eden \u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e ortam değişkeni.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egcloud auth application-default login\u003c/code\u003e ile yapılandırılmış kullanıcı kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003eGoogle Compute Engine örneğine, Cloud Run hizmetine veya GKE iş yüküne atanmış hizmet hesabı.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcse-zg-bayraklar\"\u003eGCS'e özgü bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca adı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği (bazı ADC yapılandırmalarında gereklidir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-rnekleri\"\u003eGCS örnekleri\u003c/h3\u003e\n\u003cp\u003eBelirli bir GCP projesiyle tüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca belirli bir önek altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCSV olarak çıktı alın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h2\u003e\n\u003cp\u003eHem \u003ccode\u003es3\u003c/code\u003e hem de \u003ccode\u003egcs\u003c/code\u003e aynı ortak tarama bayraklarını destekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan nesneleri atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eNesne anahtarlarına uygulanan yol dışlamaları \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (kimlik doğrulama hatası, kova bulunamadı, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Konteyner İmajları","description":"Docker daemon gerektirmeksizin OCI ve Docker imaj katmanlarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"konteyner-majlar\"\u003eKonteyner İmajları\u003c/h1\u003e\n\u003cp\u003eKonteyner imajları sırların sıklıkla gizlendiği yerlerden biridir: ortam değişkenlerine gömülen API anahtarları, derleme katmanlarına yerleştirilmiş kimlik bilgileri ve imaj katmanlarına kopyalanıp unutulan yapılandırma dosyaları. \u003ccode\u003eleakwatch scan image\u003c/code\u003e, bir OCI veya Docker imajının her katmanını inceler ve bu sırları dağıtım öncesinde gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: standart \u003ccode\u003ename:tag\u003c/code\u003e gösteriminde bir imaj referansı. Leakwatch imajları çekmek ve incelemek için \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e kullanır — herhangi bir Docker daemon \u003cstrong\u003egerekmez\u003c/strong\u003e.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Docker Hub imajını tara\nleakwatch scan image nginx:latest\n\n# Özel GitHub Container Registry imajını tara\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Amazon ECR imajını tara\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"desteklenen-kayt-sunucular\"\u003eDesteklenen kayıt sunucuları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKayıt Sunucusu\u003c/th\u003e\n\u003cth\u003eÖrnek referans\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eOCI uyumlu herhangi bir kayıt sunucusu\u003c/td\u003e\n\u003ctd\u003eStandart \u003ccode\u003eregistry/name:tag\u003c/code\u003e biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, Docker ve diğer OCI araçları tarafından kullanılan standart kimlik bilgisi anahtarlığını kullanır. \u003ccode\u003edocker login\u003c/code\u003e (veya \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, bulut sağlayıcısı kimlik bilgisi yardımcıları gibi eşdeğer araçlar) ile oturum açtıysanız, Leakwatch bu kimlik bilgilerini otomatik olarak kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Önce GHCR'a giriş yapın\ndocker login ghcr.io\n\n# Ardından tarayın — kimlik bilgileri otomatik olarak alınır\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAmazon ECR için, taramadan önce ECR kimlik bilgisi yardımcısını yapılandırın ya da \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e ve ilgili ortam değişkenlerini ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch imaj manifestini çeker, her katmanı sırayla işler ve her katmandaki dosyaları çıkarır. Her dosyanın içeriği, dosya sistemi taramasıyla aynı tespit hattından geçirilir. \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları burada da geçerlidir ve katmanlar içinde hangi dosya yollarının inceleneceğini sınırlar.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003cp\u003eİmaja özgü bayrak yoktur. Tüm ortak tarama bayrakları geçerlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eYol tabanlı dışlamalar \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eDocker Hub imajını tarayın ve sonuçları tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt sunucusu imajını tarayın ve SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif sırları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eJSON çıktısına düzeltme rehberi dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eİmaj taramasından elde edilen her bulgu katman meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan imaj referansı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği katman özeti.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKatman içindeki dosyanın yolu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGizli bilgilerin bir kayıt sunucusuna push edilmeden önce yakalanması için konteyner imaj taramasını CI/CD hattınızın derleme aşamasına entegre edin. Sonuçları doğrudan GitHub Code Scanning'e yüklemek için \u003ccode\u003e--format sarif\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (imaj bulunamadı, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Dosya Sistemi","description":"leakwatch scan fs komutuyla yerel bir dizin ağacını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"dosya-sistemi\"\u003eDosya Sistemi\u003c/h1\u003e\n\u003cp\u003eSırlar çoğu zaman önce yerel kaynak kodda ortaya çıkar. \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutu, bir dizin ağacındaki tüm dosyaları dolaşır, her biri üzerinde tam tespit hattını çalıştırır ve bulguları raporlar — henüz commit edilmeden önce yakalamak ya da mevcut bir kod tabanını sonradan taramak için kullanabilirsiniz.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e isteğe bağlıdır. Belirtilmediğinde Leakwatch geçerli çalışma dizinini (\u003ccode\u003e.\u003c/code\u003e) tarar. Yalnızca tek bir path argümanı kabul edilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara\nleakwatch scan fs\n\n# Belirli bir proje klasörünü tara\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"dosya-sistemi-kaynann-otomatik-olarak-atladklar\"\u003eDosya sistemi kaynağının otomatik olarak atladıkları\u003c/h2\u003e\n\u003cp\u003eTaramaları hızlı ve gürültüsüz tutmak için dosya sistemi kaynağı herhangi bir yapılandırma gerekmeksizin şunları atlar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eİkili dosyalar\u003c/strong\u003e — dosyanın ilk 8 KB'ında null byte bulunmasıyla tespit edilir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBilinen ikili uzantılar\u003c/strong\u003e — yaygın derlenmiş, görsel, ses, video ve arşiv biçimleri.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKilit dosyaları\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e ve benzerleri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"dosya-sistemine-zg\"\u003eDosya sistemine özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (tekrarlanabilir)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob desenleri. Birden fazla kez belirtilebilir veya virgülle ayrılabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eGeçerli dizini tarayın ve terminalde renklendirilmiş bir tablo yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTest dosyalarını ve vendor dizinlerini dışlayıp GitHub Code Scanning için SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir monorepo için dosya boyutunu sınırlayın ve çalışan sayısını artırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca yüksek önem dereceli bulguları gösterip rotasyon talimatlarını dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yollar-dlama\"\u003eYolları dışlama\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--exclude\u003c/code\u003e bayrağı glob desenlerini kabul eder ve birden fazla kez belirtilebilir ya da virgülle ayrılmış liste olarak kullanılabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki ayrı bayrak\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Virgülle ayrılmış\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTakımınızla paylaşılan kalıcı dışlama kuralları için \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasına \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında ekleyin. Bu kurallar yalnızca dosya sistemi taramalarına değil, tüm kaynaklara uygulanır. Proje kök dizininizde bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası da oluşturabilirsiniz. Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e ve \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e sayfalarına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (yapılandırma hatası, okunamayan yol, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti (kaynak türü, hedef, dosya sayısı, süre ve bulgu sayısı) yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGeliştirme sırasında \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e komutunu çalıştırarak hızlı bir görsel genel bakış elde edin. CI hatlarında GitHub Code Scanning ile entegrasyon için \u003ccode\u003e--format sarif\u003c/code\u003e seçeneğine geçin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — varsayılan biçimi, dışlamaları ve daha fazlasını yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e ve satır içi baskılama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — çalışma ağacı yerine commit edilmiş geçmişi tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git Geçmişi","description":"Yerel veya uzak bir Git deposunun tüm commit geçmişini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"git-gemii\"\u003eGit Geçmişi\u003c/h1\u003e\n\u003cp\u003eCommit edilip sonradan silinen bir sır, önceki her commit'te hâlâ mevcuttur ve depoya erişimi olan herkes tarafından ulaşılabilir durumdadır. \u003ccode\u003eleakwatch scan git\u003c/code\u003e, bir deponun — yerel veya uzak — \u003cem\u003etüm\u003c/em\u003e commit geçmişini dolaşarak bu sırları, istismar edilmeden önce gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: depoya giden \u003cstrong\u003eyerel dosya sistemi yolu\u003c/strong\u003e (geçerli dizin için \u003ccode\u003e.\u003c/code\u003e) ya da \u003cstrong\u003euzak HTTP/HTTPS veya SSH URL'si\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch tüm Git işlemleri için \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e kullanır; bu, sistem \u003ccode\u003egit\u003c/code\u003e ikili dosyasına bağımlılığı olmayan saf bir Go uygulamasıdır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizindeki yerel depoyu tara\nleakwatch scan git .\n\n# HTTPS üzerinden uzak bir depoyu tara\nleakwatch scan git https://github.com/org/repo.git\n\n# SSH üzerinden tara\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch geçmişteki her commit'i dolaşır ve her commit tarafından eklenen blob'ları inceler. \u003cstrong\u003eBlob-hash tekilleştirmesi\u003c/strong\u003e, aynı dosya içeriğinin kaç commit tarafından referans alındığından bağımsız olarak yalnızca bir kez taranmasını sağlar. Bu, tarama süresini ham commit sayısı yerine depodaki \u003cem\u003ebenzersiz içerik\u003c/em\u003e miktarıyla orantılı tutar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch commit-bazlı diff'leri incelediğinden, sonradan silinen — yani mevcut çalışma ağacında görünmeyen — sırları da bulur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"gite-zg\"\u003eGit'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit hash'inden HEAD'e kadar olan değişiklikleri tara (diff tabanlı).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan yerine belirli bir dalı hedef al.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eYalnızca uzak depolar\u003c/strong\u003e için klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eYerel deponun tam geçmişini tarayın ve tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003edevelop\u003c/code\u003e dalında belirli bir tarihten sonraki commit'leri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir commit'ten bu yana tanıtılan değişiklikleri tarayın (CI'da yeni commit'leri kontrol etmek için kullanışlıdır):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir uzak depoyu hızlandırmak için sığ klonlama yapın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak depoyu tarayıp yalnızca doğrulanmış bulguları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eGit taramasından elde edilen her bulgu commit meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan deponun URL'si veya yolu (kimlik bilgileri ayıklanmış).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın tanıtıldığı commit hash'i.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit yazarının adı ve e-postası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit zaman damgası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDal bağlamı (kullanılabilir olduğunda).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePull request CI işlerinde yalnızca PR tarafından eklenen commit'leri taramak için \u003ccode\u003e--since-commit\u003c/code\u003e kullanın. Son aktiviteyi kapsayan zamanlanmış gece taramaları için \u003ccode\u003e--since \u0026lt;tarih\u0026gt;\u003c/code\u003e tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'leri gömülü kimlik bilgileri içeriyorsa (örn. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch bu bilgileri günlüklere veya çıktıya yazmadan önce URL'den ayırır; bu sayede token tarama sonuçlarında veya CI izlerinde hiçbir zaman görünmez.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (geçersiz URL, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eÇoklu Depo\u003c/a\u003e — tek komutla birden fazla depoyu tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — geçmiş yerine çalışma ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Çoklu Depo","description":"Birden fazla Git deposunu eşzamanlı olarak tarayın ve sonuçları tek bir raporda birleştirin.","html":"\u003ch1 id=\"oklu-depo\"\u003eÇoklu Depo\u003c/h1\u003e\n\u003cp\u003eBir kuruluş büyüdükçe sırlar düzinelerce hatta yüzlerce deponun herhangi birine yerleşebilir. Bunları tek tek kontrol etmek pratik değildir. \u003ccode\u003eleakwatch scan repos\u003c/code\u003e, birden fazla depo URL'sini alır, bunları eşzamanlı olarak tarar ve tüm bulguları tek bir çıktıda birleştirir — tek komut, tek rapor.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut \u003cstrong\u003een az iki\u003c/strong\u003e depo URL'si gerektirir. Tüm depolar otomatik olarak klonlanır, taranır ve temizlenir. Sonunda birleşik bulgu sayısı ve tek bir tarama özeti raporlanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"nasl-alr\"\u003eNasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch aynı anda en fazla \u003ccode\u003e--parallel\u003c/code\u003e sayıda depo taraması başlatır. Her depo:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eSağlanan URL'den klonlanır (güvenlik açısından kimlik bilgileri günlüklerden ve çıktıdan ayıklanır).\u003c/li\u003e\n\u003cli\u003eTam tespit hattıyla taranır; bu depo için \u003ccode\u003e--concurrency\u003c/code\u003e sayıda çalışan kullanılır.\u003c/li\u003e\n\u003cli\u003eTarama tamamlandığında temizlenir (geçici klon silinir).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eTüm depolardan elde edilen bulgular toplanır ve tek bir kaynaktan yapılmış tarama gibi tek bir çıktı olarak yazılır. Görüntülenen hedef \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e (N depo) şeklindedir.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"oklu-depoya-zg\"\u003eÇoklu depoya özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eDepo başına\u003c/strong\u003e eşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasındaki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları tüm depolara uygulanır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eİki depoyu tarayın ve sonuçları tablo olarak görüntüleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeş depoyu daha yüksek paralellik ile tarayın ve birleşik sonuçları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDepo başına daha fazla çalışan kullanarak yalnızca doğrulanmış bulguları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"paralellii-ayarlama\"\u003eParalelliği ayarlama\u003c/h2\u003e\n\u003cp\u003eVerimi kontrol eden iki parametre vardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e, kaç depo klonlama ve taramasının aynı anda çalışacağını kontrol eder. Varsayılan \u003ccode\u003e3\u003c/code\u003e, çoğu iş yükü için uygundur. Ağ bant genişliği ve CPU kapasitesi izin verdiğinde artırın; kısıtlı makinelerde düşürün.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e), her bir depodaki dosya blob'larını işleyen çalışan goroutine sayısını kontrol eder. Bu, tüm tarama komutlarında bulunan aynı bayraktır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTepe noktasındaki toplam eşzamanlı işlem = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBir veya daha fazla depo taraması başarısız olursa (örneğin ağ hatası veya kimlik doğrulama sorunu nedeniyle), Leakwatch hatayı günlüğe kaydeder ve kalan depoları taramaya devam eder. Diğer depolar bulgu üretmiş olsa bile herhangi bir depo taraması başarısız olursa çıkış kodu \u003ccode\u003e2\u003c/code\u003e olur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'lerindeki gömülü kimlik bilgileri (örn. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), URL günlüklere, çıktıya veya tarama özetine yazılmadan önce ayıklanır.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir veya daha fazla depo taraması başarısız oldu ya da yapılandırma hatası oluştu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — tek bir depoyu derinlemesine tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tüm kaynaklar için paylaşılan varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Çalışma Alanı","description":"Slack kanal ve DM mesaj metinlerini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"slack-alma-alan\"\u003eSlack Çalışma Alanı\u003c/h1\u003e\n\u003cp\u003eGeliştiriciler çoğu zaman kimlik bilgilerini sohbet üzerinden paylaşır — hızlı bir test için bir kanala yapıştırılan token, DM ile gönderilen parola ya da bir olay başlığında söz edilen API anahtarı. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e, Slack çalışma alanınızdaki mesaj metinlerini okur ve bulduğu sırları işaretler.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e tarar. Yüklenen dosyaların (ekler, snippet'ler) içeriğini taramak uygulanmamıştır. Yalnızca mesajların metin gövdesi analiz edilir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003cstrong\u003ekonumsal argüman almaz\u003c/strong\u003e. Tüm yapılandırma bayraklar veya ortam değişkenleri aracılığıyla sağlanır.\u003c/p\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eBir Slack Bot Token gereklidir. \u003ccode\u003e--token\u003c/code\u003e bayrağı veya \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni aracılığıyla sağlayın. Ortam değişkeni kullanmak önerilir; böylece token kabuk geçmişinde veya süreç listelerinde asla görünmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"gerekli-bot-token-kapsamlar\"\u003eGerekli bot token kapsamları\u003c/h3\u003e\n\u003cp\u003eBot token'ı, aşağıdaki OAuth kapsamlarına sahip bir Slack uygulamasıyla ilişkilendirilmiş olmalıdır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKapsam\u003c/th\u003e\n\u003cth\u003eAmaç\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı genel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı özel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrup doğrudan mesajlarını oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"slacke-zg\"\u003eSlack'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni tercih edilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003etüm kanallar\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eBu tarihte veya sonrasında gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları ve grup DM'lerini de tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API istek sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eDahili parça boyutu sınırı (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eToken için ortam değişkeni kullanarak botun erişebildiği tüm kanalları tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli kanalları tarayın ve yılın başından bu yana gönderilen mesajlarla sınırlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGürültülü kanalları dışlayın ve doğrudan mesajları dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük çalışma alanlarında Slack hız sınırı hatalarını önlemek için API istek hızını düşürün:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif bulguları bir JSON dosyasına kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eSlack taramasından elde edilen her bulgu mesaj ve kanal meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği kanal adı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack mesaj zaman damgası (benzersiz mesaj kimliği).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMesaj yazarının Slack kullanıcı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performans-deerlendirmeleri\"\u003ePerformans değerlendirmeleri\u003c/h2\u003e\n\u003cp\u003eSlack API istekleri, Slack tarafından uygulanan hız sınırlarına tabidir. \u003ccode\u003e--rate-limit\u003c/code\u003e bayrağı (varsayılan saniyede \u003ccode\u003e20\u003c/code\u003e istek), Leakwatch'ın istekleri ne kadar agresif yapacağını kontrol eder. Özellikle büyük çalışma alanlarında \u003ccode\u003e429 Too Many Requests\u003c/code\u003e hatası alıyorsanız bu değeri düşürün.\u003c/p\u003e\n\u003cp\u003eHer çalıştırmada tüm çalışma alanını taramak yerine belirli kanalları hedeflemek için \u003ccode\u003e--channels\u003c/code\u003e kullanın. Mesajları artımlı biçimde taramak için \u003ccode\u003e--since\u003c/code\u003e ile birleştirin.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (eksik token, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — commit edilmiş geçmişi sırlara karşı tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"Doğrulama Nasıl Çalışır","description":"Leakwatch'ın tespit edilen bir sırrın hâlâ aktif olup olmadığını nasıl teyit ettiği, hangi doğrulama modlarını kullandığı ve doğrulamanın nasıl yapılandırılacağı veya devre dışı bırakılacağı.","html":"\u003ch1 id=\"dorulama-nasl-alr\"\u003eDoğrulama Nasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eBir kod tabanında sır bulmak hikayenin yalnızca yarısıdır. Altı ay önce döndürülen bir anahtar gürültüdür; hâlâ canlı olan bir anahtar ise aktif bir olayı temsil eder. Doğrulama, bu çizgiyi çizen adımdır — tespit edilen her bulguyu alır ve mümkün olan durumlarda sırrın sağlayıcıda hâlâ geçerli olup olmadığını teyit eder.\u003c/p\u003e\n\u003ch2 id=\"tespiten-dorulamaya\"\u003eTespiten doğrulamaya\u003c/h2\u003e\n\u003cp\u003eTarama motoru bulguları topladıktan sonra doğrulayıcı havuzu onları işlemeye alır. Her bulgu bir \u003ccode\u003edetector_id\u003c/code\u003e taşır; Leakwatch bu ID için kayıtlı bir doğrulayıcı olup olmadığını arar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBir doğrulayıcı mevcutsa çalışır ve bir durum döndürür.\u003c/li\u003e\n\u003cli\u003eO dedektör türü için kayıtlı bir doğrulayıcı yoksa bulgu değiştirilmeden \u003ccode\u003eunverified\u003c/code\u003e durumuyla geçer.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ki-dorulama-modu\"\u003eİki doğrulama modu\u003c/h2\u003e\n\u003cp\u003eTüm sırlar aynı şekilde doğrulanamaz. Leakwatch, her kimlik bilgisi türü için güvenli olan yaklaşıma göre iki farklı yöntem kullanır.\u003c/p\u003e\n\u003ch3 id=\"canl-api-dorulamas\"\u003eCanlı API doğrulaması\u003c/h3\u003e\n\u003cp\u003eYaklaşık 49 dedektör türü için Leakwatch, sağlayıcıya \u003cstrong\u003ekontrollü, salt-okunur bir API çağrısı\u003c/strong\u003e yapar — örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, GitHub token'ları için \u003ccode\u003eGET /user\u003c/code\u003e. Çağrı yalnızca kimliği doğrulamak için gereken minimum uç noktayı kullanır; hiçbir zaman veri değiştirmez, kaynak oluşturmaz veya faturalandırma olayı tetiklemez.\u003c/p\u003e\n\u003cp\u003eSağlayıcı başarılı bir yanıt döndürürse bulgu \u003ccode\u003everified_active\u003c/code\u003e olarak işaretlenir. Sağlayıcı kimlik bilgisini reddederse (örneğin HTTP 401 veya 403 ile) bulgu \u003ccode\u003everified_inactive\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"yalnzca-format-dorulamas\"\u003eYalnızca format doğrulaması\u003c/h3\u003e\n\u003cp\u003eBeş kimlik bilgisi türü için güvenli bir canlı kontrol mevcut değildir — sağlayıcının anonim bir kimlik uç noktası yoktur ya da gerçek bir çağrı yan etkiye yol açar. Bu durumlar için Leakwatch, herhangi bir ağ isteği yapmadan kimlik bilgisinin yapısını doğrular:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e alanlarının varlığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca format kontrolü — geçerli bir format hiçbir şeyi kanıtlamaz, sonuç her zaman \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFormat kontrolü geçse bile sonuç \u003ccode\u003eunverified\u003c/code\u003e olarak kalır. Yapısal olarak geçerli bir kimlik bilgisi süresi dolmuş veya iptal edilmiş olabilir. Bu bulgular her zaman manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama-durumlar\"\u003eDoğrulama durumları\u003c/h2\u003e\n\u003cp\u003eLeakwatch çıktısındaki her bulgu dört durumdan birini taşır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDurum\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen eylem\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın sağlayıcı tarafından canlı olduğu teyit edildi.\u003c/td\u003e\n\u003ctd\u003eAktif bir olay olarak ele alın. Hemen döndürün.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcı kimlik bilgisini reddetti.\u003c/td\u003e\n\u003ctd\u003eMuhtemelen zaten döndürülmüş. Bağlamı gözden geçirin ve kapatın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBu tür için doğrulayıcı yok, format doğrulaması sonuç vermedi veya doğrulama devre dışı bırakıldı.\u003c/td\u003e\n\u003ctd\u003eManuel olarak inceleyin; risk bağlama göre belirlenir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulayıcı çalıştı ancak ağ hatası, zaman aşımı veya beklenmedik yanıtla karşılaştı.\u003c/td\u003e\n\u003ctd\u003ePotansiyel olarak aktif kabul edin. Yeniden deneyin veya manuel olarak inceleyin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulama-motoru\"\u003eDoğrulama motoru\u003c/h2\u003e\n\u003cp\u003eDoğrulama, tarama çalışan havuzundan yalıtılmış ayrı bir eşzamanlı çalışan havuzunda çalışır. Sağlayıcı hız sınırlarını tetiklememek için varsayılanlar temkinlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAyar\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇalışan sayısı\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal hız sınırı\u003c/td\u003e\n\u003ctd\u003e10 istek/saniye\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eİstek başına zaman aşımı\u003c/td\u003e\n\u003ctd\u003e10 sn\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer üç değer de \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003everification:\u003c/code\u003e bloğu altında ayarlanabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # global, saniye başına istek sayısı\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYüzlerce bulgu tetikleyen bir depoyu tarıyorsanız \u003ccode\u003erate-limit\u003c/code\u003e değerini 5'e düşürmeyi veya \u003ccode\u003e--only-verified\u003c/code\u003e etkinleştirmeyi düşünün; bu, doğrulanmış-aktif kümesini küçük ve uygulanabilir tutar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"komut-satrndan-dorulamay-kontrol-etme\"\u003eKomut satırından doğrulamayı kontrol etme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--no-verify\u003c/code\u003e ile \u003cstrong\u003edoğrulamayı tamamen devre dışı bırakın\u003c/strong\u003e (ya da yapılandırmada \u003ccode\u003everification.enabled: false\u003c/code\u003e ayarlayın). Her bulgu \u003ccode\u003eunverified\u003c/code\u003e olarak geçer. Bunu çevrimdışı veya hava boşluklu ortamlar için ya da herhangi bir sağlayıcı API'sine dokunmadan mümkün olan en hızlı taramayı istediğinizde kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eYalnızca canlı olduğu doğrulanan sırları görmek\u003c/strong\u003e için \u003ccode\u003e--only-verified\u003c/code\u003e kullanın. \u003ccode\u003everified_active\u003c/code\u003e olmayan her şey çıktıdan düşürülür. Bu, büyük bir sonuç kümesini önceliklendirmenin en hızlı yoludur — yalnızca hemen harekete geçmeniz gereken anahtarları görürsünüz.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e ve \u003ccode\u003everify_error\u003c/code\u003e bulgularını sessizce düşürür. Bunu uyumluluk bağlamında tek filtreniz olarak kullanmayın — bazı kimlik bilgisi türleri (JWT'ler, genel API anahtarları, özel anahtarlar) hiçbir zaman doğrulanamaz ve her zaman dışarıda kalır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eDoğrulama, ham sır değerinin süreç sınırını güvensiz biçimde asla terk etmeyecek şekilde tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDoğrulayıcılar sırrı TLS üzerinden doğrudan sağlayıcının HTTP uç noktasına iletir — diske yazılmaz, bir loga gönderilmez ve çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003cli\u003eBaşlatılamayan veya panikle karşılaşan bir doğrulayıcı motor tarafından yakalanır; motor, bulguyu \u003ccode\u003everify_error\u003c/code\u003e olarak işaretler ve taramayı çökertmeden devam eder.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektör türlerinin canlı doğrulandığı, format doğrulandığı veya hiç doğrulanamadığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003everification:\u003c/code\u003e bloğunun tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e — doğrulama durumunun JSON, SARIF, CSV ve tablo çıktısında nasıl göründüğü.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Doğrulama Kapsamı","description":"63 yerleşik dedektörün hangilerinin canlı doğrulandığı, yalnızca format doğrulandığı veya doğrulanamaz olduğu ve bunun önceliklendirme açısından ne anlama geldiği.","html":"\u003ch1 id=\"dorulama-kapsam\"\u003eDoğrulama Kapsamı\u003c/h1\u003e\n\u003cp\u003eLeakwatch 63 yerleşik dedektör ve 54 doğrulayıcı ile gelir; bu, \u003cstrong\u003e%85,7\u003c/strong\u003e kapsama oranı sağlar (63 dedektör türünün 54'ünün bir tür doğrulaması mevcuttur). Bu sayfa, çıktınızda ne beklemeniz gerektiğini bilmeniz için her dedektörü doğrulama durumuna göre eşler.\u003c/p\u003e\n\u003ch2 id=\"canl-dorulanan-49-dedektr-tr\"\u003eCanlı doğrulanan (49 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu türler için Leakwatch, sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar ve \u003ccode\u003everified_active\u003c/code\u003e ya da \u003ccode\u003everified_inactive\u003c/code\u003e döndürür. Hiçbir veri oluşturulmaz veya değiştirilmez; çağrı, kimliği doğrulamak için gereken minimum uç noktayı kullanır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör türü\u003c/th\u003e\n\u003cth\u003eSağlayıcı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yalnzca-format-dorulamas-5-dedektr-tr\"\u003eYalnızca format doğrulaması (5 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu doğrulayıcılar tamamen çevrimdışı çalışır. Hiçbir ağ isteği yapılmaz. Geçerli bir format kimlik bilgisinin aktif olduğunu kanıtlamadığından, beşi de format kontrolünün geçip geçmediğinden bağımsız olarak her zaman \u003ccode\u003eunverified\u003c/code\u003e döndürür.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003cth\u003eNeden canlı kontrol yok\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol, yan etkileri olan GCP OAuth2 token değişimi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003ctd\u003eHerkese açık kimlik doğrulamasız sağlık uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eParola uzunluğu ve host alt dize kontrolü\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol bir JDBC/ODBC veritabanı bağlantısı gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eHesap başına HMAC imzalama gerektirir; genel kimlik uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eİstemci kimlik bilgisi akışı oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulanamaz-9-dedektr-tr\"\u003eDoğrulanamaz (9 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu dedektör türlerinin hiç doğrulayıcısı yoktur. Bunlardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e olur. Bu durum önemsiz oldukları anlamına \u003cstrong\u003egelmez\u003c/strong\u003e — tam olarak tespit edilip raporlanırlar — ancak herkese açık bir doğrulama API'si bulunmamakta ya da herhangi bir doğrulama girişimi yan etkiye yol açmaktadır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eNeden\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJWT herhangi bir tarafça yayınlanabilir; evrensel bir doğrulama uç noktası yoktur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇağrılacak sağlayıcı yok; aktif kullanım uzaktan tespit edilemez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanım gereği bilinmeyen sağlayıcı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak hedef veritabanında oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak Redis örneğinde canlı bağlantı açar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGüvenli, salt-okunur FTP yoklama yöntemi yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind kimliği doğrulanmış bir oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWebhook'un aktif olduğunu doğrulamak mesaj göndermeyi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token doğrulaması, Vault uç noktasının bilinmesini gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Doğrulanamaz\u0026quot; \u0026quot;bulunamaz\u0026quot; anlamına gelmez. Bu 9 türün tamamı yine de tespit edilir ve çıktınızda görünür. Kimlik bilgisinin canlı olup olmadığını ve döndürülmesi gerekip gerekmediğini belirlemek için manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kapsam-zeti\"\u003eKapsam özeti\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKategori\u003c/th\u003e\n\u003cth\u003eSayı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eCanlı doğrulanan\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eYalnızca format doğrulaması\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDoğrulanamaz\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eToplam dedektör\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDoğrulayıcı (herhangi bir kapsam)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (%85,7)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — iki doğrulama modu, durumlar ve doğrulama motoru.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — yerleşik dedektörlerin tam listesi ve şiddet seviyeleri.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; +window.LW_MANUAL["tr"] = {"ci-cd/docker-usage":{"title":"Docker Kullanımı","description":"Resmi Docker imajını kullanarak Leakwatch taramalarını bir konteyner içinde çalıştırın.","html":"\u003ch1 id=\"docker-kullanm\"\u003eDocker Kullanımı\u003c/h1\u003e\n\u003cp\u003eResmi Leakwatch konteyner imajı, ana makineye herhangi bir şey kurmadan tarama yapmanızı sağlar. İmaj \u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e ile statik olarak derlenmiş ve root olmayan bir kullanıcı olarak çalışır; bu nedenle kilitli CI ortamlarında ve ana sistemi değiştirmek istemediğiniz paylaşımlı makinelerde güvenle kullanılabilir.\u003c/p\u003e\n\u003ch2 id=\"maj-referans\"\u003eİmaj referansı\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eghcr.io/hodetech/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eİmaj Alpine tabanlıdır, root olmayan \u003ccode\u003eleakwatch\u003c/code\u003e kullanıcısı olarak çalışır, çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır ve giriş noktası olarak \u003ccode\u003eleakwatch\u003c/code\u003e'ı ayarlar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGiriş noktası \u003ccode\u003eleakwatch\u003c/code\u003e olduğundan alt komutu ve bayrakları doğrudan imaj adının ardına eklersiniz — örneğin \u003ccode\u003eghcr.io/hodetech/leakwatch:latest scan fs /scan\u003c/code\u003e. İkili dosya adını tekrar yazmanıza gerek yoktur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerel-dizin-tarama\"\u003eYerel dizin tarama\u003c/h2\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAna makinedeki bir dosyaya sonuç yazmak için çıktı dosyasını bağlı birime yazın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --format sarif -o /scan/leakwatch.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch.sarif\u003c/code\u003e dosyası, konteyner çıktıktan sonra ana makinedeki geçerli dizinde görünür.\u003c/p\u003e\n\u003ch2 id=\"uzak-git-deposu-tarama\"\u003eUzak Git deposu tarama\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan git https://github.com/org/repo.git --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak Git depoları için birim bağlaması gerekli değildir — Leakwatch bunları konteyner içindeki geçici bir dizine klonlar.\u003c/p\u003e\n\u003ch2 id=\"konteyner-imaj-tarama\"\u003eKonteyner imajı tarama\u003c/h2\u003e\n\u003cp\u003eLeakwatch daemonsuz çalışır: imaj katmanlarını Docker daemon'ına ihtiyaç duymadan doğrudan kayıt defterinden çeker. Bu, Leakwatch konteynerinden, ana makine Docker soketini bağlamadan uzak bir imajı tarayabileceğiniz anlamına gelir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan image registry.example.com/my-app:v2.3.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt defterleri için kimlik bilgilerini, kayıt defterinizin desteklediği standart ortam değişkenleri aracılığıyla geçirin (örneğin, bağlı bir kimlik bilgisi dosyasına işaret eden \u003ccode\u003eDOCKER_CONFIG\u003c/code\u003e).\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-geirme\"\u003eYapılandırma dosyası geçirme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasını \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın; Leakwatch onu otomatik olarak bulur:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e bağlanan dizinde olduğu sürece Leakwatch onu bulur çünkü \u003ccode\u003e/scan\u003c/code\u003e hem çalışma dizini hem de taramaya geçirilen yoldur. Yapılandırma dosyanız başka bir yerdeyse onu ayrıca bağlayın ve \u003ccode\u003e--config\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n -v \u0026quot;/path/to/custom-config.yaml:/config/leakwatch.yaml:ro\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan --config /config/leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikenleri-geirme\"\u003eOrtam değişkenleri geçirme\u003c/h2\u003e\n\u003cp\u003eBulut taraması ve token tabanlı kimlik doğrulama için ortam değişkenleri \u003ccode\u003e-e\u003c/code\u003e ile enjekte edilebilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# AWS kimlik bilgileriyle S3 taraması\ndocker run --rm \\\n -e AWS_ACCESS_KEY_ID=AKIA••••••••••••EXAMPLE \\\n -e AWS_SECRET_ACCESS_KEY=••••••••••••••••••••••••••••••••••••••• \\\n -e AWS_REGION=us-east-1 \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan s3 my-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCI ortamlarında, kimlik bilgilerini komut satırına gömmek yerine maskelenmiş CI değişkenleri olarak enjekte etmeyi tercih edin.\u003c/p\u003e\n\u003ch2 id=\"kt-dosyas-kalb\"\u003eÇıktı dosyası kalıbı\u003c/h2\u003e\n\u003cp\u003eCI'da yaygın bir Docker kalıbı, sonuçları bağlı birime yazmak ve ardından dosyayı bir pipeline artifact'i olarak yüklemek veya arşivlemektir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan \\\n --format json \\\n --only-verified \\\n -o /scan/leakwatch-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Docker kullanmak yerine yerel ikili dosyayı kurma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — \u003ccode\u003escan fs\u003c/code\u003e bayrakları ve davranışı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/container-images\"\u003eKonteyner İmajları\u003c/a\u003e — OCI/Docker imaj katmanlarını sır açısından tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI ve diğer pipeline'larda Docker imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm alt komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/github-action":{"title":"GitHub Action","description":"GitHub iş akışlarında sır taraması yapmak için resmi Leakwatch GitHub Action'ını kullanın.","html":"\u003ch1 id=\"github-action\"\u003eGitHub Action\u003c/h1\u003e\n\u003cp\u003eDeponuza yapılan her push, bir sırrın içeri sızması için bir fırsattır. Resmi \u003cstrong\u003eLeakwatch GitHub Action\u003c/strong\u003e (\u003ccode\u003eHodeTech/leakwatch-action@v1\u003c/code\u003e), Leakwatch'ı doğrudan GitHub iş akışınıza entegre eder — aracı kurar, taramayı çalıştırır, çıkış kodlarını işler ve isteğe bağlı olarak SARIF sonuçlarını GitHub Code Scanning'e yükler; bunların hepsini harici bir servis bağımlılığı olmadan yapar.\u003c/p\u003e\n\u003ch2 id=\"hzl-balang\"\u003eHızlı başlangıç\u003c/h2\u003e\n\u003cp\u003eSır bulunduğunda iş akışını engelleyen minimal yapılandırma:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch-minimal.yml\nname: Sır taraması (minimal)\n\non: [push, pull_request]\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: HodeTech/leakwatch-action@v1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca varsayılan değerlerle action, dosya sistemi taraması yapar (\u003ccode\u003escan-type: fs\u003c/code\u003e), SARIF çıktısı üretir, canlı doğrulamayı atlar (\u003ccode\u003eno-verify: true\u003c/code\u003e) ve herhangi bir bulgu raporlandığında işi başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"sarif-ykleme-ile-tam-rnek\"\u003eSARIF yükleme ile tam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki iş akışı, GitHub Code Scanning'e SARIF yüklemeyi etkinleştirir ve bulguları depo içinde güvenlik uyarıları olarak gösterir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# .github/workflows/leakwatch.yml\nname: Sır taraması\n\non:\n push:\n branches: [\u0026quot;main\u0026quot;, \u0026quot;develop\u0026quot;]\n pull_request:\n\npermissions:\n contents: read\n security-events: write # SARIF yüklemesi için gerekli\n\njobs:\n leakwatch:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n\n - name: Sırları tara\n uses: HodeTech/leakwatch-action@v1\n with:\n scan-type: fs\n path: .\n format: sarif\n no-verify: \u0026quot;true\u0026quot;\n min-severity: low\n sarif-upload: \u0026quot;true\u0026quot;\n fail-on-findings: \u0026quot;true\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSARIF yüklemesi, işin \u003ccode\u003epermissions: security-events: write\u003c/code\u003e bildirmesini gerektirir. Bu olmadan yükleme adımı 403 hatasıyla başarısız olur. \u003ccode\u003eactions/checkout@v4\u003c/code\u003e için \u003ccode\u003econtents: read\u003c/code\u003e izni de gereklidir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"girdiler\"\u003eGirdiler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eGirdi\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan-type\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇalıştırılacak tarama türü: \u003ccode\u003efs\u003c/code\u003e, \u003ccode\u003egit\u003c/code\u003e veya \u003ccode\u003eimage\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epath\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranacak yol (\u003ccode\u003efs\u003c/code\u003e/\u003ccode\u003egit\u003c/code\u003e için) veya imaj referansı (\u003ccode\u003eimage\u003c/code\u003e için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eformat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eonly-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eno-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak (sağlayıcılara giden ağ çağrısı yapılmaz).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emin-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-upload\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaramadan sonra SARIF sonuçlarını GitHub Code Scanning'e yükle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efail-on-findings\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etrue\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular raporlandığında (çıkış kodu 1) iş akışı adımını başarısız kıl. \u003ccode\u003efalse\u003c/code\u003e olarak ayarlandığında adım başarısız olmak yerine \u003ccode\u003e::warning::\u003c/code\u003e ek açıklaması yayar. Ciddi hatalar (çıkış kodu 2) bu ayardan bağımsız olarak her zaman adımı başarısız kılar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eversion\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elatest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKurulacak Leakwatch sürümü. Belirli bir sürümü sabitlemek için \u003ccode\u003ev1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ktlar\"\u003eÇıktılar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÇıktı\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efindings-count\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu raporlanmadıysa \u003ccode\u003e0\u003c/code\u003e; bulgu raporlandıysa \u003ccode\u003e1\u003c/code\u003e. Leakwatch çıkış kodunu yansıtır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esarif-file\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRunner üzerindeki SARIF çıktı dosyasının yolu (\u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda ayarlanır).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"cida-dorulama\"\u003eCI'da doğrulama\u003c/h2\u003e\n\u003cp\u003eVarsayılan olarak \u003ccode\u003eno-verify\u003c/code\u003e değeri \u003ccode\u003etrue\u003c/code\u003e'dur — CI'da canlı doğrulama \u003cstrong\u003ekapalıdır\u003c/strong\u003e. Bu, taramayı hızlı tutar ve CI runner'larından sağlayıcı API'lerine giden ağ çağrılarını önler; runner'lar güvenlik duvarı arkasında olabilir veya hız sınırlı kimlik bilgilerine sahip olabilir.\u003c/p\u003e\n\u003cp\u003eCI'da doğrulamayı etkinleştirmek için \u003ccode\u003eno-verify: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n no-verify: \u0026quot;false\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eCI'da doğrulamayı etkinleştirmek, Leakwatch'ın her aday bulgu için sağlayıcılara (AWS, GitHub, Stripe vb.) kimlik doğrulamalı API çağrıları yapmasına neden olur. Sağlayıcı hız limitlerinden haberdar olun ve runner'ın giden internet erişimine sahip olduğundan emin olun.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sarif-yklemesi-nasl-alr\"\u003eSARIF yüklemesi nasıl çalışır\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif-upload: \u0026quot;true\u0026quot;\u003c/code\u003e ve \u003ccode\u003eformat: sarif\u003c/code\u003e olduğunda action:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eLeakwatch'a çıktıyı \u003ccode\u003eresults.sarif\u003c/code\u003e dosyasına yazmasını söyler.\u003c/li\u003e\n\u003cli\u003eTaramanın ardından \u003ccode\u003ecategory: leakwatch\u003c/code\u003e ile \u003ccode\u003egithub/codeql-action/upload-sarif@v3\u003c/code\u003e'ü çağırır.\u003c/li\u003e\n\u003cli\u003eGitHub dosyayı işler ve bulguları deponun \u003cstrong\u003eSecurity\u003c/strong\u003e sekmesinde \u003cstrong\u003eCode Scanning uyarıları\u003c/strong\u003e olarak gösterir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eYükleme adımı \u003ccode\u003eif: always()\u003c/code\u003e ile çalışır; dolayısıyla \u003ccode\u003efail-on-findings: \u0026quot;true\u0026quot;\u003c/code\u003e tarama adımını başarısız kılsa bile sonuçlar yüklenir.\u003c/p\u003e\n\u003ch2 id=\"action-ktlarn-kullanmak\"\u003eAction çıktılarını kullanmak\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- name: Sırları tara\n id: scan\n uses: HodeTech/leakwatch-action@v1\n with:\n fail-on-findings: \u0026quot;false\u0026quot; # iş akışının devam etmesine izin ver\n\n- name: Sonucu yazdır\n run: echo \u0026quot;Raporlanan bulgular: ${{ steps.scan.outputs.findings-count }}\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"belirli-bir-srm-sabitleme\"\u003eBelirli bir sürümü sabitleme\u003c/h2\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için \u003ccode\u003eversion\u003c/code\u003e değerini belirli bir etikete sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- uses: HodeTech/leakwatch-action@v1\n with:\n version: \u0026quot;v1.5.0\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu, \u003ccode\u003ego install\u003c/code\u003e aracılığıyla tam olarak \u003ccode\u003egithub.com/HodeTech/leakwatch@v1.5.0\u003c/code\u003e'ı kurar.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısını anlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — Leakwatch'ın sağlayıcı API'lerini ne zaman ve nasıl çağırdığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/pre-commit\"\u003ePre-commit Kancası\u003c/a\u003e — commit edilmeden önce sırları yakalama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — GitLab CI, Jenkins ve genel kabuk entegrasyonu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/other-ci":{"title":"Diğer CI Sistemleri","description":"Leakwatch'ı GitLab CI, Jenkins, Bitbucket Pipelines ve diğer CI sistemlerine entegre edin.","html":"\u003ch1 id=\"dier-ci-sistemleri\"\u003eDiğer CI Sistemleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olduğundan, kabuk komutu çalıştırabilen herhangi bir CI ortamında çalışır: GitLab CI, Jenkins, Bitbucket Pipelines, CircleCI, Azure DevOps ve diğerleri. Bu sayfada açıklananların ötesinde bu sistemler için yerleşik bir entegrasyon yoktur; kalıp her zaman aynıdır: ikili dosyayı kur, taramayı çalıştır, çıkış koduna göre hareket et.\u003c/p\u003e\n\u003ch2 id=\"cida-leakwatch-kurma\"\u003eCI'da Leakwatch kurma\u003c/h2\u003e\n\u003cp\u003eRunner ortamınıza en uygun yöntemi seçin:\u003c/p\u003e\n\u003ch3 id=\"go-install-araclyla-runnerda-go-gerektirir\"\u003e\u003ccode\u003ego install\u003c/code\u003e aracılığıyla (runner'da Go gerektirir)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYeniden üretilebilir derlemeler için belirli bir sürüme sabitleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@v1.5.0\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"docker-imaj-araclyla-go-gerekmez\"\u003eDocker imajı aracılığıyla (Go gerekmez)\u003c/h3\u003e\n\u003cp\u003e\u003ccode\u003eghcr.io/hodetech/leakwatch:latest\u003c/code\u003e'i iş imajı olarak kullanın veya \u003ccode\u003edocker run\u003c/code\u003e ile çalıştırın. Tam kalıp için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch3 id=\"hazr-bir-srm-ikili-dosyas-araclyla\"\u003eHazır bir sürüm ikili dosyası aracılığıyla\u003c/h3\u003e\n\u003cp\u003eUygun tar arşivini \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasından indirin, çıkarın ve \u003ccode\u003ePATH\u003c/code\u003e'e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için iyi tanımlanmış üç çıkış kodu kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen CI eylemi\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgu yok\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını geç\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırlar bulundu\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCiddi hata (hatalı yapılandırma, okunamaz yol vb.)\u003c/td\u003e\n\u003ctd\u003ePipeline aşamasını başarısız kıl\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıkış koduna göre dallanma yapan genel bir kabuk parçacığı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eset +e\nleakwatch scan fs . --format json -o leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\nif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 0 ]; then\n echo \u0026quot;Sır bulunamadı.\u0026quot;\nelif [ \u0026quot;$EXIT_CODE\u0026quot; -eq 1 ]; then\n echo \u0026quot;Sırlar bulundu — derlemeyi başarısız kılıyorum.\u0026quot;\n exit 1\nelse\n echo \u0026quot;Tarama hatası (çıkış $EXIT_CODE) — derlemeyi başarısız kılıyorum.\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"gitlab-ci-rnei\"\u003eGitLab CI örneği\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.gitlab-ci.yml\u003c/code\u003e işi Leakwatch'ı kurar, dosya sistemi taraması çalıştırır ve JSON raporunu pipeline artifact'i olarak saklar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eleakwatch:\n stage: test\n image: golang:1.25-alpine\n script:\n - go install github.com/HodeTech/leakwatch@v1.5.0\n - leakwatch scan fs . --format json -o leakwatch.json --no-verify\n artifacts:\n when: always\n paths:\n - leakwatch.json\n expire_in: 7 gün\n allow_failure: false\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eallow_failure: false\u003c/code\u003e (varsayılan) değeri, çıkış kodu \u003ccode\u003e1\u003c/code\u003e'in pipeline aşamasını başarısız kılması anlamına gelir. Taramanın merge işlemini engellemeden raporlamasını istiyorsanız \u003ccode\u003eallow_failure: true\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGitLab, SAST raporu artifact'larını destekler. Leakwatch SARIF üretir (\u003ccode\u003e--format sarif\u003c/code\u003e) ancak GitLab'ın yerel SAST JSON şemasını değil; bu nedenle \u003ccode\u003ereports: sast:\u003c/code\u003e anahtarı yerine \u003ccode\u003epaths:\u003c/code\u003e artifact yaklaşımını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ci-runnerlar-iin-neriler\"\u003eCI runner'ları için öneriler\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eGiden internet erişimi olmayan runner'larda \u003ccode\u003e--no-verify\u003c/code\u003e kullanın.\u003c/strong\u003e Doğrulama, sağlayıcılara (AWS, GitHub, Stripe vb.) canlı API çağrıları yapar. Hava boşluklu veya güvenlik duvarıyla kısıtlanmış runner'larda bu çağrılar zaman aşımına uğrar ve taramayı yavaşlatır. Doğrulamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eÇıktıyı artifact olarak kaydedin.\u003c/strong\u003e İşi tamamlandıktan sonra saklanabilecek, bir güvenlik açığı yönetim platformuna yüklenebilecek veya incelenebilecek bir dosya yazmak için \u003ccode\u003e--format sarif\u003c/code\u003e ya da \u003ccode\u003e--format json\u003c/code\u003e ile birlikte \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e değerini en çok önem taşıyan sırlara odaklanmak için ayarlayın. Gürültülü bir kod tabanında \u003ccode\u003e--min-severity high\u003c/code\u003e ile başlayın ve birikmiş öğeleri temizledikten sonra eşiği düşürün.\u003c/p\u003e\n\u003ch2 id=\"azure-devops-rnei\"\u003eAzure DevOps örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e- script: |\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format sarif -o $(Build.ArtifactStagingDirectory)/leakwatch.sarif --no-verify\n displayName: \u0026quot;Leakwatch sır taraması\u0026quot;\n\n- task: PublishBuildArtifacts@1\n inputs:\n pathToPublish: \u0026quot;$(Build.ArtifactStagingDirectory)\u0026quot;\n artifactName: \u0026quot;leakwatch-sonuclari\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"jenkins-rnei\"\u003eJenkins örneği\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-groovy\"\u003estage('Sır taraması') {\n steps {\n sh '''\n go install github.com/HodeTech/leakwatch@v1.5.0\n leakwatch scan fs . --format json -o leakwatch.json --no-verify\n '''\n archiveArtifacts artifacts: 'leakwatch.json', allowEmptyArchive: true\n }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — tüm çıkış kodlarının tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Biçimleri\u003c/a\u003e — JSON, SARIF, CSV ve tablo çıktısı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e — ikili dosyayı kurmak yerine konteyner imajını kullanma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub iş akışları için resmi action.\u003c/li\u003e\n\u003c/ul\u003e\n"},"ci-cd/pre-commit":{"title":"Pre-commit Kancası","description":"Her commit'ten önce sır taraması yapmak için Leakwatch pre-commit kancasını kullanın.","html":"\u003ch1 id=\"pre-commit-kancas\"\u003ePre-commit Kancası\u003c/h1\u003e\n\u003cp\u003eBir sırrı yakalamak için en ucuz an, onu depoya girmeden önce durdurmaktır. Leakwatch, her \u003ccode\u003egit commit\u003c/code\u003e işleminde \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutunu otomatik olarak çalıştıran yerel bir \u003ca href=\"https://pre-commit.com\"\u003epre-commit\u003c/a\u003e kancası sunar; böylece sızan bir API anahtarı veya parola, geçmişte yer almak yerine commit işlemini başarısız kılar.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eŞunlara ihtiyacınız var:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePython 3.8+ (pre-commit bir Python aracıdır).\u003c/li\u003e\n\u003cli\u003eGenel olarak kurulmuş \u003ca href=\"https://pre-commit.com/#install\"\u003epre-commit\u003c/a\u003e (\u003ccode\u003epip install pre-commit\u003c/code\u003e veya \u003ccode\u003ebrew install pre-commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePATH\u003c/code\u003e üzerinde Go 1.25+ — kanca dili \u003ccode\u003egolang\u003c/code\u003e olduğundan pre-commit, ilk çalıştırmada Leakwatch'ı kaynaktan derler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"yaplandrma\"\u003eYapılandırma\u003c/h2\u003e\n\u003cp\u003eDeponuzun köküne bir \u003ccode\u003e.pre-commit-config.yaml\u003c/code\u003e dosyası ekleyin (veya mevcut olanı genişletin):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKancaları yerel Git deposuna kurun:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit install\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHepsi bu kadar. Bundan itibaren her \u003ccode\u003egit commit\u003c/code\u003e işlemi bir dosya sistemi taraması tetikler. Leakwatch herhangi bir sır bulursa commit engellenir ve bulgular terminale yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"elle-altrma\"\u003eElle çalıştırma\u003c/h2\u003e\n\u003cp\u003eTüm depoyu (yalnızca staged dosyaları değil) istediğiniz zaman taramak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDiğerlerini tetiklemeden yalnızca Leakwatch kancasını çalıştırmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit run leakwatch --all-files\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ek-argmanlar-geirme\"\u003eEk argümanlar geçirme\u003c/h2\u003e\n\u003cp\u003eKancanın varsayılan davranışı, ek bayrak olmadan \u003ccode\u003eleakwatch scan fs\u003c/code\u003e'e karşılık gelir. \u003ccode\u003eargs:\u003c/code\u003e anahtarı aracılığıyla ek argümanlar geçirebilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erepos:\n - repo: https://github.com/HodeTech/Leakwatch\n rev: v1.5.0\n hooks:\n - id: leakwatch\n args:\n - --only-verified\n - --min-severity\n - high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu örnek, yalnızca Leakwatch'ın hâlâ etkin olduğunu doğruladığı yüksek önem dereceli sırları raporlar — yanlış pozitif gürültüsünden kaçınmak isteyen ancak kapsam kaybetmek istemeyen ekipler için uygun katı bir politika.\u003c/p\u003e\n\u003cp\u003eDiğer kullanışlı argümanlar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eargs:\n - --no-verify # daha hızlı commit'ler için canlı doğrulamayı atla\n - --min-severity\n - medium # düşük önem dereceli gürültüyü bastır\n - --format\n - table # terminalde insan tarafından okunabilir çıktı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eKanca tanımında \u003ccode\u003epass_filenames: false\u003c/code\u003e ayarlandığından kanca, yalnızca mevcut commit için staged dosyaları değil her zaman tam çalışma ağacını tarar. Bu, staged olmayan dosyalarda halihazırda bulunan sırların da tespit edileceğini garanti eder.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kancann-taradklar\"\u003eKancanın taradıkları\u003c/h2\u003e\n\u003cp\u003eKanca, depo çalışma dizinine karşı \u003ccode\u003eleakwatch scan fs\u003c/code\u003e çalıştırır. CLI ile aynı tespit hattını kullanır: Aho-Corasick ön filtreleme, regex doğrulama, entropi hesaplama ve (\u003ccode\u003e--no-verify\u003c/code\u003e ayarlanmadıkça) canlı doğrulama.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki yapılandırma otomatik olarak uygulanır — dışlama kalıpları, entropi eşikleri ve doğrulama ayarları, herhangi bir ek kanca yapılandırması olmadan geçerli olur.\u003c/p\u003e\n\u003ch2 id=\"kancay-geici-olarak-atlama\"\u003eKancayı geçici olarak atlama\u003c/h2\u003e\n\u003cp\u003eKancayı çalıştırmadan commit yapmak için (örneğin, maskelenmiş sır içeren bir test sabiti commit edilirken):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eSKIP=leakwatch git commit -m \u0026quot;chore: test sabiti ekle\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eSKIP=leakwatch\u003c/code\u003e kullanmak, o commit için tüm sır taramasını devre dışı bırakır. Yalnızca içeriğin güvenli olduğunu teyit ettiğinizde kullanın; kalıcı bastırmalar için bunun yerine \u003ccode\u003e.leakwatchignore\u003c/code\u003e veya satır içi \u003ccode\u003eleakwatch:ignore\u003c/code\u003e yorumlarını tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kanca-srmn-sabitli-tutma\"\u003eKanca sürümünü sabitli tutma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003erev:\u003c/code\u003e değerini dal adı yerine belirli bir etikete sabitleyin. Bu, ekipteki tüm geliştiricilerin aynı dedektör setini kullandığını ve kancanın sprint ortasında sessizce yükseltilmediğini garantiler:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003erev: v1.5.0 # sabitle; 'main' veya 'HEAD' kullanmayın\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGüncellemek için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epre-commit autoupdate\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003ccode\u003erev\u003c/code\u003e değerini en son etikete yükseltir ve siz onu commit etmeden önce değişikliği inceleme fırsatı tanır.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — kancanın çalıştırdığı temel tarama komutu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'da dışlamaları, entropiyi ve doğrulamayı kontrol etme.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — GitHub CI'da her push ve pull request'te tarama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/config-file":{"title":"Yapılandırma Dosyası","description":"Leakwatch'ı .leakwatch.yaml ile yapılandırma — tam şema, varsayılanlar, doğrulama kuralları, ortam değişkeni geçersiz kılmaları ve leakwatch init komutu.","html":"\u003ch1 id=\"yaplandrma-dosyas\"\u003eYapılandırma Dosyası\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın her tarama komutundaki davranışı, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e adlı tek bir YAML dosyasıyla yönetilir. Bu dosyayı anlamak; eşzamanlılık, doğrulama, çıktı biçimi ve yol filtrelemeyi bir kez ayarlamanızı ve her taramanın bu ayarları otomatik olarak almasını sağlar.\u003c/p\u003e\n\u003ch2 id=\"dosya-kefi\"\u003eDosya keşfi\u003c/h2\u003e\n\u003cp\u003eLeakwatch, yapılandırma dosyasını aşağıdaki sırayla çözer:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e bayrağı\u003c/strong\u003e — çalışma dizininden bağımsız olarak açık bir yol kullanır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGeçerli dizin\u003c/strong\u003e — komutun çalıştırıldığı dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAna dizin\u003c/strong\u003e — yedek olarak \u003ccode\u003e~/.leakwatch.yaml\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eHiçbir dosya bulunamazsa, her ayar için yerleşik varsayılanlar kullanılır.\u003c/p\u003e\n\u003ch2 id=\"balang-dosyas-oluturma\"\u003eBaşlangıç dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e komutu, önerilen varsayılanlarla düzenlemeye hazır bir dosya yazar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak dosya, geçerli dizindeki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e konumuna yazılır. Farklı bir yol seçmek için \u003ccode\u003e--output\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --output /etc/leakwatch/.leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHedef dosya zaten mevcutsa, \u003ccode\u003eleakwatch init\u003c/code\u003e üzerine yazmayı reddeder ve hata vererek çıkar. Üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ortam-deikeni-geersiz-klmalar\"\u003eOrtam değişkeni geçersiz kılmaları\u003c/h2\u003e\n\u003cp\u003eHer yapılandırma anahtarı bir ortam değişkeniyle geçersiz kılınabilir. İsimlendirme kuralı şudur:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eÖnek: \u003ccode\u003eLEAKWATCH_\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştirin\u003c/li\u003e\n\u003cli\u003eBüyük harfe çevirin\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eÖrnekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003cth\u003eOrtam değişkeni\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-sras\"\u003eÖncelik sırası\u003c/h2\u003e\n\u003cp\u003eAynı ayar birden fazla yerde belirtildiğinde, en yüksek öncelikli kaynak kazanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eKomut satırı bayrağı (en yüksek)\u003c/li\u003e\n\u003cli\u003eOrtam değişkeni\u003c/li\u003e\n\u003cli\u003eYapılandırma dosyası değeri\u003c/li\u003e\n\u003cli\u003eYerleşik varsayılan (en düşük)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"tam-ema\"\u003eTam şema\u003c/h2\u003e\n\u003cp\u003eAşağıdaki açıklamalı şema, desteklenen her anahtarı, varsayılan değerini ve geçerli aralığını göstermektedir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# ── Tarama motoru ─────────────────────────────────────────────────────────────\n\nscan:\n # Eşzamanlı dosya işleme worker sayısı.\n # Varsayılan olarak ana makinedeki mantıksal CPU çekirdeği sayısı kullanılır.\n # \u0026gt;= 1 olmalıdır.\n concurrency: 8\n\n # Taranacak maksimum dosya boyutu (bayt cinsinden). Bu sınırı aşan dosyalar\n # tamamen atlanır. Varsayılan: 10 MB (10485760). \u0026gt;= 1 olmalıdır.\n max-file-size: 10485760\n\n# ── Tespit ────────────────────────────────────────────────────────────────────\n\ndetection:\n entropy:\n # Her aday eşleşme için Shannon entropi hesaplamasını etkinleştirir.\n enabled: true\n\n # Gösterim ve özel kural kapısı için kullanılan entropi eşiği.\n # Aralık: 0–8. Varsayılan: 4.0.\n # Yerleşik bulgular hakkındaki nota bakın.\n threshold: 4.0\n\n# ── Doğrulama ─────────────────────────────────────────────────────────────────\n\nverification:\n # Sağlayıcı API'lerine karşı canlı doğrulamayı etkinleştirir.\n enabled: true\n\n # İstek başına HTTP zaman aşımı. Doğrulama etkinleştirildiğinde \u0026gt;= 1ms olmalıdır.\n # Süre dizesi kullanın (örn. \u0026quot;10s\u0026quot;, \u0026quot;500ms\u0026quot;) — tam sayı nanosaniye olarak\n # yorumlanır ve doğrulama başarısız olur.\n timeout: 10s\n\n # Eşzamanlı doğrulama worker sayısı. \u0026gt;= 1 olmalıdır.\n concurrency: 4\n\n # Saniyedeki maksimum doğrulama isteği (token-bucket hız sınırlayıcı).\n # \u0026gt; 0 olmalıdır.\n rate-limit: 10.0\n\n# ── Filtreleme ────────────────────────────────────────────────────────────────\n\nfilter:\n # Taramadan hariç tutulacak yollar için glob desenleri.\n # Desteklenen glob stilleri: filepath.Match desenleri, sıfır veya daha fazla\n # yol segmentini kapsayan ** çift yıldız ve herhangi bir derinlikte adlandırılmış\n # dizini eşleştiren sondaki eğik çizgili dir/ desenleri. Her desen hem tam yol\n # hem de temel dosya adına karşı test edilir.\n # Tüm tarama kaynaklarına uygulanır. (`scan fs` komutunda --exclude bayrağı da bunu ayarlar.)\n # Varsayılan: [] (yerleşik ikili/kilit dosya atlamalarının ötesinde hariç tutma yok).\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;go.sum\u0026quot;\n - \u0026quot;package-lock.json\u0026quot;\n - \u0026quot;yarn.lock\u0026quot;\n\n # Tamamen devre dışı bırakılacak dedektör ID'leri. Listelenen dedektörlerden\n # gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez.\n # Varsayılan: [].\n exclude-detectors: []\n\n# ── Çıktı ─────────────────────────────────────────────────────────────────────\n\noutput:\n # Çıktı biçimi. Şunlardan biri: json, sarif, csv, table. Varsayılan: json.\n # --format / -f bayrağı bunu çalışma zamanında geçersiz kılar.\n format: json\n\n # Çıktıyı stdout yerine bu dosya yoluna yaz. Varsayılan: \u0026quot;\u0026quot; (stdout).\n # --output / -o bayrağı bunu çalışma zamanında geçersiz kılar.\n file: \u0026quot;\u0026quot;\n\n # Bu önem seviyesinin altındaki bulguları bırak.\n # Şunlardan biri: low, medium, high, critical. Varsayılan: \u0026quot;\u0026quot; (tümünü göster).\n # --min-severity bayrağı bunu çalışma zamanında geçersiz kılar.\n severity-threshold: \u0026quot;\u0026quot;\n\n # Çıktıda maskelenmemiş sır değerini dahil et.\n # Varsayılan: false. --show-raw bayrağı bunu çalışma zamanında geçersiz kılar.\n show-raw: false\n\n# ── Özel kurallar ─────────────────────────────────────────────────────────────\n\n# Kendi dedektörlerinizi YAML kuralları olarak tanımlayın. Tam kural şeması\n# için özel kurallar sayfasına bakın.\n# custom-rules:\n# - id: \u0026quot;my-internal-token\u0026quot;\n# description: \u0026quot;Internal Service Token\u0026quot;\n# regex: \u0026quot;mycompany_[a-zA-Z0-9]{32}\u0026quot;\n# keywords: [\u0026quot;mycompany_\u0026quot;]\n# severity: critical\ncustom-rules: []\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e, bir bulgunun yanında gösterilen entropi değerini kontrol eder ve özel kurallar için bir kapı görevi görür (entropisi eşiğin altına düşen özel kural eşleşmeleri bastırılır). Yerleşik dedektörlerin bulgularını \u003cstrong\u003ebastırmaz\u003c/strong\u003e — yerleşik dedektörlerin kendi eşleşme kriterleri vardır ve bu ayar tarafından hiçbir zaman bırakılmazlar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, taramaya başlamadan önce yüklenen yapılandırmayı doğrular ve aşağıdaki durumların herhangi birinde hata vererek çıkar:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKoşul\u003c/th\u003e\n\u003cth\u003eHata\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.concurrency \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz eşzamanlılık değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003escan.max-file-size \u0026lt; 1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGeçersiz max-file-size değeri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.format\u003c/code\u003e \u003ccode\u003ejson|sarif|csv|table\u003c/code\u003e içinde değil\u003c/td\u003e\n\u003ctd\u003eDesteklenmeyen çıktı biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edetection.entropy.threshold\u003c/code\u003e 0–8 dışında\u003c/td\u003e\n\u003ctd\u003eGeçersiz entropi eşiği\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e geçerli bir seviye değil (boş değilse)\u003c/td\u003e\n\u003ctd\u003eGeçersiz severity-threshold\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout \u0026lt; 1ms\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama zaman aşımı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency \u0026lt; 1\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama eşzamanlılığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit \u0026lt;= 0\u003c/code\u003e (doğrulama etkinleştirildiğinde)\u003c/td\u003e\n\u003ctd\u003eGeçersiz doğrulama rate-limit\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/ignoring-findings":{"title":"Bulguları Yok Sayma","description":".leakwatchignore dosyaları, satır içi yok sayma işaretçileri ve yerleşik ikili dosya ve kilit dosyası atlamaları ile yanlış pozitifleri bastırın.","html":"\u003ch1 id=\"bulgular-yok-sayma\"\u003eBulguları Yok Sayma\u003c/h1\u003e\n\u003cp\u003eHiçbir tarayıcının yanlış pozitif oranı sıfır değildir. Leakwatch, gürültüyü bastırmak için size üç katmanlı mekanizma sunar: yol tabanlı dışlamalar için bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası, satır düzeyinde bastırma için satır içi işaretçiler ve ikili dosyalar ile yaygın kilit dosyaları için her zaman etkin olan yerleşik atlamalar.\u003c/p\u003e\n\u003ch2 id=\"leakwatchignore-dosyas\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası\u003c/h2\u003e\n\u003cp\u003eTarama sonuçlarından yolları hariç tutmak için depo kökünüze (veya geçerli dizine) bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası oluşturun. Gitignore stilinde söz dizimi kullanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e#\u003c/code\u003e ile başlayan satırlar yorum satırlarıdır.\u003c/li\u003e\n\u003cli\u003eBoş satırlar atlanır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!\u003c/code\u003e öneki bir deseni \u003cstrong\u003egeçersiz kılar\u003c/strong\u003e; önceki bir desen tarafından dışlanmış olacak bir yolu yeniden dahil eder.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSon eşleşen desen kazanır\u003c/strong\u003e — sıra önemlidir.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"ykleme-sras\"\u003eYükleme sırası\u003c/h3\u003e\n\u003cp\u003eLeakwatch, \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyasını önce tarama kökünden, ardından geçerli çalışma dizininden yükler. Her ikisi de aynı yol için desen içeriyorsa, geçerli dizin dosyasının desenleri öncelik kazanır çünkü son değerlendirilenler bunlardır.\u003c/p\u003e\n\u003ch3 id=\"glob-sz-dizimi\"\u003eGlob söz dizimi\u003c/h3\u003e\n\u003cp\u003eÜç desen stili desteklenir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eStil\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003cth\u003eÖrnek\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eStandart glob\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efilepath.Match\u003c/code\u003e stili, hem tam yola hem de temel dosya adına karşı eşleştirilen\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e*.pem\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇift yıldız \u003ccode\u003e**\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSıfır veya daha fazla yol segmentini kapsar\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003etest/fixtures/**\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSondaki eğik çizgi \u003ccode\u003edir/\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAdlandırılmış dizinin herhangi bir derinliğindeki her dosyayla eşleşir\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003esnapshots/\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"leakwatchignore-rnei\"\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e örneği\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e# Tüm test fixture dosyalarını yok say\ntest/fixtures/**\n\n# Dokümantasyondaki bilinen yer tutucu anahtarları yok say\ndocs/examples/\n\n# Ağaçtaki herhangi bir yerdeki belirli uzantılı dosyaları yok say\n*.pem.example\n\n# Yukarıdaki kural tarafından dışlanan belirli bir dosyayı yeniden dahil et\n!docs/examples/real-config-sample.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e.leakwatchignore\u003c/code\u003e filtrelemesi, her bulgunun dosya yoluna göre tarama tamamlandıktan \u003cstrong\u003esonra\u003c/strong\u003e uygulanır. Dosyaların okunmasını engellemez — ürettikleri bulguları bastırır. Dosyaları okunmadan önce atlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e veya \u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"satr-ii-yok-sayma-iaretileri\"\u003eSatır içi yok sayma işaretçileri\u003c/h2\u003e\n\u003cp\u003eSöz konusu satırdaki dedektörleri bastırmak için herhangi bir kaynak satırına doğrudan bir işaretçi koyun. İşaretçi satırın herhangi bir yerine yerleştirilebilir — genellikle bir yorum içinde — ve motor tarafından doğrulamadan \u003cstrong\u003eönce\u003c/strong\u003e uygulanır; böylece yok sayılan bir satır hiçbir zaman ağ çağrısını tetiklemez.\u003c/p\u003e\n\u003ch3 id=\"bir-satrdaki-tm-dedektrleri-bastr\"\u003eBir satırdaki tüm dedektörleri bastır\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# Ödeme işleme yapılandırması\nSTRIPE_KEY = \u0026quot;sk_test_XXXXXXXXXXXXXXXXXXXX\u0026quot; # leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"bir-satrdaki-belirli-bir-dedektr-bastr\"\u003eBir satırdaki belirli bir dedektörü bastır\u003c/h3\u003e\n\u003cp\u003eYalnızca bir dedektörü bastırırken diğerlerini etkin bırakmak için \u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// Bu token dokümantasyon için kasıtlı olarak bir yer tutucudur\nexampleToken := \u0026quot;ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026quot; // leakwatch:ignore:github-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Platform tarafından ayarlanan CI ortam değişkeni — gerçek bir sır değil\napi_key: \u0026quot;${CI_API_KEY_PLACEHOLDER}\u0026quot; # leakwatch:ignore:generic-api-key\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eMümkün olduğunda genel form yerine dedektöre özgü formu (\u003ccode\u003eleakwatch:ignore:\u0026lt;detector-id\u0026gt;\u003c/code\u003e) tercih edin. Hangi dedektörü bastırdığınızı belgeler ve diğer tüm dedektörleri o satırda etkin bırakır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"yerleik-atlamalar-her-zaman-uygulanr\"\u003eYerleşik atlamalar (her zaman uygulanır)\u003c/h2\u003e\n\u003cp\u003eLeakwatch, herhangi bir dedektörü çalıştırmadan önce aşağıdakileri koşulsuz olarak atlar:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili dosya uzantıları\u003c/strong\u003e — \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.so\u003c/code\u003e, \u003ccode\u003e.dylib\u003c/code\u003e, \u003ccode\u003e.bin\u003c/code\u003e, \u003ccode\u003e.png\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e, \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.gz\u003c/code\u003e, \u003ccode\u003e.pdf\u003c/code\u003e, \u003ccode\u003e.woff\u003c/code\u003e, \u003ccode\u003e.ttf\u003c/code\u003e ve diğerleri gibi uzantılara sahip dosyalar hiçbir zaman taranmaz.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eİkili içerik tespiti\u003c/strong\u003e — ilk 8 KB'ı null bayt içeren herhangi bir dosya, uzantısından bağımsız olarak ikili olarak kabul edilir ve atlanır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eYaygın kilit dosyaları\u003c/strong\u003e — aşağıdaki dosya adları, yüksek oranda yanlış pozitif üreten hash ve sağlama toplamları içerdikleri için her zaman atlanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDosya\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epackage-lock.json\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eyarn.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epnpm-lock.yaml\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecomposer.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGemfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eCargo.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epoetry.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ego.sum\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ePipfile.lock\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eBu yerleşik atlamalar devre dışı bırakılamaz. \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ayarından ayrıdır ve yapılandırma tabanlı filtrelemeden önce çalışır.\u003c/p\u003e\n\u003ch2 id=\"tarama-ncesi-yol-tabanl-dlama\"\u003eTarama öncesi yol tabanlı dışlama\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru tarafından okunmadan önce dışlamak için yapılandırma dosyanızda \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;third-party/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu ayar \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır (dosya sistemi, Git geçmişi, konteyner imajları, bulut depolama, Slack). \u003ccode\u003escan fs\u003c/code\u003e komutunda ayrıca komut satırında \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e parametresi de geçirebilirsiniz; bu, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile eşdeğer bir bayraktır.\u003c/p\u003e\n\u003cp\u003eTam yapılandırma şeması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e, dedektör düzeyinde ve önem derecesi düzeyinde filtreleme için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"configuration/severity-and-filtering":{"title":"Önem Derecesi \u0026 Filtreleme","description":"Önem eşikleri, yalnızca doğrulanmış mod, dedektör dışlamaları ve yol dışlamaları kullanarak hangi bulguların çıktınıza ulaşacağını kontrol edin.","html":"\u003ch1 id=\"nem-derecesi--filtreleme\"\u003eÖnem Derecesi \u0026amp; Filtreleme\u003c/h1\u003e\n\u003cp\u003eYoğun bir kod tabanı çok sayıda bulgu üretebilir. Leakwatch, en önemli sinyallere odaklanmak için birleştirebileceğiniz birkaç bağımsız filtre sunar: önem eşikleri düşük öncelikli gürültüyü eler, yalnızca doğrulanmış mod yalnızca onaylanmış canlı sırları ortaya çıkarır, dedektör dışlamaları bilinen yanlış pozitif kaynakları susturur ve yol dışlamaları tüm dizin ağaçlarını kapsamın dışında bırakır.\u003c/p\u003e\n\u003ch2 id=\"nem-seviyeleri\"\u003eÖnem seviyeleri\u003c/h2\u003e\n\u003cp\u003eHer yerleşik dedektör, varsayılan bir önem derecesiyle birlikte gelir. En düşükten en yüksek önceliğe doğru dört seviye şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eSeviye\u003c/th\u003e\n\u003cth\u003eTipik kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDaha yüksek yanlış pozitif oranına sahip genel desenler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanınabilir kimlik bilgisi biçimleri, doğrulanmamış\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMaruziyetin büyük olasılıkla önemli olduğu iyi yapılandırılmış sırlar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOnaylanmış canlı sırlar veya neredeyse sıfır yanlış pozitif oranlı biçimler\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer dedektöre atanan önem derecesi \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir.\u003c/p\u003e\n\u003ch2 id=\"--min-severity-eiin-altndaki-bulgular-brak\"\u003e\u003ccode\u003e--min-severity\u003c/code\u003e: eşiğin altındaki bulguları bırak\u003c/h2\u003e\n\u003cp\u003eBelirtilen seviyenin altındaki önem derecesine sahip bulguları atmak için \u003ccode\u003e--min-severity \u0026lt;level\u0026gt;\u003c/code\u003e parametresini kullanın. Yalnızca eşik değerinde veya üzerindeki bulgular çıktıya ulaşır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Yalnızca high ve critical bulguları göster\nleakwatch scan fs . --min-severity high\n\n# medium, high ve critical bulguları göster\nleakwatch scan fs . --min-severity medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eoutput.severity-threshold\u003c/code\u003e altında yapılandırma dosyasında kalıcı bir varsayılan ayarlayabilirsiniz. \u003ccode\u003e--min-severity\u003c/code\u003e bayrağı, çalışma zamanında yapılandırma değerini geçersiz kılar:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eoutput:\n severity-threshold: medium\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"--only-verified-yalnzca-onaylanm-aktif-srlar\"\u003e\u003ccode\u003e--only-verified\u003c/code\u003e: yalnızca onaylanmış aktif sırlar\u003c/h2\u003e\n\u003cp\u003eYalnızca doğrulama durumu \u003ccode\u003everified_active\u003c/code\u003e olan bulguları, yani Leakwatch'ın sağlayıcı API'sine kontrollü bir salt-okunur çağrı yaparak hâlâ geçerli olduğunu doğruladığı sırları tutmak için \u003ccode\u003e--only-verified\u003c/code\u003e parametresini kullanın. Diğer tüm bulgular (doğrulanmamış, doğrulanmış-etkin değil veya doğrulama hatası) bırakılır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu bayrak, derlemeyi yalnızca onaylanmış olaylar üzerinde, yer tutucu veya zaten döndürülmüş kimlik bilgileri olabilecek şüpheli desenler üzerinde değil, başarısız kılmak istediğiniz CI hatlarında en kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eHangi dedektörlerin canlı doğrulamayı desteklediği için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-detectors-belirli-dedektrleri-devre-d-brak\"\u003e\u003ccode\u003efilter.exclude-detectors\u003c/code\u003e: belirli dedektörleri devre dışı bırak\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü kalıcı olarak devre dışı bırakmak için ID'lerini yapılandırma dosyasındaki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e altında listeleyin. Listelenen dedektörlerden gelen bulgular, diğer ayarlardan bağımsız olarak hiçbir zaman üretilmez:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDedektör ID'leri \u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e'nda listelenmiştir. Bir dedektör sürekli olarak kod tabanınız için yanlış pozitifler ürettiğinde ve diğer bastırma mekanizmaları (satır içi yok saymalar veya \u003ccode\u003e.leakwatchignore\u003c/code\u003e) yeterince ayrıntılı olmadığında bu ayarı kullanın.\u003c/p\u003e\n\u003ch2 id=\"filterexclude-paths-tarama-ncesi-yollar-atla\"\u003e\u003ccode\u003efilter.exclude-paths\u003c/code\u003e: tarama öncesi yolları atla\u003c/h2\u003e\n\u003cp\u003eYolları tarama motoru okumadan önce dışlamak için yapılandırma dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e kullanın. Desenler, \u003ccode\u003e.leakwatchignore\u003c/code\u003e ile aynı glob söz dizimini kullanır (standart globlar, \u003ccode\u003e**\u003c/code\u003e çift yıldız ve sondaki eğik çizgili dizin desenleri) ve \u003cstrong\u003etüm tarama kaynaklarına\u003c/strong\u003e uygulanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;**/*.min.js\u0026quot;\n - \u0026quot;**/*.min.css\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003escan fs\u003c/code\u003e komutunda \u003ccode\u003e--exclude \u0026lt;pattern\u0026gt;\u003c/code\u003e bayrağı, \u003ccode\u003efilter.exclude-paths\u003c/code\u003e ile komut satırı eşdeğeridir. \u003ccode\u003e--exclude\u003c/code\u003e bayrağı \u003cstrong\u003eyalnızca\u003c/strong\u003e \u003ccode\u003escan fs\u003c/code\u003e komutunda mevcuttur — diğer tüm kaynaklar için yapılandırma dosyası ayarını kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-filtreleri-birletirme\"\u003eCI'da filtreleri birleştirme\u003c/h2\u003e\n\u003cp\u003eBir CI hattında genellikle yalnızca gerçek olaylarda başarısız olan, düşük gürültülü ve yüksek sinyalli bir çalışma istersiniz. Önerilen bir kombinasyon:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --only-verified \\\n --min-severity high \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYapılandırma dosyasının kalıcı yol dışlamalarını yönetmesiyle:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-paths:\n - \u0026quot;vendor/**\u0026quot;\n - \u0026quot;node_modules/**\u0026quot;\n - \u0026quot;test/fixtures/\u0026quot;\n exclude-detectors:\n - generic-api-key\n\noutput:\n severity-threshold: high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eArdından CI için yalnızca biçimi ve hedefi komut satırında geçersiz kılın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama ayrıntıları için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e, satır içi ve dosya tabanlı bastırma için \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e ve tam şema için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e bölümlerine bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yok Sayma\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/custom-rules":{"title":"Özel Kurallar","description":"YAML ile kendi sır tespit kalıplarınızı nasıl tanımlayacağınız ve 63 yerleşik dedektörün yanında bir Leakwatch taramasına nasıl ekleyeceğiniz.","html":"\u003ch1 id=\"zel-kurallar\"\u003eÖzel Kurallar\u003c/h1\u003e\n\u003cp\u003e63 yerleşik dedektör yaygın kullanılan kimlik bilgisi formatlarını kapsar; ancak her kuruluşun dahili token'ları, özel servis anahtarları veya hiçbir genel aracın önceden tahmin edemeyeceği ortama özgü kalıpları vardır. Özel kurallar, kaynak kodu değiştirmeden veya ikili dosyayı yeniden derlemeden kendi kalıplarınızı düz YAML ile tanımlamanıza ve çalışma zamanında yüklemenize olanak tanıyarak Leakwatch'ı genişletmenizi sağlar.\u003c/p\u003e\n\u003ch2 id=\"zel-kurallar-nerede-tanmlanr\"\u003eÖzel kurallar nerede tanımlanır\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyanızda en üst düzey bir \u003ccode\u003ecustom-rules:\u003c/code\u003e listesi altında tanımlanır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı\u0026quot;\n regex: 'acme_[a-z0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKurallar, Leakwatch başladığında çalışma zamanında kaydedilir. Aynı Aho-Corasick ön-filtre hattını kullanarak yerleşik dedektörlerle birlikte çalışırlar.\u003c/p\u003e\n\u003ch2 id=\"kural-alanlar\"\u003eKural alanları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eZorunlu\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eid\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eBenzersiz dedektör ID'si. Çıktıda ve \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e içinde kullanılır. Yerleşik dedektör ID'si veya başka bir özel kural ID'si ile çakışmamalıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edescription\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eÇıktıda gösterilen insan tarafından okunabilir açıklama.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eregex\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEvet\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eRE2 uyumlu düzenli ifade. Maksimum 4096 karakter.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ekeywords\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring listesi\u003c/td\u003e\n\u003ctd\u003eAho-Corasick ön-filtre anahtar kelimeleri. Regex yalnızca bu dizelerden en az birini içeren parçalar üzerinde çalışır. Bu alanın atlanması regex'in her parça üzerinde çalışmasına neden olur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eseverity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e veya \u003ccode\u003elow\u003c/code\u003e. Varsayılan \u003ccode\u003emedium\u003c/code\u003e'dur.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eentropy\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHayır\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003eShannon entropi eşiği (0–8). Entropisi bu değerin \u003cstrong\u003ealtında\u003c/strong\u003e olan eşleşmeler atılır. Düşük rastgelelikli yanlış pozitifleri filtrelemek için kullanışlıdır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eHer zaman \u003ccode\u003ekeywords\u003c/code\u003e belirtin. Tek kısa bir anahtar kelime bile (token ön eki gibi) regex motorunun işlediği parça sayısını önemli ölçüde azaltır ve büyük depolarda taramaların hızlı kalmasını sağlar. Örneğin tüm dahili token'larınız \u003ccode\u003eacme_\u003c/code\u003e ile başlıyorsa \u003ccode\u003ekeywords: [acme_]\u003c/code\u003e ayarlayın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eentropy\u003c/code\u003e kullanarak \u003ccode\u003eacme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/code\u003e gibi kalıbı karşılayan ancak açıkça gerçek sır olmayan yer tutucu değerlerdeki eşleşmeleri bastırın. 3,0–3,5 civarı bir eşik iyi bir başlangıç noktasıdır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"akma-ynetimi\"\u003eÇakışma yönetimi\u003c/h2\u003e\n\u003cp\u003eBir özel kuralın \u003ccode\u003eid\u003c/code\u003e'si zaten kayıtlı bir dedektörle eşleşirse — yerleşik dedektör veya daha önce yüklenen özel kural olsun fark etmez — yinelenen kural \u003cstrong\u003eatlanır\u003c/strong\u003e ve bir hata loglanır. Leakwatch çökmez; geri kalan kurallar normal şekilde yüklenir. Bir özel kuralın etkisiz göründüğü durumlarda log çıktısını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"dorulama\"\u003eDoğrulama\u003c/h2\u003e\n\u003cp\u003eÖzel kuralların eşleştirilmiş doğrulayıcısı yoktur. Özel kurallardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e durumuyla raporlanır — hiçbir zaman \u003ccode\u003everified_active\u003c/code\u003e veya \u003ccode\u003everified_inactive\u003c/code\u003e olmaz.\u003c/p\u003e\n\u003ch2 id=\"tam-rnek\"\u003eTam örnek\u003c/h2\u003e\n\u003cp\u003eAşağıdaki \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, iki özel kural tanımlar: biri dahili servis token'ı, diğeri webhook'larda kullanılan imzalama sırrı için.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003ecustom-rules:\n - id: acme-internal-token\n description: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;\n regex: 'acme_[a-f0-9]{32}'\n keywords:\n - acme_\n severity: critical\n entropy: 3.2\n\n - id: acme-webhook-signing-secret\n description: \u0026quot;ACME Corp webhook imzalama sırrı (format: whsec_ + 40 base64url karakter)\u0026quot;\n regex: 'whsec_[A-Za-z0-9_\\-]{40}'\n keywords:\n - whsec_\n severity: high\n entropy: 3.5\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu yapılandırmayla bir tarama çalıştırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --config .leakwatch.yaml\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kural bulgusu için örnek JSON çıktısı (sır değeri maskelenmiştir):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;detector_id\u0026quot;: \u0026quot;acme-internal-token\u0026quot;,\n \u0026quot;description\u0026quot;: \u0026quot;ACME Corp dahili servis token'ı (format: acme_ + 32 hex karakter)\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;verification_status\u0026quot;: \u0026quot;unverified\u0026quot;,\n \u0026quot;file\u0026quot;: \u0026quot;config/production.env\u0026quot;,\n \u0026quot;line\u0026quot;: 14,\n \u0026quot;raw_redacted\u0026quot;: \u0026quot;acme_********************************\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003eraw_redacted\u003c/code\u003e alanı gerçek sırrı her zaman maskeler. Ham değer, açıkça \u003ccode\u003e--show-raw\u003c/code\u003e geçilmedikçe çıktıya asla yazılmaz (kontrollü ortamlar dışında önerilmez).\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kural-hari-tutma\"\u003eÖzel kuralı hariç tutma\u003c/h2\u003e\n\u003cp\u003eÖzel kurallar, yerleşik dedektörlerle aynı filtrelemeye katılır. Bir özel kuralı yapılandırmadan kaldırmadan devre dışı bırakmak için:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - acme-internal-token\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003ecustom-rules:\u003c/code\u003e öğesinin belge yapısındaki yeri dahil \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e için tam referans.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — özel kuralınızı adlandırmadan önce ID çakışmalarını kontrol etmek için 63 yerleşik dedektör.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — \u003ccode\u003ekeywords\u003c/code\u003e öğesinin bağlandığı Aho-Corasick ön-filtre hattı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"detectors/detector-catalog":{"title":"Dedektör Kataloğu","description":"Kategorilere göre gruplanmış tüm 63 yerleşik dedektör; ID'leri, ne tespit ettikleri ve varsayılan şiddet seviyeleri ile.","html":"\u003ch1 id=\"dedektr-katalou\"\u003eDedektör Kataloğu\u003c/h1\u003e\n\u003cp\u003eLeakwatch, bulut sağlayıcısı erişim anahtarlarından ve yapay zekâ API token'larından veritabanı bağlantı dizelerine ve özel kriptografik anahtarlara kadar geniş bir kimlik bilgisi türü yelpazesini kapsayan \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile gelir. Her dedektörün kararlı bir ID'si, varsayılan bir şiddet seviyesi ve (çoğu için) bulunan sırrın hâlâ canlı olup olmadığını teyit edebilen eşleştirilmiş bir doğrulayıcısı vardır.\u003c/p\u003e\n\u003cp\u003eBu sayfa her yerleşik dedektörü listeler. Doğrulama kapsamı ayrıntıları için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın. Kendi kalıplarınızı eklemek için \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"bu-katalogu-nasl-okuyacaksnz\"\u003eBu katalogu nasıl okuyacaksınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eID\u003c/strong\u003e — yapılandırma ve çıktıda kullanılan kararlı dize tanımlayıcısı. Bir dedektörü atlamak için \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin veya \u003ccode\u003e--min-severity\u003c/code\u003e filtrelemesiyle birlikte kullanın (\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTespit eder\u003c/strong\u003e — dedektörün ne aradığı.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eŞiddet\u003c/strong\u003e — \u003ccode\u003eCritical\u003c/code\u003e (Kritik), \u003ccode\u003eHigh\u003c/code\u003e (Yüksek) veya \u003ccode\u003eMedium\u003c/code\u003e (Orta). Bu varsayılandır; \u003ccode\u003e--min-severity\u003c/code\u003e bayrağını ve \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e yapılandırma anahtarını besler.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"bulut-ve-altyap\"\u003eBulut ve Altyapı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS Access Key ID\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGCP Servis Hesabı Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Storage Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAzure Entra ID İstemci Sırrı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud/Enterprise API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHashiCorp Vault Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler Servis Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yapay-zek--makine-renimi\"\u003eYapay Zekâ / Makine Öğrenimi\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"demeler-ve-ticaret\"\u003eÖdemeler ve Ticaret\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Canlı API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe Test API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"gelitirme-aralar-ci-ve-paketler\"\u003eGeliştirme Araçları, CI ve Paketler\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub OAuth2 Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket Uygulama Parolası\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI Kişisel API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNPM Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud/SonarQube Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly SDK Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"letiim-ve-birlii\"\u003eİletişim ve İşbirliği\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Bot/Kullanıcı Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams Gelen Webhook URL'si\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion Dahili Entegrasyon Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable Kişisel Erişim Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"e-posta-ve-mesajlama-teslimat\"\u003eE-posta ve Mesajlaşma Teslimatı\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark Sunucu API Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"zleme-ve-gzlemlenebilirlik\"\u003eİzleme ve Gözlemlenebilirlik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry Kimlik Doğrulama Token'ı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"veritabanlar-ve-balant-dizeleri\"\u003eVeritabanları ve Bağlantı Dizeleri\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVeritabanı Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRedis Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRabbitMQ Bağlantı Dizesi\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnowflake Bağlantı Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase Servis Rolü Anahtarı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-ve-eriim\"\u003eKimlik ve Erişim\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Yönetim API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API Token'ı\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP/LDAPS Bağlama Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"web3\"\u003eWeb3\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API Anahtarı\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"genel-ve-kriptografik\"\u003eGenel ve Kriptografik\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eID\u003c/th\u003e\n\u003cth\u003eTespit eder\u003c/th\u003e\n\u003cth\u003eŞiddet\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGenel API Anahtarı\u003c/td\u003e\n\u003ctd\u003eMedium\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON Web Token\u003c/td\u003e\n\u003ctd\u003eHigh\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÖzel Anahtar (RSA, SSH, DSA, EC, PGP)\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFTP/SFTP Kimlik Bilgileri\u003c/td\u003e\n\u003ctd\u003eCritical\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003cp\u003e\u003cstrong\u003eToplam: 63 yerleşik dedektör.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"iddete-gre-filtreleme\"\u003eŞiddete göre filtreleme\u003c/h2\u003e\n\u003cp\u003eBulgular, komut satırında \u003ccode\u003e--min-severity\u003c/code\u003e veya yapılandırmada \u003ccode\u003eoutput.severity-threshold\u003c/code\u003e kullanılarak şiddet seviyesine göre filtrelenebilir. Yalnızca belirtilen seviyede veya üzerindeki bulgular çıktıya dahil edilir. Ayrıntılar için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"belirli-dedektrleri-hari-tutma\"\u003eBelirli dedektörleri hariç tutma\u003c/h2\u003e\n\u003cp\u003eBir veya daha fazla dedektörü tamamen atlamak için ID'lerini \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-detectors\u003c/code\u003e listesine ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003efilter:\n exclude-detectors:\n - generic-api-key\n - jwt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam filtreleme referansı için \u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kapsam\"\u003eDoğrulama kapsamı\u003c/h2\u003e\n\u003cp\u003eBazı dedektörlerin canlı doğrulayıcısı vardır; bazıları yalnızca format doğrulamasına tabi tutulur; dokuzu ise hiç doğrulayıcıya sahip değildir. Tam döküm için \u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e — YAML ile kendi tespit kalıplarınızı tanımlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektörlerin canlı doğrulanabileceği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/severity-and-filtering\"\u003eŞiddet ve Filtreleme\u003c/a\u003e — bulguları şiddet seviyesine veya dedektöre göre filtreleme.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/how-it-works":{"title":"Nasıl Çalışır","description":"Leakwatch tarama hattının mimarisi: kaynaklar, tespit, doğrulama ve çıktı.","html":"\u003ch1 id=\"nasl-alr\"\u003eNasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eLeakwatch hattını anlamak, performansı ayarlamanıza, sonuçları yorumlamanıza ve hangi bayrakları kullanacağınıza karar vermenize yardımcı olur. Bu sayfa, bir tarama komutunu çalıştırdığınız andan bir bulgunun çıktınızda göründüğü ana kadar neler olduğunu açıklar.\u003c/p\u003e\n\u003ch2 id=\"hatta-genel-bak\"\u003eHatta genel bakış\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-mermaid\"\u003eflowchart LR\n A([Kaynak\\nfs / git / image\\ns3 / gcs / slack]) --\u0026gt; B[İşçi Havuzu\\n—concurrency işçi]\n B --\u0026gt; C[Aho-Corasick\\nÖn-Filtre]\n C --\u0026gt; D[Regex\\nDedektörler]\n D --\u0026gt; E[Satır İçi İgnore\\nKontrolü]\n E --\u0026gt; F[Doğrulama\\nHavuzu\\n4 işçi / 10 rps]\n F --\u0026gt; G[Tarama Sonrası\\nFiltreler]\n G --\u0026gt; H([Çıktı\\njson / sarif\\ncsv / table])\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer aşama aşağıda ayrıntılı olarak açıklanmaktadır.\u003c/p\u003e\n\u003ch2 id=\"1-kaynak\"\u003e1. Kaynak\u003c/h2\u003e\n\u003cp\u003eHer tarama, motorun işlemesi için veri parçaları yayan bir soyutlama olan \u003cstrong\u003eKaynak\u003c/strong\u003e ile başlar. Leakwatch altı kaynak ile birlikte gelir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNe yayar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosya içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir OCI/Docker imajının katman içerikleri, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesne içerikleri\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanal ve DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar. Slack'e yüklenen dosyaların içerikleri taranmaz.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cp\u003eParçalar, işçi havuzu tarafından tüketilen tamponlu bir kanala akar.\u003c/p\u003e\n\u003ch2 id=\"2-i-havuzu\"\u003e2. İşçi havuzu\u003c/h2\u003e\n\u003cp\u003eMotor, sabit sayıda \u003cstrong\u003egoroutine\u003c/strong\u003e içeren bir havuz yönetir — her biri \u003ccode\u003e--concurrency\u003c/code\u003e değerine karşılık gelir (varsayılan: CPU sayısı). Her işçi kanaldan bir parça alır ve tespit hattını bağımsız olarak çalıştırır. İşçiler değişebilir durum paylaşmadığından havuz, I/O ve bellek sınırlarına kadar eşzamanlılıkla doğrusal ölçeklenir.\u003c/p\u003e\n\u003cp\u003eTaramalar \u003ccode\u003eSIGINT\u003c/code\u003e / \u003ccode\u003eSIGTERM\u003c/code\u003e'e yanıt verir: iptal sinyali geldiğinde bağlam iptal edilir, işçiler mevcut parçalarını tamamlayıp durur ve kısmi sonuçlar çıktı yazılmadan önce toplanır.\u003c/p\u003e\n\u003ch2 id=\"3-aho-corasick-anahtar-kelime-n-filtresi\"\u003e3. Aho-Corasick anahtar kelime ön-filtresi\u003c/h2\u003e\n\u003cp\u003eHer parça üzerinde 63 regex desenini çalıştırmak yavaş olur. Bunun yerine motor, başlangıçta her dedektörün bildirdiği anahtar kelime listelerinden tek bir \u003cstrong\u003eAho-Corasick çok-desenli otomat\u003c/strong\u003e oluşturur. Her parça için bu otomat tek bir doğrusal geçiş yapar ve yalnızca anahtar kelimeleri parçanın baytlarında görünen dedektörleri döndürür.\u003c/p\u003e\n\u003cp\u003eBu, çoğu dedektörün çoğu parça üzerinde regex'ini hiç çalıştırmadığı anlamına gelir. Anahtar kelime bildirmeyen dedektörler her zaman çalışır (ön filtreyi atlayarak doğrudan regex'e geçerler).\u003c/p\u003e\n\u003cp\u003eAho-Corasick uygulaması \u003ca href=\"https://github.com/cloudflare/ahocorasick\"\u003ecloudflare/ahocorasick\u003c/a\u003e kütüphanesinden gelmektedir.\u003c/p\u003e\n\u003ch2 id=\"4-regex-dedektrler\"\u003e4. Regex dedektörler\u003c/h2\u003e\n\u003cp\u003eKısa listeye alınan her dedektör, derlenmiş \u003cstrong\u003edüzenli ifadesini\u003c/strong\u003e parça baytları üzerinde çalıştırır. Bir desen eşleştiğinde dedektör şunları içeren bir \u003ccode\u003eRawFinding\u003c/code\u003e döndürür:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları (yalnızca doğrulama için bellekte tutulur; asla loglanmaz veya diske yazılmaz).\u003c/li\u003e\n\u003cli\u003eÇıktı için güvenli olan \u003cstrong\u003emaskelenmiş\u003c/strong\u003e bir gösterim.\u003c/li\u003e\n\u003cli\u003eİsteğe bağlı ek meta veri (örneğin bir AWS anahtarı için hesap kimliği).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch, 60 paket genelinde \u003cstrong\u003e63 yerleşik dedektör\u003c/strong\u003e ile birlikte gelir; bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını, sürüm kontrolünü ve daha fazlasını kapsar. \u003ca href=\"#/detectors/custom-rules\"\u003eÖzel YAML kuralları\u003c/a\u003e aracılığıyla kendi desenlerinizi ekleyebilirsiniz.\u003c/p\u003e\n\u003cp\u003eTüm dedektörler, Go'nun \u003ccode\u003einit()\u003c/code\u003e işlevi ve boş importlar kullanılarak derleme zamanında kaydedilir (ADR-0004). Çalışma zamanında eklenti yükleyici veya dinamik keşif yoktur.\u003c/p\u003e\n\u003ch2 id=\"5-satr-ii-ignore-kontrol\"\u003e5. Satır içi ignore kontrolü\u003c/h2\u003e\n\u003cp\u003eBir bulgu doğrulamaya gönderilmeden önce motor, kaynak satırın bir \u003cstrong\u003esatır içi ignore işareti\u003c/strong\u003e içerip içermediğini kontrol eder:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eveya dedektöre özgü bir varyant:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-go\"\u003e// leakwatch:ignore:aws-access-key-id\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİşaret mevcutsa bulgu, \u003cstrong\u003eherhangi bir ağ çağrısı yapılmadan önce\u003c/strong\u003e sessizce bırakılır. Bu kasıtlıdır: yoksayılan sırlar asla canlı bir API isteğini tetiklememeli.\u003c/p\u003e\n\u003ch2 id=\"6-dorulama\"\u003e6. Doğrulama\u003c/h2\u003e\n\u003cp\u003eTüm parçalar için tespit tamamlandıktan sonra motor, bulguları ayrı bir \u003cstrong\u003edoğrulama işçi havuzuna\u003c/strong\u003e geçirir (varsayılan 4 işçi). Doğrulama:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTüm işçiler arasında paylaşılan global bir \u003cstrong\u003ehız sınırlayıcı\u003c/strong\u003e (varsayılan saniyede 10 istek) ile korunur.\u003c/li\u003e\n\u003cli\u003eHer API çağrısına \u003cstrong\u003eistek başına zaman aşımı\u003c/strong\u003e (varsayılan 10 saniye) uygular.\u003c/li\u003e\n\u003cli\u003eSağlayıcıya yalnızca \u003cstrong\u003esalt-okunur, yıkıcı olmayan\u003c/strong\u003e çağrılar yapar (örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHer bulguyu dört durumdan biriyle işaretler: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eLeakwatch \u003cstrong\u003e54 doğrulayıcı\u003c/strong\u003e ile birlikte gelir; 63 yerleşik dedektör türünün %85,7'sini kapsar. Kalan 9 tür (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman \u003ccode\u003eunverified\u003c/code\u003e olarak raporlanır.\u003c/p\u003e\n\u003cp\u003eBu aşamayı tamamen atlamak için \u003ccode\u003e--no-verify\u003c/code\u003e geçirin — hızlı, çevrimdışı taramalar için kullanışlıdır.\u003c/p\u003e\n\u003cp\u003eDoğrulama davranışı ve durum anlamları hakkında derinlemesine bilgi için \u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"7-bulgu-kimlii-ve-entropi\"\u003e7. Bulgu kimliği ve entropi\u003c/h2\u003e\n\u003cp\u003eHer bulgu, şu şekilde hesaplanan \u003cstrong\u003edeterministik bir kimlik\u003c/strong\u003e alır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003esha256(dedektörID + maskelendi + dosyaYolu + satır) → 16 hex karaktere kısaltıldı\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAynı konumdaki aynı sır her zaman aynı kimliği üretir; bu da bulguları çalıştırmalar arasında yinelenenleri kaldırmayı veya sorun izleyicilerde takip etmeyi güvenli kılar.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eShannon entropisi\u003c/strong\u003e (aralık 0–8) her bulgu için hesaplanır ve bilgilendirme amacıyla çıktıda gösterilir. Motor düzeyinde entropi, yerleşik bulguları \u003cstrong\u003eengellemez veya düşürmez\u003c/strong\u003e — düşük entropili bir eşleşme yine de sonuçlarda görünür. Entropi eşikleri yalnızca özel kuralların içinde geçerlidir; her kural kendi minimumunu bildirebilir.\u003c/p\u003e\n\u003ch2 id=\"8-tarama-sonras-filtreler\"\u003e8. Tarama sonrası filtreler\u003c/h2\u003e\n\u003cp\u003eDoğrulamadan sonra iki filtre uygulanır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--only-verified\u003c/code\u003e — \u003ccode\u003everified:active\u003c/code\u003e olmayan tüm bulguları bırakır.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--min-severity\u003c/code\u003e — belirtilen önem düzeyinin (\u003ccode\u003elow\u003c/code\u003e | \u003ccode\u003emedium\u003c/code\u003e | \u003ccode\u003ehigh\u003c/code\u003e | \u003ccode\u003ecritical\u003c/code\u003e; varsayılan \u003ccode\u003elow\u003c/code\u003e) altındaki bulguları bırakır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHer iki filtre de doğrulama sonrasında çalışır; böylece \u003ccode\u003e--only-verified\u003c/code\u003e değerlendirildiğinde doğrulama durumu kullanılabilir olur.\u003c/p\u003e\n\u003ch2 id=\"9-kt\"\u003e9. Çıktı\u003c/h2\u003e\n\u003cp\u003eHayatta kalan bulgular dört \u003cstrong\u003ebiçimleyiciden\u003c/strong\u003e birine iletilir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBiçim\u003c/th\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eYaygın kullanım\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eJSON\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format json\u003c/code\u003e (varsayılan)\u003c/td\u003e\n\u003ctd\u003eMakine tarafından okunabilir, hat dostu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSARIF v2.1.0\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format sarif\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub Code Scanning, güvenlik panoları\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eCSV\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format csv\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eElektronik tablolar, veri analizi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eTablo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e--format table\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerminal incelemesi, önem derecesine göre renklendirilmiş\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eÇıktı varsayılan olarak stdout'a gider; bir dosyaya yazmak için \u003ccode\u003e--output \u0026lt;dosya\u0026gt;\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eBiçim veya çıktı hedefi ne olursa olsun, her taramadan sonra bir \u003cstrong\u003etarama özeti\u003c/strong\u003e (tarih, kaynak türü, hedef, taranan dosyalar, süre, bulgu sayısı, kesme durumu) her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır.\u003c/p\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eLeakwatch, bulunan sırların doğrulama çağrıları dışında süreç sınırını asla terk etmemesi için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHam sır baytları yalnızca tespit ve doğrulama sırasında bellekte yaşar.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--show-raw\u003c/code\u003e bayrağı varsayılan olarak \u003ccode\u003efalse\u003c/code\u003e'tur; bu olmadan çıktıda yalnızca maskelenmiş gösterim görünür.\u003c/li\u003e\n\u003cli\u003eSırlar asla diske yazılmaz, \u003ccode\u003eslog\u003c/code\u003e aracılığıyla loglanmaz veya çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tasarm-kararlar\"\u003eTasarım kararları\u003c/h2\u003e\n\u003cp\u003eMimari, ADR'ler olarak belgelenmiş çeşitli bilinçli seçimleri yansıtır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGo + CGO devre dışı\u003c/strong\u003e (ADR-0001) — tek statik ikili dosya, çalışma zamanı bağımlılığı yok, tüm platformlara çapraz derlenir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCobra + Viper\u003c/strong\u003e (ADR-0002) — \u003ccode\u003ebayrak \u0026gt; env \u0026gt; yapılandırma \u0026gt; varsayılan\u003c/code\u003e önceliğiyle hiyerarşik CLI.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-git\u003c/strong\u003e (ADR-0003) — saf Go Git kütüphanesi; harici \u003ccode\u003egit\u003c/code\u003e ikili dosyası gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDerleme zamanı dedektör kaydı\u003c/strong\u003e (ADR-0004) — \u003ccode\u003einit()\u003c/code\u003e + boş importlar; tür güvenli, çalışma zamanı eklenti yükleyicisi yok.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick hibrit eşleştirme\u003c/strong\u003e (ADR-0005) — ön filtre, alakasız parçalardaki regex çalışmasının çoğunu ortadan kaldırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ego-containerregistry\u003c/strong\u003e (ADR-0006) — daemonsuz katman analizi; imajları taramak için Docker daemon gerekmez.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eİşçi havuzu\u003c/strong\u003e (ADR-0008) — sabit goroutine sayısı, kanal tabanlı fan-out; öngörülebilir bellek ve CPU kullanımı.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/custom-rules\"\u003eÖzel Kurallar\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/installation":{"title":"Kurulum","description":"Leakwatch'ı Homebrew, go install, Docker veya hazır bir ikili dosya ile kurun.","html":"\u003ch1 id=\"kurulum\"\u003eKurulum\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ı makinenize kurmak bir dakikadan az sürer. İş akışınıza en uygun yöntemi seçin: Homebrew macOS ve Linux'ta en basit seçenektir, \u003ccode\u003ego install\u003c/code\u003e halihazırda bir Go araç zinciriniz varsa idealdir, Docker ana sisteminizi temiz tutar ve hazır ikili dosyalar herhangi bir araç zinciri gerektirmeden her yerde çalışır.\u003c/p\u003e\n\u003ch2 id=\"homebrew-macos-ve-linux\"\u003eHomebrew (macOS ve Linux)\u003c/h2\u003e\n\u003cp\u003eResmi tap, amd64 ve arm64 mimarilerinde macOS ve Linux'u destekler.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ebrew install HodeTech/tap/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTap, \u003ca href=\"https://github.com/HodeTech/homebrew-tap\"\u003egithub.com/HodeTech/homebrew-tap\u003c/a\u003e adresinde barındırılmaktadır. Homebrew ile yükseltmek için \u003ccode\u003ebrew upgrade leakwatch\u003c/code\u003e komutunu kullanın.\u003c/p\u003e\n\u003ch2 id=\"go-install\"\u003ego install\u003c/h2\u003e\n\u003cp\u003eGo 1.25 veya daha yeni bir sürümü yüklüyse, en son sürümü doğrudan kaynaktan derleyip kurabilirsiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ego install github.com/HodeTech/leakwatch@latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eİkili dosya \u003ccode\u003e$(go env GOPATH)/bin\u003c/code\u003e dizinine yerleştirilir. Bu dizinin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olduğundan emin olun.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003ego install\u003c/code\u003e her zaman en son etiketli sürümü getirir. Belirli bir sürüme sabitlemek için \u003ccode\u003e@latest\u003c/code\u003e yerine \u003ccode\u003e@v1.5.0\u003c/code\u003e gibi bir etiket kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"docker\"\u003eDocker\u003c/h2\u003e\n\u003cp\u003eMinimal, çok aşamalı bir Alpine imajı GitHub Container Registry'de yayımlanmaktadır. İmaj, root olmayan bir kullanıcı (\u003ccode\u003eleakwatch\u003c/code\u003e) olarak çalışır, CGO devre dışıdır ve çalışma dizini olarak \u003ccode\u003e/scan\u003c/code\u003e kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker run --rm \\\n -v \u0026quot;$(pwd):/scan\u0026quot; \\\n ghcr.io/hodetech/leakwatch:latest \\\n scan fs /scan\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKullanılabilir etiketler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eEtiket\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:latest\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEn son sürüm\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5.0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTam sürüm sabitleme\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e:v1.5\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKüçük sürüm sabitleme (yama sürümlerini takip eder)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTaramak istediğiniz dizini konteyner içindeki \u003ccode\u003e/scan\u003c/code\u003e dizinine bağlayın. Bayraklar ve seçenekler yerel ikili dosyayla tamamen aynı şekilde çalışır — tam liste için \u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eUzak Git depolarını tarama ve kimlik bilgilerini güvenli biçimde geçirme dahil Docker'a özgü kullanım kalıpları için \u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"hazr-ikili-dosya\"\u003eHazır ikili dosya\u003c/h2\u003e\n\u003cp\u003eHer sürüm, desteklenen tüm platformlar için \u003ca href=\"https://github.com/HodeTech/Leakwatch/releases\"\u003eGitHub Releases\u003c/a\u003e sayfasında tar arşivleri yayımlar. Platformunuza ait arşivi indirin, açın ve ikili dosyayı \u003ccode\u003ePATH\u003c/code\u003e değişkeninizdeki bir dizine taşıyın.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDesteklenen platformlar:\u003c/strong\u003e amd64 ve arm64 mimarilerinde Linux, macOS ve Windows.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Linux amd64 örneği — OS ve ARCH değerlerini platformunuza göre değiştirin\ncurl -LO https://github.com/HodeTech/Leakwatch/releases/latest/download/leakwatch_Linux_amd64.tar.gz\ntar -xzf leakwatch_Linux_amd64.tar.gz\nsudo mv leakwatch /usr/local/bin/leakwatch\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003ePlatform adlandırması \u003ccode\u003eleakwatch_\u0026lt;OS\u0026gt;_\u0026lt;ARCH\u0026gt;.tar.gz\u003c/code\u003e kalıbını izler; \u003ccode\u003e\u0026lt;OS\u0026gt;\u003c/code\u003e değeri \u003ccode\u003eLinux\u003c/code\u003e, \u003ccode\u003eDarwin\u003c/code\u003e veya \u003ccode\u003eWindows\u003c/code\u003e, \u003ccode\u003e\u0026lt;ARCH\u0026gt;\u003c/code\u003e değeri ise \u003ccode\u003eamd64\u003c/code\u003e veya \u003ccode\u003earm64\u003c/code\u003e olabilir.\u003c/p\u003e\n\u003ch2 id=\"kurulumu-dorulama\"\u003eKurulumu doğrulama\u003c/h2\u003e\n\u003cp\u003eHerhangi bir kurulum yönteminin ardından ikili dosyanın erişilebilir olduğunu doğrulayın ve sürümü kontrol edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeklenen çıktı:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut bulunamazsa kurulum dizininin \u003ccode\u003ePATH\u003c/code\u003e değişkeninde olup olmadığını kontrol edin.\u003c/p\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — Leakwatch taramasının arkasındaki mimari.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile tarama davranışını özelleştirin.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/docker-usage\"\u003eDocker Kullanımı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/introduction":{"title":"Tanıtım","description":"Leakwatch nedir, neyi tarar ve sızan sırları nasıl tespit edip doğrular.","html":"\u003ch1 id=\"tantm\"\u003eTanıtım\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLeakwatch\u003c/strong\u003e, sızan sırları — API anahtarları, token'lar, parolalar, bağlantı dizeleri ve özel anahtarlar — kod tabanlarınızda, Git geçmişinizde, konteyner imajlarınızda, bulut depolamanızda ve Slack çalışma alanlarınızda \u003cstrong\u003etespit eden, doğrulayan ve raporlayan\u003c/strong\u003e yüksek performanslı, açık kaynaklı (MIT) bir güvenlik aracıdır.\u003c/p\u003e\n\u003cp\u003eGo ile yazılmıştır, çalışma zamanı bağımlılığı olmayan tek bir statik ikili dosya olarak dağıtılır (\u003ccode\u003eCGO_ENABLED=0\u003c/code\u003e) ve her yerde çalışacak şekilde tasarlanmıştır: bir geliştirici dizüstü bilgisayarı, bir pre-commit kancası veya bir CI/CD hattı.\u003c/p\u003e\n\u003ch2 id=\"neden-leakwatch\"\u003eNeden Leakwatch\u003c/h2\u003e\n\u003cp\u003eTek bir commit'te sızan bir kimlik bilgisi — sonradan silinse bile — Git geçmişinde sonsuza dek erişilebilir kalabilir ve push edildikten dakikalar sonra istismar edilebilir. Leakwatch, bu sırları erken yakalamak ve hangilerinin \u003cem\u003egerçekten tehlikeli\u003c/em\u003e olduğunu söylemek için tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGeniş tespit\u003c/strong\u003e — bulut sağlayıcılarını, yapay zekâ API'lerini, ödeme platformlarını, veritabanlarını, mesajlaşma araçlarını ve daha fazlasını kapsayan 63 yerleşik dedektör; ayrıca kendi YAML özel kurallarınız.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eYalnızca tespit değil, doğrulama\u003c/strong\u003e — 54 dedektör türü için Leakwatch, bulunan bir sırrın \u003cem\u003ehâlâ etkin\u003c/em\u003e olup olmadığını sağlayıcıya kontrollü, salt-okunur bir çağrı yaparak teyit edebilir. Etkin olduğu doğrulanmış bir anahtar bir olaydır; etkin olmayan bir anahtar ise gürültüdür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eÇok sayıda kaynak\u003c/strong\u003e — yerel dosya sistemi, eksiksiz bir Git geçmişi, bir OCI/Docker imajı, AWS S3, Google Cloud Storage ve Slack mesajları.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCI-uyumlu çıktı\u003c/strong\u003e — JSON, SARIF (GitHub Code Scanning için), CSV ve renklendirilmiş terminal tablosu.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTasarımı gereği sır-güvenli\u003c/strong\u003e — bulunan sırlar varsayılan olarak maskelenir ve asla loglanmaz, önbelleğe alınmaz veya diske yazılmaz.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"neleri-tarar\"\u003eNeleri tarar\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKaynak\u003c/th\u003e\n\u003cth\u003eKomut\u003c/th\u003e\n\u003cth\u003eNeyi kapsar\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDosya sistemi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan fs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYerel bir dizin ağacındaki dosyalar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGit geçmişi\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan git\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm commit geçmişindeki her blob (yerel veya uzak)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eKonteyner imajı\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan image\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOCI/Docker imaj katmanları, daemonsuz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAWS S3\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan s3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir S3 kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Cloud Storage\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan gcs\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir GCS kovasındaki nesneler\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eSlack\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan slack\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKanallardaki ve (isteğe bağlı) DM'lerdeki mesaj metni\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇoklu depo\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eleakwatch scan repos\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAynı anda birden fazla Git deposu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"tespit-ksaca-nasl-alr\"\u003eTespit kısaca nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch, büyük girdilerde bile hızlı kalmak için katmanlı bir hat kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAho-Corasick anahtar kelime ön-filtresi\u003c/strong\u003e — tek bir çok-desenli otomat, bir parçayı hangi dedektörlerin eşleştirebileceğine hızla karar verir; böylece dedektörlerin çoğu regex'ini hiç çalıştırmaz.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegex doğrulaması\u003c/strong\u003e — yalnızca kısa listeye alınan dedektörler kesin desenlerini çalıştırır.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEntropi\u003c/strong\u003e — Shannon entropisi gösterim için hesaplanır (ve özel kurallar tarafından düşük rastgelelikteki eşleşmeleri elemek için kullanılır).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDoğrulama\u003c/strong\u003e — uygun bulgular canlı sağlayıcı API'sine karşı kontrol edilir.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch'ı kullanmak için bu hattı anlamanız gerekmez — ancak taramaların neden hızlı olduğunu ve bazı bulguların neden bir doğrulama durumu gösterirken bazılarının göstermediğini açıklar. Tam tablo için \u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"leakwatch-ne-deildir\"\u003eLeakwatch \u003cem\u003ene değildir\u003c/em\u003e\u003c/h2\u003e\n\u003cp\u003eBeklentileri doğru belirlemek için:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGit geçmişini yeniden yazmaz veya sırları sizin için \u003cstrong\u003ekaldırmaz\u003c/strong\u003e — onları bulup raporlar ve (\u003ccode\u003e--remediation\u003c/code\u003e ile) nasıl döndüreceğinizi söyler.\u003c/li\u003e\n\u003cli\u003eSlack taraması yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e kapsar; yüklenen dosyaların \u003cem\u003eiçeriğini\u003c/em\u003e taramak uygulanmamıştır.\u003c/li\u003e\n\u003cli\u003eDoğrulama, birçok sır türü için mevcuttur ancak hepsi için değil — 9 dedektör türü (JWT'ler ve genel API anahtarları gibi) güvenli biçimde doğrulanamaz ve her zaman doğrulanmamış olarak raporlanır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"sonraki-admlar\"\u003eSonraki adımlar\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e — Homebrew, \u003ccode\u003ego install\u003c/code\u003e, Docker veya hazır bir ikili dosya ile kurun.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e — taramanın arkasındaki mimari.\u003c/li\u003e\n\u003c/ul\u003e\n"},"getting-started/quick-start":{"title":"Hızlı Başlangıç","description":"İlk Leakwatch taramanızı bir dakikadan kısa sürede çalıştırın.","html":"\u003ch1 id=\"hzl-balang\"\u003eHızlı Başlangıç\u003c/h1\u003e\n\u003cp\u003eLeakwatch'ın neler yapabileceğini anlamanın en hızlı yolu, onu gerçek bir dizine yönlendirmektir. Bu sayfa ilk taramanızda size rehberlik eder, çıktının ne anlama geldiğini açıklar ve en sık kullanacağınız bayrakları gösterir.\u003c/p\u003e\n\u003ch2 id=\"n-koullar\"\u003eÖn koşullar\u003c/h2\u003e\n\u003cp\u003eLeakwatch kurulu ve \u003ccode\u003ePATH\u003c/code\u003e değişkeninizde erişilebilir olmalıdır. Henüz yapmadıysanız \u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"lk-taramanz\"\u003eİlk taramanız\u003c/h2\u003e\n\u003cp\u003eMevcut dizini tek bir komutla tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs .\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan olarak çıktı JSON biçiminde stdout'a yazılır. Bunun yerine okunabilir, renklendirilmiş bir tablo almak için \u003ccode\u003e--format table\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBir sonucun nasıl göründüğü aşağıdadır:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003e SEVERITY DETECTOR FILE LINE REDACTED STATUS\n─────────────────────────────────────────────────────────────────────────────────────────────\n CRITICAL aws-access-key-id config/deploy.env 12 AKIA••••••••••••EXAMPLE verified:active\n HIGH github-pat scripts/bootstrap.sh 37 ghp_•••••••••••••••••• verified:active\n MEDIUM generic-api-key src/services/analytics.js 89 sk-•••••••••••••••••••• unverified\n\n── Scan Summary ─────────────────────────────────\n Date: 2026-05-23 14:03:11\n Source: filesystem\n Target: /home/user/myproject\n Files scanned: 312\n Duration: 1.24s\n Findings: 3\n─────────────────────────────────────────────────\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTarama özeti her zaman \u003cstrong\u003estderr\u003c/strong\u003e'e yazdırılır; bu nedenle pipe veya yeniden yönlendirilen çıktıyla hiçbir zaman çakışmaz.\u003c/p\u003e\n\u003ch2 id=\"bulguyu-anlamak\"\u003eBulguyu anlamak\u003c/h2\u003e\n\u003cp\u003eTablodaki her satır (veya JSON'daki her nesne) bir bulguyu temsil eder. Temel alanlar şunlardır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSEVERITY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSır türünün ne kadar kritik olduğu: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDETECTOR\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşen dedektör — sır türünü tanımlar (örneğin \u003ccode\u003eaws-access-key-id\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFILE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın bulunduğu dosyanın tarama köküne göreli yolu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLINE\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eEşleşmenin satır numarası\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eREDACTED\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın maskelenmiş gösterimi — \u003ccode\u003e--show-raw\u003c/code\u003e ayarlanmadıkça ham değer hiçbir zaman gösterilmez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSTATUS\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulama sonucu: \u003ccode\u003everified:active\u003c/code\u003e, \u003ccode\u003everified:inactive\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e veya \u003ccode\u003everify:error\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003everified:active\u003c/code\u003e durumu, Leakwatch'ın sağlayıcıya salt-okunur bir API çağrısı yaparak sırrın hâlâ etkin olduğunu doğruladığı anlamına gelir. \u003cstrong\u003eHer \u003ccode\u003everified:active\u003c/code\u003e bulgusunu açık bir olay olarak değerlendirin.\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"yaygn-tarama-seenekleri\"\u003eYaygın tarama seçenekleri\u003c/h2\u003e\n\u003ch3 id=\"yalnzca-onaylanm-srlara-odaklann\"\u003eYalnızca onaylanmış sırlara odaklanın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu seçenek doğrulanmamış ve etkin olmayan bulguları gizler; yalnızca etkin olduğu onaylananları bırakır. Çok sayıda sonucunuz olduğunda önceliklendirme için kullanışlıdır.\u003c/p\u003e\n\u003ch3 id=\"hzl-evrimd-tarama-iin-a-dorulamasn-atlayn\"\u003eHızlı çevrimdışı tarama için ağ doğrulamasını atlayın\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDoğrulama tamamen atlanır — hiçbir giden ağ çağrısı yapılmaz. Sonuçlar daha hızlı görünür ve internet bağlantısı olmadan çalışır, ancak tüm bulgular \u003ccode\u003eunverified\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"dzeltme-klavuzu-ekleyin\"\u003eDüzeltme kılavuzu ekleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHer bulgu, söz konusu sır türünü nasıl döndüreceğinizi veya iptal edeceğinizi açıklayan bir \u003cstrong\u003eREMEDIATION\u003c/strong\u003e sütunu kazanır. Bayrak ayarlandığında aynı veriler JSON, SARIF ve CSV çıktısına da dahil edilir.\u003c/p\u003e\n\u003ch3 id=\"minimum-nem-derecesine-gre-filtreleyin\"\u003eMinimum önem derecesine göre filtreleyin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e önem derecesindeki bulgular raporlanır.\u003c/p\u003e\n\u003ch3 id=\"sonular-dosyaya-kaydedin\"\u003eSonuçları dosyaya kaydedin\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--output\u003c/code\u003e / \u003ccode\u003e-o\u003c/code\u003e bayrağı stdout yerine bir dosyaya yazar. SARIF çıktısı \u003ca href=\"https://docs.github.com/en/code-security/code-scanning\"\u003eGitHub Code Scanning\u003c/a\u003e ile uyumludur.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-dosyas-oluturma\"\u003eYapılandırma dosyası oluşturma\u003c/h2\u003e\n\u003cp\u003eİlk denemede varsayılanlarla çalıştırmak uygundur; ancak tekrarlayan kullanım için proje düzeyinde bir yapılandırma isteyeceksiniz:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut, eşzamanlılık, entropi, doğrulama, çıktı biçimi ve yaygın yol dışlamaları için önerilen varsayılanlarla mevcut dizine \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yazar. Mevcut bir dosyanın üzerine yazmak için \u003ccode\u003e--force\u003c/code\u003e, farklı bir yola yazmak için \u003ccode\u003e--output\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003cp\u003eHer seçeneğin tam açıklaması için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003cp\u003eLeakwatch, CI betiklerinin çıktıyı ayrıştırmadan sonuçlara göre hareket edebilmesi için farklı çıkış kodları kullanır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bulgu yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı — bir veya daha fazla sır bulundu\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama bir hata nedeniyle başarısız oldu\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eTipik bir CI kapısı şöyle görünür:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --only-verified --format sarif --output results.sarif\nif [ $? -eq 1 ]; then\n echo \u0026quot;Etkin sırlar bulundu — derleme başarısız\u0026quot;\n exit 1\nfi\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, etkin filtreleri geçen (\u003ccode\u003e--min-severity\u003c/code\u003e ve \u003ccode\u003e--only-verified\u003c/code\u003e dahil) \u003cem\u003eherhangi bir\u003c/em\u003e bulgu olduğunda döndürülür. Temiz çıkış kodu \u003ccode\u003e0\u003c/code\u003e, hiçbir bulgunun eşleşmediği anlamına gelir — kod tabanında sır olmadığı anlamına gelmez.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"taramay-iptal-etme\"\u003eTaramayı iptal etme\u003c/h2\u003e\n\u003cp\u003eÇalışan bir taramayı iptal etmek için \u003ccode\u003eCtrl+C\u003c/code\u003e tuşuna basın (veya \u003ccode\u003eSIGTERM\u003c/code\u003e gönderin). Leakwatch düzgün biçimde durur: işlemdeki parçalar tamamlanır, kısmi sonuçlar yazılır ve özet \u003ccode\u003eStatus: interrupted (partial results)\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/installation\"\u003eKurulum\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/how-it-works\"\u003eNasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/output-formats":{"title":"Çıktı Formatları","description":"Leakwatch'ın desteklediği dört çıktı formatı — JSON, SARIF, CSV ve tablo — örnekler ve her birini ne zaman kullanacağınıza dair rehberlik.","html":"\u003ch1 id=\"kt-formatlar\"\u003eÇıktı Formatları\u003c/h1\u003e\n\u003cp\u003eLeakwatch dört çıktı formatını destekler: makine tarafından okunabilir hatlar, güvenlik araç entegrasyonları, elektronik tablo dışa aktarmaları ve insan tarafından okunabilir terminal incelemesi. \u003ccode\u003e--format\u003c/code\u003e (veya \u003ccode\u003e-f\u003c/code\u003e) ile bir format seçin; stdout yerine bir dosyaya yazmak için \u003ccode\u003e--output\u003c/code\u003e (veya \u003ccode\u003e-o\u003c/code\u003e) kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format json\nleakwatch scan fs . --format sarif --output results.sarif\nleakwatch scan fs . --format csv --output findings.csv\nleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eVarsayılan format \u003ccode\u003ejson\u003c/code\u003e'dur.\u003c/p\u003e\n\u003ch2 id=\"json\"\u003eJSON\u003c/h2\u003e\n\u003cp\u003eJSON varsayılan format ve en eksiksiz temsil biçimidir. Leakwatch, stdout'a (veya \u003ccode\u003e--output\u003c/code\u003e ile verilen dosyaya) bulgu nesnelerinden oluşan bir JSON \u003cstrong\u003edizisi\u003c/strong\u003e yazar.\u003c/p\u003e\n\u003cp\u003eHam sır değeri, \u003ccode\u003e--show-raw\u003c/code\u003e açıkça ayarlanmadıkça \u003cstrong\u003ehiçbir zaman\u003c/strong\u003e serileştirilmez. \u003ccode\u003e--show-raw\u003c/code\u003e ile her nesneye bir \u003ccode\u003e\u0026quot;raw\u0026quot;\u003c/code\u003e alanı eklenir.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs ./src --format json --output findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-bulgu-nesnesi\"\u003eÖrnek bulgu nesnesi\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--remediation\u003c/code\u003e de ayarlandığında her bulgunun içine iç içe bir \u003ccode\u003e\u0026quot;remediation\u0026quot;\u003c/code\u003e nesnesi yerleştirilir. Bkz. \u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"sarif\"\u003eSARIF\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003esarif\u003c/code\u003e formatı, \u003ca href=\"https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github\"\u003eGitHub Code Scanning\u003c/a\u003e'e yüklenmek üzere tasarlanmış bir SARIF v2.1.0 belgesi üretir. Araç adı \u003ccode\u003eLeakwatch\u003c/code\u003e'tır ve \u003ccode\u003einformationUri\u003c/code\u003e \u003ccode\u003ehttps://github.com/HodeTech/Leakwatch\u003c/code\u003e adresine işaret eder.\u003c/p\u003e\n\u003cp\u003eBulgularda görünen her dedektör, SARIF sürücüsünde bir \u003cstrong\u003ekural\u003c/strong\u003e haline gelir; \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme adımlarından doldurulan \u003ccode\u003ehelp\u003c/code\u003e metni ve sağlayıcı belgelerine işaret eden bir \u003ccode\u003ehelpUri\u003c/code\u003e ile birlikte. Sonuçlar, dedektör ID'si, maskelenmiş değer ve dosya yolundan hesaplanan bir \u003ccode\u003eleakwatch/v1\u003c/code\u003e kısmi parmak izi taşır — bu, çevresindeki kod kaydığında bile GitHub Code Scanning'in aynı uyarıyı takip etmesini sağlar.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-1\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"github-code-scanninge-ykleme\"\u003eGitHub Code Scanning'e yükleme\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003e# Bir GitHub Actions iş akışı adımında:\n- name: SARIF sonuçlarını yükle\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam CI kurulumu için \u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e bölümüne bakın.\u003c/p\u003e\n\u003ch2 id=\"csv\"\u003eCSV\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003ecsv\u003c/code\u003e formatı, bir başlık satırı ve ardından bulgu başına bir satır yazar; standart virgülle ayrılmış değerler kullanır. Her hücre yazılmadan önce elektronik tablo formül enjeksiyonuna karşı sterilize edilir.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar (varsayılan):\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eraw\u003c/code\u003e sütunu eklenir.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003eremediation\u003c/code\u003e sütunu, \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında düzeltme başlığını (örn. \u003ccode\u003e\u0026quot;Revoke GitHub Token\u0026quot;\u003c/code\u003e) içerir, aksi hâlde boş kalır.\u003c/p\u003e\n\u003ch3 id=\"rnek-ar-2\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format csv --output findings.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-csv\"\u003eid,detector_id,severity,redacted,file_path,commit,verification_status,remediation\na3f9c12d-...,github-token,critical,ghp_****Xk9R,scripts/deploy.sh,7d3e1f2,verified_active,Revoke GitHub Token\nb7d2e45a-...,aws-access-key-id,high,AKIA****K7NP,config/aws.yml,7d3e1f2,unverified,Rotate AWS Access Key\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tablo\"\u003eTablo\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003etable\u003c/code\u003e formatı, insan tarafından okunabilir sekme hizalı bir tablo yazar; sonuçların hızlı görsel taramasını istediğiniz etkileşimli terminal oturumları için en uygun formattır.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSütunlar:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY | DETECTOR | FILE | REDACTED | STATUS | REMEDIATION\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e--show-raw\u003c/code\u003e ayarlandığında, sona bir \u003ccode\u003eRAW\u003c/code\u003e sütunu eklenir. Tablonun altına bir özet satırı yazdırılır (örn. \u003ccode\u003eFound 3 secrets (1 critical, 2 high).\u003c/code\u003e).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eANSI rengi\u003c/strong\u003e, \u003ccode\u003eSEVERITY\u003c/code\u003e sütununa otomatik olarak uygulanır, ancak yalnızca dört koşulun tamamı sağlandığında:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003ccode\u003e--format table\u003c/code\u003e seçilmiş\u003c/li\u003e\n\u003cli\u003eÇıktı stdout'a gidiyor (\u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e yok)\u003c/li\u003e\n\u003cli\u003estdout bir TTY (pipe veya yönlendirme değil)\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e ortam değişkeni ayarlanmamış\u003c/li\u003e\n\u003c/ol\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eÖnem derecesi\u003c/th\u003e\n\u003cth\u003eRenk\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecritical\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKalın kırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKırmızı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emedium\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSarı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMavi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"rnek-ar-3\"\u003eÖrnek çağrı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table --min-severity high\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"rnek-kt-1\"\u003eÖrnek çıktı\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\nHIGH aws-access-key-id config/aws.yml AKIA****K7NP unverified Rotate AWS Access Key\n\nFound 2 secrets (1 critical, 1 high).\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yaygn-kt-bayraklar\"\u003eYaygın çıktı bayrakları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı formatı: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e (varsayılan \u003ccode\u003ejson\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout yerine dosyaya yaz\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya maskelenmemiş sır değerini dahil et\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBu önem seviyesinin altındaki bulguları bırak\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca \u003ccode\u003everified_active\u003c/code\u003e bulgularını tut\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003ctd\u003eBulguları sağlayıcı düzeltme rehberiyle zenginleştir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/remediation\"\u003eDüzeltme Rehberi\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"output/remediation":{"title":"Düzeltme Rehberi","description":"Bulguları sağlayıcıya özgü döndürme ve iptal adımları, aciliyet dereceleri ve resmi dokümantasyon bağlantılarıyla zenginleştirmek için --remediation kullanın.","html":"\u003ch1 id=\"dzeltme-rehberi\"\u003eDüzeltme Rehberi\u003c/h1\u003e\n\u003cp\u003eBir sırrın sızdığını bilmek işin yalnızca yarısıdır — ayrıca ne yapacağınızı da bilmeniz gerekir. Herhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e eklemek, her bulguyu yapılandırılmış, sağlayıcıya özgü rehberlikle zenginleştirir: kimlik bilgisini döndürme veya iptal etme adımları, sağlayıcının belgelerine bağlantı, yönetim konsoluna bağlantı, aciliyet derecelendirmesi ve bir doğrulama kontrol listesi.\u003c/p\u003e\n\u003ch2 id=\"nasl-etkinletirilir\"\u003eNasıl etkinleştirilir\u003c/h2\u003e\n\u003cp\u003eHerhangi bir tarama komutuna \u003ccode\u003e--remediation\u003c/code\u003e ekleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation\nleakwatch scan git . --remediation --format json\nleakwatch scan image myapp:latest --remediation --format sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDüzeltme zenginleştirmesi varsayılan olarak devre dışıdır. Bayrak yoksa, her bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı \u003ccode\u003enull\u003c/code\u003e olur ve fazladan veri alınmaz veya hesaplanmaz.\u003c/p\u003e\n\u003ch2 id=\"ne-ierir\"\u003eNe içerir\u003c/h2\u003e\n\u003cp\u003eHer düzeltme girişi aşağıdaki alanları içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etitle\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDüzeltme eyleminin kısa adı (örn. \u003ccode\u003e\u0026quot;Rotate AWS Access Key\u0026quot;\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esteps\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrı döndürmek veya iptal etmek için sıralı adımlar listesi\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoc_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının resmi kimlik bilgisi yönetimi belgelerine bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003econsole_url\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcının yönetim konsolu sayfasına doğrudan bağlantı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eurgency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNe kadar hızlı harekete geçileceği: \u003ccode\u003e\u0026quot;immediate\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;high\u0026quot;\u003c/code\u003e veya \u003ccode\u003e\u0026quot;medium\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echecklist\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDöndürme sonrası doğrulama adımları (örn. denetim günlüklerini inceleyin, güvenlik ekibini bilgilendirin)\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eLeakwatch, her yerleşik dedektör için bir tane olmak üzere 63 düzeltme girişiyle birlikte gelir. 63 girişin tamamı ikili dosyaya dahildir; rehberliği almak için herhangi bir ağ çağrısı yapılmaz. Bu, çevrimdışı ortamlarda veya hava boşluklu ağlarda bile düzeltme rehberliğinin sorunsuz çalışması anlamına gelir.\u003c/p\u003e\n\u003ch2 id=\"her-formatta-nasl-grnr\"\u003eHer formatta nasıl görünür\u003c/h2\u003e\n\u003cp\u003eZenginleştirme, rehberliği bellekteki bulgu nesnesine ekler. Nasıl göründüğü çıktı formatına bağlıdır:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eJSON\u003c/strong\u003e — tam yapılandırılmış \u003ccode\u003eremediation\u003c/code\u003e nesnesi her bulgunun içine yerleştirilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\n \u0026quot;id\u0026quot;: \u0026quot;a3f9c12d-8e4b-4c7a-9f2e-1b5d3a7c9e0f\u0026quot;,\n \u0026quot;detector_id\u0026quot;: \u0026quot;github-token\u0026quot;,\n \u0026quot;severity\u0026quot;: \u0026quot;critical\u0026quot;,\n \u0026quot;redacted\u0026quot;: \u0026quot;ghp_****************************Xk9R\u0026quot;,\n \u0026quot;source\u0026quot;: {\n \u0026quot;source_type\u0026quot;: \u0026quot;filesystem\u0026quot;,\n \u0026quot;file_path\u0026quot;: \u0026quot;scripts/deploy.sh\u0026quot;,\n \u0026quot;line\u0026quot;: 14\n },\n \u0026quot;verification\u0026quot;: {\n \u0026quot;status\u0026quot;: \u0026quot;verified_active\u0026quot;\n },\n \u0026quot;remediation\u0026quot;: {\n \u0026quot;title\u0026quot;: \u0026quot;Revoke GitHub Token\u0026quot;,\n \u0026quot;steps\u0026quot;: [\n \u0026quot;Go to GitHub Settings \u0026gt; Developer settings \u0026gt; Personal access tokens.\u0026quot;,\n \u0026quot;Revoke the compromised token immediately.\u0026quot;,\n \u0026quot;Create a new token with the minimum required scopes.\u0026quot;,\n \u0026quot;Update all integrations and CI/CD pipelines with the new token.\u0026quot;\n ],\n \u0026quot;doc_url\u0026quot;: \u0026quot;https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\u0026quot;,\n \u0026quot;console_url\u0026quot;: \u0026quot;https://github.com/settings/tokens\u0026quot;,\n \u0026quot;urgency\u0026quot;: \u0026quot;immediate\u0026quot;,\n \u0026quot;checklist\u0026quot;: [\n \u0026quot;Review the GitHub audit log for unauthorized actions performed with the token.\u0026quot;,\n \u0026quot;Check repository and organization settings for unexpected changes.\u0026quot;,\n \u0026quot;Notify the security team about the exposure.\u0026quot;,\n \u0026quot;Scan for other repositories that may contain the same token.\u0026quot;\n ]\n },\n \u0026quot;entropy\u0026quot;: 5.82,\n \u0026quot;detected_at\u0026quot;: \u0026quot;2026-05-23T10:15:30Z\u0026quot;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSARIF\u003c/strong\u003e — \u003ccode\u003esteps\u003c/code\u003e alanları, kuralın \u003ccode\u003ehelp.text\u003c/code\u003e alanına yerleştirilir ve \u003ccode\u003edoc_url\u003c/code\u003e, kuralın \u003ccode\u003ehelpUri\u003c/code\u003e'si olarak ayarlanır. Bu, GitHub Code Scanning'in uyarı ayrıntıları panelinde doğrudan görünür.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eCSV\u003c/strong\u003e — yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı \u003ccode\u003eremediation\u003c/code\u003e sütununa yazılır. Tam yapılandırılmış rehberlik CSV çıktısına dahil edilmez.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eTablo\u003c/strong\u003e — \u003ccode\u003eREMEDIATION\u003c/code\u003e sütununda yalnızca düzeltme \u003ccode\u003etitle\u003c/code\u003e'ı gösterilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eSEVERITY DETECTOR FILE REDACTED STATUS REMEDIATION\n-------- -------- ---- -------- ------ -----------\nCRITICAL github-token scripts/deploy.sh ghp_****Xk9R verified_active Revoke GitHub Token\n\nFound 1 secret (1 critical).\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eOtomatik olay müdahale iş akışları için tam yapılandırılmış rehberliğe ihtiyaç duyduğunuzda \u003ccode\u003e--remediation --format json\u003c/code\u003e kullanın. Terminalde hızlı, insan tarafından okunabilir bir önceliklendirme oturumu için \u003ccode\u003e--remediation --format table\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eZenginleştirme yalnızca \u003ccode\u003e--remediation\u003c/code\u003e ayarlandığında çalışır. Bayrak olmadan, \u003ccode\u003eremediation\u003c/code\u003e alanı JSON ve SARIF çıktısında yoktur ve CSV ile tablo \u003ccode\u003eremediation\u003c/code\u003e sütunları boştur. Bayrak, orijinal tarama sonuçlarını değiştirmez — bunların üzerine bir katman ekler.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"zel-kurallar-ve-dzeltme\"\u003eÖzel kurallar ve düzeltme\u003c/h2\u003e\n\u003cp\u003eÖzel kural tanımları bir \u003ccode\u003eremediation\u003c/code\u003e bloğunu desteklemez — düzeltme rehberliği yalnızca yerleşik dedektörler için mevcuttur. Özel bir kural tarafından tetiklenen bulgu için \u003ccode\u003e--remediation\u003c/code\u003e bayrağı geçildiğinde, o bulgunun \u003ccode\u003eremediation\u003c/code\u003e alanı boş kalır; diğer alanlar etkilenmez.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/cli-reference":{"title":"CLI Başvurusu","description":"Her Leakwatch komutu, alt komutu ve bayrağı için tam başvuru kaynağı.","html":"\u003ch1 id=\"cli-bavurusu\"\u003eCLI Başvurusu\u003c/h1\u003e\n\u003cp\u003eBu sayfa, tüm Leakwatch komutları ve bayrakları için yetkili başvuru kaynağıdır. Kavramsal açıklamalar ve çalışma örnekleri için ilgili tarama veya yapılandırma sayfalarındaki çapraz bağlantıları takip edin.\u003c/p\u003e\n\u003ch2 id=\"global-bayraklar\"\u003eGlobal bayraklar\u003c/h2\u003e\n\u003cp\u003eBu bayraklar her komut ve alt komut üzerinde kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--config \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOtomatik olarak bulunan \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasının yolu. Atlandığında Leakwatch, geçerli dizinde ve üst dizinlerinde \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e arar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--log-level \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ewarn\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGünlük ayrıntı düzeyi: \u003ccode\u003edebug\u003c/code\u003e, \u003ccode\u003einfo\u003c/code\u003e, \u003ccode\u003ewarn\u003c/code\u003e veya \u003ccode\u003eerror\u003c/code\u003e. Günlük çıktısı stderr'e gider ve tarama sonuçlarını etkilemez.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"leakwatch-version\"\u003e\u003ccode\u003eleakwatch version\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eİkili dosya sürümünü, commit karmasını ve derleme zaman damgasını yazdırır, ardından çıkar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch version\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eleakwatch v1.5.0 (commit: a3f9c12, built: 2026-05-10T08:22:00Z)\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-init\"\u003e\u003ccode\u003eleakwatch init\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eGeçerli dizinde önerilen varsayılanlarla bir \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e yapılandırma dosyası oluşturur.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch init [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYapılandırma dosyasını varsayılan yerine bu yola yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--force\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMevcut bir yapılandırma dosyasının üzerine yaz. Bu bayrak olmadan, çıktı dosyası zaten mevcutsa \u003ccode\u003einit\u003c/code\u003e hatayla çıkar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Varsayılan yapılandırmayı oluştur\nleakwatch init\n\n# Mevcut yapılandırmanın üzerine yaz\nleakwatch init --force\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"leakwatch-scan\"\u003e\u003ccode\u003eleakwatch scan\u003c/code\u003e\u003c/h2\u003e\n\u003cp\u003eTüm tarama alt komutları için üst komut. Kendi başına davranışı yoktur; bir alt komut çalıştırın.\u003c/p\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003cp\u003eAşağıdaki bayraklar \u003cstrong\u003etüm\u003c/strong\u003e \u003ccode\u003escan\u003c/code\u003e alt komutlarında kullanılabilir.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosya yoluna yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu bayt sayısından büyük dosyaları veya blob'ları atla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya ham (maskelenmemiş) sır değerini dahil et. Dikkatli kullanın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı sır doğrulamasını devre dışı bırak. Giden API çağrısı yapılmaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca canlı doğrulama ile etkin olduğu teyit edilen bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıya dahil edilecek minimum önem derecesi: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e veya \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi (dönüşüm/iptal adımları) ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-fs\"\u003e\u003ccode\u003escan fs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel bir dizin ağacını tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path] [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e varsayılan olarak \u003ccode\u003e.\u003c/code\u003e'dır. En fazla bir konumsal argüman kabul eder.\u003c/p\u003e\n\u003ch4 id=\"dosya-sistemine-zg-bayraklar\"\u003eDosya sistemine özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude \u0026lt;kalıp\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob kalıbı. Tekrarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara, renklendirilmiş tablo yazdır\nleakwatch scan fs . --format table\n\n# SARIF çıktısını kaydet, test dosyalarını ve vendor'ı dışla\nleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-git\"\u003e\u003ccode\u003escan git\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eYerel veya uzak bir Git deposunun tam commit geçmişini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir: yerel bir yol veya HTTP/HTTPS/SSH URL'si.\u003c/p\u003e\n\u003ch4 id=\"gite-zg-bayraklar\"\u003eGit'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit \u0026lt;hash\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit karmasından HEAD'e kadar olan değişiklikleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch \u0026lt;ad\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan dal yerine belirli bir dalı hedefle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003eUzak depolar için sığ klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi getirir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-1\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tam yerel geçmişi tara\nleakwatch scan git . --format table\n\n# Bir pull request tarafından eklenen commit'leri tara\nleakwatch scan git . --since-commit a1b2c3d --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-image\"\u003e\u003ccode\u003escan image\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir OCI/Docker imajının katmanlarını sırlar açısından tarar. Leakwatch daemonsuz çalışır ve kayıt defterinden doğrudan çeker — Docker soketi gerekmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"rnekler-2\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Genel bir imajı tara\nleakwatch scan image nginx:latest --format table\n\n# Özel kayıt defteri imajını tara, JSON çıktısını kaydet\nleakwatch scan image registry.example.com/my-app:v2.3.0 \\\n --format json \\\n --output image-results.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-s3\"\u003e\u003ccode\u003escan s3\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir AWS S3 kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, anahtarı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi. \u003ccode\u003eAWS_REGION\u003c/code\u003e ortam değişkenine veya AWS SDK varsayılanına geri döner.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-3\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm kovayı tara\nleakwatch scan s3 my-data-bucket --region us-east-1 --format table\n\n# Belirli bir ön eki tara\nleakwatch scan s3 my-data-bucket --prefix backups/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-gcs\"\u003e\u003ccode\u003escan gcs\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Google Cloud Storage kovasındaki nesneleri tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;kova\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTam olarak bir konumsal argüman gereklidir.\u003c/p\u003e\n\u003ch4 id=\"gcsye-zg-bayraklar\"\u003eGCS'ye özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaramayı, adı bu ön ekle başlayan nesnelerle sınırla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği. Varsayılan kimlik bilgilerinden proje çıkarılamadığında gereklidir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-4\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Tüm GCS kovasını tara\nleakwatch scan gcs my-gcs-bucket --project my-gcp-project --format table\n\n# Ön ek tara\nleakwatch scan gcs my-gcs-bucket --prefix uploads/2026/ --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-slack\"\u003e\u003ccode\u003escan slack\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBir Slack çalışma alanındaki mesaj metnini tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKonumsal argüman yoktur.\u003c/p\u003e\n\u003ch4 id=\"slacke-zg-bayraklar\"\u003eSlack'e özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token \u0026lt;string\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack bot token'ı. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni ile de ayarlanabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adları veya kimliklerinin virgülle ayrılmış listesi. Atlandığında erişilebilir tüm kanalları tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels \u0026lt;liste\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adları veya kimliklerinin virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since \u0026lt;YYYY-MM-DD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonra gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları dahil et (ek OAuth kapsamları gerektirir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;int\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-5\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Erişilebilir tüm kanalları tara\nleakwatch scan slack --token xoxb-••••••••••••-••••••••••••-•••••••••••••••••••••••• --format table\n\n# Belirli kanalları belirli bir tarihten itibaren tara\nleakwatch scan slack \\\n --token xoxb-••••••••••••-••••••••••••-••••••••••••••••••••••••• \\\n --channels general,engineering \\\n --since 2026-01-01 \\\n --format json\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch3 id=\"scan-repos\"\u003e\u003ccode\u003escan repos\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003eBirden fazla Git deposunu paralel olarak tarar.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url_or_path...\u0026gt; [bayraklar]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eEn az iki konumsal argüman (depo URL'leri veya yerel yollar) gereklidir.\u003c/p\u003e\n\u003ch4 id=\"reposa-zg-bayraklar\"\u003eRepos'a özgü bayraklar\u003c/h4\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eHer depo taramasındaki çalışan eşzamanlılığı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch4 id=\"rnekler-6\"\u003eÖrnekler\u003c/h4\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki depoyu paralel olarak tara\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n --format json\n\n# Büyük bir depo seti için paralellizmi artır\nleakwatch scan repos \\\n https://github.com/org/repo-a.git \\\n https://github.com/org/repo-b.git \\\n https://github.com/org/repo-c.git \\\n --parallel 3 \\\n --format sarif \\\n --output multi-repo.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/reference/exit-codes\"\u003eÇıkış Kodları\u003c/a\u003e — çıkış kodlarının tarama sonuçlarıyla nasıl eşleştiği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/environment-variables\"\u003eOrtam Değişkenleri\u003c/a\u003e — Leakwatch'ı bayrak kullanmadan yapılandırma.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi Taraması\u003c/a\u003e — ayrıntılı \u003ccode\u003escan fs\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — ayrıntılı \u003ccode\u003escan git\u003c/code\u003e rehberi.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/environment-variables":{"title":"Ortam Değişkenleri","description":"Leakwatch davranışını bayrak kullanmadan yapılandıran ortam değişkenleri.","html":"\u003ch1 id=\"ortam-deikenleri\"\u003eOrtam Değişkenleri\u003c/h1\u003e\n\u003cp\u003eLeakwatch, yapılandırmayı öncelik sırasına göre üç kaynaktan okur: \u003cstrong\u003ekomut satırı bayrakları\u003c/strong\u003e, \u003cstrong\u003eortam değişkenlerini\u003c/strong\u003e geçersiz kılar; ortam değişkenleri \u003cstrong\u003eyapılandırma dosyasını\u003c/strong\u003e (\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e) geçersiz kılar; yapılandırma dosyası yerleşik \u003cstrong\u003evarsayılanlara\u003c/strong\u003e geri döner. Ortam değişkenleri, bir yapılandırma dosyasını değiştiremeyeceğiniz veya her çağrıya bayrak geçiremeyeceğiniz CI ortamlarında kullanışlıdır.\u003c/p\u003e\n\u003ch2 id=\"yaplandrma-deikeni-kalb\"\u003eYapılandırma değişkeni kalıbı\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e'daki herhangi bir anahtar, ortam değişkeni olarak şu şekilde ayarlanabilir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAnahtar adını büyük harfe çevir.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e.\u003c/code\u003e ve \u003ccode\u003e-\u003c/code\u003e karakterlerini \u003ccode\u003e_\u003c/code\u003e ile değiştir.\u003c/li\u003e\n\u003cli\u003eBaşına \u003ccode\u003eLEAKWATCH_\u003c/code\u003e ekle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eÖrneğin, \u003ccode\u003escan.concurrency\u003c/code\u003e yapılandırma anahtarı \u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"deiken-bavurusu\"\u003eDeğişken başvurusu\u003c/h2\u003e\n\u003ch3 id=\"leakwatcha-zg-deikenler\"\u003eLeakwatch'a özgü değişkenler\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003escan slack\u003c/code\u003e için Slack bot token'ı. \u003ccode\u003e--token\u003c/code\u003e'a eşdeğer. Token'ın kabuk geçmişinde veya CI günlüklerinde görünmesini önlemek için bayrak olarak geçirmek yerine bunu ayarlayın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_SCAN_CONCURRENCY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı tarama çalışanı sayısı. \u003ccode\u003e--concurrency\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_ENABLED\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCanlı doğrulamayı genel olarak devre dışı bırakmak için \u003ccode\u003efalse\u003c/code\u003e olarak ayarlayın. \u003ccode\u003e--no-verify\u003c/code\u003e'e eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_VERIFICATION_RATE_LIMIT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm doğrulayıcılar genelinde saniye başına maksimum doğrulama isteği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan çıktı biçimi (\u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e veya \u003ccode\u003etable\u003c/code\u003e). \u003ccode\u003e--format\u003c/code\u003e'a eşdeğer.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eLEAKWATCH_DETECTION_ENTROPY_THRESHOLD\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir eşleşmenin raporlanması için gereken minimum Shannon entropisi. Float değer, örn. \u003ccode\u003e3.5\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"grntleme-deikeni\"\u003eGörüntüleme değişkeni\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eNO_COLOR\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBoş olmayan herhangi bir değere ayarlandığında, \u003ccode\u003etable\u003c/code\u003e çıktı biçimlendiricisindeki ANSI renk kodlarını devre dışı bırakır. \u003ca href=\"https://no-color.org\"\u003eno-color.org\u003c/a\u003e kuralını izler.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"aws-deikenleri-scan-s3-ve-aws-sr-dorulamas-iin\"\u003eAWS değişkenleri (\u003ccode\u003escan s3\u003c/code\u003e ve AWS sır doğrulaması için)\u003c/h3\u003e\n\u003cp\u003eBunlar standart AWS SDK ortam değişkenleridir. Leakwatch bunları AWS SDK v2 varsayılan kimlik bilgisi zincirine aktarır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS erişim anahtarı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS gizli erişim anahtarı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS oturum token'ı (geçici kimlik bilgileri için).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_REGION\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVarsayılan AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eAWS_PROFILE\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKullanılacak \u003ccode\u003e~/.aws/credentials\u003c/code\u003e dosyasından adlandırılmış profil.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-deikeni-scan-gcs-iin\"\u003eGCS değişkeni (\u003ccode\u003escan gcs\u003c/code\u003e için)\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDeğişken\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGoogle hizmet hesabı JSON anahtar dosyasının yolu. Bir GCS kovasını tararken Uygulama Varsayılan Kimlik Bilgileri tarafından kullanılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ncelik-rnei\"\u003eÖncelik örneği\u003c/h2\u003e\n\u003cp\u003eŞu kurulumu varsayın:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e, \u003ccode\u003eoutput.format: table\u003c/code\u003e olarak ayarlıyor\u003c/li\u003e\n\u003cli\u003eOrtamda \u003ccode\u003eLEAKWATCH_OUTPUT_FORMAT=json\u003c/code\u003e ayarlanmış\u003c/li\u003e\n\u003cli\u003eKomut \u003ccode\u003eleakwatch scan fs .\u003c/code\u003e olarak çalıştırılıyor (\u003ccode\u003e--format\u003c/code\u003e bayrağı yok)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOrtam değişkeni yapılandırma dosyasını geçersiz kıldığından geçerli biçim \u003ccode\u003ejson\u003c/code\u003e'dır.\u003c/p\u003e\n\u003cp\u003eKomut \u003ccode\u003eleakwatch scan fs . --format sarif\u003c/code\u003e olarak çalıştırılırsa, bayrak her şeyi geçersiz kıldığından geçerli biçim \u003ccode\u003esarif\u003c/code\u003e olur.\u003c/p\u003e\n\u003ch2 id=\"dorulama-kimlik-bilgileri-ve-tarama-kimlik-bilgileri\"\u003eDoğrulama kimlik bilgileri ve tarama kimlik bilgileri\u003c/h2\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYukarıdaki AWS ve GCP değişkenleri, Leakwatch'ın \u003cstrong\u003ekendisinin\u003c/strong\u003e nesneleri taramak için S3 veya GCS'ye bağlanırken kimliğini doğrulaması için kullanılır. Bulunan sırları doğrulamak için kullanılmazlar. Keşfedilen bir AWS anahtarının doğrulanması, örneğin, runner'ın kimlik bilgilerini değil, keşfedilen anahtarın kendisini kullanarak AWS STS'yi çağırır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"cida-srlar-gvenli-biimde-geirme\"\u003eCI'da sırları güvenli biçimde geçirme\u003c/h2\u003e\n\u003cp\u003eGitHub Actions'ta şifrelenmiş sırları kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eenv:\n LEAKWATCH_SLACK_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGitLab CI'da maskelenmiş CI/CD değişkenlerini kullanın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003evariables:\n LEAKWATCH_SLACK_TOKEN: $SLACK_BOT_TOKEN # proje ayarlarında maskelenmiş değişken olarak tanımlanmış\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eToken değerlerini hiçbir zaman iş akışı dosyalarına veya Dockerfile'lara sabit olarak kodlamayın.\u003c/p\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tam \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e anahtar başvurusu.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/cloud-storage\"\u003eBulut Depolama Taraması\u003c/a\u003e — \u003ccode\u003escan s3\u003c/code\u003e ve \u003ccode\u003escan gcs\u003c/code\u003e kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/slack\"\u003eSlack Taraması\u003c/a\u003e — Slack token kapsamları ve izinleri.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — eşdeğer komut satırı bayrakları.\u003c/li\u003e\n\u003c/ul\u003e\n"},"reference/exit-codes":{"title":"Çıkış Kodları","description":"Leakwatch çıkış kodu başvurusu ve bunların betiklerde ve CI pipeline'larında nasıl kullanılacağı.","html":"\u003ch1 id=\"k-kodlar\"\u003eÇıkış Kodları\u003c/h1\u003e\n\u003cp\u003eLeakwatch, CI pipeline'larının ve kabuk betiklerinin çıktıyı ayrıştırmadan tarama sonuçlarına göre hareket edebilmesi için küçük, iyi tanımlanmış bir çıkış kodu seti kullanır. Her tarama alt komutu üç koddan biriyle çıkar.\u003c/p\u003e\n\u003ch2 id=\"kod-bavurusu\"\u003eKod başvurusu\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAd\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTemiz\u003c/td\u003e\n\u003ctd\u003eTarama başarıyla tamamlandı ve etkin filtrelerden hiçbir bulgu geçmedi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgular var\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı ve etkin filtrelerden geçen bir veya daha fazla sır bulundu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHata\u003c/td\u003e\n\u003ctd\u003eTaramanın hiç çalışamamasına neden olan ciddi bir hata oluştu — örneğin geçersiz bir bayrak, okunamaz bir yol veya kimlik doğrulama hatası. Stderr'e bir \u003ccode\u003eError: ...\u003c/code\u003e mesajı ve kullanım ipucu yazdırılır.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"filtrelerin-k-kodu-1i-nasl-etkiledii\"\u003eFiltrelerin çıkış kodu 1'i nasıl etkilediği\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e1\u003c/code\u003e, yalnızca en az bir bulgu etkin çıktı filtrelerinin tümünden geçtiğinde yayılır. En ilgili iki filtre şunlardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/strong\u003e — eşiğin altındaki bulgular bastırılır. Tüm bulgular \u003ccode\u003elow\u003c/code\u003e önem derecesindeyse ve \u003ccode\u003e--min-severity high\u003c/code\u003e ile çalışıyorsanız, sırlar mevcut olmasına rağmen çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/strong\u003e — yalnızca canlı doğrulama ile etkin olduğu teyit edilen bulgular raporlanır. Etkin sır bulunamazsa çıkış kodu \u003ccode\u003e0\u003c/code\u003e döndürülür.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBu, çıkış kodu \u003ccode\u003e0\u003c/code\u003e'ın \u0026quot;mevcut filtre ayarlarınızla eşleşen bulgu yok\u0026quot; anlamına geldiği anlamına gelir — kod tabanının hiçbir sır içermediği değil.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e altında temiz \u003ccode\u003e0\u003c/code\u003e çıkışı, kod tabanının sırdan arındırılmış olduğunu garanti etmez. Doğrulamanın mevcut olmadığı sır türleri (9 dedektör türü) her zaman doğrulanmamış olarak raporlanır ve \u003ccode\u003e--only-verified\u003c/code\u003e tarafından bastırılır. Tam kapsam için \u003ccode\u003e--only-verified\u003c/code\u003e ile birlikte ayrı bir filtresiz tarama yapın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kabuk-betiklerinde-k-kodlarn-kullanma\"\u003eKabuk betiklerinde çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e#!/usr/bin/env bash\nset +e\nleakwatch scan fs . --format json --output leakwatch.json --no-verify\nEXIT_CODE=$?\nset -e\n\ncase \u0026quot;$EXIT_CODE\u0026quot; in\n 0)\n echo \u0026quot;Sır bulunamadı. Derleme devam ediyor.\u0026quot;\n ;;\n 1)\n echo \u0026quot;Sırlar bulundu — birleştirmeden önce leakwatch.json'u inceleyin ve düzeltin.\u0026quot;\n exit 1\n ;;\n *)\n echo \u0026quot;Leakwatch bir hatayla karşılaştı (çıkış $EXIT_CODE).\u0026quot;\n exit \u0026quot;$EXIT_CODE\u0026quot;\n ;;\nesac\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTaramadan önce \u003ccode\u003eset +e\u003c/code\u003e kullanmak, kabuğun sıfır dışı kodlarda çıkmasını engeller ve kodu kendiniz yakalayıp işlemenize olanak tanır.\u003c/p\u003e\n\u003ch2 id=\"ci-pipelinelarnda-k-kodlarn-kullanma\"\u003eCI pipeline'larında çıkış kodlarını kullanma\u003c/h2\u003e\n\u003cp\u003eÇoğu CI sistemi, sıfır dışı herhangi bir çıkış kodunu adım başarısızlığı olarak değerlendirir. Leakwatch sırlar bulunduğunda \u003ccode\u003e1\u003c/code\u003e ile çıktığından, ek yapılandırma olmadan pipeline otomatik olarak başarısız olur — yalnızca tarama komutunu çalıştırın.\u003c/p\u003e\n\u003cp\u003eSırlar bulunsa bile pipeline'ın devam etmesine izin vermek için (örneğin, derlemeyi engellemeden raporu toplamak amacıyla) çıkış kodunu açıkça yoksayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format sarif --output results.sarif --no-verify || true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitLab CI'da:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003eallow_failure: true\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYa da GitHub Action'da \u003ccode\u003efail-on-findings: \u0026quot;false\u0026quot;\u003c/code\u003e olarak ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"uygulamada-k-kodu-2\"\u003eUygulamada çıkış kodu 2\u003c/h2\u003e\n\u003cp\u003eÇıkış kodu \u003ccode\u003e2\u003c/code\u003e, taramanın hiç çalışamamasına neden olan bir yapılandırma veya çalışma zamanı hatasını gösterir. Yaygın nedenler:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eGeçersiz bir bayrak değeri (örneğin \u003ccode\u003e--format invalid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMevcut olmayan veya okunamaz bir yol.\u003c/li\u003e\n\u003cli\u003eEksik gerekli argüman (örneğin, URL olmadan \u003ccode\u003escan git\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBir bulut kaynağına bağlanırken kimlik doğrulama hatası.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eHata mesajı stderr'e yazdırılır ve sorunu teşhis etmeye yardımcı olacak bağlam içerir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-text\"\u003eError: unknown format \u0026quot;xlsx\u0026quot;; valid values: json, sarif, csv, table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/other-ci\"\u003eDiğer CI Sistemleri\u003c/a\u003e — çıkış kodlarını GitLab CI, Jenkins ve diğerlerine bağlama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/ci-cd/github-action\"\u003eGitHub Action\u003c/a\u003e — resmi action'ın çıkış kodlarını adım sonuçlarıyla nasıl eşlediği.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Başvurusu\u003c/a\u003e — tam bayrak başvurusu.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/cloud-storage":{"title":"Bulut Depolama (S3 \u0026 GCS)","description":"AWS S3 ve Google Cloud Storage kovalarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"bulut-depolama-s3--gcs\"\u003eBulut Depolama (S3 \u0026amp; GCS)\u003c/h1\u003e\n\u003cp\u003eSırlar sıklıkla bulut depolamaya taşınır — dışa aktarılan veritabanı dökümleri, ortam dosyaları, CI artefaktları ve günlük arşivleri, düşünüldüğünden çok daha fazla kişinin erişebildiği kovalara akar. Leakwatch, AWS S3 ve Google Cloud Storage kovalarını nesne nesne tarayabilir ve bulduğu sırları bir olaya dönüşmeden işaretler.\u003c/p\u003e\n\u003ch2 id=\"aws-s3\"\u003eAWS S3\u003c/h2\u003e\n\u003ch3 id=\"kullanm\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003es3://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003es3://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch standart \u003ca href=\"https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html\"\u003eAWS varsayılan kimlik bilgisi zincirini\u003c/a\u003e kullanır:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOrtam değişkenleri (\u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e, \u003ccode\u003eAWS_SESSION_TOKEN\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan kimlik bilgileri dosyası (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePaylaşılan yapılandırma dosyası (\u003ccode\u003e~/.aws/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eÖrneğe veya göreve atanmış IAM rolü (EC2, ECS, Lambda).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eAWS CLI ile zaten kimlik doğrulaması yaptıysanız (\u003ccode\u003eaws configure\u003c/code\u003e veya üstlenilmiş bir rol) ek yapılandırma gerekmez.\u003c/p\u003e\n\u003ch3 id=\"s3e-zg-bayraklar\"\u003eS3'e özgü bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca anahtarı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--region\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003eAWS yapılandırmasından\u003c/td\u003e\n\u003ctd\u003eKovanın bulunduğu AWS bölgesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"s3-rnekleri\"\u003eS3 örnekleri\u003c/h3\u003e\n\u003cp\u003eTüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-config-bucket\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir bölgede belirli bir anahtar öneki altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --prefix logs/ --region us-east-1\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan s3 my-bucket --format sarif --output s3-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eTaramayı ilgili bir alt yola sınırlamak için \u003ccode\u003e--prefix\u003c/code\u003e kullanın. Milyonlarca nesne içeren büyük bir kovayı taramak yavaş olabilir ve S3 GET istek maliyeti doğurabilir. Öneki gerçekten önemli olana — örneğin \u003ccode\u003econfigs/\u003c/code\u003e veya \u003ccode\u003eexports/\u003c/code\u003e — daraltın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003chr\u003e\n\u003ch2 id=\"google-cloud-storage\"\u003eGoogle Cloud Storage\u003c/h2\u003e\n\u003ch3 id=\"kullanm-1\"\u003eKullanım\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs \u0026lt;bucket\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: \u003cstrong\u003ekova adı\u003c/strong\u003e (\u003ccode\u003egs://\u003c/code\u003e öneki olmadan). Tarama hedefi \u003ccode\u003egs://\u0026lt;bucket\u0026gt;\u003c/code\u003e olarak gösterilir.\u003c/p\u003e\n\u003ch3 id=\"kimlik-dorulama-1\"\u003eKimlik doğrulama\u003c/h3\u003e\n\u003cp\u003eLeakwatch \u003ca href=\"https://cloud.google.com/docs/authentication/application-default-credentials\"\u003eApplication Default Credentials (ADC)\u003c/a\u003e kullanır. Kimlik bilgisi arama sırası şu şekildedir:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eHizmet hesabı anahtar dosyasına işaret eden \u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e ortam değişkeni.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egcloud auth application-default login\u003c/code\u003e ile yapılandırılmış kullanıcı kimlik bilgileri.\u003c/li\u003e\n\u003cli\u003eGoogle Compute Engine örneğine, Cloud Run hizmetine veya GKE iş yüküne atanmış hizmet hesabı.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"gcse-zg-bayraklar\"\u003eGCS'e özgü bayraklar\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--prefix\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca adı bu önekle başlayan nesneleri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--project\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eGCP proje kimliği (bazı ADC yapılandırmalarında gereklidir).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"gcs-rnekleri\"\u003eGCS örnekleri\u003c/h3\u003e\n\u003cp\u003eBelirli bir GCP projesiyle tüm kovayı tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-config-bucket --project my-gcp-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca belirli bir önek altındaki nesneleri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --project my-gcp-project --prefix exports/\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCSV olarak çıktı alın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan gcs my-bucket --format csv --output gcs-results.csv\n\u003c/code\u003e\u003c/pre\u003e\n\u003chr\u003e\n\u003ch2 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h2\u003e\n\u003cp\u003eHem \u003ccode\u003es3\u003c/code\u003e hem de \u003ccode\u003egcs\u003c/code\u003e aynı ortak tarama bayraklarını destekler:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan nesneleri atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eNesne anahtarlarına uygulanan yol dışlamaları \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (kimlik doğrulama hatası, kova bulunamadı, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/container-images":{"title":"Konteyner İmajları","description":"Docker daemon gerektirmeksizin OCI ve Docker imaj katmanlarını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"konteyner-majlar\"\u003eKonteyner İmajları\u003c/h1\u003e\n\u003cp\u003eKonteyner imajları sırların sıklıkla gizlendiği yerlerden biridir: ortam değişkenlerine gömülen API anahtarları, derleme katmanlarına yerleştirilmiş kimlik bilgileri ve imaj katmanlarına kopyalanıp unutulan yapılandırma dosyaları. \u003ccode\u003eleakwatch scan image\u003c/code\u003e, bir OCI veya Docker imajının her katmanını inceler ve bu sırları dağıtım öncesinde gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image \u0026lt;image:tag\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: standart \u003ccode\u003ename:tag\u003c/code\u003e gösteriminde bir imaj referansı. Leakwatch imajları çekmek ve incelemek için \u003ca href=\"https://github.com/google/go-containerregistry\"\u003ego-containerregistry\u003c/a\u003e kullanır — herhangi bir Docker daemon \u003cstrong\u003egerekmez\u003c/strong\u003e.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Docker Hub imajını tara\nleakwatch scan image nginx:latest\n\n# Özel GitHub Container Registry imajını tara\nleakwatch scan image ghcr.io/org/myapp:v1.2.0\n\n# Amazon ECR imajını tara\nleakwatch scan image 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"desteklenen-kayt-sunucular\"\u003eDesteklenen kayıt sunucuları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKayıt Sunucusu\u003c/th\u003e\n\u003cth\u003eÖrnek referans\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eDocker Hub\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003enginx:latest\u003c/code\u003e, \u003ccode\u003emyorg/myapp:1.0.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGitHub Container Registry (GHCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003eghcr.io/org/myapp:v1.2.0\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAmazon ECR\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGoogle Container Registry (GCR)\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003egcr.io/my-project/myapp:latest\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eOCI uyumlu herhangi bir kayıt sunucusu\u003c/td\u003e\n\u003ctd\u003eStandart \u003ccode\u003eregistry/name:tag\u003c/code\u003e biçimi\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eLeakwatch, Docker ve diğer OCI araçları tarafından kullanılan standart kimlik bilgisi anahtarlığını kullanır. \u003ccode\u003edocker login\u003c/code\u003e (veya \u003ccode\u003ecrane\u003c/code\u003e, \u003ccode\u003eskopeo\u003c/code\u003e, bulut sağlayıcısı kimlik bilgisi yardımcıları gibi eşdeğer araçlar) ile oturum açtıysanız, Leakwatch bu kimlik bilgilerini otomatik olarak kullanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Önce GHCR'a giriş yapın\ndocker login ghcr.io\n\n# Ardından tarayın — kimlik bilgileri otomatik olarak alınır\nleakwatch scan image ghcr.io/org/private-app:latest\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eAmazon ECR için, taramadan önce ECR kimlik bilgisi yardımcısını yapılandırın ya da \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e ve ilgili ortam değişkenlerini ayarlayın.\u003c/p\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch imaj manifestini çeker, her katmanı sırayla işler ve her katmandaki dosyaları çıkarır. Her dosyanın içeriği, dosya sistemi taramasıyla aynı tespit hattından geçirilir. \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları burada da geçerlidir ve katmanlar içinde hangi dosya yollarının inceleneceğini sınırlar.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003cp\u003eİmaja özgü bayrak yoktur. Tüm ortak tarama bayrakları geçerlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eYol tabanlı dışlamalar \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasında \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında yapılandırılır. Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e sayfasına bakın.\u003c/p\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eDocker Hub imajını tarayın ve sonuçları tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image alpine:3.20 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eÖzel kayıt sunucusu imajını tarayın ve SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image ghcr.io/org/myapp:v1.2.0 --format sarif -o results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif sırları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --only-verified --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eJSON çıktısına düzeltme rehberi dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan image myapp:latest --remediation --format json -o image-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eİmaj taramasından elde edilen her bulgu katman meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eimage\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan imaj referansı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elayer\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği katman özeti.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efile_path\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eKatman içindeki dosyanın yolu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGizli bilgilerin bir kayıt sunucusuna push edilmeden önce yakalanması için konteyner imaj taramasını CI/CD hattınızın derleme aşamasına entegre edin. Sonuçları doğrudan GitHub Code Scanning'e yüklemek için \u003ccode\u003e--format sarif\u003c/code\u003e kullanın.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (imaj bulunamadı, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — yerel bir dizin ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — dışlamaları ve diğer varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/filesystem":{"title":"Dosya Sistemi","description":"leakwatch scan fs komutuyla yerel bir dizin ağacını sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"dosya-sistemi\"\u003eDosya Sistemi\u003c/h1\u003e\n\u003cp\u003eSırlar çoğu zaman önce yerel kaynak kodda ortaya çıkar. \u003ccode\u003eleakwatch scan fs\u003c/code\u003e komutu, bir dizin ağacındaki tüm dosyaları dolaşır, her biri üzerinde tam tespit hattını çalıştırır ve bulguları raporlar — henüz commit edilmeden önce yakalamak ya da mevcut bir kod tabanını sonradan taramak için kullanabilirsiniz.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs [path]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003epath\u003c/code\u003e isteğe bağlıdır. Belirtilmediğinde Leakwatch geçerli çalışma dizinini (\u003ccode\u003e.\u003c/code\u003e) tarar. Yalnızca tek bir path argümanı kabul edilir.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizini tara\nleakwatch scan fs\n\n# Belirli bir proje klasörünü tara\nleakwatch scan fs ./my-project\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"dosya-sistemi-kaynann-otomatik-olarak-atladklar\"\u003eDosya sistemi kaynağının otomatik olarak atladıkları\u003c/h2\u003e\n\u003cp\u003eTaramaları hızlı ve gürültüsüz tutmak için dosya sistemi kaynağı herhangi bir yapılandırma gerekmeksizin şunları atlar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eİkili dosyalar\u003c/strong\u003e — dosyanın ilk 8 KB'ında null byte bulunmasıyla tespit edilir.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBilinen ikili uzantılar\u003c/strong\u003e — yaygın derlenmiş, görsel, ses, video ve arşiv biçimleri.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKilit dosyaları\u003c/strong\u003e — \u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003ePipfile.lock\u003c/code\u003e ve benzerleri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"dosya-sistemine-zg\"\u003eDosya sistemine özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (tekrarlanabilir)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eDışlanacak yollar için glob desenleri. Birden fazla kez belirtilebilir veya virgülle ayrılabilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan dosyaları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eGeçerli dizini tarayın ve terminalde renklendirilmiş bir tablo yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTest dosyalarını ve vendor dizinlerini dışlayıp GitHub Code Scanning için SARIF çıktısı kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . \\\n --exclude \u0026quot;**/*_test.go\u0026quot; \\\n --exclude \u0026quot;vendor/**\u0026quot; \\\n --format sarif \\\n --output results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir monorepo için dosya boyutunu sınırlayın ve çalışan sayısını artırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --max-file-size 5242880 --concurrency 8 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca yüksek önem dereceli bulguları gösterip rotasyon talimatlarını dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --min-severity high --remediation --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"yollar-dlama\"\u003eYolları dışlama\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--exclude\u003c/code\u003e bayrağı glob desenlerini kabul eder ve birden fazla kez belirtilebilir ya da virgülle ayrılmış liste olarak kullanılabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# İki ayrı bayrak\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go\u0026quot; --exclude \u0026quot;docs/**\u0026quot;\n\n# Virgülle ayrılmış\nleakwatch scan fs . --exclude \u0026quot;**/*_test.go,docs/**\u0026quot;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eTakımınızla paylaşılan kalıcı dışlama kuralları için \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasına \u003ccode\u003efilter.exclude-paths\u003c/code\u003e altında ekleyin. Bu kurallar yalnızca dosya sistemi taramalarına değil, tüm kaynaklara uygulanır. Proje kök dizininizde bir \u003ccode\u003e.leakwatchignore\u003c/code\u003e dosyası da oluşturabilirsiniz. Ayrıntılar için \u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e ve \u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e sayfalarına bakın.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (yapılandırma hatası, okunamayan yol, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti (kaynak türü, hedef, dosya sayısı, süre ve bulgu sayısı) yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eGeliştirme sırasında \u003ccode\u003eleakwatch scan fs . --format table\u003c/code\u003e komutunu çalıştırarak hızlı bir görsel genel bakış elde edin. CI hatlarında GitHub Code Scanning ile entegrasyon için \u003ccode\u003e--format sarif\u003c/code\u003e seçeneğine geçin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — varsayılan biçimi, dışlamaları ve daha fazlasını yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — \u003ccode\u003e.leakwatchignore\u003c/code\u003e ve satır içi baskılama.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — çalışma ağacı yerine commit edilmiş geçmişi tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/git-history":{"title":"Git Geçmişi","description":"Yerel veya uzak bir Git deposunun tüm commit geçmişini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"git-gemii\"\u003eGit Geçmişi\u003c/h1\u003e\n\u003cp\u003eCommit edilip sonradan silinen bir sır, önceki her commit'te hâlâ mevcuttur ve depoya erişimi olan herkes tarafından ulaşılabilir durumdadır. \u003ccode\u003eleakwatch scan git\u003c/code\u003e, bir deponun — yerel veya uzak — \u003cem\u003etüm\u003c/em\u003e commit geçmişini dolaşarak bu sırları, istismar edilmeden önce gün yüzüne çıkarır.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git \u0026lt;url_or_path\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut tam olarak bir argüman alır: depoya giden \u003cstrong\u003eyerel dosya sistemi yolu\u003c/strong\u003e (geçerli dizin için \u003ccode\u003e.\u003c/code\u003e) ya da \u003cstrong\u003euzak HTTP/HTTPS veya SSH URL'si\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLeakwatch tüm Git işlemleri için \u003ca href=\"https://github.com/go-git/go-git\"\u003ego-git\u003c/a\u003e kullanır; bu, sistem \u003ccode\u003egit\u003c/code\u003e ikili dosyasına bağımlılığı olmayan saf bir Go uygulamasıdır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003e# Geçerli dizindeki yerel depoyu tara\nleakwatch scan git .\n\n# HTTPS üzerinden uzak bir depoyu tara\nleakwatch scan git https://github.com/org/repo.git\n\n# SSH üzerinden tara\nleakwatch scan git git@github.com:org/repo.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"tarama-nasl-alr\"\u003eTarama nasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch geçmişteki her commit'i dolaşır ve her commit tarafından eklenen blob'ları inceler. \u003cstrong\u003eBlob-hash tekilleştirmesi\u003c/strong\u003e, aynı dosya içeriğinin kaç commit tarafından referans alındığından bağımsız olarak yalnızca bir kez taranmasını sağlar. Bu, tarama süresini ham commit sayısı yerine depodaki \u003cem\u003ebenzersiz içerik\u003c/em\u003e miktarıyla orantılı tutar.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch commit-bazlı diff'leri incelediğinden, sonradan silinen — yani mevcut çalışma ağacında görünmeyen — sırları da bulur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"gite-zg\"\u003eGit'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu tarihten sonraki commit'leri tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since-commit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eYalnızca bu commit hash'inden HEAD'e kadar olan değişiklikleri tara (diff tabanlı).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--branch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eVarsayılan yerine belirli bir dalı hedef al.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--depth\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e (tam)\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eYalnızca uzak depolar\u003c/strong\u003e için klonlama derinliği. \u003ccode\u003e0\u003c/code\u003e tam geçmişi tarar.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eYerel deponun tam geçmişini tarayın ve tablo olarak yazdırın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003edevelop\u003c/code\u003e dalında belirli bir tarihten sonraki commit'leri tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since 2026-02-23 --branch develop\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli bir commit'ten bu yana tanıtılan değişiklikleri tarayın (CI'da yeni commit'leri kontrol etmek için kullanışlıdır):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --since-commit a1b2c3d\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük bir uzak depoyu hızlandırmak için sığ klonlama yapın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git --depth 50\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eUzak depoyu tarayıp yalnızca doğrulanmış bulguları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git https://github.com/org/repo.git \\\n --only-verified \\\n --format sarif \\\n --output git-results.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eGit taramasından elde edilen her bulgu commit meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erepository\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTaranan deponun URL'si veya yolu (kimlik bilgileri ayıklanmış).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecommit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın tanıtıldığı commit hash'i.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit yazarının adı ve e-postası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edate\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCommit zaman damgası.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebranch\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDal bağlamı (kullanılabilir olduğunda).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003ePull request CI işlerinde yalnızca PR tarafından eklenen commit'leri taramak için \u003ccode\u003e--since-commit\u003c/code\u003e kullanın. Son aktiviteyi kapsayan zamanlanmış gece taramaları için \u003ccode\u003e--since \u0026lt;tarih\u0026gt;\u003c/code\u003e tercih edin.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'leri gömülü kimlik bilgileri içeriyorsa (örn. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), Leakwatch bu bilgileri günlüklere veya çıktıya yazmadan önce URL'den ayırır; bu sayede token tarama sonuçlarında veya CI izlerinde hiçbir zaman görünmez.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (geçersiz URL, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/multiple-repos\"\u003eÇoklu Depo\u003c/a\u003e — tek komutla birden fazla depoyu tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/filesystem\"\u003eDosya Sistemi\u003c/a\u003e — geçmiş yerine çalışma ağacını tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/multiple-repos":{"title":"Çoklu Depo","description":"Birden fazla Git deposunu eşzamanlı olarak tarayın ve sonuçları tek bir raporda birleştirin.","html":"\u003ch1 id=\"oklu-depo\"\u003eÇoklu Depo\u003c/h1\u003e\n\u003cp\u003eBir kuruluş büyüdükçe sırlar düzinelerce hatta yüzlerce deponun herhangi birine yerleşebilir. Bunları tek tek kontrol etmek pratik değildir. \u003ccode\u003eleakwatch scan repos\u003c/code\u003e, birden fazla depo URL'sini alır, bunları eşzamanlı olarak tarar ve tüm bulguları tek bir çıktıda birleştirir — tek komut, tek rapor.\u003c/p\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \u0026lt;url1\u0026gt; \u0026lt;url2\u0026gt; [url...]\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eKomut \u003cstrong\u003een az iki\u003c/strong\u003e depo URL'si gerektirir. Tüm depolar otomatik olarak klonlanır, taranır ve temizlenir. Sonunda birleşik bulgu sayısı ve tek bir tarama özeti raporlanır.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"nasl-alr\"\u003eNasıl çalışır\u003c/h2\u003e\n\u003cp\u003eLeakwatch aynı anda en fazla \u003ccode\u003e--parallel\u003c/code\u003e sayıda depo taraması başlatır. Her depo:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eSağlanan URL'den klonlanır (güvenlik açısından kimlik bilgileri günlüklerden ve çıktıdan ayıklanır).\u003c/li\u003e\n\u003cli\u003eTam tespit hattıyla taranır; bu depo için \u003ccode\u003e--concurrency\u003c/code\u003e sayıda çalışan kullanılır.\u003c/li\u003e\n\u003cli\u003eTarama tamamlandığında temizlenir (geçici klon silinir).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eTüm depolardan elde edilen bulgular toplanır ve tek bir kaynaktan yapılmış tarama gibi tek bir çıktı olarak yazılır. Görüntülenen hedef \u003ccode\u003e\u0026lt;N\u0026gt; repositories\u003c/code\u003e (N depo) şeklindedir.\u003c/p\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"oklu-depoya-zg\"\u003eÇoklu depoya özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--parallel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eint\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eEşzamanlı olarak taranacak depo sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003eDepo başına\u003c/strong\u003e eşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eBu boyutu aşan blob'ları atla (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e.leakwatch.yaml\u003c/code\u003e dosyasındaki \u003ccode\u003efilter.exclude-paths\u003c/code\u003e yol dışlamaları tüm depolara uygulanır. \u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eİki depoyu tarayın ve sonuçları tablo olarak görüntüleyin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBeş depoyu daha yüksek paralellik ile tarayın ve birleşik sonuçları SARIF olarak kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/api.git \\\n https://github.com/org/web.git \\\n https://github.com/org/infra.git \\\n https://github.com/org/mobile.git \\\n https://github.com/org/docs.git \\\n --parallel 4 \\\n --format sarif \\\n --output all-repos.sarif\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eDepo başına daha fazla çalışan kullanarak yalnızca doğrulanmış bulguları gösterin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan repos \\\n https://github.com/org/backend.git \\\n https://github.com/org/frontend.git \\\n --concurrency 8 \\\n --only-verified \\\n --format json \\\n --output verified-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"paralellii-ayarlama\"\u003eParalelliği ayarlama\u003c/h2\u003e\n\u003cp\u003eVerimi kontrol eden iki parametre vardır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003e--parallel\u003c/code\u003e, kaç depo klonlama ve taramasının aynı anda çalışacağını kontrol eder. Varsayılan \u003ccode\u003e3\u003c/code\u003e, çoğu iş yükü için uygundur. Ağ bant genişliği ve CPU kapasitesi izin verdiğinde artırın; kısıtlı makinelerde düşürün.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--concurrency\u003c/code\u003e (\u003ccode\u003e-c\u003c/code\u003e), her bir depodaki dosya blob'larını işleyen çalışan goroutine sayısını kontrol eder. Bu, tüm tarama komutlarında bulunan aynı bayraktır.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTepe noktasındaki toplam eşzamanlı işlem = \u003ccode\u003e--parallel\u003c/code\u003e × \u003ccode\u003e--concurrency\u003c/code\u003e.\u003c/p\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eBir veya daha fazla depo taraması başarısız olursa (örneğin ağ hatası veya kimlik doğrulama sorunu nedeniyle), Leakwatch hatayı günlüğe kaydeder ve kalan depoları taramaya devam eder. Diğer depolar bulgu üretmiş olsa bile herhangi bir depo taraması başarısız olursa çıkış kodu \u003ccode\u003e2\u003c/code\u003e olur.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kimlik-bilgisi-gvenlii\"\u003eKimlik bilgisi güvenliği\u003c/h2\u003e\n\u003cp\u003eDepo URL'lerindeki gömülü kimlik bilgileri (örn. \u003ccode\u003ehttps://user:TOKEN@host/repo.git\u003c/code\u003e), URL günlüklere, çıktıya veya tarama özetine yazılmadan önce ayıklanır.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTüm taramalar tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBir veya daha fazla depo taraması başarısız oldu ya da yapılandırma hatası oluştu.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — tek bir depoyu derinlemesine tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — tüm kaynaklar için paylaşılan varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"scanning/slack":{"title":"Slack Çalışma Alanı","description":"Slack kanal ve DM mesaj metinlerini sızan sırlara karşı tarayın.","html":"\u003ch1 id=\"slack-alma-alan\"\u003eSlack Çalışma Alanı\u003c/h1\u003e\n\u003cp\u003eGeliştiriciler çoğu zaman kimlik bilgilerini sohbet üzerinden paylaşır — hızlı bir test için bir kanala yapıştırılan token, DM ile gönderilen parola ya da bir olay başlığında söz edilen API anahtarı. \u003ccode\u003eleakwatch scan slack\u003c/code\u003e, Slack çalışma alanınızdaki mesaj metinlerini okur ve bulduğu sırları işaretler.\u003c/p\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eLeakwatch yalnızca \u003cstrong\u003emesaj metnini\u003c/strong\u003e tarar. Yüklenen dosyaların (ekler, snippet'ler) içeriğini taramak uygulanmamıştır. Yalnızca mesajların metin gövdesi analiz edilir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"temel-kullanm\"\u003eTemel kullanım\u003c/h2\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBu komut \u003cstrong\u003ekonumsal argüman almaz\u003c/strong\u003e. Tüm yapılandırma bayraklar veya ortam değişkenleri aracılığıyla sağlanır.\u003c/p\u003e\n\u003ch2 id=\"kimlik-dorulama\"\u003eKimlik doğrulama\u003c/h2\u003e\n\u003cp\u003eBir Slack Bot Token gereklidir. \u003ccode\u003e--token\u003c/code\u003e bayrağı veya \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni aracılığıyla sağlayın. Ortam değişkeni kullanmak önerilir; böylece token kabuk geçmişinde veya süreç listelerinde asla görünmez.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 id=\"gerekli-bot-token-kapsamlar\"\u003eGerekli bot token kapsamları\u003c/h3\u003e\n\u003cp\u003eBot token'ı, aşağıdaki OAuth kapsamlarına sahip bir Slack uygulamasıyla ilişkilendirilmiş olmalıdır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKapsam\u003c/th\u003e\n\u003cth\u003eAmaç\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannels:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı genel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egroups:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBotun katıldığı özel kanallardaki mesajları oku.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003empim:history\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrup doğrudan mesajlarını oku (yalnızca \u003ccode\u003e--include-dms\u003c/code\u003e ile gerekli).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"bayraklar\"\u003eBayraklar\u003c/h2\u003e\n\u003ch3 id=\"slacke-zg\"\u003eSlack'e özgü\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eTür\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eSlack Bot Token. \u003ccode\u003eLEAKWATCH_SLACK_TOKEN\u003c/code\u003e ortam değişkeni tercih edilir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003etüm kanallar\u003c/td\u003e\n\u003ctd\u003eTaranacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--exclude-channels\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eAtlanacak kanal adlarının virgülle ayrılmış listesi.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--since\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estring (YYYY-MM-DD)\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003eBu tarihte veya sonrasında gönderilen mesajları tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--include-dms\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ebool\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrudan mesajları ve grup DM'lerini de tara.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003efloat\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e20\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSaniye başına maksimum Slack API istek sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"ortak-tarama-bayraklar\"\u003eOrtak tarama bayrakları\u003c/h3\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eBayrak\u003c/th\u003e\n\u003cth\u003eKısa\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003ejson\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktı biçimi: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003etable\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003estdout\u003c/td\u003e\n\u003ctd\u003eSonuçları stdout yerine bu dosyaya yaz.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--concurrency\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCPU sayısı\u003c/td\u003e\n\u003ctd\u003eEşzamanlı çalışan sayısı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--max-file-size\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003e10485760\u003c/code\u003e (10 MB)\u003c/td\u003e\n\u003ctd\u003eDahili parça boyutu sınırı (bayt).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--show-raw\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇıktıda ham sır değerini göster.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--no-verify\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSır doğrulamasını devre dışı bırak.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--only-verified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca doğrulama ile aktif olduğu onaylanan bulguları raporla.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--min-severity\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003elow\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRaporlanacak minimum önem: \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003ecritical\u003c/code\u003e.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e--remediation\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003e—\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003efalse\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHer bulguya düzeltme rehberi ekle.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003ccode\u003e--config\u003c/code\u003e ve \u003ccode\u003e--log-level\u003c/code\u003e (varsayılan \u003ccode\u003ewarn\u003c/code\u003e) kök bayrakları da geçerlidir.\u003c/p\u003e\n\u003ch2 id=\"rnekler\"\u003eÖrnekler\u003c/h2\u003e\n\u003cp\u003eToken için ortam değişkeni kullanarak botun erişebildiği tüm kanalları tarayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eexport LEAKWATCH_SLACK_TOKEN=xoxb-...\nleakwatch scan slack\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBelirli kanalları tarayın ve yılın başından bu yana gönderilen mesajlarla sınırlayın:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --channels general,engineering,backend \\\n --since 2026-01-01\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eGürültülü kanalları dışlayın ve doğrudan mesajları dahil edin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --exclude-channels random,social,giphy \\\n --include-dms\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eBüyük çalışma alanlarında Slack hız sınırı hatalarını önlemek için API istek hızını düşürün:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack --rate-limit 10 --format table\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eYalnızca doğrulanmış aktif bulguları bir JSON dosyasına kaydedin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan slack \\\n --only-verified \\\n --format json \\\n --output slack-findings.json\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2 id=\"bulgu-meta-verisi\"\u003eBulgu meta verisi\u003c/h2\u003e\n\u003cp\u003eSlack taramasından elde edilen her bulgu mesaj ve kanal meta verisi içerir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAlan\u003c/th\u003e\n\u003cth\u003eAçıklama\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003echannel\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBulgunun tespit edildiği kanal adı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emessage_ts\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack mesaj zaman damgası (benzersiz mesaj kimliği).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauthor\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMesaj yazarının Slack kullanıcı kimliği.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"performans-deerlendirmeleri\"\u003ePerformans değerlendirmeleri\u003c/h2\u003e\n\u003cp\u003eSlack API istekleri, Slack tarafından uygulanan hız sınırlarına tabidir. \u003ccode\u003e--rate-limit\u003c/code\u003e bayrağı (varsayılan saniyede \u003ccode\u003e20\u003c/code\u003e istek), Leakwatch'ın istekleri ne kadar agresif yapacağını kontrol eder. Özellikle büyük çalışma alanlarında \u003ccode\u003e429 Too Many Requests\u003c/code\u003e hatası alıyorsanız bu değeri düşürün.\u003c/p\u003e\n\u003cp\u003eHer çalıştırmada tüm çalışma alanını taramak yerine belirli kanalları hedeflemek için \u003ccode\u003e--channels\u003c/code\u003e kullanın. Mesajları artımlı biçimde taramak için \u003ccode\u003e--since\u003c/code\u003e ile birleştirin.\u003c/p\u003e\n\u003ch2 id=\"k-kodlar\"\u003eÇıkış kodları\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKod\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e0\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgu yok.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama tamamlandı, bulgular raporlandı.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTarama başarısız oldu (eksik token, kimlik doğrulama hatası, vb.).\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer çalıştırmanın ardından stderr'e bir tarama özeti yazdırılır. Taramalar SIGINT/SIGTERM sinyalinde düzgün biçimde iptal edilir.\u003c/p\u003e\n\u003ch2 id=\"ayrca-baknz\"\u003eAyrıca bakınız\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/getting-started/quick-start\"\u003eHızlı Başlangıç\u003c/a\u003e — ilk taramanızı bir dakikadan kısa sürede çalıştırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e ile varsayılanları yapılandırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/ignoring-findings\"\u003eBulguları Yoksayma\u003c/a\u003e — bilinen yanlış pozitifleri bastırın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — doğrulama durumlarını anlayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/scanning/git-history\"\u003eGit Geçmişi\u003c/a\u003e — commit edilmiş geçmişi sırlara karşı tarayın.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/reference/cli-reference\"\u003eCLI Referansı\u003c/a\u003e — tüm komutlar için tam bayrak referansı.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/how-verification-works":{"title":"Doğrulama Nasıl Çalışır","description":"Leakwatch'ın tespit edilen bir sırrın hâlâ aktif olup olmadığını nasıl teyit ettiği, hangi doğrulama modlarını kullandığı ve doğrulamanın nasıl yapılandırılacağı veya devre dışı bırakılacağı.","html":"\u003ch1 id=\"dorulama-nasl-alr\"\u003eDoğrulama Nasıl Çalışır\u003c/h1\u003e\n\u003cp\u003eBir kod tabanında sır bulmak hikayenin yalnızca yarısıdır. Altı ay önce döndürülen bir anahtar gürültüdür; hâlâ canlı olan bir anahtar ise aktif bir olayı temsil eder. Doğrulama, bu çizgiyi çizen adımdır — tespit edilen her bulguyu alır ve mümkün olan durumlarda sırrın sağlayıcıda hâlâ geçerli olup olmadığını teyit eder.\u003c/p\u003e\n\u003ch2 id=\"tespiten-dorulamaya\"\u003eTespiten doğrulamaya\u003c/h2\u003e\n\u003cp\u003eTarama motoru bulguları topladıktan sonra doğrulayıcı havuzu onları işlemeye alır. Her bulgu bir \u003ccode\u003edetector_id\u003c/code\u003e taşır; Leakwatch bu ID için kayıtlı bir doğrulayıcı olup olmadığını arar:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBir doğrulayıcı mevcutsa çalışır ve bir durum döndürür.\u003c/li\u003e\n\u003cli\u003eO dedektör türü için kayıtlı bir doğrulayıcı yoksa bulgu değiştirilmeden \u003ccode\u003eunverified\u003c/code\u003e durumuyla geçer.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ki-dorulama-modu\"\u003eİki doğrulama modu\u003c/h2\u003e\n\u003cp\u003eTüm sırlar aynı şekilde doğrulanamaz. Leakwatch, her kimlik bilgisi türü için güvenli olan yaklaşıma göre iki farklı yöntem kullanır.\u003c/p\u003e\n\u003ch3 id=\"canl-api-dorulamas\"\u003eCanlı API doğrulaması\u003c/h3\u003e\n\u003cp\u003eYaklaşık 49 dedektör türü için Leakwatch, sağlayıcıya \u003cstrong\u003ekontrollü, salt-okunur bir API çağrısı\u003c/strong\u003e yapar — örneğin AWS anahtarları için \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, GitHub token'ları için \u003ccode\u003eGET /user\u003c/code\u003e. Çağrı yalnızca kimliği doğrulamak için gereken minimum uç noktayı kullanır; hiçbir zaman veri değiştirmez, kaynak oluşturmaz veya faturalandırma olayı tetiklemez.\u003c/p\u003e\n\u003cp\u003eSağlayıcı başarılı bir yanıt döndürürse bulgu \u003ccode\u003everified_active\u003c/code\u003e olarak işaretlenir. Sağlayıcı kimlik bilgisini reddederse (örneğin HTTP 401 veya 403 ile) bulgu \u003ccode\u003everified_inactive\u003c/code\u003e olarak işaretlenir.\u003c/p\u003e\n\u003ch3 id=\"yalnzca-format-dorulamas\"\u003eYalnızca format doğrulaması\u003c/h3\u003e\n\u003cp\u003eBeş kimlik bilgisi türü için güvenli bir canlı kontrol mevcut değildir — sağlayıcının anonim bir kimlik uç noktası yoktur ya da gerçek bir çağrı yan etkiye yol açar. Bu durumlar için Leakwatch, herhangi bir ağ isteği yapmadan kimlik bilgisinin yapısını doğrular:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı — \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e alanlarının varlığı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eYalnızca format kontrolü — geçerli bir format hiçbir şeyi kanıtlamaz, sonuç her zaman \u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eFormat kontrolü geçse bile sonuç \u003ccode\u003eunverified\u003c/code\u003e olarak kalır. Yapısal olarak geçerli bir kimlik bilgisi süresi dolmuş veya iptal edilmiş olabilir. Bu bulgular her zaman manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"dorulama-durumlar\"\u003eDoğrulama durumları\u003c/h2\u003e\n\u003cp\u003eLeakwatch çıktısındaki her bulgu dört durumdan birini taşır:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDurum\u003c/th\u003e\n\u003cth\u003eAnlam\u003c/th\u003e\n\u003cth\u003eÖnerilen eylem\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_active\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSırrın sağlayıcı tarafından canlı olduğu teyit edildi.\u003c/td\u003e\n\u003ctd\u003eAktif bir olay olarak ele alın. Hemen döndürün.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everified_inactive\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSağlayıcı kimlik bilgisini reddetti.\u003c/td\u003e\n\u003ctd\u003eMuhtemelen zaten döndürülmüş. Bağlamı gözden geçirin ve kapatın.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eunverified\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBu tür için doğrulayıcı yok, format doğrulaması sonuç vermedi veya doğrulama devre dışı bırakıldı.\u003c/td\u003e\n\u003ctd\u003eManuel olarak inceleyin; risk bağlama göre belirlenir.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003everify_error\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoğrulayıcı çalıştı ancak ağ hatası, zaman aşımı veya beklenmedik yanıtla karşılaştı.\u003c/td\u003e\n\u003ctd\u003ePotansiyel olarak aktif kabul edin. Yeniden deneyin veya manuel olarak inceleyin.\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulama-motoru\"\u003eDoğrulama motoru\u003c/h2\u003e\n\u003cp\u003eDoğrulama, tarama çalışan havuzundan yalıtılmış ayrı bir eşzamanlı çalışan havuzunda çalışır. Sağlayıcı hız sınırlarını tetiklememek için varsayılanlar temkinlidir:\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eAyar\u003c/th\u003e\n\u003cth\u003eVarsayılan\u003c/th\u003e\n\u003cth\u003eYapılandırma anahtarı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eÇalışan sayısı\u003c/td\u003e\n\u003ctd\u003e4\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.concurrency\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eGlobal hız sınırı\u003c/td\u003e\n\u003ctd\u003e10 istek/saniye\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.rate-limit\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eİstek başına zaman aşımı\u003c/td\u003e\n\u003ctd\u003e10 sn\u003c/td\u003e\n\u003ctd\u003e\u003ccode\u003everification.timeout\u003c/code\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003eHer üç değer de \u003ccode\u003e.leakwatch.yaml\u003c/code\u003e içindeki \u003ccode\u003everification:\u003c/code\u003e bloğu altında ayarlanabilir:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-yaml\"\u003everification:\n enabled: true\n concurrency: 4\n rate-limit: 10.0 # global, saniye başına istek sayısı\n timeout: 10s\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-tip\"\u003e\u003cdiv class=\"callout-label\"\u003eİpucu\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003eYüzlerce bulgu tetikleyen bir depoyu tarıyorsanız \u003ccode\u003erate-limit\u003c/code\u003e değerini 5'e düşürmeyi veya \u003ccode\u003e--only-verified\u003c/code\u003e etkinleştirmeyi düşünün; bu, doğrulanmış-aktif kümesini küçük ve uygulanabilir tutar.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"komut-satrndan-dorulamay-kontrol-etme\"\u003eKomut satırından doğrulamayı kontrol etme\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003e--no-verify\u003c/code\u003e ile \u003cstrong\u003edoğrulamayı tamamen devre dışı bırakın\u003c/strong\u003e (ya da yapılandırmada \u003ccode\u003everification.enabled: false\u003c/code\u003e ayarlayın). Her bulgu \u003ccode\u003eunverified\u003c/code\u003e olarak geçer. Bunu çevrimdışı veya hava boşluklu ortamlar için ya da herhangi bir sağlayıcı API'sine dokunmadan mümkün olan en hızlı taramayı istediğinizde kullanın.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan fs . --no-verify\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eYalnızca canlı olduğu doğrulanan sırları görmek\u003c/strong\u003e için \u003ccode\u003e--only-verified\u003c/code\u003e kullanın. \u003ccode\u003everified_active\u003c/code\u003e olmayan her şey çıktıdan düşürülür. Bu, büyük bir sonuç kümesini önceliklendirmenin en hızlı yoludur — yalnızca hemen harekete geçmeniz gereken anahtarları görürsünüz.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003eleakwatch scan git . --only-verified\n\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv class=\"callout callout-warn\"\u003e\u003cdiv class=\"callout-label\"\u003eUyarı\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u003ccode\u003e--only-verified\u003c/code\u003e, \u003ccode\u003eunverified\u003c/code\u003e ve \u003ccode\u003everify_error\u003c/code\u003e bulgularını sessizce düşürür. Bunu uyumluluk bağlamında tek filtreniz olarak kullanmayın — bazı kimlik bilgisi türleri (JWT'ler, genel API anahtarları, özel anahtarlar) hiçbir zaman doğrulanamaz ve her zaman dışarıda kalır.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"sr-gvenlii\"\u003eSır güvenliği\u003c/h2\u003e\n\u003cp\u003eDoğrulama, ham sır değerinin süreç sınırını güvensiz biçimde asla terk etmeyecek şekilde tasarlanmıştır:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDoğrulayıcılar sırrı TLS üzerinden doğrudan sağlayıcının HTTP uç noktasına iletir — diske yazılmaz, bir loga gönderilmez ve çalıştırmalar arasında önbelleğe alınmaz.\u003c/li\u003e\n\u003cli\u003eBaşlatılamayan veya panikle karşılaşan bir doğrulayıcı motor tarafından yakalanır; motor, bulguyu \u003ccode\u003everify_error\u003c/code\u003e olarak işaretler ve taramayı çökertmeden devam eder.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/verification-coverage\"\u003eDoğrulama Kapsamı\u003c/a\u003e — hangi dedektör türlerinin canlı doğrulandığı, format doğrulandığı veya hiç doğrulanamadığı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/configuration/config-file\"\u003eYapılandırma: Yapılandırma Dosyası\u003c/a\u003e — \u003ccode\u003everification:\u003c/code\u003e bloğunun tam referansı.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/output/output-formats\"\u003eÇıktı Formatları\u003c/a\u003e — doğrulama durumunun JSON, SARIF, CSV ve tablo çıktısında nasıl göründüğü.\u003c/li\u003e\n\u003c/ul\u003e\n"},"verification/verification-coverage":{"title":"Doğrulama Kapsamı","description":"63 yerleşik dedektörün hangilerinin canlı doğrulandığı, yalnızca format doğrulandığı veya doğrulanamaz olduğu ve bunun önceliklendirme açısından ne anlama geldiği.","html":"\u003ch1 id=\"dorulama-kapsam\"\u003eDoğrulama Kapsamı\u003c/h1\u003e\n\u003cp\u003eLeakwatch 63 yerleşik dedektör ve 54 doğrulayıcı ile gelir; bu, \u003cstrong\u003e%85,7\u003c/strong\u003e kapsama oranı sağlar (63 dedektör türünün 54'ünün bir tür doğrulaması mevcuttur). Bu sayfa, çıktınızda ne beklemeniz gerektiğini bilmeniz için her dedektörü doğrulama durumuna göre eşler.\u003c/p\u003e\n\u003ch2 id=\"canl-dorulanan-49-dedektr-tr\"\u003eCanlı doğrulanan (49 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu türler için Leakwatch, sağlayıcıya kontrollü, salt-okunur bir API çağrısı yapar ve \u003ccode\u003everified_active\u003c/code\u003e ya da \u003ccode\u003everified_inactive\u003c/code\u003e döndürür. Hiçbir veri oluşturulmaz veya değiştirilmez; çağrı, kimliği doğrulamak için gereken minimum uç noktayı kullanır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör türü\u003c/th\u003e\n\u003cth\u003eSağlayıcı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eaws-access-key-id\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAWS STS (\u003ccode\u003eGetCallerIdentity\u003c/code\u003e)\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egithub-oauth-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitHub REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egitlab-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGitLab REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSlack Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eopenai-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOpenAI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eanthropic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAnthropic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edeepseek-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDeepSeek API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehuggingface-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHugging Face API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esendgrid-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSendGrid Web API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003emailgun-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMailgun API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epostmark-server-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePostmark API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-live\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003estripe-api-key-test\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eStripe API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edigitalocean-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDigitalOcean API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecloudflare-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCloudflare API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eheroku-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eHeroku Platform API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003evercel-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVercel REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enpm-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003enpm Registry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epypi-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePyPI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erubygems-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eRubyGems API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edockerhub-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDocker Hub API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecircleci-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCircleCI API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eterraform-cloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTerraform Cloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ediscord-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDiscord API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etelegram-bot-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTelegram Bot API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esentry-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSentry API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003epagerduty-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003ePagerDuty API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enewrelic-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNew Relic API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egrafana-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGrafana API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatadog-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatadog API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnyk-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSnyk API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003etwilio-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTwilio API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edoppler-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDoppler API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elaunchdarkly-sdk-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLaunchDarkly API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esonarcloud-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSonarCloud API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eshopify-access-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eShopify Admin API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003enotion-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eNotion API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003elinear-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLinear API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003efigma-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFigma REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eairtable-pat\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAirtable API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eokta-api-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eOkta API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eauth0-management-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAuth0 Management API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabricks-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eDatabricks REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ebitbucket-app-password\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBitbucket REST API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ecoinbase-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eCoinbase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esupabase-service-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eSupabase API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003einfura-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eInfura API\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eteams-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eMicrosoft Teams\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"yalnzca-format-dorulamas-5-dedektr-tr\"\u003eYalnızca format doğrulaması (5 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu doğrulayıcılar tamamen çevrimdışı çalışır. Hiçbir ağ isteği yapılmaz. Geçerli bir format kimlik bilgisinin aktif olduğunu kanıtlamadığından, beşi de format kontrolünün geçip geçmediğinden bağımsız olarak her zaman \u003ccode\u003eunverified\u003c/code\u003e döndürür.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eDoğrulanan özellik\u003c/th\u003e\n\u003cth\u003eNeden canlı kontrol yok\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egcp-service-account\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJSON yapısı (\u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003eproject_id\u003c/code\u003e, \u003ccode\u003eprivate_key_id\u003c/code\u003e, \u003ccode\u003eclient_email\u003c/code\u003e)\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol, yan etkileri olan GCP OAuth2 token değişimi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003erabbitmq-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eAMQP URL'nin başarıyla ayrıştırılması\u003c/td\u003e\n\u003ctd\u003eHerkese açık kimlik doğrulamasız sağlık uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003esnowflake-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eParola uzunluğu ve host alt dize kontrolü\u003c/td\u003e\n\u003ctd\u003eCanlı kontrol bir JDBC/ODBC veritabanı bağlantısı gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-storage-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eHesap başına HMAC imzalama gerektirir; genel kimlik uç noktası yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eazure-entra-secret\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eFormat kontrolü\u003c/td\u003e\n\u003ctd\u003eİstemci kimlik bilgisi akışı oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"dorulanamaz-9-dedektr-tr\"\u003eDoğrulanamaz (9 dedektör türü)\u003c/h2\u003e\n\u003cp\u003eBu dedektör türlerinin hiç doğrulayıcısı yoktur. Bunlardan gelen bulgular her zaman \u003ccode\u003eunverified\u003c/code\u003e olur. Bu durum önemsiz oldukları anlamına \u003cstrong\u003egelmez\u003c/strong\u003e — tam olarak tespit edilip raporlanırlar — ancak herkese açık bir doğrulama API'si bulunmamakta ya da herhangi bir doğrulama girişimi yan etkiye yol açmaktadır.\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eDedektör ID\u003c/th\u003e\n\u003cth\u003eNeden\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ejwt\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eJWT herhangi bir tarafça yayınlanabilir; evrensel bir doğrulama uç noktası yoktur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eprivate-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eÇağrılacak sağlayıcı yok; aktif kullanım uzaktan tespit edilemez\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003egeneric-api-key\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eTanım gereği bilinmeyen sağlayıcı\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003edatabase-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak hedef veritabanında oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eredis-connection-string\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eBağlanmak Redis örneğinde canlı bağlantı açar\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eftp-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eGüvenli, salt-okunur FTP yoklama yöntemi yok\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eldap-credentials\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eLDAP bind kimliği doğrulanmış bir oturum oluşturur\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003eslack-webhook\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eWebhook'un aktif olduğunu doğrulamak mesaj göndermeyi gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003ccode\u003ehashicorp-vault-token\u003c/code\u003e\u003c/td\u003e\n\u003ctd\u003eVault token doğrulaması, Vault uç noktasının bilinmesini gerektirir\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"callout callout-note\"\u003e\u003cdiv class=\"callout-label\"\u003eNot\u003c/div\u003e\u003cdiv class=\"callout-body\"\u003e\u003cp\u003e\u0026quot;Doğrulanamaz\u0026quot; \u0026quot;bulunamaz\u0026quot; anlamına gelmez. Bu 9 türün tamamı yine de tespit edilir ve çıktınızda görünür. Kimlik bilgisinin canlı olup olmadığını ve döndürülmesi gerekip gerekmediğini belirlemek için manuel inceleme gerektirir.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e\n\u003ch2 id=\"kapsam-zeti\"\u003eKapsam özeti\u003c/h2\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eKategori\u003c/th\u003e\n\u003cth\u003eSayı\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003eCanlı doğrulanan\u003c/td\u003e\n\u003ctd\u003e49\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eYalnızca format doğrulaması\u003c/td\u003e\n\u003ctd\u003e5\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eDoğrulanamaz\u003c/td\u003e\n\u003ctd\u003e9\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eToplam dedektör\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e63\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eDoğrulayıcı (herhangi bir kapsam)\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cstrong\u003e54 (%85,7)\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"ayrca-bakn\"\u003eAyrıca bakın\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#/verification/how-verification-works\"\u003eDoğrulama Nasıl Çalışır\u003c/a\u003e — iki doğrulama modu, durumlar ve doğrulama motoru.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#/detectors/detector-catalog\"\u003eDedektör Kataloğu\u003c/a\u003e — yerleşik dedektörlerin tam listesi ve şiddet seviyeleri.\u003c/li\u003e\n\u003c/ul\u003e\n"}}; From 11e134e01903fe93e2b07ccef2fe095417103a32 Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sat, 23 May 2026 22:36:34 +0300 Subject: [PATCH 6/7] feat(site): add in-browser playground (real client-side scanner) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a /playground page where visitors paste text and run Leakwatch's real detection patterns entirely client-side — nothing is uploaded. - Patterns are auto-extracted from internal/detector by tools/site-build (go/ast -> site/js/detectors.js); Go RE2 ports cleanly to JS regex. - js/scanner.js applies the keyword pre-filter + regex + Shannon entropy, with a min-match-length guard (kills context-gate noise) and a 64 KB cap. - 62 of 63 detectors run in the browser (entropy-gated generic and runtime custom rules stay CLI-only). Honest 'preview, not verified' framing. - Bilingual (EN/TR); reachable via the nav 'Try it' link and the hero/nav 'Run scan' buttons (now link to the playground). Also: hero CTA 'Read the dossier' -> 'Read the docs'; replace the empty redaction boxes in the detector index with real redacted detector names that reveal on hover (+ count fixed to 44). Co-Authored-By: Claude Opus 4.7 (1M context) --- site/README.md | 26 +- site/contact.html | 1 + site/css/style.css | 34 +- site/docs.html | 1 + site/index.html | 9 +- site/js/detectors.js | 843 ++++++++++++++++++++++++++++++++++ site/js/scanner.js | 164 +++++++ site/js/translations.js | 68 ++- site/playground.html | 123 +++++ tools/site-build/detectors.go | 329 +++++++++++++ tools/site-build/main.go | 8 + 11 files changed, 1593 insertions(+), 13 deletions(-) create mode 100644 site/js/detectors.js create mode 100644 site/js/scanner.js create mode 100644 site/playground.html create mode 100644 tools/site-build/detectors.go diff --git a/site/README.md b/site/README.md index 8cf2d7c..f5d6b88 100644 --- a/site/README.md +++ b/site/README.md @@ -13,17 +13,20 @@ site/ ├── index.html Landing page (Redacted hero with a scan-reveal document) ├── docs.html Documentation portal (sidebar + hash-routed content) ├── contact.html Contact page (Formspree-backed form + GitHub channels) +├── playground.html In-browser scanner — paste text, real detection runs client-side ├── css/style.css Design system (the Redacted dossier theme) ├── js/ │ ├── translations.js UI strings for EN / TR (marketing chrome + docs shell) │ ├── i18n.js Language detection, switching, persistence │ ├── main.js Mobile nav, copy buttons, hero scan animation, contact form │ ├── docs.js Docs portal controller (nav, routing, search, Mermaid) +│ ├── scanner.js Playground engine (runs window.LW_DETECTORS client-side) +│ ├── detectors.js GENERATED — detector patterns extracted from internal/detector │ └── manuals/ GENERATED — compiled manual content (do not edit by hand) │ ├── _index.js Navigation tree (from docs/user-manuals/_meta.yaml) │ ├── en.js English manual pages, rendered to HTML │ └── tr.js Turkish manual pages, rendered to HTML -├── assets/ favicon.svg, og.svg +├── assets/ favicon.svg, og.svg, fonts/ └── .nojekyll Disable Jekyll (so files like _index.js are served) ``` @@ -34,6 +37,27 @@ single set of URLs, with the language toggled in the navbar and remembered in `localStorage`. UI strings live in `js/translations.js`; manual content is compiled per language into `js/manuals/.js`. +## Playground (in-browser scanner) + +`playground.html` + `js/scanner.js` let visitors paste a file and run Leakwatch's +**real detection patterns entirely client-side** — nothing is uploaded. It is a +preview: regex + entropy detection only. The CLI adds live verification, Git +history, containers, cloud/Slack, and the entropy/custom-rule detectors. + +The patterns are **not hand-maintained**. `tools/site-build` parses +`internal/detector/**` with `go/ast` and emits `js/detectors.js` +(`window.LW_DETECTORS`) — each detector's ID, severity, keywords, and regex +pattern(s). Go uses RE2 (no look-around/back-references), a subset of JS regex, +so patterns port over; a small normalization step handles Go-only tokens +(leading inline flags → JS flags, `(?P)` → `(?)`, Go anchors). This +keeps the browser scanner in sync with the engine automatically. Currently +**62 of 63** detectors run in the browser (the entropy-gated generic detector +and runtime custom rules stay CLI-only). Regenerate together with the manuals: + +```bash +cd tools/site-build && go run . +``` + ## Contact form (Formspree) `contact.html` posts to [Formspree](https://formspree.io). Before it works you diff --git a/site/contact.html b/site/contact.html index 267644d..093e9ba 100644 --- a/site/contact.html +++ b/site/contact.html @@ -25,6 +25,7 @@ How it works Sources Detectors + Try it Docs Contact
diff --git a/site/css/style.css b/site/css/style.css index 9793c7a..c69830c 100644 --- a/site/css/style.css +++ b/site/css/style.css @@ -209,7 +209,6 @@ h1,h2,h3,h4{font-family:var(--display);font-weight:700;letter-spacing:-.015em;co /* ---- detector index ---- */ .index-grid{display:flex;flex-wrap:wrap;gap:8px} .idx-chip{font-family:var(--mono);font-size:12px;color:var(--muted);border:1px solid var(--line-2);border-radius:4px;padding:6px 11px;background:var(--panel)} -.idx-chip.r{background:#000;color:transparent;box-shadow:inset 0 0 0 1px #000;width:78px} .idx-chip.more{color:var(--alert);border-color:rgba(230,57,77,.4)} .idx-chip.more:hover{background:rgba(230,57,77,.08)} @@ -349,6 +348,37 @@ h1,h2,h3,h4{font-family:var(--display);font-weight:700;letter-spacing:-.015em;co .toc-link.lvl-3:hover{color:var(--muted)} .toc-link.active{color:var(--alert-2);border-left-color:var(--alert)} +/* ========================================================================== + Playground (in-browser scanner) + ========================================================================== */ +.play-privacy{display:inline-flex;align-items:center;gap:8px;font-size:13px;color:var(--cleared);margin-top:8px} +.play-grid{display:grid;grid-template-columns:1fr 1fr;gap:18px;align-items:start} +.play-card{border-radius:8px;display:flex;flex-direction:column;min-height:400px} +.play-head{display:flex;align-items:center;gap:10px;padding:10px 14px;border-bottom:1px solid var(--line);background:var(--panel-2);font-size:12px;color:var(--muted)} +.play-head .file{color:var(--paper);font-weight:600} +.play-samples{margin-left:auto;display:flex;gap:8px} +.play-mini{font-family:var(--mono);font-size:11px;color:var(--muted);border:1px solid var(--line-2);background:none;border-radius:5px;padding:3px 9px;cursor:pointer} +.play-mini:hover{color:var(--paper);border-color:var(--alert)} +#code{flex:1;width:100%;min-height:330px;resize:vertical;background:var(--code-bg);color:var(--code-text);border:0;outline:none;font-family:var(--mono);font-size:13px;line-height:1.85;padding:14px 16px;display:block} +.play-run{display:flex;gap:10px;align-items:center;padding:12px 14px;border-top:1px solid var(--line);background:var(--panel-2)} +.play-count{margin-left:auto;color:var(--muted);font-size:12px} +.play-out{flex:1;overflow-y:auto;padding:10px 12px;min-height:330px} +.play-empty{color:var(--faint);font-size:13px;padding:26px 6px;text-align:center} +.play-trunc{color:var(--warn);font-size:12px;padding:4px 6px 12px} +.play-finding{border:1px solid var(--line-2);border-left:3px solid var(--alert);background:var(--panel-2);border-radius:0 7px 7px 0;padding:10px 13px;margin-bottom:8px;opacity:0;transform:translateX(-6px);animation:pf-in .25s forwards} +@keyframes pf-in{to{opacity:1;transform:none}} +.pf-top{display:flex;align-items:center;gap:10px} +.pf-det{font-weight:700;color:var(--paper);font-size:13.5px} +.pf-loc{margin-left:auto;font-size:11.5px;color:var(--faint)} +.pf-val{margin-top:7px} +.pf-secret{font-family:var(--mono);font-size:12.5px;color:var(--alert-2);background:rgba(230,57,77,.08);border:1px solid var(--line);border-radius:4px;padding:.12em .45em;word-break:break-all} +.pf-meta{font-size:11px;color:var(--muted);margin-top:6px;display:flex;gap:14px;flex-wrap:wrap} +.pf-status{color:var(--info)} +.sev.critical{background:rgba(230,57,77,.16);color:var(--alert-2)} +.sev.high{background:rgba(240,133,47,.16);color:var(--sev-high)} +.sev.medium{background:rgba(240,180,41,.16);color:var(--warn)} +.sev.low{background:rgba(90,169,230,.16);color:var(--sev-low)} + /* ========================================================================== Responsive ========================================================================== */ @@ -370,7 +400,7 @@ h1,h2,h3,h4{font-family:var(--display);font-weight:700;letter-spacing:-.015em;co .nav-menu{display:none} .nav-burger{display:inline-flex} .stats{grid-template-columns:1fr 1fr} - .grid-3,.grid-2,.chain{grid-template-columns:1fr} + .grid-3,.grid-2,.chain,.play-grid{grid-template-columns:1fr} .footer-grid{grid-template-columns:1fr;gap:24px} .case-row{grid-template-columns:30px 1fr 96px;gap:8px} .case-row .loc,.case-row .num,.case-row .h-action{display:none} diff --git a/site/docs.html b/site/docs.html index e4895db..bcc013d 100644 --- a/site/docs.html +++ b/site/docs.html @@ -23,6 +23,7 @@ How it works Sources Detectors + Try it Docs Contact
diff --git a/site/index.html b/site/index.html index 2d1178a..c429814 100644 --- a/site/index.html +++ b/site/index.html @@ -30,6 +30,7 @@ How it works Sources Detectors + Try it Docs Contact @@ -45,7 +46,7 @@ GitHub - + ▸ Run scan @@ -59,8 +60,8 @@

Some secrets shouldn't be visible.
Leakwatch finds the ones that are.

Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.

63 detectors · 54 live verifiers · 6 sources · exit-code aware
@@ -162,7 +163,7 @@

Some secrets shouldn't be § 06

Redacted index — 63 detectors

A sample of the catalog. 54 of these can be verified against the live provider. Add your own with YAML custom rules.

- aws-access-key-idgcp-service-accountopenai-api-keyanthropic-api-keygithub-tokenstripe-api-key-liveslack-tokentwilio-api-keydatadog-api-keycloudflare-api-tokenprivate-keyjwtsupabase-service-keygitlab-pat+ 45 more · view full catalog → + aws-access-key-idgcp-service-accountopenai-api-keyanthropic-api-keygithub-tokenstripe-api-key-livesendgrid-api-keyslack-tokentwilio-api-keydigitalocean-tokendatadog-api-keycloudflare-api-tokennpm-tokenprivate-keyjwtshopify-access-tokensupabase-service-keygitlab-patvercel-token+ 44 more · view full catalog →

diff --git a/site/js/detectors.js b/site/js/detectors.js new file mode 100644 index 0000000..bc6fd2b --- /dev/null +++ b/site/js/detectors.js @@ -0,0 +1,843 @@ +// Generated by tools/site-build from internal/detector. Do not edit by hand. +window.LW_DETECTORS = [ + { + "id": "airtable-pat", + "severity": "high", + "keywords": [ + "pat", + "airtable", + "AIRTABLE" + ], + "patterns": [ + { + "src": "pat[A-Za-z0-9]{14}\\.[a-f0-9]{64}" + } + ] + }, + { + "id": "anthropic-api-key", + "severity": "critical", + "keywords": [ + "sk-ant-" + ], + "patterns": [ + { + "src": "sk-ant-[A-Za-z0-9_-]{85,}" + } + ] + }, + { + "id": "auth0-management-token", + "severity": "critical", + "keywords": [ + "AUTH0_MANAGEMENT_TOKEN", + "AUTH0_API_TOKEN", + "auth0_token", + "auth0" + ], + "patterns": [ + { + "src": "(?:AUTH0_MANAGEMENT_TOKEN|AUTH0_API_TOKEN|auth0_token)\\s*[=:]\\s*['\"]?([A-Za-z0-9_-]{30,})['\"]?" + } + ] + }, + { + "id": "aws-access-key-id", + "severity": "critical", + "keywords": [ + "AKIA", + "ABIA", + "ACCA", + "ASIA" + ], + "patterns": [ + { + "src": "(AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}" + } + ] + }, + { + "id": "azure-entra-secret", + "severity": "critical", + "keywords": [ + "AZURE_CLIENT_SECRET", + "azure_client_secret", + "client_secret" + ], + "patterns": [ + { + "src": "(?:AZURE_CLIENT_SECRET|azure_client_secret|client_secret)\\s*[=:]\\s*['\"]?([A-Za-z0-9~._-]{34,40})['\"]?" + } + ] + }, + { + "id": "azure-storage-key", + "severity": "critical", + "keywords": [ + "DefaultEndpointsProtocol", + "AccountKey" + ], + "patterns": [ + { + "src": "DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{86,88};" + } + ] + }, + { + "id": "bitbucket-app-password", + "severity": "critical", + "keywords": [ + "BITBUCKET_APP_PASSWORD", + "bitbucket_app_password", + "bitbucket" + ], + "patterns": [ + { + "src": "(?:BITBUCKET_APP_PASSWORD|bitbucket_app_password|bitbucket)\\s*[=:]\\s*['\"]?([A-Za-z0-9]{18,24})['\"]?" + } + ] + }, + { + "id": "circleci-token", + "severity": "high", + "keywords": [ + "CCIPAT_", + "circleci", + "CIRCLECI" + ], + "patterns": [ + { + "src": "CCIPAT_[A-Za-z0-9_]{50,}" + } + ] + }, + { + "id": "cloudflare-api-token", + "severity": "critical", + "keywords": [ + "cloudflare", + "CLOUDFLARE", + "CF_API_TOKEN", + "cf_api_token", + "cf_api_key" + ], + "patterns": [ + { + "src": "(?:CF_API_TOKEN|CLOUDFLARE_API_TOKEN|cloudflare_api_token|cf_api_key)\\s*[=:]\\s*['\"]?([A-Za-z0-9_-]{40})['\"]?" + } + ] + }, + { + "id": "coinbase-api-key", + "severity": "critical", + "keywords": [ + "COINBASE_API_KEY", + "coinbase_api_key", + "coinbase_api_secret" + ], + "patterns": [ + { + "src": "(?:COINBASE_API_KEY|coinbase_api_key|coinbase_api_secret)\\s*[=:]\\s*['\"]?([A-Za-z0-9+/=]{16,64})['\"]?" + } + ] + }, + { + "id": "database-connection-string", + "severity": "critical", + "keywords": [ + "postgres://", + "mysql://", + "mongodb://", + "mongodb+srv://", + "redis://", + "Password=", + "password=", + "Pwd=", + "pwd=" + ], + "patterns": [ + { + "src": "(postgres|mysql|mongodb(\\+srv)?|redis)://[^\\s'\"]+@[^\\s'\"]+" + }, + { + "src": "(?:Host|Server|Data Source)=[^;]+;[^'\"]*(?:Password|Pwd)=([^;'\"\\s]+)", + "flags": "i" + } + ] + }, + { + "id": "databricks-token", + "severity": "critical", + "keywords": [ + "dapi" + ], + "patterns": [ + { + "src": "dapi[a-f0-9]{32}(-[0-9])?" + } + ] + }, + { + "id": "datadog-api-key", + "severity": "critical", + "keywords": [ + "DD_API_KEY", + "DATADOG_API_KEY", + "datadog_api_key" + ], + "patterns": [ + { + "src": "(?:DD_API_KEY|DATADOG_API_KEY|datadog_api_key)\\s*[=:]\\s*['\"]?([a-fA-F0-9]{32})['\"]?" + } + ] + }, + { + "id": "deepseek-api-key", + "severity": "critical", + "keywords": [ + "deepseek", + "DEEPSEEK", + "deep_seek" + ], + "patterns": [ + { + "src": "sk-[a-f0-9]{32,}" + } + ] + }, + { + "id": "digitalocean-token", + "severity": "critical", + "keywords": [ + "dop_v1_" + ], + "patterns": [ + { + "src": "dop_v1_[a-f0-9]{64}" + } + ] + }, + { + "id": "discord-bot-token", + "severity": "critical", + "keywords": [], + "patterns": [ + { + "src": "[MNO][A-Za-z0-9_-]{23}\\.[A-Za-z0-9_-]{6}\\.[A-Za-z0-9_-]{27,}" + } + ] + }, + { + "id": "dockerhub-pat", + "severity": "critical", + "keywords": [ + "dckr_pat_" + ], + "patterns": [ + { + "src": "dckr_pat_[A-Za-z0-9_-]{27,}" + } + ] + }, + { + "id": "doppler-token", + "severity": "critical", + "keywords": [ + "dp.st." + ], + "patterns": [ + { + "src": "dp\\.st\\.[a-zA-Z0-9_-]{40,}" + } + ] + }, + { + "id": "figma-pat", + "severity": "high", + "keywords": [ + "figd_" + ], + "patterns": [ + { + "src": "figd_[A-Za-z0-9_-]{40,}" + } + ] + }, + { + "id": "ftp-credentials", + "severity": "critical", + "keywords": [ + "ftp://", + "sftp://", + "ftps://" + ], + "patterns": [ + { + "src": "(?:s?ftps?)://[^\\s'\"]+:[^\\s'\"]+@[^\\s'\"]+" + } + ] + }, + { + "id": "gcp-service-account", + "severity": "critical", + "keywords": [ + "service_account", + "private_key_id", + "client_email" + ], + "patterns": [ + { + "src": "\"type\"\\s*:\\s*\"service_account\"" + }, + { + "src": "\"private_key_id\"\\s*:\\s*\"([^\"]+)\"" + }, + { + "src": "\"client_email\"\\s*:\\s*\"([^\"]+)\"" + } + ] + }, + { + "id": "github-oauth-token", + "severity": "critical", + "keywords": [ + "gho_", + "ghu_", + "ghr_", + "ghs_" + ], + "patterns": [ + { + "src": "gh[orus]_[A-Za-z0-9_]{36,}" + } + ] + }, + { + "id": "github-token", + "severity": "critical", + "keywords": [ + "ghp_" + ], + "patterns": [ + { + "src": "ghp_[A-Za-z0-9_]{36,100}" + } + ] + }, + { + "id": "gitlab-pat", + "severity": "critical", + "keywords": [ + "glpat-" + ], + "patterns": [ + { + "src": "glpat-[A-Za-z0-9_\\-]{20}" + } + ] + }, + { + "id": "grafana-api-key", + "severity": "high", + "keywords": [ + "glsa_" + ], + "patterns": [ + { + "src": "glsa_[A-Za-z0-9_]{32,}_[a-f0-9]{8}" + } + ] + }, + { + "id": "hashicorp-vault-token", + "severity": "critical", + "keywords": [ + "hvs.", + "VAULT_TOKEN", + "vault_token" + ], + "patterns": [ + { + "src": "hvs\\.[A-Za-z0-9_-]{24,}" + } + ] + }, + { + "id": "heroku-api-key", + "severity": "critical", + "keywords": [ + "HEROKU_API_KEY", + "heroku_api_key", + "heroku" + ], + "patterns": [ + { + "src": "(?:HEROKU_API_KEY|heroku_api_key|heroku)\\s*[=:]\\s*['\"]?([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['\"]?" + } + ] + }, + { + "id": "huggingface-token", + "severity": "critical", + "keywords": [ + "hf_" + ], + "patterns": [ + { + "src": "hf_[A-Za-z0-9]{34,}" + } + ] + }, + { + "id": "infura-api-key", + "severity": "high", + "keywords": [ + "INFURA_API_KEY", + "infura_api_key", + "infura" + ], + "patterns": [ + { + "src": "(?:INFURA_API_KEY|infura_api_key|infura)\\s*[=:]\\s*['\"]?([a-f0-9]{32})['\"]?" + } + ] + }, + { + "id": "jwt", + "severity": "high", + "keywords": [ + "eyJ" + ], + "patterns": [ + { + "src": "eyJ[A-Za-z0-9_-]{10,}\\.eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}" + } + ] + }, + { + "id": "launchdarkly-sdk-key", + "severity": "high", + "keywords": [ + "sdk-", + "launchdarkly", + "LAUNCHDARKLY" + ], + "patterns": [ + { + "src": "sdk-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}" + } + ] + }, + { + "id": "ldap-credentials", + "severity": "critical", + "keywords": [ + "ldap://", + "ldaps://" + ], + "patterns": [ + { + "src": "ldaps?://[^\\s'\"]+:[^\\s'\"]+@[^\\s'\"]+" + } + ] + }, + { + "id": "linear-api-key", + "severity": "high", + "keywords": [ + "lin_api_" + ], + "patterns": [ + { + "src": "lin_api_[A-Za-z0-9]{40,}" + } + ] + }, + { + "id": "mailgun-api-key", + "severity": "critical", + "keywords": [ + "mailgun", + "MAILGUN", + "key-" + ], + "patterns": [ + { + "src": "key-[a-f0-9]{32}" + } + ] + }, + { + "id": "newrelic-api-key", + "severity": "high", + "keywords": [ + "NRAK-" + ], + "patterns": [ + { + "src": "NRAK-[A-Z0-9]{27}" + } + ] + }, + { + "id": "notion-token", + "severity": "high", + "keywords": [ + "ntn_", + "secret_" + ], + "patterns": [ + { + "src": "ntn_[A-Za-z0-9]{43,}" + }, + { + "src": "secret_[A-Za-z0-9]{43,}" + } + ] + }, + { + "id": "npm-token", + "severity": "high", + "keywords": [ + "npm_" + ], + "patterns": [ + { + "src": "npm_[A-Za-z0-9]{36}" + } + ] + }, + { + "id": "okta-api-token", + "severity": "critical", + "keywords": [ + "okta", + "OKTA", + "SSWS" + ], + "patterns": [ + { + "src": "(?:okta|SSWS)", + "flags": "i" + }, + { + "src": "00[A-Za-z0-9_-]{40}" + } + ] + }, + { + "id": "openai-api-key", + "severity": "critical", + "keywords": [ + "sk-proj-" + ], + "patterns": [ + { + "src": "sk-proj-[A-Za-z0-9_-]{50,}" + } + ] + }, + { + "id": "pagerduty-api-key", + "severity": "high", + "keywords": [ + "pagerduty", + "PAGERDUTY", + "PagerDuty" + ], + "patterns": [ + { + "src": "(?:PAGERDUTY_API_KEY|pagerduty_api_key|pagerduty_token|PAGERDUTY_TOKEN|pagerduty)\\s*[=:]\\s*['\"]?(u\\+[A-Za-z0-9_-]{17,})['\"]?" + } + ] + }, + { + "id": "postmark-server-token", + "severity": "high", + "keywords": [ + "POSTMARK_SERVER_TOKEN", + "postmark_server_token", + "X-Postmark-Server-Token" + ], + "patterns": [ + { + "src": "(?:POSTMARK_SERVER_TOKEN|postmark_server_token|X-Postmark-Server-Token)\\s*[=:]\\s*['\"]?([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['\"]?" + } + ] + }, + { + "id": "private-key", + "severity": "critical", + "keywords": [ + "-----BEGIN RSA PRIVATE", + "-----BEGIN OPENSSH PRIVATE", + "-----BEGIN DSA PRIVATE", + "-----BEGIN EC PRIVATE", + "-----BEGIN PGP PRIVATE", + "-----BEGIN PRIVATE KEY" + ], + "patterns": [ + { + "src": "-----BEGIN\\s+(RSA |OPENSSH |DSA |EC |PGP )?PRIVATE KEY( BLOCK)?-----" + }, + { + "src": "-----END\\s+(?:RSA |OPENSSH |DSA |EC |PGP )?PRIVATE KEY(?: BLOCK)?-----" + } + ] + }, + { + "id": "pypi-api-token", + "severity": "high", + "keywords": [ + "pypi-" + ], + "patterns": [ + { + "src": "pypi-[A-Za-z0-9_-]{16,}" + } + ] + }, + { + "id": "rabbitmq-connection-string", + "severity": "critical", + "keywords": [ + "amqp://", + "amqps://" + ], + "patterns": [ + { + "src": "amqps?://[^\\s'\"]+:[^\\s'\"]+@[^\\s'\"]+" + } + ] + }, + { + "id": "redis-connection-string", + "severity": "critical", + "keywords": [ + "redis://", + "rediss://" + ], + "patterns": [ + { + "src": "rediss?://[^\\s'\"]+:[^\\s'\"]+@[^\\s'\"]+" + } + ] + }, + { + "id": "rubygems-api-key", + "severity": "high", + "keywords": [ + "rubygems_" + ], + "patterns": [ + { + "src": "rubygems_[a-f0-9]{48}" + } + ] + }, + { + "id": "sendgrid-api-key", + "severity": "critical", + "keywords": [ + "SG." + ], + "patterns": [ + { + "src": "SG\\.[A-Za-z0-9_-]{22}\\.[A-Za-z0-9_-]{43}" + } + ] + }, + { + "id": "sentry-token", + "severity": "high", + "keywords": [ + "sntrys_" + ], + "patterns": [ + { + "src": "sntrys_[A-Za-z0-9_]{40,}" + } + ] + }, + { + "id": "shopify-access-token", + "severity": "critical", + "keywords": [ + "shpat_" + ], + "patterns": [ + { + "src": "shpat_[a-f0-9]{32}" + } + ] + }, + { + "id": "slack-token", + "severity": "critical", + "keywords": [ + "xoxb-", + "xoxp-", + "xoxa-", + "xoxr-" + ], + "patterns": [ + { + "src": "xox[bpar]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,34}" + } + ] + }, + { + "id": "slack-webhook", + "severity": "high", + "keywords": [ + "hooks.slack.com" + ], + "patterns": [ + { + "src": "https://hooks\\.slack\\.com/services/T[A-Z0-9]{8,}/B[A-Z0-9]{8,}/[a-zA-Z0-9]{20,48}" + } + ] + }, + { + "id": "snowflake-credentials", + "severity": "critical", + "keywords": [ + "snowflakecomputing" + ], + "patterns": [ + { + "src": "snowflakecomputing\\.com[^\\s]*(?:password|pwd|PWD|PASSWORD)\\s*=\\s*([^\u0026\\s'\"]+)" + } + ] + }, + { + "id": "snyk-api-key", + "severity": "high", + "keywords": [ + "SNYK_TOKEN", + "snyk_token", + "SNYK_API_KEY" + ], + "patterns": [ + { + "src": "(?:SNYK_TOKEN|snyk_token|SNYK_API_KEY)\\s*[=:]\\s*['\"]?([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['\"]?" + } + ] + }, + { + "id": "sonarcloud-token", + "severity": "high", + "keywords": [ + "sqp_" + ], + "patterns": [ + { + "src": "sqp_[a-f0-9]{40}" + } + ] + }, + { + "id": "stripe-api-key-live", + "severity": "critical", + "keywords": [ + "sk_live_", + "rk_live_" + ], + "patterns": [ + { + "src": "(sk|rk)_live_[a-zA-Z0-9]{24,99}" + } + ] + }, + { + "id": "stripe-api-key-test", + "severity": "high", + "keywords": [ + "sk_test_", + "rk_test_" + ], + "patterns": [ + { + "src": "(sk|rk)_test_[a-zA-Z0-9]{24,99}" + } + ] + }, + { + "id": "supabase-service-key", + "severity": "critical", + "keywords": [ + "sbp_" + ], + "patterns": [ + { + "src": "sbp_[a-f0-9]{40}" + } + ] + }, + { + "id": "teams-webhook", + "severity": "high", + "keywords": [ + "webhook.office.com", + "IncomingWebhook" + ], + "patterns": [ + { + "src": "https://[a-zA-Z0-9-]+\\.webhook\\.office\\.com/webhookb2/[a-f0-9-]+/IncomingWebhook/[a-f0-9]+/[a-f0-9-]+" + } + ] + }, + { + "id": "telegram-bot-token", + "severity": "high", + "keywords": [], + "patterns": [ + { + "src": "[0-9]{7,10}:[A-Za-z0-9_-]{35}" + } + ] + }, + { + "id": "terraform-cloud-token", + "severity": "critical", + "keywords": [ + "atlasv1", + "terraform", + "TF_TOKEN" + ], + "patterns": [ + { + "src": "[a-zA-Z0-9]{14}\\.atlasv1\\.[a-zA-Z0-9]{67,}" + } + ] + }, + { + "id": "twilio-api-key", + "severity": "critical", + "keywords": [ + "twilio", + "TWILIO", + "twilio_api" + ], + "patterns": [ + { + "src": "SK[a-f0-9]{32}" + }, + { + "src": "AC[a-f0-9]{32}" + } + ] + }, + { + "id": "vercel-token", + "severity": "high", + "keywords": [ + "vercel_" + ], + "patterns": [ + { + "src": "vercel_[A-Za-z0-9_-]{24,}" + } + ] + } +]; diff --git a/site/js/scanner.js b/site/js/scanner.js new file mode 100644 index 0000000..9f1a59d --- /dev/null +++ b/site/js/scanner.js @@ -0,0 +1,164 @@ +/* Leakwatch playground — in-browser secret scanner. + Loads the detector set compiled from the Go source (window.LW_DETECTORS) and + runs real regex + entropy detection entirely client-side. Nothing is ever + uploaded. This is a preview: it does pattern detection only — the CLI adds + live verification, Git history, containers, cloud, and entropy/custom rules. */ +(function () { + "use strict"; + + var codeEl = document.getElementById("code"); + if (!codeEl) return; + var out = document.getElementById("out"); + var countEl = document.getElementById("count"); + var detCountEl = document.getElementById("detCount"); + + var MIN_MATCH = 8; // ignore matches shorter than this (kills context-gate noise) + var INPUT_CAP = 64 * 1024; // guard against pathological input + + function t(k, fb) { + return (window.LWI18n && window.LWI18n.t(k)) || fb || k; + } + + // Compile the usable detector set from the build-extracted patterns. + var DETS = (window.LW_DETECTORS || []).map(function (d) { + var res = (d.patterns || []).map(function (p) { + try { + var flags = "g" + (p.flags || "").replace(/g/g, ""); + return new RegExp(p.src, flags); + } catch (e) { + return null; + } + }).filter(Boolean); + return { id: d.id, sev: d.severity, kw: d.keywords || [], res: res }; + }).filter(function (d) { return d.res.length; }); + + if (detCountEl) detCountEl.textContent = String(DETS.length); + + var SAMPLES = { + env: +"# config/prod.env (example values — safe to scan)\n" + +"DB_HOST=db.internal.acme.io\n" + +"DB_PORT=5432\n" + +// Example values are split into fragments so the source file never contains a +// contiguous secret-shaped string (which would trip secret-scanning / push +// protection). They are reassembled at runtime, so the demo is unaffected. +"AWS_ACCESS_KEY_ID=" + "AKIA" + "IOSFODNN7EXAMPLE\n" + +"OPENAI_API_KEY=" + "sk-" + "proj-Hb3xExampleKey0aZ9q1W2e3R4t5Y6u7I8o9P0aS1d2F3g4H5j6K7l8\n" + +"GITHUB_TOKEN=" + "ghp" + "_Example1234567890abcdefABCDEF1234567890\n" + +"STRIPE_SECRET=" + "sk_" + "live_4eC39HqLyExampleKey1234abcd\n" + +"LOG_LEVEL=info\n" + +"JWT=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.dozjgExampleSignature0w5Nq9\n", + code: +"// service/client.js (example values)\n" + +"const cfg = {\n" + +" region: \"eu-central-1\",\n" + +" sendgrid: \"" + "SG." + "Exampleaaaaaaaaaaaaaaaa.Examplebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\",\n" + +" npmToken: \"" + "npm" + "_Example1234567890abcdefABCDEFabcdef12\",\n" + +" digitalocean: \"dop_v1_\" + \"a\".repeat(64),\n" + +"};\n", + clear: "", + }; + codeEl.value = SAMPLES.env; + + function entropy(s) { + var freq = {}, i; + for (i = 0; i < s.length; i++) freq[s[i]] = (freq[s[i]] || 0) + 1; + var e = 0, n = s.length, k; + for (k in freq) { var p = freq[k] / n; e -= p * Math.log2(p); } + return e.toFixed(2); + } + function redact(s) { + if (s.length <= 12) return "•".repeat(s.length); + return s.slice(0, 4) + "•".repeat(Math.min(14, s.length - 8)) + s.slice(-4); + } + function lineOf(text, idx) { return text.slice(0, idx).split("\n").length; } + function esc(s) { + return String(s).replace(/[&<>"]/g, function (c) { + return { "&": "&", "<": "<", ">": ">", '"': """ }[c]; + }); + } + + var lastFound = [], lastTruncated = false; + + function scan() { + var text = codeEl.value; + var truncated = false; + if (text.length > INPUT_CAP) { text = text.slice(0, INPUT_CAP); truncated = true; } + var lower = text.toLowerCase(); + var found = [], seen = {}; + + DETS.forEach(function (d) { + // Aho-Corasick-style keyword pre-filter (faithful to the engine). + if (d.kw.length && !d.kw.some(function (k) { return lower.indexOf(k.toLowerCase()) !== -1; })) return; + d.res.forEach(function (re) { + re.lastIndex = 0; + var m; + while ((m = re.exec(text)) !== null) { + var whole = m[0]; + if (whole.length >= MIN_MATCH) { + // Prefer the longest capture group (the secret) for display. + var disp = whole; + for (var i = 1; i < m.length; i++) { + if (m[i] && m[i].length >= MIN_MATCH && m[i].length < disp.length) disp = m[i]; + } + var line = lineOf(text, m.index); + var key = d.id + "|" + disp + "|" + line; + if (!seen[key]) { seen[key] = true; found.push({ id: d.id, sev: d.sev, line: line, val: disp }); } + } + if (m.index === re.lastIndex) re.lastIndex++; // avoid zero-width loop + } + }); + }); + + var order = { critical: 0, high: 1, medium: 2, low: 3 }; + found.sort(function (a, b) { return (order[a.sev] - order[b.sev]) || (a.line - b.line); }); + lastFound = found; lastTruncated = truncated; + render(found, truncated); + } + + function render(found, truncated) { + countEl.textContent = found.length + ? found.length + " " + t("play.count.detected", "detected") + : "0 " + t("play.count.findings", "findings"); + if (!found.length) { + out.innerHTML = '
' + esc(t("play.none", "No secrets detected in this input.")) + "
"; + return; + } + var html = ""; + if (truncated) html += '
' + esc(t("play.truncated", "Input truncated to 64 KB for this preview.")) + "
"; + found.forEach(function (f, i) { + html += + '
' + + '
' + f.sev.toUpperCase() + "" + + '' + esc(f.id) + "" + + '' + t("play.f.line", "line") + " " + f.line + "
" + + '
' + esc(redact(f.val)) + "
" + + '
' + t("play.f.entropy", "entropy") + " " + entropy(f.val) + "" + + "" + f.val.length + " " + t("play.f.chars", "chars") + "" + + '' + t("play.f.detected", "detected · verify in CLI") + "
" + + "
"; + }); + out.innerHTML = html; + } + + // Wiring + document.getElementById("run").addEventListener("click", scan); + codeEl.addEventListener("keydown", function (e) { + if ((e.metaKey || e.ctrlKey) && e.key === "Enter") { e.preventDefault(); scan(); } + }); + document.querySelectorAll("[data-sample]").forEach(function (b) { + b.addEventListener("click", function () { + codeEl.value = SAMPLES[b.getAttribute("data-sample")] || ""; + if (b.getAttribute("data-sample") === "clear") { lastFound = []; render([], false); } else { scan(); } + }); + }); + var pasteBtn = document.getElementById("paste"); + if (pasteBtn) pasteBtn.addEventListener("click", function () { + if (navigator.clipboard && navigator.clipboard.readText) { + navigator.clipboard.readText().then(function (txt) { codeEl.value = txt; scan(); }).catch(function () { codeEl.focus(); }); + } else { codeEl.focus(); } + }); + document.addEventListener("lw:langchange", function () { render(lastFound, lastTruncated); }); + + window.addEventListener("load", function () { setTimeout(scan, 350); }); +})(); diff --git a/site/js/translations.js b/site/js/translations.js index 8a2c4e2..3e949c8 100644 --- a/site/js/translations.js +++ b/site/js/translations.js @@ -27,7 +27,7 @@ window.LW_T = { "hero.title": "Some secrets shouldn't be visible.
Leakwatch finds the ones that are.", "hero.lede": "Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.", "hero.cta.run": "▸ Run the scan", - "hero.cta.docs": "Read the dossier", + "hero.cta.docs": "Read the docs", "hero.kv": "63 detectors · 54 live verifiers · 6 sources · exit-code aware", "hero.doc.redacted": "3 REDACTED", "hero.doc.hint": "hover a redaction to reveal it", @@ -91,7 +91,7 @@ window.LW_T = { "index.title": "Redacted index — 63 detectors", "index.intro": "A sample of the catalog. 54 of these can be verified against the live provider. Add your own with YAML custom rules.", - "index.more": "+ 45 more · view full catalog →", + "index.more": "+ 44 more · view full catalog →", "cta.title": "Declassify your repo", "cta.subtitle": "One static binary. No daemon, no runtime dependencies. Install it your way.", @@ -145,7 +145,35 @@ window.LW_T = { "contact.ch.sec.a": "Open a private advisory →", "contact.ch.docs.t": "Read the docs first", "contact.ch.docs.d": "Most questions are answered in the bilingual user manual.", - "contact.ch.docs.a": "Browse the documentation →" + "contact.ch.docs.a": "Browse the documentation →", + + "nav.tryit": "Try it", + "meta.play.title": "Playground — scan in your browser · Leakwatch", + "meta.play.desc": "Try Leakwatch in your browser. Paste a file and its real detection patterns run client-side — nothing is uploaded.", + "play.classbar": "Client-side · nothing uploaded", + "play.eyebrow": "▸ Try it", + "play.title": "Scan it yourself.", + "play.lede": "Paste a config file, an .env, a diff — anything. Leakwatch's real detection patterns run right here in your browser. No upload, no server.", + "play.detsuffix": "of 63 detectors run in your browser · your input is never sent anywhere", + "play.editor.file": "paste-here.txt", + "play.sample.env": ".env", + "play.sample.code": "source", + "play.sample.clear": "clear", + "play.run": "▸ Run scan", + "play.paste": "Paste from clipboard", + "play.kbd": "⌘/Ctrl + Enter", + "play.results.title": "Findings", + "play.empty": "Hit Run scan to scan the text on the left.", + "play.none": "No secrets detected in this input. Try the .env sample, or paste your own.", + "play.truncated": "Input truncated to 64 KB for this preview.", + "play.count.detected": "detected", + "play.count.findings": "findings", + "play.f.line": "line", + "play.f.entropy": "entropy", + "play.f.chars": "chars", + "play.f.detected": "detected · verify in CLI", + "play.caveat.label": "Browser preview", + "play.caveat": "This runs Leakwatch's real regex + entropy detection client-side. The CLI adds live verification (is the key still active?), Git history, container images, cloud & Slack, and the full detector set. Findings here are “detected”, not “verified”." }, tr: { @@ -172,7 +200,7 @@ window.LW_T = { "hero.title": "Bazı sırlar görünür olmamalı.
Leakwatch görünür olanları bulur.", "hero.lede": "Sızan API anahtarlarını, token'ları ve kimlik bilgilerini kodda, Git geçmişinde, konteynerlerde ve bulutta tespit edin, doğrulayın ve raporlayın — sonra sansürlerin kalkışını izleyin.", "hero.cta.run": "▸ Taramayı çalıştır", - "hero.cta.docs": "Dosyayı okuyun", + "hero.cta.docs": "Dokümanları oku", "hero.kv": "63 dedektör · 54 canlı doğrulayıcı · 6 kaynak · çıkış-kodu duyarlı", "hero.doc.redacted": "3 REDAKTE", "hero.doc.hint": "bir redaksiyonun üzerine gelin, açılsın", @@ -236,7 +264,7 @@ window.LW_T = { "index.title": "Redakteli indeks — 63 dedektör", "index.intro": "Kataloğun bir örneği. Bunların 54'ü canlı sağlayıcıya karşı doğrulanabilir. YAML özel kurallarıyla kendi dedektörlerinizi ekleyin.", - "index.more": "+ 45 tane daha · tüm kataloğu görüntüle →", + "index.more": "+ 44 tane daha · tüm kataloğu görüntüle →", "cta.title": "Deponuzun gizliliğini kaldırın", "cta.subtitle": "Tek bir statik ikili dosya. Daemon yok, çalışma zamanı bağımlılığı yok. İstediğiniz yöntemle kurun.", @@ -290,6 +318,34 @@ window.LW_T = { "contact.ch.sec.a": "Özel bir advisory açın →", "contact.ch.docs.t": "Önce dokümanları okuyun", "contact.ch.docs.d": "Soruların çoğu çift dilli kullanıcı kılavuzunda yanıtlanıyor.", - "contact.ch.docs.a": "Dokümantasyona göz atın →" + "contact.ch.docs.a": "Dokümantasyona göz atın →", + + "nav.tryit": "Dene", + "meta.play.title": "Deneme alanı — tarayıcında tara · Leakwatch", + "meta.play.desc": "Leakwatch'ı tarayıcında dene. Bir dosya yapıştır, gerçek tespit desenleri istemci-tarafında çalışsın — hiçbir şey yüklenmez.", + "play.classbar": "İstemci-taraflı · hiçbir şey yüklenmez", + "play.eyebrow": "▸ Dene", + "play.title": "Kendin tara.", + "play.lede": "Bir yapılandırma dosyası, bir .env, bir diff — ne olursa. Leakwatch'ın gerçek tespit desenleri tam burada, tarayıcında çalışır. Yükleme yok, sunucu yok.", + "play.detsuffix": "/ 63 dedektör tarayıcında çalışır · girdiniz hiçbir yere gönderilmez", + "play.editor.file": "buraya-yapıştır.txt", + "play.sample.env": ".env", + "play.sample.code": "kaynak", + "play.sample.clear": "temizle", + "play.run": "▸ Taramayı çalıştır", + "play.paste": "Panodan yapıştır", + "play.kbd": "⌘/Ctrl + Enter", + "play.results.title": "Bulgular", + "play.empty": "Soldaki metni taramak için Taramayı çalıştır'a basın.", + "play.none": "Bu girdide sır tespit edilmedi. .env örneğini deneyin ya da kendinizinkini yapıştırın.", + "play.truncated": "Bu önizleme için girdi 64 KB'a kısaltıldı.", + "play.count.detected": "tespit edildi", + "play.count.findings": "bulgu", + "play.f.line": "satır", + "play.f.entropy": "entropi", + "play.f.chars": "karakter", + "play.f.detected": "tespit edildi · CLI'da doğrulayın", + "play.caveat.label": "Tarayıcı önizlemesi", + "play.caveat": "Bu, Leakwatch'ın gerçek regex + entropi tespitini istemci-tarafında çalıştırır. CLI; canlı doğrulama (anahtar hâlâ etkin mi?), Git geçmişi, konteyner imajları, bulut & Slack ve dedektörlerin tamamını ekler. Buradaki bulgular “tespit edildi”dir, “doğrulandı” değil." } }; diff --git a/site/playground.html b/site/playground.html new file mode 100644 index 0000000..08d74ed --- /dev/null +++ b/site/playground.html @@ -0,0 +1,123 @@ + + + + + +Playground — scan in your browser · Leakwatch + + + + + + + + + +
⬤ Classified — Leakwatch field reportClient-side · nothing uploaded
+ + + + +
+
+
▸ Try it
+

Scan it yourself.

+

Paste a config file, an .env, a diff — anything. Leakwatch's real detection patterns run right here in your browser. No upload, no server.

+
🔒 of 63 detectors run in your browser · your input is never sent anywhere
+
+ +
+
+ +
+
paste-here.txt + + + + + +
+ +
+ + + ⌘/Ctrl + Enter +
+
+ + +
+
Findings
+
Hit Run scan to scan the text on the left.
+
+
+ +
+
Browser preview
+

This runs Leakwatch's real regex + entropy detection client-side. The CLI adds live verification (is the key still active?), Git history, container images, cloud & Slack, and the full detector set. Findings here are “detected”, not “verified”.

+
+
+
+ + + + + + + + + + diff --git a/tools/site-build/detectors.go b/tools/site-build/detectors.go new file mode 100644 index 0000000..57517a4 --- /dev/null +++ b/tools/site-build/detectors.go @@ -0,0 +1,329 @@ +package main + +// Detector pattern extraction. +// +// Parses internal/detector/** with go/ast and emits site/js/detectors.js, the +// data the in-browser playground scanner uses. Each detector contributes its +// ID, default severity, Aho-Corasick keywords, and the regex pattern(s) its +// Scan method references. Go uses RE2 (no look-around / back-references), which +// is a clean subset of JavaScript's regex syntax, so the patterns port over; +// a small normalization step handles the few Go-specific tokens. + +import ( + "encoding/json" + "fmt" + "go/ast" + "go/parser" + "go/token" + "io/fs" + "os" + "path/filepath" + "regexp" + "sort" + "strconv" + "strings" +) + +type detPattern struct { + Src string `json:"src"` + Flags string `json:"flags,omitempty"` +} + +type detEntry struct { + ID string `json:"id"` + Severity string `json:"severity"` + Keywords []string `json:"keywords"` + Patterns []detPattern `json:"patterns"` +} + +// Packages whose detection depends on logic the browser can't fa­ithfully +// reproduce (entropy gating, runtime-registered rules, test helpers). +var detectorSkipDirs = map[string]bool{ + "testutil": true, + "custom": true, + "generic": true, +} + +var leadingFlagsRe = regexp.MustCompile(`^\(\?([imsU]+)\)`) + +// buildDetectors extracts detector patterns and writes site/js/detectors.js. +// It returns the number of detectors emitted. +func buildDetectors(root, jsDir string) (int, error) { + detRoot := filepath.Join(root, "internal", "detector") + fset := token.NewFileSet() + var entries []detEntry + + err := filepath.WalkDir(detRoot, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + if d.IsDir() { + if detectorSkipDirs[d.Name()] { + return filepath.SkipDir + } + return nil + } + if !strings.HasSuffix(path, ".go") || strings.HasSuffix(path, "_test.go") { + return nil + } + f, perr := parser.ParseFile(fset, path, nil, 0) + if perr != nil { + return fmt.Errorf("parse %s: %w", path, perr) + } + entries = append(entries, extractDetectors(f)...) + return nil + }) + if err != nil { + return 0, fmt.Errorf("walk detectors: %w", err) + } + + sort.Slice(entries, func(i, j int) bool { return entries[i].ID < entries[j].ID }) + + data, err := json.MarshalIndent(entries, "", " ") + if err != nil { + return 0, fmt.Errorf("marshal detectors: %w", err) + } + content := "// Generated by tools/site-build from internal/detector. Do not edit by hand.\n" + + "window.LW_DETECTORS = " + string(data) + ";\n" + if err := os.WriteFile(filepath.Join(jsDir, "detectors.js"), []byte(content), 0o644); err != nil { + return 0, fmt.Errorf("write detectors.js: %w", err) + } + return len(entries), nil +} + +func extractDetectors(f *ast.File) []detEntry { + // Named regexp vars (name -> raw pattern) and every MustCompile literal in + // the file (covers patterns declared inside slices, used as a fallback). + varPat := map[string]string{} + var filePats []string + for _, decl := range f.Decls { + gd, ok := decl.(*ast.GenDecl) + if !ok || gd.Tok != token.VAR { + continue + } + for _, spec := range gd.Specs { + vs, ok := spec.(*ast.ValueSpec) + if !ok { + continue + } + for i, val := range vs.Values { + if raw, ok := mustCompileExpr(val); ok && i < len(vs.Names) { + varPat[vs.Names[i].Name] = raw + } + } + } + } + ast.Inspect(f, func(n ast.Node) bool { + if call, ok := n.(*ast.CallExpr); ok { + if raw, ok := mustCompileExpr(call); ok { + filePats = append(filePats, raw) + } + } + return true + }) + + // Group the detector methods by receiver type. + type methods struct{ id, kw, sev, scan *ast.FuncDecl } + types := map[string]*methods{} + getType := func(name string) *methods { + if types[name] == nil { + types[name] = &methods{} + } + return types[name] + } + for _, decl := range f.Decls { + fd, ok := decl.(*ast.FuncDecl) + if !ok || fd.Recv == nil || len(fd.Recv.List) == 0 { + continue + } + rt := recvTypeName(fd.Recv.List[0].Type) + if rt == "" { + continue + } + switch fd.Name.Name { + case "ID": + getType(rt).id = fd + case "Keywords": + getType(rt).kw = fd + case "Severity": + getType(rt).sev = fd + case "Scan": + getType(rt).scan = fd + } + } + + var out []detEntry + for _, m := range types { + if m.id == nil { + continue + } + id := returnStringLit(m.id) + if id == "" { + continue + } + entry := detEntry{ID: id, Severity: severityOf(m.sev), Keywords: stringLitsIn(m.kw)} + if entry.Keywords == nil { + entry.Keywords = []string{} + } + + // Patterns this type's Scan references by name; fall back to every + // pattern in the file (correct for single-detector multi-pattern files). + var pats []string + if m.scan != nil { + ast.Inspect(m.scan, func(n ast.Node) bool { + if ident, ok := n.(*ast.Ident); ok { + if p, ok := varPat[ident.Name]; ok { + pats = append(pats, p) + } + } + return true + }) + } + if len(pats) == 0 { + pats = filePats + } + + seen := map[string]bool{} + for _, p := range dedup(pats) { + src, flags, ok := goToJSRegex(p) + if !ok || seen[src+"\x00"+flags] { + continue + } + seen[src+"\x00"+flags] = true + entry.Patterns = append(entry.Patterns, detPattern{Src: src, Flags: flags}) + } + if len(entry.Patterns) > 0 { + out = append(out, entry) + } + } + return out +} + +// mustCompileExpr reports whether expr is regexp.MustCompile(`literal`) and +// returns the unquoted pattern. +func mustCompileExpr(expr ast.Expr) (string, bool) { + call, ok := expr.(*ast.CallExpr) + if !ok { + return "", false + } + sel, ok := call.Fun.(*ast.SelectorExpr) + if !ok || sel.Sel.Name != "MustCompile" { + return "", false + } + pkg, ok := sel.X.(*ast.Ident) + if !ok || pkg.Name != "regexp" || len(call.Args) != 1 { + return "", false + } + lit, ok := call.Args[0].(*ast.BasicLit) + if !ok || lit.Kind != token.STRING { + return "", false + } + s, err := strconv.Unquote(lit.Value) + if err != nil { + return "", false + } + return s, true +} + +func recvTypeName(e ast.Expr) string { + switch t := e.(type) { + case *ast.StarExpr: + return recvTypeName(t.X) + case *ast.Ident: + return t.Name + } + return "" +} + +func returnStringLit(fd *ast.FuncDecl) string { + if fd == nil || fd.Body == nil { + return "" + } + var out string + ast.Inspect(fd.Body, func(n ast.Node) bool { + ret, ok := n.(*ast.ReturnStmt) + if !ok || len(ret.Results) != 1 { + return true + } + if lit, ok := ret.Results[0].(*ast.BasicLit); ok && lit.Kind == token.STRING { + if s, err := strconv.Unquote(lit.Value); err == nil && out == "" { + out = s + } + } + return true + }) + return out +} + +func stringLitsIn(fd *ast.FuncDecl) []string { + if fd == nil || fd.Body == nil { + return nil + } + var out []string + ast.Inspect(fd.Body, func(n ast.Node) bool { + if lit, ok := n.(*ast.BasicLit); ok && lit.Kind == token.STRING { + if s, err := strconv.Unquote(lit.Value); err == nil { + out = append(out, s) + } + } + return true + }) + return out +} + +func severityOf(fd *ast.FuncDecl) string { + if fd == nil || fd.Body == nil { + return "medium" + } + out := "medium" + ast.Inspect(fd.Body, func(n ast.Node) bool { + sel, ok := n.(*ast.SelectorExpr) + if !ok { + return true + } + if x, ok := sel.X.(*ast.Ident); ok && x.Name == "finding" && strings.HasPrefix(sel.Sel.Name, "Severity") { + out = strings.ToLower(strings.TrimPrefix(sel.Sel.Name, "Severity")) + return false + } + return true + }) + return out +} + +func dedup(in []string) []string { + seen := map[string]bool{} + var out []string + for _, s := range in { + if !seen[s] { + seen[s] = true + out = append(out, s) + } + } + return out +} + +// goToJSRegex normalizes a Go RE2 pattern for JavaScript and reports whether it +// is safe to use. It lifts leading inline flags into JS flags, rewrites named +// groups and Go-only anchors, and rejects patterns needing Unicode property +// escapes (which would require the 'u' flag and change escaping semantics). +func goToJSRegex(p string) (src, flags string, ok bool) { + if m := leadingFlagsRe.FindStringSubmatch(p); m != nil { + for _, c := range m[1] { + switch c { + case 'i', 'm', 's': + if !strings.ContainsRune(flags, c) { + flags += string(c) + } + } + } + p = p[len(m[0]):] + } + p = strings.ReplaceAll(p, "(?P<", "(?<") + p = strings.ReplaceAll(p, `\A`, "^") + p = strings.ReplaceAll(p, `\z`, "$") + p = strings.ReplaceAll(p, `\Z`, "$") + if strings.Contains(p, `\p{`) || strings.Contains(p, `\P{`) || strings.Contains(p, "(?P=") { + return "", "", false + } + return p, flags, true +} diff --git a/tools/site-build/main.go b/tools/site-build/main.go index c40ffa9..f069cf2 100644 --- a/tools/site-build/main.go +++ b/tools/site-build/main.go @@ -160,6 +160,14 @@ func run() error { fmt.Printf("site-build: wrote %s (%d pages)\n", filepath.Base(target), len(bag)) } + // Compile the in-browser playground detector set from internal/detector. + jsDir := filepath.Join(root, "site", "js") + nDet, err := buildDetectors(root, jsDir) + if err != nil { + return err + } + fmt.Printf("site-build: wrote detectors.js (%d detectors)\n", nDet) + if missing > 0 && *strict { return fmt.Errorf("%d manual page(s) missing (strict mode)", missing) } From e01fe13f370a3961695f40dde34429eb9ebfb7ae Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Sun, 24 May 2026 23:14:49 +0300 Subject: [PATCH 7/7] fix(site): keep redaction hover working across language switches - Delegate the redaction hover-peek from document instead of binding per-node, so it survives i18n re-renders that replace nodes via innerHTML on a language switch (the headline word stopped revealing after switching languages). - Replace the now-redundant 'hover a redaction to reveal it' hint with the concept line (the hero animation already reveals the secrets). - Add 'maintained by HodeTech' attribution to the footer tagline, copyright, and hero eyebrow (EN + TR, across index/contact/playground). Co-Authored-By: Claude Opus 4.7 (1M context) --- site/contact.html | 4 ++-- site/index.html | 8 ++++---- site/js/main.js | 9 ++++++--- site/js/translations.js | 16 ++++++++-------- site/playground.html | 4 ++-- 5 files changed, 22 insertions(+), 19 deletions(-) diff --git a/site/contact.html b/site/contact.html index 093e9ba..2d92c12 100644 --- a/site/contact.html +++ b/site/contact.html @@ -110,7 +110,7 @@

Product

- + diff --git a/site/index.html b/site/index.html index c429814..7913a83 100644 --- a/site/index.html +++ b/site/index.html @@ -56,7 +56,7 @@
-
Open-source secret scanner · MIT
+
Open-source secret scanner · MIT · by HodeTech

Some secrets shouldn't be visible.
Leakwatch finds the ones that are.

Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.

@@ -82,7 +82,7 @@

Some secrets shouldn't be
3 findings - hover a redaction to reveal it + Leakwatch finds the secrets that shouldn't be visible.

@@ -188,7 +188,7 @@

Declassify your repo

- + diff --git a/site/js/main.js b/site/js/main.js index c972de6..3ad50ca 100644 --- a/site/js/main.js +++ b/site/js/main.js @@ -75,9 +75,12 @@ var redacts = doc ? [].slice.call(doc.querySelectorAll(".redact")) : []; var cards = doc ? [].slice.call(doc.querySelectorAll(".finding-card")) : []; - // hover-peek on any redaction bar (hero document + headline word) - document.querySelectorAll(".redact[data-real]").forEach(function (r) { - r.addEventListener("mouseenter", function () { r.classList.add("revealed"); }); + // Hover-peek on any redaction bar (headline word, detector index chips, + // hero document). Delegated from document so it keeps working after the + // i18n layer re-renders nodes with innerHTML on a language switch. + document.addEventListener("mouseover", function (e) { + var r = e.target && e.target.closest ? e.target.closest(".redact[data-real]") : null; + if (r) r.classList.add("revealed"); }); function run() { diff --git a/site/js/translations.js b/site/js/translations.js index 3e949c8..963054b 100644 --- a/site/js/translations.js +++ b/site/js/translations.js @@ -23,14 +23,14 @@ window.LW_T = { "nav.runscan": "▸ Run scan", "nav.getstarted": "Get started", - "hero.eyebrow": "Open-source secret scanner · MIT", + "hero.eyebrow": "Open-source secret scanner · MIT · by HodeTech", "hero.title": "Some secrets shouldn't be visible.
Leakwatch finds the ones that are.", "hero.lede": "Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.", "hero.cta.run": "▸ Run the scan", "hero.cta.docs": "Read the docs", "hero.kv": "63 detectors · 54 live verifiers · 6 sources · exit-code aware", "hero.doc.redacted": "3 REDACTED", - "hero.doc.hint": "hover a redaction to reveal it", + "hero.doc.hint": "Leakwatch finds the secrets that shouldn't be visible.", "stats.detectors": "secret detectors", "stats.verifiers": "live verifiers", @@ -97,7 +97,7 @@ window.LW_T = { "cta.subtitle": "One static binary. No daemon, no runtime dependencies. Install it your way.", "cta.button": "Read the documentation", - "footer.tagline": "Open-source secret scanning that detects, verifies, and reports leaked credentials before they're abused.", + "footer.tagline": "Leakwatch is an open-source secret-scanning tool maintained by HodeTech. It detects, verifies, and reports leaked credentials before they're abused.", "footer.product": "Product", "footer.docs": "Documentation", "footer.project": "Project", @@ -108,7 +108,7 @@ window.LW_T = { "footer.releases": "Releases", "footer.issues": "Issues", "footer.license": "License (MIT)", - "footer.copyright": "© 2026 Leakwatch Contributors. Released under the MIT License.", + "footer.copyright": "© 2026 HodeTech · Leakwatch is open source under the MIT License.", "docs.search": "Search the manual…", "docs.loading": "Loading documentation…", @@ -196,14 +196,14 @@ window.LW_T = { "nav.runscan": "▸ Taramayı çalıştır", "nav.getstarted": "Başlayın", - "hero.eyebrow": "Açık kaynak sır tarayıcı · MIT", + "hero.eyebrow": "Açık kaynak sır tarayıcı · MIT · HodeTech", "hero.title": "Bazı sırlar görünür olmamalı.
Leakwatch görünür olanları bulur.", "hero.lede": "Sızan API anahtarlarını, token'ları ve kimlik bilgilerini kodda, Git geçmişinde, konteynerlerde ve bulutta tespit edin, doğrulayın ve raporlayın — sonra sansürlerin kalkışını izleyin.", "hero.cta.run": "▸ Taramayı çalıştır", "hero.cta.docs": "Dokümanları oku", "hero.kv": "63 dedektör · 54 canlı doğrulayıcı · 6 kaynak · çıkış-kodu duyarlı", "hero.doc.redacted": "3 REDAKTE", - "hero.doc.hint": "bir redaksiyonun üzerine gelin, açılsın", + "hero.doc.hint": "Leakwatch, görünür olmaması gereken sırları bulur.", "stats.detectors": "sır dedektörü", "stats.verifiers": "canlı doğrulayıcı", @@ -270,7 +270,7 @@ window.LW_T = { "cta.subtitle": "Tek bir statik ikili dosya. Daemon yok, çalışma zamanı bağımlılığı yok. İstediğiniz yöntemle kurun.", "cta.button": "Dokümantasyonu okuyun", - "footer.tagline": "Sızan kimlik bilgilerini kötüye kullanılmadan önce tespit eden, doğrulayan ve raporlayan açık kaynaklı sır taraması.", + "footer.tagline": "Leakwatch, HodeTech tarafından geliştirilip sürdürülen açık kaynaklı bir sır tarama aracıdır. Sızan kimlik bilgilerini kötüye kullanılmadan önce tespit eder, doğrular ve raporlar.", "footer.product": "Ürün", "footer.docs": "Dokümantasyon", "footer.project": "Proje", @@ -281,7 +281,7 @@ window.LW_T = { "footer.releases": "Sürümler", "footer.issues": "Sorunlar", "footer.license": "Lisans (MIT)", - "footer.copyright": "© 2026 Leakwatch Katkıda Bulunanlar. MIT Lisansı altında yayımlanmıştır.", + "footer.copyright": "© 2026 HodeTech · Leakwatch, MIT Lisansı altında açık kaynaktır.", "docs.search": "Kılavuzda ara…", "docs.loading": "Dokümantasyon yükleniyor…", diff --git a/site/playground.html b/site/playground.html index 08d74ed..14d2a8b 100644 --- a/site/playground.html +++ b/site/playground.html @@ -90,7 +90,7 @@

Product

- +