> ## Documentation Index
> Fetch the complete documentation index at: https://infisical-pam-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# scan git-changes

> Scan for secrets in your uncommitted code

```bash theme={"dark"}
infisical scan git-changes

# Display the full secret findings
infisical scan git-changes --verbose
```

## Description

Scanning for secrets before you commit your changes is great way to prevent leaks. Infisical makes this easy with the sub command `git-changes`.

The `git-changes` scans for uncommitted changes in a Git repository, and is especially designed for use on developer machines, aligning with the ['shift left'](https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security) security approach.
When `git-changes` is run on a Git repository, Infisical parses the output from a `git diff` command.

To scan changes in commits that have been staged via `git add`, you can add the `--staged` flag to the sub command. This flag is particularly useful when using Infisical CLI as a pre-commit tool.

### Flags

<Accordion title="--staged">
  **Description**

  detect secrets in a --staged state

  Default value: `false`
</Accordion>

<Accordion title="--log-opts">
  **Description**

  git log options
</Accordion>

<Accordion title="--baseline-path">
  Short hand: `-b`

  **Description**

  path to baseline with issues that can be ignored
</Accordion>

<Accordion title="--config">
  Short hand: `-c`

  **Description**

  config file path

  order of precedence:

  1. \--config flag
  2. env var INFISICAL\_SCAN\_CONFIG
  3. (--source/-s)/.infisical-scan.toml
     If none of the three options are used, then Infisical will use the default config
</Accordion>

<Accordion title="--exit-code">
  **Description**

  exit code when leaks have been encountered (default 1)
</Accordion>

<Accordion title="--max-target-megabytes">
  **Description**

  files larger than this will be skipped
</Accordion>

<Accordion title="--no-color">
  **Description**

  turn off color for verbose output
</Accordion>

<Accordion title="--redact">
  **Description**

  redact secrets from logs and stdout
</Accordion>

<Accordion title="--report-format">
  **Description**

  output format (json, csv, sarif) (default "json")
</Accordion>

<Accordion title="--report-path">
  **Description**

  report file
</Accordion>

<Accordion title="--source">
  **Description**

  path to source (default ".")
</Accordion>

<Accordion title="--verbose">
  **Description**

  show verbose output from scan
</Accordion>
