Modern secrets discovery CLI for code, content, and collaboration platforms.
2ms is an open-source CLI from Checkmarx that helps teams surface credentials, API keys, tokens, and other sensitive data before it leaks. It builds on the gitleaks detection engine, adds Checkmarx expertise, CVSS-based scoring, and optional secret validation so you can triage the riskiest findings first.
- Quick Start
- Highlights
- Installation
- Scan Targets
- Configuration & Tuning
- Reports & Outputs
- CI/CD & Automation
- Contributing
- Community
Install, scan your local workspace, and review the findings in seconds:
brew install 2ms
2ms filesystem --path .Scan recent Git history instead:
2ms git . --depth 502ms prints a YAML summary by default and returns a non-zero exit code when secrets are detected.
- Unified scanning for local directories, Git history, Slack, Discord, Confluence Cloud, and Paligo — each exposed as a dedicated subcommand.
- Hundreds of tuned detection rules curated by Checkmarx on top of gitleaks, enriched with CVSS-based scoring in every finding.
- Optional live secret validation (
--validate) to confirm whether discovered credentials are still active. - Flexible filtering and noise reduction:
--rule,--ignore-rule,--add-special-rule,--ignore-result,--regex,--allowed-values, and--max-target-megabytes. - Rich reporting for developers and pipelines with JSON, YAML, and SARIF outputs, multiple
--report-pathdestinations, and CI-aware exit handling via--ignore-on-exit. - Automation ready: configuration files,
2MS_*environment variables, Docker images, and GitHub Actions templates. - Extensible plugin architecture — contributions for new data sources are welcome.
brew install 2msUpgrade with brew upgrade 2ms. Confirm the install:
2ms --versionDownload the latest release for your platform from the releases page:
Unzip the archive and place the 2ms binary somewhere on your PATH (for example /usr/local/bin/2ms).
git clone https://github.com/checkmarx/2ms.git
cd 2ms
go build -o dist/2ms ./...
./dist/2ms --versionRefer to go.mod for the minimum Go toolchain version.
Run 2ms from the published container image:
docker run --rm checkmarx/2msMount a workspace to scan it:
docker run --rm -v "$(pwd)":/repo checkmarx/2ms git /repo --stdout-format jsonProvide tokens and other secrets through environment variables (-e SLACK_TOKEN=...) or mounted config files.
| Command | Surface | Typical Use |
|---|---|---|
2ms filesystem |
Local directories | Scan any type of source file. |
2ms git <path> |
Git repositories | Inspect commit history to find any secret exposed. |
2ms confluence <URL> |
Confluence Cloud | Crawl spaces and pages. |
2ms discord |
Discord servers | Audit server message history. |
2ms slack |
Slack workspaces | Review channels for exposed credentials. |
2ms paligo |
Paligo instances | Scrape documentation components delivered via Paligo. |
2ms filesystem --path . --ignore-pattern "*.log"| Flag | Type | Description |
|---|---|---|
--path |
string (required) | Directory to scan. |
--project-name |
string | Optional label to distinguish multiple filesystem scans. |
--ignore-pattern |
string slice | Glob patterns to exclude (matched against the file or folder name). |
2ms git /path/to/repo --depth 200 --project-name api-service| Flag | Type | Description |
|---|---|---|
--depth |
int | Limit how many commits from HEAD are analyzed. |
--all-branches |
bool | Scan every branch instead of the checked-out branch. |
--base-commit |
string | Only scan commits between the base commit and HEAD. |
--project-name |
string | Optional label to differentiate results. |
2ms confluence https://<org>.atlassian.net/wiki --space-keys ENG,SEC --history \
--username alice@example.com --token-type api-token --token-value "$ATLASSIAN_TOKEN"| Flag | Type | Description |
|---|---|---|
--space-keys |
string slice | Comma-separated space keys to crawl. |
--space-ids |
string slice | Comma-separated space IDs to crawl. |
--page-ids |
string slice | Specific page IDs to scan. |
--history |
bool | Include all revisions (page history). |
--username |
string | Confluence user/email for authentication. |
--token-type |
string | api-token or scoped-api-token. Required when --token-value is set. |
--token-value |
string | Token value used with --token-type. |
URLs must be HTTPS. Without credentials 2ms scans only public content.
- To scan private spaces, provide
--username,--token-typeand--token-value(API token). - How to create a Confluence API token: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/
-
Scan all public pages (no auth):
2ms confluence https://<company id>.atlassian.net/wiki
-
Scan private pages with an api token (requires auth):
2ms confluence https://<company id>.atlassian.net/wiki --username <USERNAME> --token-type api-token --token-value <API_TOKEN>
-
Scan private pages with a scoped api token (requires auth):
2ms confluence https://<company id>.atlassian.net/wiki --username <USERNAME> --token-type scoped-api-token --token-value <API_TOKEN>
-
Scan specific spaces by ID:
2ms confluence https://<company id>.atlassian.net/wiki --space-ids 1234567890,9876543210
-
Scan specific pages by ID:
2ms confluence https://<company id>.atlassian.net/wiki --page-ids 11223344556,99887766554
2ms slack --token "$SLACK_TOKEN" --team my-workspace --duration 30d --channel secure-chat| Flag | Type | Description |
|---|---|---|
--token |
string (required) | Slack token with permission to read conversations. |
--team |
string (required) | Workspace name or ID. |
--channel |
string slice | Channel names or IDs to target. Defaults to all channels. |
--duration |
duration | Look back interval (default 14d). Use values like 24h, 7d, 1M. |
--messages-count |
int | Upper bound on messages per channel (0 = all). |
2ms discord --token "$DISCORD_TOKEN" --server 1097814317077897307 --duration 9999h| Flag | Type | Description |
|---|---|---|
--token |
string (required) | Discord bot or user token. |
--server |
string slice (required) | Server (guild) names or IDs to scan. |
--channel |
string slice | Channel names or IDs to restrict the scan. Defaults to all channels. |
--duration |
duration | Look back interval (default 14d). |
--messages-count |
int | Maximum messages per channel (0 = scan until duration is met). |
2ms paligo --instance your-instance --username alice --token "$PALIGO_TOKEN"| Flag | Type | Description |
|---|---|---|
--instance |
string (required) | Paligo instance name (subdomain). |
--username |
string | Paligo username (use with --token). |
--token |
string | API token for authentication. |
--auth |
string | Base64-encoded username:password alternative to --username/--token. |
--folder |
int | Folder ID to scope the scan; scans the whole instance when omitted. |
Global flags work with every subcommand. Combine them with configuration files and environment variables to automate 2ms in large environments.
| Flag | Type | Default | Description |
|---|---|---|---|
--config |
string | Path to a YAML or JSON configuration file. | |
--log-level |
string | info |
Logging level: trace, debug, info, warn, error, fatal, or none. |
--stdout-format |
string | yaml |
yaml, json, or sarif output on stdout. |
--report-path |
string slice | Write findings to one or more files; format is inferred from the extension. | |
--ignore-on-exit |
enum | none |
Control exit codes: all, results, errors, or none. |
--max-target-megabytes |
int | 0 |
Skip files larger than the threshold (0 disables the check). |
--validate |
bool | false |
Enrich results by verifying secrets when supported. |
Pass --config to load shared defaults:
# .2ms.yaml
log-level: debug
stdout-format: json
report-path:
- reports/2ms.json
filesystem:
path: .
ignore-pattern:
- "*.log"You can still override values via CLI flags; the CLI always wins over config values.
- List the available detection rules (and whether they support validation) with
2ms rules. - The full rule catalog lives in
docs/list-of-rules.md. - Focus on specific checks with
--rule <rule-id>or exclude noisy ones with--ignore-rule. - Enable opt-in detections via
--add-special-rule <rule-id>and tailor searches using custom--regexpatterns. - Suppress individual findings with
--ignore-result <secret-id>or whitelist known safe secrets using--allowed-values. --validateasks 2ms to contact the upstream service (when available) to confirm a secret is still active. Validation outcomes feed into the CVSS-derived score in each result.
2ms prints YAML summaries by default. Switch formats or emit multiple artifacts:
2ms git . \
--stdout-format json \
--report-path build/2ms.sarif \
--report-path build/2ms.yamlSARIF reports plug directly into GitHub Advanced Security or other code-scanning dashboards. All outputs include rule metadata, severity scores, file locations, and (when enabled) validation status.
Run 2ms in pipelines, scheduled jobs, or security gates:
name: secret-scan
on:
pull_request:
push:
branches: [main]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
- name: Run 2ms
run: |
docker run --rm -v "$PWD":/repo checkmarx/2ms \
git /repo --stdout-format sarif \
--report-path /repo/artifacts/2ms.sarif \
--ignore-on-exit results
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: artifacts/2ms.sarifUse --ignore-on-exit results to keep pipelines green when only findings (not errors) are present, or leave it at the default none to fail on detected secrets.
2ms is built around a plugin system so new targets and enhancements are easy to add. Check out CONTRIBUTING.md for development setup, coding guidelines, and how to propose new rules or plugins.
2ms is maintained by Checkmarx and released under the Apache 2.0 License — contributions and feedback are always welcome.
