2ms

Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git

2ms (Too Many Secrets)

Modern secrets discovery CLI for code, content, and collaboration platforms.

2ms is an open-source CLI from Checkmarx that helps teams surface credentials, API keys, tokens, and other sensitive data before it leaks. It builds on the gitleaks detection engine, adds Checkmarx expertise, CVSS-based scoring, and optional secret validation so you can triage the riskiest findings first.

Quick Start

Install, scan your local workspace, and review the findings in seconds:

brew install 2ms
2ms filesystem --path .

Scan recent Git history instead:

2ms git . --depth 50

2ms prints a YAML summary by default and returns a non-zero exit code when secrets are detected.

Highlights

  • Unified scanning for local directories, Git history, Slack, Discord, Confluence Cloud, and Paligo — each exposed as a dedicated subcommand.
  • Hundreds of tuned detection rules curated by Checkmarx on top of gitleaks, enriched with CVSS-based scoring in every finding.
  • Optional live secret validation (--validate) to confirm whether discovered credentials are still active.
  • Flexible filtering and noise reduction: --rule, --ignore-rule, --add-special-rule, --ignore-result, --regex, --allowed-values, --max-target-megabytes, --max-findings, --max-rule-matches-per-fragment, and --max-secret-size.
  • Rich reporting for developers and pipelines with JSON, YAML, and SARIF outputs, multiple --report-path destinations, and CI-aware exit handling via --ignore-on-exit.
  • Automation ready: configuration files, 2MS_* environment variables, Docker images, and GitHub Actions templates.
  • Extensible plugin architecture — contributions for new data sources are welcome.

Installation

Homebrew (macOS/Linux)

brew install 2ms

Upgrade with brew upgrade 2ms. Confirm the install:

2ms --version

Prebuilt Binaries

Download the latest release for your platform from the releases page:

Unzip the archive and place the 2ms binary somewhere on your PATH (for example /usr/local/bin/2ms).

Build from Source

git clone https://github.com/checkmarx/2ms.git
cd 2ms
go build -o dist/2ms ./...
./dist/2ms --version

Refer to go.mod for the minimum Go toolchain version.

Docker

Run 2ms from the published container image:

docker run --rm checkmarx/2ms

Mount a workspace to scan it:

docker run --rm -v "$(pwd)":/repo checkmarx/2ms git /repo --stdout-format json

Provide tokens and other secrets through environment variables (-e SLACK_TOKEN=...) or mounted config files.

Scan Targets

| Command | Surface | Typical Use |
|---------|---------|-------------|
| 2ms filesystem | Local directories | Scan any type of source file. |
| 2ms git <path> | Git repositories | Inspect commit history to find any secret exposed. |
| 2ms confluence <URL> | Confluence Cloud | Crawl spaces and pages. |
| 2ms discord | Discord servers | Audit server message history. |
| 2ms slack | Slack workspaces | Review channels for exposed credentials. |
| 2ms paligo | Paligo instances | Scrape documentation components delivered via Paligo. |

Local File System

2ms filesystem --path . --ignore-pattern "*.log"

| Flag | Type | Description |
|------|------|-------------|
| --path | string (required) | Directory to scan. |
| --project-name | string | Optional label to distinguish multiple filesystem scans. |
| --ignore-pattern | string slice | Glob patterns to exclude (matched against the file or folder name). |

Git Repositories

2ms git /path/to/repo --depth 200 --project-name api-service

| Flag | Type | Description |
|------|------|-------------|
| --depth | int | Limit how many commits from HEAD are analyzed. |
| --all-branches | bool | Scan every branch instead of the checked-out branch. |
| --base-commit | string | Only scan commits between the base commit and HEAD. |
| --project-name | string | Optional label to differentiate results. |
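
An added example (not from the 2ms README): a CI gate that scans only the commits between a base commit and HEAD and fails the job on the non-zero exit code described in Quick Start. `scan_new_commits`, `TWOMS_BIN` and the report directory are hypothetical names, and keeping the report private rests on the assumption that findings can quote the matched value.

```bash
#!/usr/bin/env bash
# Added example: CI gate around `2ms git`.
# scan_new_commits, TWOMS_BIN and the report layout are assumptions of this
# sketch, not part of 2ms. Only flags shown in the README are used.

# scan_new_commits REPO BASE_COMMIT REPORT_DIR
# Prints the report path on stdout.
# Returns 0 when 2ms exits 0, 1 when 2ms exits non-zero (the README documents
# a non-zero exit when secrets are detected), 2 on bad arguments.
scan_new_commits() {
  local repo="$1" base="$2" outdir="$3"
  local bin="${TWOMS_BIN:-2ms}"   # hypothetical override, useful for testing
  local report rc=0

  [ -d "$repo" ] && [ -n "$base" ] && [ -n "$outdir" ] || return 2

  # Assumption: findings may quote the matched credential, so the report
  # directory and file are created readable by the current user only.
  ( umask 077 && mkdir -p "$outdir" ) || return 2
  report="$outdir/2ms-$(date -u +%Y%m%dT%H%M%SZ).json"

  # --base-commit restricts the scan to commits between BASE_COMMIT and HEAD;
  # --stdout-format json gives machine-readable output for later triage.
  ( umask 077
    "$bin" git "$repo" --base-commit "$base" --stdout-format json >"$report"
  ) || rc=$?

  printf '%s\n' "$report"
  if [ "$rc" -ne 0 ]; then
    echo "2ms exited $rc; review $report before merging" >&2
    return 1
  fi
  return 0
}
```

In a pipeline this would be called as `scan_new_commits . "$BASE_SHA" ./reports`, where `BASE_SHA` is whatever variable your CI system exposes for the merge base.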

Confluence Cloud

2ms confluence https://<org>.atlassian.net/wiki --space-keys ENG,SEC --history \
  --username alice@example.com --token "$ATLASSIAN_TOKEN"

| Flag | Type | Description |
|------|------|-------------|
| --space-keys | string slice | Comma-separated space keys to crawl. |
| --space-ids | string slice | Comma-separated space IDs to crawl. |
| --page-ids | string slice | Specific page IDs to scan. |
| --history | bool | Include all revisions (page history). |
| --username | string | Confluence user/email for authentication. |
| --token | string | Authentication token (Confluence API token or scoped API token). |
| --max-api-response-megabytes | int | Soft per-response size limit (MB). 0 disables it. Exceeded batches are skipped. |
| --max-page-body-megabytes | int | Soft per-page body size limit (MB). 0 disables it. Oversized pages are skipped. |
| --max-total-scan-megabytes | int | Global download limit (MB). 0 disables it. If exceeded, the scan stops early. |

URLs must be HTTPS. Without credentials 2ms scans only public content.

Authentication

  • To scan private spaces, provide --username and --token (API token).
  • How to create a Confluence API token: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/

Examples

  • Scan all public pages (no auth):

    2ms confluence https://<org>.atlassian.net/wiki
    
  • Scan private pages with an API token or a scoped API token (requires auth):

    2ms confluence https://<org>.atlassian.net/wiki --username <USERNAME> --token <API_TOKEN>
    
  • Scan specific spaces by ID:

    2ms confluence https://<org>.atlassian.net/wiki --space-ids 1234567890,9876543210
    
  • Scan specific pages by ID:

    2ms confluence https://<org>.atlassian.net/wiki --page-ids 11223344556,99887766554
    

Slack

2ms slack --token "$SLACK_TOKEN" --team my-workspace --duration 30d --channel secure-chat

| Flag | Type | Description |
|------|------|-------------|
| --token | string (required) | Slack token with permission to read conversations. |
| --team | string (required) | Workspace name or ID. |
| --channel | string slice | Channel names or IDs to target. Defaults to all channels. |
| --duration | duration | Look back interval (default 14d). Use values like 24h, 7d, 1M. |
| --messages-count | int | Upper bound on messages per channel (0 = all). |

Discord

2ms discord --token "$DISCORD_TOKEN" --server 1097814317077897307 --duration 9999h

| Flag | Type | Description |
|------|------|-------------|
| --token | string (required) | Discord bot or user token. |
| --server | string slice (required) | Server (guild) names or IDs to scan. |
| --channel | string slice | Channel names or IDs to restrict the scan. Defaults to all channels. |
| --duration | duration | Look back interval (default 14d). |
| --messages-count | int | Maximum messages per channel (0 = scan until duration is met). |

Paligo

2ms paligo --instance your-instance --username alice --token "$PALIGO_TOKEN"

| Flag | Type | Description |
|------|------|-------------|
| --instance | string (required) | Paligo instance name (subdomain). |
| --username | string | Paligo username (use with --token). |
| --token | string | API token for authentication. |
| --auth | string | Base64-encoded username:password alternative to --username/--token. |
| --folder | int | Folder ID to scope the scan; scans the whole instance when omitted. |

Configuration & Tuning

Global flags work with every subcommand. Combine them with configuration files and environment variables to automate 2ms in large environments.

Global Flags

| Flag
