SailPoint Entro CLI & Pre-Commit Hook
Getting Started with the SailPoint Entro CLI
This guide provides a comprehensive overview of the SailPoint Entro Command-Line Interface (CLI). You'll learn how to install and configure it for manual scanning and how to set it up as an automated pre-commit hook to prevent secrets from being committed to your repositories.
Setup: Installation & Configuration
First, you need to install the SailPoint Entro CLI and connect it to your SailPoint Entro account.
Step 1: Install the CLI
The SailPoint Entro CLI is compatible with macOS, Linux, and Windows shells. To install it, run the following command in your terminal:
Specific versions of the CLI can be installed using:
Specific version in CLI V2:
curl -fL https://public-entro-security.s3.us-east-1.amazonaws.com/entro-cli/install-cli-v2 | sh -s {VERSION}
For CLI V1:
curl -fL https://public-entro-security.s3.us-east-1.amazonaws.com/entro-cli/install-cli | sh
OR
curl -fL https://public-entro-security.s3.us-east-1.amazonaws.com/entro-cli/install-cli | sh -s {VERSION}
MacOS package (.pkg) can be installed using:
Latest version:
curl -fL https://public-entro-security.s3.us-east-1.amazonaws.com/entro-cli/download-pkg-installer-v2 | sh
Specific version:
curl -fL https://public-entro-security.s3.us-east-1.amazonaws.com/entro-cli/download-pkg-installer-v2 | sh -s {VERSION}
Step 2: Authenticate
You need an API Key to authenticate the CLI. You can create an Admin token or a Scanner only token from the SailPoint Entro Portal. Choose one of the following methods to provide your credentials:
🅰️ Configuration File (Recommended)
This method securely stores your credentials in a local configuration file (~/.entro/config.json), making it easy to run commands without setting variables each time.
Bash
🅱️ Environment Variables (for CI/CD)
This method is ideal for automated environments like CI/CD pipelines where you need to set credentials temporarily.
Bash
export ENTRO_SECURITY_PLATFORM_URL=https://<domain>.entro.security
export ENTRO_SECURITY_PLATFORM_TOKEN=<Entro_API_Key>
Note
The CLI will prioritize credentials set via flags or environment variables over those in the configuration file.
Part 2: Manual Scanning
You can use the SailPoint Entro CLI to perform one-off scans on files to find exposed secrets.
How to Scan
To scan specific file or directory, use the **entro scan path** command, followed by the path.
If secrets are found, the output will list their details -
➜ entro scan path path/to/file/OktaExample.docx
🔍 Progress: 100% [████████████████████████████████████████] (1/1) Files
🎯 Location: path/to/file
📌 Current: OktaExample.docx
🚨 Findings: 1
📂 Scanned 1 Files Containing 1 Exposed Secret
Path: path/to/file/OktaExample.docx (1 secret)
├─ Secret: OKTA Client ID
│ Line: 1
│ Value: 0a1dj42d***********djeu5f8dg
└─ Docs: https://docs.entro.security/knowledge-base/supported-secret-types/specific-secrets/okta-client-id
To scan git repositories, use the **entro scan git** command, in one of two ways:
# From within the git directory:
entro scan git
# You may also provide the path to the git repository:
entro scan git path/to/git/directory
If secrets are found, the output will list their details and their commit information -
➜ entro scan git
🔍 Progress: 100% [██████████████████████████████████████████████] (7/7) Commits
🎯 Location: 978c8a1d4bc167dd57e35bde70c6b1fd01a1854b
📌 Current: file_name
🚨 Findings: 10
📂 Scanned 7 Commits Containing 6 Exposed Secrets
📂 Scanned 6 Changes Containing 10 Exposed Secrets
📝 Commit: c9fc9965be6e6ffc6e13aff82043e6279e7370dc (GitHub)
│ Date: 2025-07-09 15:44:10
│ Message: this is a new commit
└── File: file_name (1 secrets)
└─ Secret: Palantir Jwt Token
Line: 1
Value: eyJwbG50ciI6IlQydGNuUW1jUUVLdVlUL0hzdHRZalE9PSIsImFsZyI6IkVTMjU*******************************************************Rva2VuIiwgImhkIjoidW5pdGUubmloLmdvdiJ9.NqqHz12e_BU409d9kesXqlTK
Docs: https://docs.entro.security/knowledge-base/supported-secret-types/specific-secrets/palantir-jwt-token
✨ Enable AI Classification for detected secrets (Supported for scan path)
To trigger AI Classification on local scan command, add the --ai-classification flag
➜ entro scan path path/to/file --ai-classification
🔍 Progress: 100% [████████████████████████████████████████] (1/1) Files
🎯 Location: .
📌 Current: file
🚨 Findings: 1
📂 Scanned 1 Files Containing 1 Exposed Secret
Path: file (1 secret)
├─ Secret: Gitlab Pat
│ Line: 2
│ Value: glpat-aJ9********Pn4BbyeDE
│ AI Classification: True Positive
│ AI Insights:
│ Implementation: Authorization string
│ Other Lines Contain More Secrets: true
│ Purpose: GitLab API authentication token
│ Service: GitLab
│ Type: API-Key
│ Docs: https://docs.entro.security/knowledge-base/supported-secret-types/specific-secrets/gitlab-pat
In order to get the AI classification only without additional AI insights, use --ai-insights=false
➜ entro scan path path/to/file --ai-classification --ai-insights=false
🔍 Progress: 100% [████████████████████████████████████████] (1/1) Files
🎯 Location: .
📌 Current: file
🚨 Findings: 2
📂 Scanned 1 Files Containing 3 Exposed Secrets
Path: file (2 secrets)
├─ Secret: Gitlab Pat
│ Line: 2
│ Value: glpat-aJ9********Pn4BbyeDE
│ AI Classification: True Positive
│ Docs: https://docs.entro.security/knowledge-base/supported-secret-types/specific-secrets/gitlab-pat
└─ Secret: Snowflake Pat
Line: 7
Value: eyJraWQiOiIzODQ4ODkyNDc3IiwiYWxnIjoiRVMyNTYifQ.eyJwIjoiMTUwMzQ2Mjg6MTUwMzQ2M******************************************************************ZbGksYiM-C-F3nLGZnBBhHvNlu-cRw0oxPjerB3ffkXrgYmJ4qWZOA4KoU9PJRhmtQonOwMeital
AI Classification: True Positive
Docs: https://docs.entro.security/knowledge-base/supported-secret-types/specific-secrets/snowflake-pat
Useful Flags
-
--generic: Use this flag to find non-specific secrets like passwords or keys. -
--redact=false: By default, secrets are hidden. Use this to display the full secret value. -
For scan path:
-
--ai-classification: Enable AI Classification for detected secrets -
--ai-insights=false: By default, AI classification includes additional enrichment. You may choose to remove it to get the AI classification only without additional AI insights.
-
-
-h,--help: Use this to see all available commands and flags.
Current Limitations
-
Input Size: The CLI has a file size limit of 2.5MB.
-
File Types: Scanning is optimized for text-based files like source code, configs, and documents.
Part 3: Automated Scanning with the Pre-Commit Hook
Integrate SailPoint Entro directly into your Git workflow to automatically scan for secrets before they are committed. This requires the pre-commit framework.
Step 1: Install the **pre-commit** Framework 📦
If you don't already have it, install pre-commit using the package manager for your system:
-
macOS (Homebrew):
brew install pre-commit -
Linux (Debian/Ubuntu):
sudo apt-get install pre-commit -
Linux (Fedora/RHEL):
sudo dnf install pre-commit -
Windows (Chocolatey):
choco install pre-commit -
Python/pip:
pip install pre-commit
Step 2: Activate the SailPoint Entro Hook
You can install the hook for a single project or globally for all your repositories.
-
Local Installation (Recommended): Navigate to your project's root directory and run:
Bash
-
Global Installation (Advanced): To enable the hook for all your Git repositories, run:
Bash
Important
This will replace any existing global Git hooks.
Step 3: Test Your Setup
The hook is now active! The next time you run git commit, the SailPoint Entro scan will run automatically. If a secret is detected, the commit will be blocked.
🚦 Part 4: Managing the Pre-Commit Hook
Sometimes you might need to bypass the hook. You may use one of the following options:
-
Skip hook for current commit (recommended approach)
This allows the commit to proceed even if secrets are found.
-
Soft Bypass (Ignore hook in current set up)
When using the 'ignore' option, entro hook will scan the code and reports the findings to entro, but it won't block you on any commits.
After running this, you can proceed with your
git commit. -
Hard Bypass (Skip)
This completely disables the entro scan for all subsequent commits until it's re-enabled.
-
To disable the hook:
-
To re-enable the hook:
-