Gitleaks: Secret detection for git repositories
Regex-based secret scanner for git repositories.
Gitleaks is a command-line tool written in Go that performs secret detection across git repositories and arbitrary data sources. The detection engine relies on regex patterns combined with entropy scoring to identify secrets, as documented in the project's technical blog post on regex-based detection. It can be deployed as a standalone CLI tool, Docker container, GitHub Action, or pre-commit hook, making it suitable for integration into development workflows and CI/CD pipelines. Common use cases include scanning repositories during development, enforcing secret detection in pull requests, and performing compliance checks on codebases.
Regex-Based Detection Engine
Uses configurable regex patterns with entropy analysis instead of ML models. Provides deterministic, auditable rules that can be customized for specific secret formats and organizational compliance requirements.
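The regex-plus-entropy idea described above, as an added example that is not Gitleaks' own code: a pattern proposes a candidate and a Shannon-entropy threshold rejects low-randomness placeholders that the pattern alone would flag. The names `Scan`, `shannonEntropy` and `exampleRE`, the 3.5 threshold and the sample lines are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	counts := map[rune]float64{}
	total := 0.0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		h -= (c / total) * math.Log2(c/total)
	}
	return h
}

// Scan returns the 1-based numbers of the lines where re matches and the
// value in capture group 1 reaches minEntropy. The entropy gate is what
// separates a random-looking token from a filler value of the same shape.
func Scan(re *regexp.Regexp, minEntropy float64, lines []string) []int {
	var hits []int
	for i, line := range lines {
		m := re.FindStringSubmatch(line)
		if m != nil && shannonEntropy(m[1]) >= minEntropy {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// Constructed sample input; none of these values is a real credential.
// Line 1 matches the regex with entropy 0, line 2 with about 5 bits/char.
var sampleLines = []string{
	`api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"`,
	`api_key = "q7Zp2LmX9vRt4KdW8sYb3NcH6fJg1AeU"`,
	`timeout = 30`,
}

// Hypothetical rule pattern for this example, not one of Gitleaks' rules.
var exampleRE = regexp.MustCompile(`(?i)api_key\s*=\s*"([A-Za-z0-9]{16,64})"`)

func main() { fmt.Println(Scan(exampleRE, 3.5, sampleLines)) }
```

With the threshold set to 0 the placeholder on line 1 is reported as well, which is the false positive the entropy check is there to suppress.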
Multiple Deployment Options
Available as CLI tool, Docker image, GitHub Action, and pre-commit hook. Integrates at any point in the development lifecycle, from local commits to CI/CD pipelines.
Detailed Finding Metadata
Reports include commit history, author information, file locations, line numbers, and fingerprints for each detected secret. Enables tracking when secrets were introduced and supports systematic remediation workflows.
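```go
package main

import (
	"log"

	"github.com/zricethezav/gitleaks/v8/config"
	"github.com/zricethezav/gitleaks/v8/detect"
)

func main() {
	// Calls are as shown on the page; confirm them against the v8 release you import.
	cfg, err := config.NewConfig("path/to/gitleaks.toml")
	if err != nil {
		log.Fatal(err) // do not scan with a rule set that failed to load
	}
	detector := detect.NewDetector(cfg)
	findings, err := detector.DetectFiles("path/to/scan")
	if err != nil {
		log.Fatal(err)
	}
	for _, finding := range findings {
		// finding.Secret is the raw matched value; println writes it to stderr.
		println(finding.Description, finding.Secret)
	}
}
```

This release adds new detection rules for Looker and Airtable tokens, improves recursive decoding, and upgrades Go and Alpine versions.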
- 0 to 5 - notes on recursive decoding
- Add new Looker client ID and client secret rules
- feat: add Airtable Personal Access Token detection
- build: upgrade Go & alpine version
This release includes minor fixes and documents stdout report path functionality.
- feat: document stdout report path
This release adds Amazon Bedrock API key detection, improves timeout handling, and enhances configuration validation.
- Add trace log for skipped archive file when not enabled
- Respect contexts with timeouts
- Config min version
- fix: validate rules when extend is used
- feat: add Amazon Bedrock API key detection
Related Repositories
Discover similar tools and frameworks used by developers
DVWA
PHP/MariaDB training platform for web security exploitation practice.
FingerprintJS
Client-side JavaScript library for browser fingerprinting and visitor identification.
Subfinder
Passive subdomain discovery via DNS resolution and validation.
Prowler
Cloud security platform automating assessments and compliance across AWS, Azure, GCP, and K8s.
OpenSSL
C-based cryptographic library implementing TLS, DTLS, and QUIC protocols.