Gitleaks: Secret detection for git repositories
Regex-based secret scanner for git repositories.
Gitleaks is a command-line tool written in Go that detects hardcoded secrets (API keys, tokens, passwords, private keys) in git history, working directories, individual files, and data piped on stdin. Its detection engine combines regular expressions with Shannon-entropy scoring, an approach the project describes in its blog post on regex-based detection. It ships as a standalone CLI, a Docker image, a GitHub Action, and a pre-commit hook, so it can run at any point from a developer's local commit to a CI/CD pipeline. Typical uses are scanning repositories during development, blocking pull requests that introduce secrets, and running periodic compliance checks over existing codebases.
Regex-Based Detection Engine
Uses configurable regex patterns with entropy thresholds rather than ML models. The rules are deterministic and auditable: every finding traces back to a specific rule ID, and rules can be added or tuned for proprietary secret formats and organizational compliance requirements. The trade-off is false positives on high-entropy strings that are not secrets (hashes, base64 blobs, example values), which are handled through allowlists and entropy floors rather than a learned classifier.
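To make the regex-plus-entropy idea concrete, here is an added example (not gitleaks' own code) of a minimal rule engine in Go. The `Rule` and `Finding` types and their field names are illustrative and are not the gitleaks TOML keys; the sample content is constructed and uses AWS's documented example access key ID. The generic password rule needs an entropy floor so that a placeholder like `"password"` is dropped while a random-looking value is kept; the AWS rule has a fixed prefix and needs none.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule mirrors the shape of a gitleaks rule: an ID, a regex, and an optional
// Shannon-entropy floor the captured value must clear. Names are illustrative.
type Rule struct {
	ID      string
	Regex   *regexp.Regexp
	Entropy float64 // minimum bits per character; 0 disables the check
}

// Finding is the subset of metadata this example reports per hit.
type Finding struct {
	RuleID  string
	Line    int // 1-based line number
	Secret  string
	Entropy float64
}

// shannonEntropy returns the entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := make(map[rune]int)
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// scan runs every rule over every line. The secret is capture group 1 when the
// regex has one (so the key name and quotes are excluded from the entropy
// measurement), otherwise the whole match.
func scan(content string, rules []Rule) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			for _, m := range r.Regex.FindAllStringSubmatch(line, -1) {
				secret := m[0]
				if len(m) > 1 {
					secret = m[1]
				}
				e := shannonEntropy(secret)
				if e < r.Entropy {
					continue // low-entropy placeholder, not a credential
				}
				out = append(out, Finding{r.ID, i + 1, secret, e})
			}
		}
	}
	return out
}

// sampleRules: the AWS access key ID has a fixed AKIA prefix and fixed length,
// so no entropy floor; the generic password rule needs one.
var sampleRules = []Rule{
	{ID: "aws-access-key-id", Regex: regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`)},
	{ID: "generic-password", Regex: regexp.MustCompile(`(?i)password\s*=\s*["']([^"']{8,})["']`), Entropy: 3.0},
}

// sampleContent is constructed input; the AKIA value is AWS's documented example.
const sampleContent = `aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "password"
password = "xK9#mQ2$vL8@pR4w"
# comment mentioning AKIA without a key`

func main() {
	for _, f := range scan(sampleContent, sampleRules) {
		fmt.Printf("%s line %d entropy=%.2f secret=%s\n", f.RuleID, f.Line, f.Entropy, f.Secret)
	}
}
```

Running it reports the access key ID on line 1 and the random password on line 3; `"password"` on line 2 has an entropy of 2.75 bits per character and is filtered, and the comment on line 4 does not match the word-bounded AWS pattern.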
Multiple Deployment Options
Available as a CLI tool, Docker image, GitHub Action, and pre-commit hook, so it integrates at any point in the development lifecycle, from a developer's local commit to CI/CD pipelines.
Detailed Finding Metadata
Each finding records the rule ID, the commit hash, author and date, the file path and line numbers, and a fingerprint that uniquely identifies that occurrence. The metadata shows when and by whom a secret was introduced, and fingerprints can be listed in a .gitleaksignore file or supplied as a baseline report so already-triaged findings are suppressed while new ones still surface.
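Gitleaks handles baselining natively (a previous JSON report passed as a baseline, or fingerprints listed in .gitleaksignore). The following added example, which is not gitleaks' own code, shows the mechanism behind that: parse two JSON reports, diff them by fingerprint, and emit the new fingerprints in .gitleaksignore form. The two reports are constructed, with made-up commit hashes, paths and authors; the JSON key names follow the capitalised field names gitleaks writes, and the fingerprint layout `commit:file:rule:line` is the one gitleaks uses for git scans.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding holds the subset of fields a gitleaks JSON report carries per hit.
// JSON keys follow the report's capitalised field names.
type Finding struct {
	RuleID      string `json:"RuleID"`
	Description string `json:"Description"`
	File        string `json:"File"`
	StartLine   int    `json:"StartLine"`
	Commit      string `json:"Commit"`
	Author      string `json:"Author"`
	Fingerprint string `json:"Fingerprint"`
}

// parseReport decodes a gitleaks JSON report, which is an array of findings.
func parseReport(data []byte) ([]Finding, error) {
	var fs []Finding
	if err := json.Unmarshal(data, &fs); err != nil {
		return nil, fmt.Errorf("decode report: %w", err)
	}
	return fs, nil
}

// newFindings returns the findings in current whose fingerprint is absent from
// baseline, sorted by fingerprint so repeated runs produce identical output.
func newFindings(current, baseline []Finding) []Finding {
	known := make(map[string]bool, len(baseline))
	for _, f := range baseline {
		known[f.Fingerprint] = true
	}
	var out []Finding
	for _, f := range current {
		if !known[f.Fingerprint] {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Fingerprint < out[j].Fingerprint })
	return out
}

// ignoreList renders fingerprints one per line, the layout .gitleaksignore uses.
func ignoreList(fs []Finding) string {
	var b strings.Builder
	for _, f := range fs {
		b.WriteString(f.Fingerprint + "\n")
	}
	return b.String()
}

// Constructed reports: commit hashes, paths and authors are made up.
const baselineReport = `[
 {"RuleID":"generic-api-key","Description":"Generic API Key","File":"config/settings.py",
  "StartLine":12,"Commit":"0a1b2c3d","Author":"dev one",
  "Fingerprint":"0a1b2c3d:config/settings.py:generic-api-key:12"}
]`

const currentReport = `[
 {"RuleID":"generic-api-key","Description":"Generic API Key","File":"config/settings.py",
  "StartLine":12,"Commit":"0a1b2c3d","Author":"dev one",
  "Fingerprint":"0a1b2c3d:config/settings.py:generic-api-key:12"},
 {"RuleID":"aws-access-key-id","Description":"AWS Access Key ID","File":"src/db.go",
  "StartLine":7,"Commit":"4e5f6a7b","Author":"dev two",
  "Fingerprint":"4e5f6a7b:src/db.go:aws-access-key-id:7"}
]`

// triage parses both reports and returns only the findings introduced since the baseline.
func triage(currentJSON, baselineJSON string) ([]Finding, error) {
	cur, err := parseReport([]byte(currentJSON))
	if err != nil {
		return nil, err
	}
	base, err := parseReport([]byte(baselineJSON))
	if err != nil {
		return nil, err
	}
	return newFindings(cur, base), nil
}

func main() {
	fresh, err := triage(currentReport, baselineReport)
	if err != nil {
		panic(err)
	}
	for _, f := range fresh {
		fmt.Printf("NEW %s at %s:%d (commit %s by %s)\n", f.RuleID, f.File, f.StartLine, f.Commit, f.Author)
	}
	fmt.Print("suppress with .gitleaksignore:\n", ignoreList(fresh))
}
```

Keying on the fingerprint rather than on the secret value means the baseline file never has to contain the secrets themselves, and a finding that moves to a different line or commit is correctly treated as new rather than silently inheriting an old suppression.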
package main

import (
	"fmt"
	"log"

	"github.com/zricethezav/gitleaks/v8/detect"
)

func main() {
	// Build a detector from the rule set embedded in gitleaks (v8 API). To use a
	// custom gitleaks.toml instead, unmarshal it into config.ViperConfig, call
	// Translate() and pass the resulting config.Config to detect.NewDetector.
	detector, err := detect.NewDetectorDefaultConfig()
	if err != nil {
		log.Fatal(err)
	}
	// DetectFiles walks a directory tree; it does not read git history.
	findings, err := detector.DetectFiles("path/to/scan")
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		// Report the rule and location rather than echoing the secret value.
		fmt.Printf("%s %s:%d %s\n", f.RuleID, f.File, f.StartLine, f.Description)
	}
}

Adds config minimum version enforcement and improves secret detection for Amazon Bedrock keys and Sonar tokens with the sqa_ and sqp_ prefixes.
- Pin your gitleaks config schema version using the new min-version field to prevent compatibility issues.
- Update detection rules to catch Amazon Bedrock API keys and Sonar tokens with the sqa_ and sqp_ prefixes automatically.
Adds composite rules for multi-part secret detection with proximity constraints, plus performance optimizations and new detectors for Anthropic and Artifactory tokens.
- Use composite rules with `[[rules.required]]` tables to report a primary match only when its auxiliary patterns appear within the specified line and column proximity.
- Performance improved by deferring newline calculation until a match occurs and by promoting the stopword optimizations from earlier pull requests.
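To illustrate what a proximity constraint buys, here is an added example in Go that is not gitleaks' own code and does not reproduce its TOML schema. The `CompositeRule` type and its field names are illustrative; it implements the line-window half of the idea (a primary match is kept only when every required pattern matches within `WithinLines` lines of it) and leaves column proximity out. The sample content is constructed and uses AWS's documented example credentials: an access key ID with its secret key two lines away is reported, while the same ID quoted alone in a comment further down is not.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CompositeRule pairs a primary pattern with auxiliary patterns that must all
// appear within WithinLines lines of the primary match. Field names are
// illustrative; they are not the gitleaks TOML keys.
type CompositeRule struct {
	ID          string
	Primary     *regexp.Regexp
	Required    []*regexp.Regexp
	WithinLines int
}

// Match records a primary hit that satisfied every proximity requirement.
type Match struct {
	RuleID string
	Line   int // 1-based
	Secret string
}

func clamp(v, lo, hi int) int {
	if v < lo {
		return lo
	}
	if v > hi {
		return hi
	}
	return v
}

// requiredNearby reports whether each required pattern matches at least one
// line in the window [idx-w, idx+w] around the primary match at index idx.
func requiredNearby(lines []string, idx int, rule CompositeRule) bool {
	lo := clamp(idx-rule.WithinLines, 0, len(lines)-1)
	hi := clamp(idx+rule.WithinLines, 0, len(lines)-1)
	for _, req := range rule.Required {
		found := false
		for j := lo; j <= hi && !found; j++ {
			found = req.MatchString(lines[j])
		}
		if !found {
			return false
		}
	}
	return true
}

// scanComposite runs the primary pattern over every line and keeps a hit only
// when its required companions sit inside the proximity window.
func scanComposite(content string, rule CompositeRule) []Match {
	lines := strings.Split(content, "\n")
	var out []Match
	for i, line := range lines {
		for _, m := range rule.Primary.FindAllString(line, -1) {
			if requiredNearby(lines, i, rule) {
				out = append(out, Match{RuleID: rule.ID, Line: i + 1, Secret: m})
			}
		}
	}
	return out
}

// awsPair: an access key ID alone is not a usable credential, so require the
// 40-character secret key within three lines before reporting it.
var awsPair = CompositeRule{
	ID:          "aws-access-key-with-secret",
	Primary:     regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	Required:    []*regexp.Regexp{regexp.MustCompile(`(?i)aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}`)},
	WithinLines: 3,
}

// sampleContent is constructed; the values are AWS's documented example credentials.
const sampleContent = `[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1

# Documentation only: an access key ID without its secret is not a
# usable credential, so this line should not be reported.
# example id: AKIAIOSFODNN7EXAMPLE`

func main() {
	for _, m := range scanComposite(sampleContent, awsPair) {
		fmt.Printf("%s line %d: %s\n", m.RuleID, m.Line, m.Secret)
	}
}
```

Widening `WithinLines` to cover the whole file makes the second ID match too, which is the tuning decision the window size represents: a tight window cuts noise from documentation and test fixtures, a loose one catches credential pairs split across a longer config block.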
Adds experimental allowlist optimizations and detection for Notion Public API keys; no breaking changes noted.
- Enable the experimental allowlist optimizations to improve scan performance on large repositories.
- Detect Notion Public API keys in scans to identify potential credential leaks.