Detect secrets in git repos, files, and piped input
MIT
- Go
- Go Template
- Shell

About Gitleaks
Gitleaks is a command line tool that detects hardcoded secrets like passwords, API keys, and tokens. Its detection engine is built largely on regular expressions, and it can scan git history, a working directory, individual files, or anything piped in over stdin.
Scanning git history walks every commit, so a secret that was committed and later removed is still caught. Findings report the rule ID, file path, line, commit, author, and a stable fingerprint, and baselines let you suppress known older findings so scans focus on what is new. Custom and composite rules tailor detection to a project.
Gitleaks installs via Homebrew, runs from Docker images on Docker Hub and ghcr.io, or builds from source with Go. Note that the project is now feature complete: the maintainer is shipping only security patches and has shifted focus to a successor, Betterleaks.
Key features
- Scans full git history, including past commits
- Scans directories, files, and stdin
- Baselines suppress known older findings
- Custom and composite detection rules
- Findings include rule ID, file, commit, and fingerprint
Details
- First released: 2018
- Platforms: CLI · macOS · Linux · Windows
- Deployment: self-hostable · docker · offline
- Scanning modes: git · dir · stdin
- Status: Feature complete · patches only
- Latest release: v8.30.1
