Detects secrets like passwords, API keys, and tokens in git repositories, files, and stdin input
Gitleaks is a secrets detection tool that scans git repositories, directories, files, and stdin input for sensitive information like passwords, API keys, and tokens. It uses regex-based pattern matching to identify potential secrets across various formats and services. The tool operates in three scanning modes: git (for local repositories using git log patches), dir (for scanning directories and files), and stdin (for streaming data input).
The tool integrates with multiple development workflows through GitHub Actions, pre-commit hooks, and Docker containers. It supports custom configuration files in TOML format for defining detection rules and can generate reports in JSON, CSV, JUnit, SARIF, or custom template formats. Gitleaks includes baseline functionality to ignore previously identified findings, making it practical for scanning large repositories with extensive histories.
Gitleaks provides various output options including verbose logging, secret redaction capabilities, and configurable exit codes. It can be configured through command-line flags, environment variables, or configuration files, with support for ignoring specific findings through .gitleaksignore files and inline comments. The tool is designed for security teams, DevOps engineers, and developers who need to prevent secrets from being committed to version control systems.
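As an added illustration of the custom TOML configuration and allowlisting described above (written for this page, not gitleaks' own shipped default config), the file below keeps the built-in rules and adds one hypothetical organisation-specific rule; the `acme_` token format, the paths and the placeholder value are assumptions, and the key layout follows the v8 config schema.

```toml
# Constructed example .gitleaks.toml: extends the default rule set with
# one custom rule and shows per-rule and global allowlists.
title = "acme custom gitleaks config"

[extend]
# Inherit every default rule; the blocks below only add to that set.
useDefault = true

[[rules]]
# Hypothetical token format: "acme_" followed by 32 lowercase hex digits.
id = "acme-internal-api-token"
description = "ACME internal API token (constructed example)"
regex = '''acme_[0-9a-f]{32}'''
# Cheap pre-filter: the regex is only evaluated on lines containing this keyword.
keywords = ["acme_"]
# Discard matches whose Shannon entropy is too low to be a real token
# (random hex approaches 4 bits per character; repeated filler scores far lower).
entropy = 3.0
tags = ["acme", "api", "constructed"]

  [rules.allowlist]
  # Suppress the documented sample token and anything under docs/ for this rule only.
  regexes = ['''acme_0123456789abcdef0123456789abcdef''']
  paths = ['''docs/.*\.md$''']

[allowlist]
# Global allowlist applied to every rule, built-in and custom.
paths = [
  '''(.*?)(jpg|gif|doc|pdf|bin)$''',
  '''go\.sum$''',
]
# Lines containing these words are treated as non-secrets.
stopwords = ["example", "placeholder"]

# Usage (directory mode, redacted SARIF report):
#   gitleaks dir . --config .gitleaks.toml --redact \
#     --report-format sarif --report-path gitleaks.sarif
```

Findings that are legitimately unfixable (rotated test keys in old history, for instance) are better recorded in a baseline or .gitleaksignore than broadened into an allowlist regex, since an allowlist silently exempts future matches as well.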
# via Homebrew
brew install gitleaks
# via Docker
docker pull zricethezav/gitleaks:latest
# via Source
git clone https://github.com/gitleaks/gitleaks.git && cd gitleaks && make build