Gitleaks is the most widely adopted open-source secret scanning tool in the developer ecosystem. With over 25,000 GitHub stars, 26 million downloads on GitHub, 1.2 million installs via Homebrew, and 35 million Docker pulls, it has become the de facto standard for detecting hardcoded secrets in git repositories, files, and directories. Written in Go, it is a single-binary tool that detects passwords, API keys, tokens, and other sensitive credentials before they reach production or get committed to public-facing repositories.
The detection engine uses regex patterns combined with entropy analysis to identify secrets: a rule's regex locates a candidate, and a per-rule entropy threshold rejects low-entropy placeholders such as repeated characters or obvious dummy values that would otherwise match the pattern. It supports over 160 built-in secret types with new ones added regularly, covering everything from AWS keys and GitHub tokens to private SSH keys and database connection strings. The git scanning mode walks not just the latest source code but the entire git history, which is critical because a secret committed in an earlier commit remains readable in every clone and fork even after it has been deleted from the current codebase. This historical scanning is what separates proper secret detection from simple grep-style searches of the working tree. It also sets the remediation bar: a secret found anywhere in history must be treated as exposed and rotated, since rewriting history does not recall the copies that already exist elsewhere.
Gitleaks operates in three scanning modes. The git command scans local git repositories using git log patches, and its --log-opts flag passes options straight through to git log, giving full control over commit ranges (for example, only the commits a branch adds on top of its base). The dir command scans directories and files independent of git history. And stdin mode lets you pipe content directly for scanning, enabling integration with virtually any tool or workflow. Reports are generated in multiple formats including JSON, CSV, JUnit, and SARIF; the SARIF output can be uploaded to GitHub Advanced Security, which displays findings as code scanning alerts in the security tab and, when code scanning is configured as a required check under branch protection, blocks pull requests that introduce secrets.
CI/CD integration is where Gitleaks shines brightest. The official Gitleaks-Action GitHub Action automatically scans all pull requests and commits, or runs on-demand scheduled scans. For personal GitHub accounts, no license key is required. For organization accounts, a free license key is available through a simple sign-up form. The pre-commit hook integration prevents secrets from being committed in the first place, catching them in the staging area before they enter git history. This shift-left approach is the cheapest place to catch a leak because it prevents the problem rather than detecting it after the fact. It is not an enforcement boundary, though: a client-side hook is only present on clones where it was installed and can be skipped with git commit --no-verify, so the CI scan remains the control that actually gates what reaches the shared repository.
Configuration is handled through a TOML file that supports custom rules (each with an id, regex, optional entropy threshold and keywords), allowlists for known false positives (matched by regex, path or commit, either globally or per rule), and path-based exclusions; individual findings can also be suppressed by fingerprint in a .gitleaksignore file. The Gitleaks Playground provides a browser-based tool for testing configurations using WebAssembly: everything processes locally with no server uploads, which is important when testing rules against potentially sensitive content. The configuration system is flexible enough to handle enterprise-specific secret patterns while maintaining the simplicity that makes Gitleaks accessible to individual developers.
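To make the detection model and the configuration concrete, here is a small Go program, added for this article and not taken from the Gitleaks source, that reimplements the regex-plus-entropy-plus-allowlist pipeline described above over constructed input. The Rule and Config types carry the same fields a gitleaks.toml [[rules]] entry and global [allowlist] carry (id, regex, entropy, allowlist regexes, allowlisted paths), but the two rules, their thresholds, the .md path exclusion, the sample lines and the hypothetical key values are all assumptions chosen for illustration, not copies of the upstream default config.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule carries the fields a [[rules]] entry in gitleaks.toml has (id, regex,
// entropy, allowlist). Simplified added reimplementation, not Gitleaks' engine.
type Rule struct {
	ID        string
	Regex     *regexp.Regexp
	Entropy   float64          // minimum Shannon entropy of the secret; 0 disables the check
	Allowlist []*regexp.Regexp // secrets matching any of these are known false positives
}

// Config mirrors the rule list plus the global [allowlist] paths.
type Config struct {
	Rules      []Rule
	AllowPaths []*regexp.Regexp
}

type Finding struct{ RuleID string; Line int; Secret string; Entropy float64 }

// shannonEntropy returns bits per character: "aaaaaaaa" scores 0, a random
// 20-character key scores above 4.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func matchesAny(s string, res []*regexp.Regexp) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// ScanFile applies every rule to every line. The secret is the first capture
// group when the regex has one, else the whole match; it must clear the rule's
// entropy floor and miss both the rule allowlist and the path allowlist.
func ScanFile(path, content string, cfg Config) []Finding {
	if matchesAny(path, cfg.AllowPaths) {
		return nil
	}
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range cfg.Rules {
			for _, m := range r.Regex.FindAllStringSubmatch(line, -1) {
				secret := m[0]
				if len(m) > 1 && m[1] != "" {
					secret = m[1]
				}
				if e := shannonEntropy(secret); e >= r.Entropy && !matchesAny(secret, r.Allowlist) {
					out = append(out, Finding{r.ID, i + 1, secret, e})
				}
			}
		}
	}
	return out
}

// DefaultConfig holds two hypothetical rules written for this example; the
// patterns and thresholds are assumptions, not copied from the upstream config.
func DefaultConfig() Config {
	return Config{
		Rules: []Rule{{
			ID:        "aws-access-key-id",
			Regex:     regexp.MustCompile(`\b((?:AKIA|ASIA)[A-Z0-9]{16})\b`),
			Entropy:   3.0,
			Allowlist: []*regexp.Regexp{regexp.MustCompile(`.+EXAMPLE$`)}, // AWS documentation sample key
		}, {
			ID:      "generic-api-key",
			Regex:   regexp.MustCompile(`(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"]?([0-9a-z_.=-]{16,64})['"]?`),
			Entropy: 3.5,
		}},
		AllowPaths: []*regexp.Regexp{regexp.MustCompile(`\.md$`)}, // markdown docs are never scanned
	}
}

// SampleContent is constructed input: a made-up AWS key id, a low-entropy
// placeholder, a made-up API key, and the AWS documentation example key.
const SampleContent = `AWS_ACCESS_KEY_ID = "AKIAQ7W3N2XK5L9MZB4V"
password = "aaaaaaaaaaaaaaaaaaaa"
API_KEY = "sk_live_c9X2mQ7vL4pR8tW1zB5n"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"`

func main() {
	for _, f := range ScanFile("config/prod.env", SampleContent, DefaultConfig()) {
		fmt.Printf("%-18s line %d entropy %.2f  %s\n", f.RuleID, f.Line, f.Entropy, f.Secret)
	}
}
```

Run against the sample, only lines 1 and 3 survive: line 2 matches the generic regex but its entropy is 0, so the threshold drops it, and line 4 matches the AWS regex with comfortable entropy but is suppressed by the rule's allowlist. Scanning the same content under a path ending in .md returns nothing at all, which is exactly the behaviour a path exclusion gives you in gitleaks.toml and the reason such exclusions should be kept narrow.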
The tool is completely free and open-source under the MIT license for the core scanner. You can use it in personal projects, commercial products, and CI/CD pipelines without licensing costs. It runs on Windows, Linux, and macOS, requires minimal resources (2GB RAM minimum, 50MB storage), and has no external dependencies beyond Git itself, which is only needed for the git scanning mode; the dir and stdin modes run with the bare binary. This zero-cost, cross-platform simplicity is why Gitleaks has achieved the adoption numbers it has: there is essentially no barrier to adding it to any development workflow.