What Gitleaks Does
Gitleaks is the most widely adopted open-source secret scanning tool in the developer ecosystem. With 27K+ GitHub stars, 16M+ Docker downloads, 9M+ GitHub downloads, and 700K+ Homebrew installs, it has become the de facto standard for detecting hardcoded secrets in git repositories, files, and directories. Written in Go, it is a single-binary tool that detects passwords, API keys, tokens, and other sensitive credentials before they reach production or get committed to public-facing repositories.
Detection Engine and Scanning Modes
The detection engine uses regex patterns combined with entropy analysis to identify secrets. It supports over 160 built-in secret types with new ones added regularly, covering everything from AWS keys and GitHub tokens to private SSH keys and database connection strings. The tool scans not just the latest source code but the entire git history, which is critical because secrets committed in earlier commits remain accessible even after deletion from the current codebase. This historical scanning is what separates proper secret detection from simple grep-style searches.
Gitleaks operates in three scanning modes. The git command scans local git repositories using git log patches, with full control over commit ranges and log options. The dir command scans directories and files independent of git history. And stdin mode lets you pipe content directly for scanning, enabling integration with virtually any tool or workflow. Reports are generated in multiple formats including JSON, CSV, JUnit, and SARIF — the latter integrating directly with GitHub Advanced Security to display findings in the security tab and block pull requests that introduce secrets.
CI/CD Integration and Configuration
CI/CD integration is where Gitleaks shines brightest. The official Gitleaks-Action GitHub Action automatically scans all pull requests and commits, or runs on-demand scheduled scans. For personal GitHub accounts, no license key is required. For organization accounts, a free license key is available through a simple sign-up form. The pre-commit hook integration prevents secrets from being committed in the first place, catching them in the staging area before they enter git history. This shift-left approach is significantly more effective than post-commit scanning because it prevents the problem rather than detecting it after the fact.
Configuration is handled through a TOML file that supports custom rules, allowlists for known false positives, and path-based exclusions. The Gitleaks Playground provides a browser-based tool for testing configurations using WebAssembly — everything processes locally with no server uploads, which is important when testing rules against potentially sensitive content. The configuration system is flexible enough to handle enterprise-specific secret patterns while maintaining the simplicity that makes Gitleaks accessible to individual developers.
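To make the detection engine and the configuration concepts above concrete, here is an added illustrative re-implementation in Python (not Gitleaks's own Go code): one rule carrying the same fields a gitleaks.toml rule uses (id, regex, entropy, keywords, allowlist paths and regexes), applied to a constructed in-memory file tree. The `acme_` token prefix, the rule, and the sample files are assumptions made for the example.

```python
import math
import re

# Constructed rule using the same field names a gitleaks.toml rule carries
# (id, regex, entropy, keywords, allowlist); "acme_" is a hypothetical token prefix.
RULES = [{
    "id": "acme-api-token",
    "regex": re.compile(r"acme_[A-Za-z0-9]{32}"),
    "entropy": 3.5,          # minimum Shannon entropy (bits/char) of the match
    "keywords": ["acme_"],   # cheap substring prefilter before the regex runs
    "allowlist": {
        "paths": [re.compile(r"^tests/fixtures/")],   # path-based exclusion
        "regexes": [re.compile(r"acme_EXAMPLE")],     # known placeholder value
    },
}]

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, filler scores low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_line(path: str, lineno: int, line: str) -> list[dict]:
    findings = []
    for rule in RULES:
        if not any(k in line for k in rule["keywords"]):
            continue                                   # keyword prefilter miss
        if any(p.search(path) for p in rule["allowlist"]["paths"]):
            continue                                   # whole path is allowlisted
        for m in rule["regex"].finditer(line):
            secret = m.group(0)
            if any(r.search(secret) for r in rule["allowlist"]["regexes"]):
                continue                               # allowlisted placeholder
            if shannon_entropy(secret) < rule["entropy"]:
                continue                               # right shape, but too regular
            findings.append({"rule": rule["id"], "file": path, "line": lineno, "secret": secret})
    return findings

def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: contents} map, the way `gitleaks dir` walks a tree."""
    return [f for path, text in files.items()
            for i, line in enumerate(text.splitlines(), 1)
            for f in scan_line(path, i, line)]

# Constructed sample tree: a real-looking token, a documented placeholder,
# a fixture under an allowlisted path, and a low-entropy string of the right shape.
SAMPLE = {
    "src/config.py": 'API_KEY = "acme_q7Zp2kLm9XcV4bNt8RwYs3HgJd6FaE1u"\n',
    "docs/README.md": "export ACME_KEY=acme_EXAMPLEEXAMPLEEXAMPLEEXAMPLEXXXX\n",
    "tests/fixtures/keys.py": 'KEY = "acme_q7Zp2kLm9XcV4bNt8RwYs3HgJd6FaE1u"\n',
    "src/low.py": 'X = "acme_' + "a" * 32 + '"\n',
}
```

Only the token in src/config.py survives all four filters; the other three lines show why a keyword prefilter, an entropy floor, and the two allowlist kinds each remove a different class of false positive.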
Licensing and Recent Developments
The tool is completely free and open-source under the MIT license for the core scanner. You can use it in personal projects, commercial products, and CI/CD pipelines without licensing costs. It runs on Windows, Linux, and macOS, requires minimal resources (2GB RAM minimum, 50MB storage), and has no external dependencies beyond Git itself. This zero-cost, cross-platform simplicity is why Gitleaks has achieved the adoption numbers it has — there is essentially no barrier to adding it to any development workflow.
An important development in March 2026: Zach Rice, the original creator of Gitleaks, announced he no longer has full control over the Gitleaks repository and brand. He launched Betterleaks, sponsored by Aikido Security, as a successor project with improvements including parallelized Git scanning, BPE tokenization-based detection achieving 98.6% recall versus Gitleaks's 70.4% with traditional entropy, and default encoding detection for doubly and triply encoded secrets. Betterleaks is designed as a drop-in replacement with the same CLI interface and configuration format.
Competition and Limitations
Compared to TruffleHog, its most direct competitor, Gitleaks focuses specifically on git repositories and file scanning with speed and simplicity as priorities. TruffleHog offers broader source coverage, scanning Slack, wikis, S3 buckets, and other services, and can verify whether leaked credentials are still active. Gitleaks is faster for git-only scanning, while TruffleHog provides deeper verification and wider surface coverage. The choice between them often comes down to whether your security needs extend beyond git repositories.
The limitations are straightforward. Gitleaks is a secret scanner, not a full SAST platform — it will not find SQL injection vulnerabilities, insecure coding patterns, or architectural issues. False positives can occur, particularly with high-entropy strings that are not actually secrets. The tool does not verify whether detected secrets are still active or revoked. And the ownership transition situation creates uncertainty about the long-term direction of the project, with Betterleaks now emerging as a potential successor.
The Bottom Line
Gitleaks remains the most practical starting point for any team that does not currently have secret scanning in their workflow. The combination of zero cost, single-binary installation, pre-commit hook support, and GitHub Action integration means you can go from nothing to comprehensive secret scanning in under thirty minutes. For most development teams, adding Gitleaks as a pre-commit hook is the highest-impact security improvement they can make with the least effort. Watch the Betterleaks project for potential migration in the future, but Gitleaks today is battle-tested and reliable.