LinuxCommandLibrary

gitleaks

Scan Git repositories for secrets

TLDR

Scan a remote repository (gitleaks v8 has no remote-URL flag: clone it, then scan the clone)
$ git clone [https://github.com/username/repository.git] [path/to/clone] && gitleaks detect [[-s|--source]] [path/to/clone]

Scan a local repository, including its full git history (the source defaults to the current directory)
$ gitleaks detect [[-s|--source]] [path/to/repository]

Scan a plain directory or file as it is on disk, ignoring git history
$ gitleaks detect --no-git [[-s|--source]] [path/to/directory]

Output scan results to a JSON file (add --redact to keep the secret values themselves out of the file)
$ gitleaks detect [[-s|--source]] [path/to/repository] [[-r|--report-path]] [path/to/report.json]

Use a custom rules file
$ gitleaks detect [[-s|--source]] [path/to/repository] [[-c|--config]] [path/to/config.toml]

Start scanning from a specific commit (the value is passed unchanged to git log, so use a revision range, not --since, which takes a date)
$ gitleaks detect [[-s|--source]] [path/to/repository] --log-opts "[commit_id]..HEAD"

Scan staged changes before a commit, e.g. from a pre-commit hook
$ gitleaks protect --staged

Display verbose output indicating which parts were identified as leaks during the scan
$ gitleaks protect --staged --verbose

SYNOPSIS

gitleaks detect [-s|--source <path>] [--no-git] [--log-opts <git-log-options>] [global flags]
gitleaks protect [--staged] [global flags]
gitleaks version

PARAMETERS

The source is given with -s/--source, not as a positional argument. Flags below are those of gitleaks v8.

detect flags

-s, --source <path>
    Path to the git repository, directory or file to scan (default ".")

--log-opts <string>
    Options passed through to git log, e.g. "--all commitA..commitB"; restricts which commits are scanned

--no-git
    Treat the source as a plain directory and scan the files on disk; --log-opts has no effect

--pipe
    Scan input read from stdin, e.g. cat some_file | gitleaks detect --pipe

-b, --baseline-path <path>
    Path to a previous JSON report; findings already present in it are not reported again

protect flags

--staged
    Scan only the staged changes (the index) instead of the whole working tree

Global flags (accepted by every subcommand)

-c, --config <path>
    Config file path. Precedence: --config, then the GITLEAKS_CONFIG environment variable, then <source>/.gitleaks.toml, then the built-in default config

--exit-code <int>
    Exit code when leaks have been encountered (default 1)

-l, --log-level <level>
    Log level: trace, debug, info, warn, error or fatal (default "info")

--max-target-megabytes <int>
    Files larger than this are skipped

--no-banner
    Suppress banner output

--no-color
    Turn off colour in verbose output

--redact
    Redact secrets in logs, stdout and reports (recent releases accept an optional percentage, e.g. --redact=50)

-f, --report-format <format>
    Report format: json, csv, junit or sarif (default "json")

-r, --report-path <path>
    Write the report to this file

-v, --verbose
    Show verbose output from the scan, including each finding as it is made

--version
    Print gitleaks version

-h, --help
    Show help

DESCRIPTION

Gitleaks is a fast, open-source secret scanner for Git repositories, directories and files. It finds leaked credentials such as API keys, passwords, tokens and private keys by running a ruleset of regular expressions over file contents and git history. Each rule can carry keywords (a cheap substring pre-filter that runs before the regex), a capture group that isolates the secret from the surrounding match, and a Shannon-entropy threshold the matched secret must exceed, which weeds out placeholders and other low-entropy text. The default ruleset (well over a hundred rules for common providers) is compiled into the binary and can be replaced or extended with a TOML config.

Written in Go and shipped as a single static binary, it is cross-platform and well suited to CI/CD pipelines, pre-commit hooks and security audits. gitleaks detect scans a repository's full history by default (every commit git log -p reaches from the source); --log-opts narrows the commit range and --no-git scans files as they are on disk. A baseline report (--baseline-path) suppresses findings that have already been triaged, allowlists in the TOML config and gitleaks:allow comments exempt known false positives, and --redact keeps the secret values out of reports and logs.

Reports can be written as JSON, CSV, JUnit or SARIF, which GitHub code scanning and most CI systems ingest directly, and the gitleaks/gitleaks-action GitHub Action wraps the scan. gitleaks protect scans the working tree, or only the index with --staged, so it can run from a pre-commit hook and block a commit before a secret enters history. A non-zero exit code (1 by default, tunable with --exit-code) signals findings to the calling pipeline. Widely used by developers and security teams to catch accidental leaks early.

Install on Linux from the binaries on the GitHub releases page, Homebrew (brew install gitleaks), the zricethezav/gitleaks Docker image, go install, or a distribution package where one is available.

CAVEATS

Regex and entropy matching produces false positives; tune individual rules, allowlists and baselines rather than lowering entropy thresholds globally.
It only finds what its rules describe: a secret in an unfamiliar format that trips no rule goes unreported, so a clean scan is not proof of absence.
Scanning deep history on large repositories takes time and memory; narrow the commit range with --log-opts for incremental CI runs.
gitleaks protect --staged only sees the index. A secret that was already committed stays in history even after it is removed from the working tree; it needs gitleaks detect, a history rewrite, and above all rotation of the credential.
Without --redact, report files and verbose logs contain the secret values themselves and must be handled as sensitive artifacts.

SUBCOMMANDS

detect: Scan a repository, directory or file; the default workflow.
protect: Scan uncommitted changes, or only staged changes with --staged; intended for pre-commit hooks.
version: Show version info.
help: Show help for any subcommand.
Recent v8 releases add git, dir and stdin subcommands that split these modes by input type and mark detect and protect as deprecated aliases.

CONFIGURATION

Rules and allowlists live in a TOML file: .gitleaks.toml in the source root, or the path given with --config or GITLEAKS_CONFIG. Each [[rules]] entry has an id, description and regex, and optionally secretGroup (the capture group holding the secret), entropy (minimum Shannon entropy of the secret), keywords (a pre-filter), path and a rule-level [rules.allowlist]; a top-level [allowlist] holds regexes, paths, stopwords and commits to ignore globally. A config that begins with [extend] useDefault = true builds on the bundled ruleset instead of replacing it. Known findings are suppressed by two separate mechanisms that are not part of the TOML config: a .gitleaksignore file listing finding fingerprints, and a baseline report passed with --baseline-path. A gitleaks:allow comment on a line exempts that line.

HISTORY

Created in 2018 by Zachary Rice (zricethezav) as a fast Git secret scanner. Actively maintained on GitHub (gitleaks/gitleaks); v8, a 2021 rewrite, introduced the detect and protect subcommands and the current TOML rule format, and later v8 releases added baseline reports, .gitleaksignore fingerprints and the git/dir/stdin subcommands. Widely used for secret detection in CI pipelines and pre-commit hooks.

SEE ALSO

git(1), git-log(1)
