gitleaks
Detect secrets and sensitive data in Git repositories
TLDR
Scan repository
$ gitleaks detect
Scan specific repository path
$ gitleaks detect --source [path]
Scan a plain directory (no git history)
$ gitleaks detect --no-git --source [path]
Scan and write a report
$ gitleaks detect --report-format json --report-path [report.json]
Check staged changes before committing (pre-commit hook mode)
$ gitleaks protect --staged
Use custom config
$ gitleaks detect --config [.gitleaks.toml]
SYNOPSIS
gitleaks command [options]
DESCRIPTION
gitleaks detects hardcoded secrets in Git repositories: API keys, passwords, tokens, private keys and other credentials that should never be committed. The detect command walks the commit history (every commit git log returns, not only the files in the current tree) and reports each match with its commit, author, file and line; the protect command scans uncommitted changes, so it can run as a pre-commit hook and stop a secret before it reaches the remote.
Each rule is a regular expression, optionally narrowed by keyword prefilters and a Shannon-entropy threshold, so rules can match both fixed-format credentials (provider-prefixed API keys) and arbitrary high-entropy strings. Matches that are not secrets are suppressed with allowlists in the configuration file, an inline gitleaks:allow comment on the offending line, or fingerprints listed in a .gitleaksignore file.
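The pre-commit hook described above, written out as an added example. It is not part of gitleaks: the protect, --staged, --redact, --verbose and --no-banner flags are gitleaks's own, while the fail-closed check, the messages and the install path (.git/hooks/pre-commit) are this example's assumptions.

```shell
#!/bin/sh
# Added example: a pre-commit hook built on `gitleaks protect --staged`.
# Not part of gitleaks itself; the CLI flags are real, the hook logic around
# them is this example's own.
#
# Install (assumed path): copy this file to .git/hooks/pre-commit and
# `chmod +x` it, or set core.hooksPath to a directory that contains it.

gitleaks_precommit() {
    # Fail closed: a missing scanner must not silently let secrets through.
    if ! command -v gitleaks >/dev/null 2>&1; then
        echo "pre-commit: gitleaks not found in PATH; install it before committing" >&2
        return 1
    fi

    # --staged    scan only the index (what this commit will contain), not the whole tree
    # --redact    keep the secret value itself out of the terminal and any CI log
    # --verbose   print each finding (rule, file, line) so the author can locate it
    # --no-banner quieter output inside a hook
    # A .gitleaks.toml at the repository root is picked up automatically;
    # --config would override it.
    if gitleaks protect --staged --redact --verbose --no-banner; then
        return 0
    fi

    cat >&2 <<'EOF'
pre-commit: gitleaks found a possible secret in the staged changes; commit aborted.
  - Remove the secret and read it from the environment or a secret store instead.
  - If it is a false positive, add an allowlist entry to .gitleaks.toml
    or append `# gitleaks:allow` to the offending line.
  - `git commit --no-verify` skips this hook; the secret then reaches the remote.
EOF
    return 1
}

# Run only when git invokes this file as the hook ($0 ends in pre-commit),
# so the function can also be sourced and exercised on its own.
case "$0" in
    */pre-commit|pre-commit) gitleaks_precommit ;;
esac
```

The hook's exit status is gitleaks's: git aborts the commit on anything non-zero, which is also why the missing-binary case returns 1 rather than 0.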
PARAMETERS
detect
Scan the commit history for secrets (or a plain directory with --no-git).
protect
Scan uncommitted changes; with --staged only the index is checked, which is the mode a pre-commit hook wants.
--staged
(protect only) Scan staged changes instead of the whole working tree.
--no-git
(detect only) Treat the source as a plain directory and ignore git history.
-s, --source PATH
Repository or directory path (default: current directory).
-f, --report-format FORMAT
Output format (json, csv, junit, sarif).
-r, --report-path FILE
Output file path.
-c, --config FILE
Configuration file (otherwise .gitleaks.toml in the repository root, then the built-in default rules).
--log-opts OPTS
Options passed to git log, e.g. a commit range, to limit which commits detect scans.
--baseline-path FILE
JSON report from an earlier detect run; findings already listed there are not reported again.
--exit-code N
Exit code when findings are reported (default 1).
--redact
Redact secret values in output and reports.
-v, --verbose
Print each finding as it is found.
--help
Display help information.
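The parameters above combined into a CI gate, as an added example that is not gitleaks's own code. The detect flags are gitleaks's; the wrapper function, the baseline file name .gitleaks-baseline.json and the assumption that the job runs at the repository root with a full (not shallow) clone are this example's.

```shell
#!/bin/sh
# Added example: gating a CI job on gitleaks. Not part of gitleaks; the flags
# are gitleaks's own, the wrapper logic and file names are assumptions.
# Assumed: run at the repository root with full history available; a shallow
# clone hides most of what `detect` exists to scan.

# gitleaks_ci_scan [commit-range] [report-path]
#   commit-range : optional, e.g. "origin/main..HEAD" to scan only a PR's commits
#   report-path  : SARIF output, default gitleaks.sarif (consumable by code-scanning tools)
# Returns gitleaks's exit status: 0 clean, 1 findings (--exit-code), other = scanner error.
gitleaks_ci_scan() {
    range="$1"
    report="${2:-gitleaks.sarif}"

    set -- detect \
        --source . \
        --report-format sarif \
        --report-path "$report" \
        --redact \
        --no-banner \
        --exit-code 1

    # Full-history scans are slow on large repositories; on a pull request
    # pass a commit range through to git log with --log-opts and scan only
    # the new commits. Leave it unset for a scheduled full scan.
    if [ -n "$range" ]; then
        set -- "$@" --log-opts="$range"
    fi

    # A baseline (a JSON report from an earlier `gitleaks detect` run, file
    # name assumed here) lets an old repository adopt the gate without first
    # triaging every historical finding; anything new still fails the job.
    if [ -f .gitleaks-baseline.json ]; then
        set -- "$@" --baseline-path .gitleaks-baseline.json
    fi

    gitleaks "$@"
}

# Usage as a script: sh gitleaks-ci.sh [commit-range] [report-path]
# (guarded on the script name so the function can also be sourced)
case "$0" in
    *gitleaks-ci.sh) gitleaks_ci_scan "$@" ;;
esac
```

Treat a baseline as a temporary measure: every finding in it is still a live credential in history until it has been rotated.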
CONFIGURATION
.gitleaks.toml
Custom rules configuration file, read from the repository root unless --config points elsewhere. It defines rules (an id, a regex, optional keyword prefilters, an entropy threshold and tags), rule-scoped and global allowlists (paths, regexes, commits, stopwords), and whether the built-in rules are kept ([extend] useDefault = true) or replaced.
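A configuration that keeps the default rules and adds one in-house rule, as an added example. The keys are gitleaks's TOML schema; the acme_ token format, the rule id, and the paths and placeholders in the allowlists are hypothetical.

```toml
# .gitleaks.toml (added example; the rule and the allowlisted values are hypothetical)
title = "acme gitleaks config"

# Keep the built-in ruleset and add to it instead of replacing it.
[extend]
useDefault = true

# Custom rule for an in-house token format: "acme_" followed by 32 lower-case
# hex characters is an assumed format for this example.
[[rules]]
id = "acme-service-token"
description = "ACME internal service token"
regex = '''\bacme_[0-9a-f]{32}\b'''
# keywords are a cheap prefilter: the regex only runs on lines containing one
keywords = ["acme_"]
# drop low-entropy matches such as acme_00000000000000000000000000000000
entropy = 3.0
tags = ["token", "internal"]

  # Rule-scoped allowlist: the documented placeholder token is not a secret.
  [rules.allowlist]
  regexes = ['''acme_0123456789abcdef0123456789abcdef''']

# Global allowlist, applied to every rule (built-in ones included).
[allowlist]
description = "Files and values known not to contain live secrets"
paths = [
  '''(^|/)testdata/''',
  '''\.(png|jpg|gif|ico|pdf)$''',
  '''(^|/)(go\.sum|package-lock\.json|yarn\.lock)$''',
]
regexes = [
  '''EXAMPLE_KEY_DO_NOT_USE''',
]
# matches containing any of these substrings are ignored
stopwords = ["example", "placeholder"]
```

Prefer narrow allowlist entries (a specific placeholder, a test-data directory) over broad ones: a path pattern such as the lock-file entry above silences every rule for those files, so it should only cover files that cannot contain credentials.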
CAVEATS
Regex and entropy rules produce false positives (test fixtures, example keys, hashes in lock files); tune them with allowlists, the inline gitleaks:allow comment, or a .gitleaksignore of fingerprints rather than turning rules off. Custom rules are needed for in-house token formats the default ruleset does not know. Scanning a long history is slow; in CI, restrict the scan to a commit range with --log-opts and keep full-history scans for scheduled jobs, and note that a shallow clone hides most of the history detect is meant to scan. A secret found in history stays exposed after the file is deleted in HEAD, and after history is rewritten for anyone who already holds a clone: rotate the credential first, and rewrite history (for example with git filter-repo) only if the repository itself must also be purged.
HISTORY
gitleaks was created by Zachary Rice to address the security risk of secrets accidentally committed to git repositories.
SEE ALSO
git-secret(1), trufflehog(1)
