Using betterleaks - SethBodine/audit-tools GitHub Wiki

Using betterleaks

betterleaks is a secrets scanner for Git repositories, directories, and stdin. It is built by the maintainers of gitleaks and is largely backwards-compatible with gitleaks configuration and ignore files. It ships with a faster detection engine, parallelised Git scanning, recursive decoding for obfuscated secrets, archive scanning, and a token efficiency filter that reduces false positives on natural language strings.

  • Scans Git history, directories, files, and piped stdin
  • Detects 800+ secret types: API keys, tokens, passwords, private keys, and more
  • Parallelised Git log scanning for significantly faster results on large repos
  • Recursive decoding support: base64, hex, percent-encoding, unicode escapes
  • Archive scanning: can scan inside zip, tar, and other archive formats
  • Token efficiency filter: distinguishes true secrets from natural-language strings using BPE tokenisation
  • Backwards compatible with gitleaks config and ignore files
  • Outputs to JSON, CSV, JUnit XML, and SARIF

Prepare the Environment

No setup required. Run from the shell.

Gather Data

Scan a Git Repository (full history)

betterleaks git <path>                  # e.g. betterleaks git .
betterleaks git . -v                    # verbose output
betterleaks git . --git-workers=8       # parallelised scan (faster on large repos)

Scan a Specific Commit Range

betterleaks git . --log-opts="HEAD~50..HEAD"       # last 50 commits
betterleaks git . --log-opts="--since=2024-01-01"  # since a date
betterleaks git . --log-opts="--all commitA..commitB"

Scan a Directory or File

betterleaks dir <path>                  # e.g. betterleaks dir .
betterleaks dir /output                 # scan mounted output directory

Scan from stdin

cat some_file | betterleaks stdin
curl -s https://example.com/file | betterleaks stdin

Enable Recursive Decoding

Useful for finding secrets encoded in base64, hex, or percent-encoding:

betterleaks git . --max-decode-depth=5
betterleaks dir . --max-decode-depth=5

Enable Archive Scanning

Scan inside zip files, tarballs, and other archives:

betterleaks dir . --max-archive-depth=3
betterleaks git . --max-archive-depth=3

Output to File

betterleaks git . \
    --report-format json \
    --report-path /output/betterleaks-results.json

betterleaks git . \
    --report-format sarif \
    --report-path /output/betterleaks-results.sarif

Baseline Workflow (suppress known findings)

# Step 1: create a baseline from existing findings
betterleaks git . --report-path baseline.json

# Step 2: future scans only report new findings
betterleaks git . \
    --baseline-path baseline.json \
    --report-path new-findings.json

Suppress False Positives

Add a betterleaks:allow comment inline:

# In source code - betterleaks will skip this line
api_key = "example-key-for-testing"  # betterleaks:allow

Or add fingerprints to a .betterleaksignore file at the repo root. Fingerprints appear in the JSON report output.
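As an added example (not part of this wiki page or the betterleaks project), a Python helper that post-processes the JSON report: it pulls the fingerprint of each finding, treats findings under assumed test-fixture paths as safe to suppress, and merges those fingerprints into the text of .betterleaksignore without duplicating entries. The report field names (RuleID, File, Commit, Fingerprint) assume the gitleaks report layout betterleaks is compatible with; the sample report and the fixture path prefixes are constructed.

```python
import json

# Constructed sample of a betterleaks JSON report with two findings. The field
# names (RuleID, File, Commit, Fingerprint) assume the gitleaks report layout
# that betterleaks is compatible with; secret values are redacted here.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "src/client.py", "StartLine": 12,
     "Commit": "abc1234", "Secret": "<redacted>",
     "Fingerprint": "abc1234:src/client.py:generic-api-key:12"},
    {"RuleID": "aws-access-token", "File": "tests/fixtures/sample.env",
     "StartLine": 3, "Commit": "def5678", "Secret": "<redacted>",
     "Fingerprint": "def5678:tests/fixtures/sample.env:aws-access-token:3"},
])

# Hypothetical triage rule: findings under these paths are known test data.
FIXTURE_PREFIXES = ("tests/fixtures/", "testdata/")


def parse_report(report_json: str) -> list[dict]:
    """Load a report, tolerating an empty file, and keep only findings that
    carry a fingerprint (entries without one cannot be suppressed)."""
    findings = json.loads(report_json) if report_json.strip() else []
    return [f for f in findings if f.get("Fingerprint")]


def triage(findings: list[dict]) -> tuple[list[str], list[dict]]:
    """Return (fingerprints safe to ignore, findings a human must review)."""
    ignore, review = [], []
    for f in findings:
        if f["File"].startswith(FIXTURE_PREFIXES):
            ignore.append(f["Fingerprint"])
        else:
            review.append(f)
    return ignore, review


def merge_ignore(current: str, fingerprints: list[str]) -> tuple[str, list[str]]:
    """Append fingerprints to the text of .betterleaksignore, skipping ones
    already listed; existing entries and '#' comment lines are kept as-is."""
    lines = current.splitlines()
    known = {ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")}
    added = []
    for fp in fingerprints:
        if fp not in known:
            known.add(fp)
            added.append(fp)
    out = "\n".join(lines + added)
    return (out + "\n" if out else ""), added
```

Write the returned text back to .betterleaksignore at the repo root and re-run the scan; the finding in src/client.py stays in the `review` list until someone has looked at the actual secret.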

Configuration

betterleaks reads .betterleaks.toml or .gitleaks.toml from the target directory. To use a custom config:

betterleaks git . --config /path/to/config.toml

Known Issues

  • betterleaks is backwards compatible with gitleaks config but has its own rule set — results may differ from gitleaks on the same repository.
  • Very deep recursive decoding (--max-decode-depth) can increase scan time significantly on large repos.

Additional Information

⚠️ **GitHub.com Fallback** ⚠️