Using gitleaks - SethBodine/audit-tools GitHub Wiki

Using Gitleaks

Gitleaks is a fast secrets scanner for Git repositories, filesystems, and CI/CD pipelines. It detects hardcoded secrets including API keys, tokens, passwords, and private keys using a library of regex-based rules. It can scan full commit history, staged changes, or arbitrary file paths, and is well-suited to both point-in-time assessments and pipeline integration.

  • Scans Git repositories including full commit history
  • Detects 150+ secret types including AWS, Azure, GCP, GitHub, Slack, and more
  • Scans local directories, cloned repositories, and data piped on stdin (--pipe); remote repositories must be cloned first
  • Configurable via TOML — rules can be added, suppressed, or tuned
  • Outputs to JSON, CSV, SARIF, and JUnit

Prepare the Environment

No setup required; run from the shell. The commands below use the gitleaks 8.x command line (gitleaks version shows the installed release).

Gather Data

Scan a Local Git Repository (full history)

gitleaks detect --source <path-to-repo>
gitleaks detect --source .                          # current directory
gitleaks detect --source . --report-format json \
    --report-path /output/gitleaks-results.json

Scan Only Uncommitted Changes (staged + unstaged)

gitleaks protect --source .                         # uncommitted working-tree changes
gitleaks protect --source . --staged                # staged changes only (pre-commit hook use)
# gitleaks 8.19 and later also accept: gitleaks git --pre-commit --staged
# Note: --no-git is not this; it scans every file on disk, committed or not.

Scan a Specific Branch or Commit Range

gitleaks detect --source . --log-opts="main..HEAD"
gitleaks detect --source . --log-opts="--since=2024-01-01"

Scan a Remote Repository

Gitleaks scans only what is on disk, so clone first. Use a full clone: a shallow clone (--depth) hides the older history from the scan.

git clone https://github.com/<org>/<repo> /tmp/<repo>
gitleaks detect --source /tmp/<repo>

Scan a Directory (no git context)

gitleaks detect --source <path> --no-git

Output Formats

gitleaks detect --source . \
    --report-format json \
    --report-path /output/gitleaks.json

gitleaks detect --source . \
    --report-format sarif \
    --report-path /output/gitleaks.sarif

gitleaks detect --source . \
    --report-format csv \
    --report-path /output/gitleaks.csv

Suppress Known False Positives

Add a .gitleaksignore file to the repo root, one fingerprint per line, copied from the Fingerprint field of the finding to suppress (commit:file:rule-id:line for git scans, file:rule-id:line for --no-git scans). Alternatively, use the --baseline-path flag to suppress findings recorded in a previous JSON report. The report, and therefore the baseline, contains the matched secret values, so store it with the same care as the secrets themselves and never commit it to the repository being scanned:

# Create a baseline from current findings
gitleaks detect --source . --report-format json \
    --report-path baseline.json

# Future scans only report new findings
gitleaks detect --source . \
    --baseline-path baseline.json
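The following script is an added example, not part of the audit-tools wiki or of gitleaks itself. It builds .gitleaksignore entries from a gitleaks JSON report: every finding carries a Fingerprint field, so reviewed false positives (here, anything under docs/) can be appended to the ignore file without retyping fingerprints, and re-running it never duplicates an entry. The report embedded in write_sample_report is constructed for the example and is not real gitleaks output; the docs/ path filter and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the audit-tools wiki): build .gitleaksignore
# entries from a gitleaks JSON report. Uses only sed/awk, relying on the
# one-field-per-line layout of gitleaks' pretty-printed JSON.
set -eu

# write_sample_report <path>: a CONSTRUCTED two-finding report for the demo,
# shaped like gitleaks' JSON output; the commits, paths and secrets are made up.
write_sample_report() {
  cat > "$1" <<'EOF'
[
 {
  "Description": "AWS Access Key",
  "Secret": "AKIAIOSFODNN7EXAMPLE",
  "File": "docs/aws-example.md",
  "Commit": "0123456789abcdef0123456789abcdef01234567",
  "RuleID": "aws-access-token",
  "Fingerprint": "0123456789abcdef0123456789abcdef01234567:docs/aws-example.md:aws-access-token:12"
 },
 {
  "Description": "Generic API Key",
  "Secret": "sk_live_not_a_real_key",
  "File": "src/billing.py",
  "Commit": "89abcdef0123456789abcdef0123456789abcdef",
  "RuleID": "generic-api-key",
  "Fingerprint": "89abcdef0123456789abcdef0123456789abcdef:src/billing.py:generic-api-key:40"
 }
]
EOF
}

# fingerprints <report.json>: one fingerprint per finding, in report order
fingerprints() {
  sed -n 's/^[[:space:]]*"Fingerprint":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# ignore_matching <report.json> <path-regex>: fingerprints whose file path
# matches the regex. Git-scan fingerprints are commit:file:rule:line, so the
# path is field 2; --no-git fingerprints are file:rule:line, so it is field 1.
ignore_matching() {
  fingerprints "$1" | awk -F: -v re="$2" '{ f = (NF >= 4) ? $2 : $1; if (f ~ re) print }'
}

# append_ignores <report.json> <path-regex> <.gitleaksignore>: add matching
# fingerprints, keeping existing lines and never writing a duplicate
append_ignores() {
  merged=$(mktemp)
  { [ -f "$3" ] && cat "$3"; ignore_matching "$1" "$2"; } | awk '!seen[$0]++' > "$merged"
  mv "$merged" "$3"
}

# Demo on the constructed report. The report file holds the plaintext
# secrets (the Secret field), so it is removed as soon as it has been used.
demo_report=$(mktemp)
write_sample_report "$demo_report"
echo "all fingerprints:";          fingerprints "$demo_report"
echo "fingerprints under docs/:";  ignore_matching "$demo_report" '^docs/'
rm -f "$demo_report"
```

Typical use is append_ignores gitleaks-results.json '^tests/fixtures/' .gitleaksignore after a reviewer has confirmed the matches are fixtures; because the ignore file is keyed on commit and line, a later commit that moves the same secret produces a new finding rather than being silently suppressed.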

Exit Codes

Gitleaks exits 0 when no secrets are found and 1 when it finds some; the "found" code can be changed with --exit-code. Other failures (an unknown flag, an unreadable source path) also exit non-zero, so a CI gate should not read every non-zero status as "secrets found":

gitleaks detect --source . --exit-code 7
case $? in
  0) echo "Clean" ;;
  7) echo "Secrets found" ;;
  *) echo "Scan failed" ;;
esac
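As an added example (not from the audit-tools wiki), the script below wraps gitleaks detect as a CI gate that keeps "leaks found" and "scanner failed" apart. It moves the leak exit code to 7 with --exit-code (an arbitrary choice), warns when the checkout is shallow, because gitleaks can only scan commits that exist locally, and counts findings from the JSON report with grep rather than a JSON tool. The LEAK_CODE value and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the audit-tools wiki): CI gate around gitleaks
# detect. Default gitleaks 8.x codes: 0 clean, 1 leaks found or error,
# 126 unknown flag. Moving the "leaks" code elsewhere with --exit-code
# keeps a scanner failure from passing as (or hiding behind) a finding.
set -u

LEAK_CODE=${LEAK_CODE:-7}    # assumed value; anything other than 0, 1 and 126

# classify_exit <status>: prints clean, leaks or error
classify_exit() {
  case "$1" in
    0)            echo clean ;;
    "$LEAK_CODE") echo leaks ;;
    *)            echo error ;;
  esac
}

# count_findings <report.json>: each finding in the JSON report has exactly
# one RuleID field, so counting those lines counts findings; 0 if no report
count_findings() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '"RuleID"' "$1" || true
}

# warn_if_shallow <repo>: gitleaks only sees commits that are present
# locally, so a depth-limited CI checkout silently skips older history
warn_if_shallow() {
  if [ "$(git -C "$1" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
    echo "gitleaks: $1 is a shallow clone; history beyond the cut-off is not scanned" >&2
  fi
}

# gitleaks_gate <source> <report.json>: returns 0 only on a clean scan,
# 1 when leaks were found, 2 when the scanner itself failed
gitleaks_gate() {
  src=$1; report=$2
  warn_if_shallow "$src"
  if gitleaks detect --source "$src" --no-banner --redact \
       --exit-code "$LEAK_CODE" --report-format json --report-path "$report"; then
    status=0
  else
    status=$?
  fi
  case "$(classify_exit "$status")" in
    clean) echo "gitleaks: clean"; return 0 ;;
    leaks) echo "gitleaks: $(count_findings "$report") finding(s), see $report" >&2; return 1 ;;
    *)     echo "gitleaks: scanner failed (exit $status); not a clean result" >&2; return 2 ;;
  esac
}

# Run the gate when a source path is given; with no arguments the file can
# simply be sourced for its functions.
if [ $# -ge 1 ]; then
  gitleaks_gate "$1" "${2:-gitleaks-report.json}"
fi
```

Invoke it as sh gate.sh /path/to/checkout gitleaks-report.json from the pipeline step. The --redact flag keeps the matched secret values out of the report so the file can be kept as a CI artifact; the distinct return codes let the pipeline fail a merge on findings while alerting on scanner breakage instead of treating it as a pass.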

Known Issues

  • Scanning very large repositories with long histories can be slow. Use --log-opts to scope to a date range or commit range if needed.
  • Some rules produce false positives on test fixtures or example files. Use .gitleaksignore or a custom config to suppress known FPs.

Additional Information

⚠️ **GitHub.com Fallback** ⚠️