SAST tool for detecting secrets like API keys, passwords, and tokens in git repositories, files, and stdin
Gitleaks is a static analysis security testing (SAST) tool that detects secrets such as passwords, API keys, and tokens in git repositories, files, and data piped to standard input. It uses regex-based pattern matching to identify potential credentials and sensitive data across different file types and formats.
The tool operates in three scanning modes: git (scans local repositories using git log patches), dir (scans directories and files directly), and stdin (processes piped input). Gitleaks supports configurable detection rules via TOML configuration files and includes built-in patterns for common services like AWS, GitHub, Slack, and database connection strings. It can scan historical git commits, current working directories, or real-time input streams.
Gitleaks integrates into development workflows through GitHub Actions, pre-commit hooks, and CI/CD pipelines. It outputs findings in multiple formats including JSON, CSV, SARIF, and JUnit XML. The tool includes baseline functionality to ignore previously identified issues, redaction options to protect sensitive data in logs, and supports scanning compressed archives and encoded files up to configurable depths.
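To make the mechanics above concrete, here is an added example (not Gitleaks' own code) that models the three features described: regex rules in the same shape as Gitleaks' TOML `[[rules]]` entries (id, description, regex), redaction of matched values before they reach a report, and a baseline of fingerprints that suppresses findings already seen. The rule regexes, the fingerprint format and the sample file are constructed for illustration; the AKIA value is AWS's published documentation example, not a live key.

```python
import hashlib
import re

# Constructed rules mirroring the fields of a Gitleaks [[rules]] TOML entry.
# Group 1 of each regex captures the secret itself so it can be redacted.
RULES = [
    {"id": "aws-access-key-id", "description": "AWS access key ID",
     "regex": r"\b(AKIA[0-9A-Z]{16})\b"},
    {"id": "generic-api-key", "description": "api_key assignment",
     "regex": r"""(?i)api[_-]?key\s*[:=]\s*['"]?([A-Za-z0-9_\-]{16,})['"]?"""},
]


def fingerprint(path, rule_id, line_no, secret):
    """Stable id for a finding so a baseline can suppress it on later scans (constructed format)."""
    return hashlib.sha256(f"{path}:{rule_id}:{line_no}:{secret}".encode()).hexdigest()[:16]


def redact(secret):
    """Keep a short prefix so a report shows which credential matched, not its value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(text, path="<stdin>", baseline=frozenset(), redact_secrets=True):
    """Apply every rule to every line; return findings whose fingerprint is not in the baseline."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            for m in re.finditer(rule["regex"], line):
                secret = m.group(1)
                fp = fingerprint(path, rule["id"], line_no, secret)
                if fp in baseline:
                    continue  # previously accepted finding, as with --baseline-path
                findings.append({
                    "rule_id": rule["id"], "file": path, "line": line_no,
                    "secret": redact(secret) if redact_secrets else secret,
                    "fingerprint": fp,
                })
    return findings


# Constructed sample input standing in for a file read in dir mode or text piped in stdin mode.
SAMPLE = """\
# config.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk_test_constructed_0123456789abcdef"
timeout = 30
"""

if __name__ == "__main__":
    first = scan(SAMPLE, path="config.py")
    for finding in first:
        print(finding)
    # A second scan with a baseline built from the first run reports nothing new.
    baseline = frozenset(f["fingerprint"] for f in first)
    print("new findings after baseline:", len(scan(SAMPLE, path="config.py", baseline=baseline)))
```

Running it prints two redacted findings (rules aws-access-key-id on line 2 and generic-api-key on line 3) and then zero new findings once the baseline is applied.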
# via Homebrew
brew install gitleaks
# via Docker
docker pull zricethezav/gitleaks:latest
# via Source
git clone https://github.com/gitleaks/gitleaks.git && cd gitleaks && make build