Skills · Apr 13, 2026 · 3 min read

Gitleaks — Find Secrets in Git Repos and Code

Gitleaks is a fast SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in Git repositories. It scans commit history and source code using regex patterns, preventing secret leaks before they reach production.

Agent-ready

Safe staging for this asset

This asset is staged first. The copied prompt asks the agent to inspect the staged files before enabling any scripts, MCP config or global config.

Stage only · 29/100 · Policy: staging
Agent surface
Any MCP/CLI agent
Type
Skill
Installation
Stage only
Trust
Trust: Established
Entry point
step-1.md
Safe staging command
npx -y tokrepo@latest install 40b108c4-372b-11f1-9bc6-00163e2b0d79 --target codex

Stages the files first; activation requires a review of the README and of the staged plan.

TL;DR
Gitleaks scans Git repos and code for hardcoded secrets like API keys, passwords, and tokens using regex patterns.
§01

What it is

Gitleaks is a fast static application security testing (SAST) tool for detecting hardcoded secrets in Git repositories. It scans commit history and source code with a ruleset of regular expressions (plus entropy checks on the match) to find AWS keys, database passwords, API tokens, private keys and other credentials that should never be committed.

Gitleaks is aimed at security engineers and developers who want to stop secret leaks before they reach production; it is normally run in two places, as a pre-commit hook on the developer's machine and as a history scan in the CI/CD pipeline.

§02

How it saves time or tokens

Gitleaks scans a whole Git history quickly (seconds for a typical repository), catching secrets that were committed and later deleted but still live in old commits. Running it as a pre-commit hook stops secrets from being committed in the first place, which is the only cheap outcome: a secret that has already been pushed has to be treated as compromised and rotated, because rewriting history does not recall it from clones, forks and mirrors.

§03

How to use

  1. Install Gitleaks:
brew install gitleaks
# Or: go install github.com/gitleaks/gitleaks/v8@latest
  2. Scan your repository:
# Scan the full commit history of the current repository
gitleaks git

# Scan only staged changes (what a pre-commit hook should run)
gitleaks git --pre-commit --staged

# Scan a plain directory with no Git history (build output, unpacked archive)
gitleaks dir ./src

# Older v8 releases spell these "gitleaks detect" and "gitleaks protect --staged";
# both still work in current versions but are deprecated.
  3. Wire the staged scan into a pre-commit hook so secrets are blocked before they are committed, and keep the full-history scan in CI as the safety net for anything that slips past the hook.
§04

Example

# Output results as JSON for CI integration. Gitleaks exits 1 when it finds
# something and 0 when the scan is clean, so the pipeline step fails by itself.
gitleaks git --report-format json --report-path results.json

# Custom config for additional patterns. Without the [extend] block a config
# file REPLACES the built-in ruleset instead of adding to it.
cat > .gitleaks.toml << 'EOF'
[extend]
useDefault = true

[[rules]]
id = 'custom-api-key'
description = 'Custom API Key'
regex = '''MYAPP_API_KEY=[a-zA-Z0-9]{32}'''
[rules.allowlist]
# path entries are regular expressions, so anchor them to the repo root
paths = ['''^test/''', '''^docs/''']
EOF

# -c is optional: Gitleaks picks up a .gitleaks.toml at the root of the scanned path by itself
gitleaks git -c .gitleaks.toml
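The install, scan and hook steps above and the JSON report in this example come together in the wrapper below. It is an added example written for this page, not a script from the Gitleaks project. The function names (`verdict_for_status`, `scan_staged`, `scan_range`, `main`) and the environment variables `GITLEAKS`, `BASE_REF`, `REPORT` and `BASELINE` are this example's own conventions; the Gitleaks flags it passes (`--pre-commit`, `--staged`, `--redact`, `--no-banner`, `--log-opts`, `--report-format`, `--report-path`, `--baseline-path`) are real. The same file serves as `.git/hooks/pre-commit` and as a CI step, and it refuses to report "clean" when the scanner did not actually run.

```sh
#!/bin/sh
# gitleaks-gate.sh: added example wrapper around Gitleaks; not part of the
# Gitleaks project. Two modes:
#   pre-commit  scan only the staged changes and block the commit on a finding
#   ci          scan the commits a branch adds on top of a base ref, write a
#               JSON report and ignore findings already accepted in a baseline
# Assumed names (this example's own, not Gitleaks flags): GITLEAKS overrides
# the binary (a stub function works for tests), BASE_REF, REPORT and BASELINE
# feed the ci mode.
set -u

GITLEAKS="${GITLEAKS:-gitleaks}"

# Map a Gitleaks exit status to a one-word verdict. Gitleaks exits 0 when the
# scan is clean and 1 when it found a leak (configurable with --exit-code);
# anything else means the scan itself did not run (bad config, unknown flag,
# missing binary) and must never be reported as "clean".
verdict_for_status() {
  case "$1" in
    0) echo clean ;;
    1) echo leak ;;
    *) echo error ;;
  esac
}

# Scan staged changes only. --redact keeps the secret value out of terminal
# scrollback and CI logs while -v still prints file, line and rule so the
# author can find it. Gitleaks' own stdout is sent to stderr so the verdict is
# the function's only stdout.
scan_staged() {
  if "$GITLEAKS" git --pre-commit --staged --redact --no-banner -v 1>&2; then
    status=0
  else
    status=$?
  fi
  verdict_for_status "$status"
}

# Scan only the commits HEAD adds over a base ref (fast for pull requests and
# attributes findings to the change under review), write a JSON report and,
# when a baseline report is given, ignore findings already listed in it.
# Usage: scan_range <base-ref> <report-path> [baseline-path]
scan_range() {
  base="$1"
  report="$2"
  baseline="${3:-}"
  set -- git --log-opts="$base..HEAD" --redact --no-banner \
         --report-format json --report-path "$report"
  if [ -n "$baseline" ]; then
    set -- "$@" --baseline-path "$baseline"
  fi
  if "$GITLEAKS" "$@" 1>&2; then
    status=0
  else
    status=$?
  fi
  verdict_for_status "$status"
}

main() {
  case "${1:-}" in
    pre-commit) result=$(scan_staged) ;;
    ci) result=$(scan_range "${BASE_REF:-origin/main}" \
                            "${REPORT:-gitleaks-report.json}" \
                            "${BASELINE:-}") ;;
    *) echo "usage: $0 pre-commit|ci" >&2; return 2 ;;
  esac
  case "$result" in
    clean) echo "gitleaks: no secrets found"; return 0 ;;
    leak)  echo "gitleaks: secret detected; remove it from the change and rotate it" >&2
           return 1 ;;
    *)     echo "gitleaks: scan did not complete, refusing to pass" >&2; return 2 ;;
  esac
}

# Dispatch only when executed: git runs .git/hooks/pre-commit with no
# arguments, a CI step passes the mode explicitly. Sourcing the file merely
# loads the functions.
case "${0##*/}" in
  pre-commit) main pre-commit ;;
  *) if [ $# -gt 0 ]; then main "$@"; fi ;;
esac
```

Install the hook with `cp gitleaks-gate.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`; in CI run `BASE_REF=origin/main ./gitleaks-gate.sh ci`. To seed a baseline, run one full-history scan (`gitleaks git --report-format json --report-path baseline.json`), review every entry and commit the file; from then on only new findings fail the build. The `error` verdict is deliberate: a hook or CI step that treats "gitleaks could not start" as a pass silently removes the control.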
§05

Common pitfalls

  • Not scanning Git history (use gitleaks git, formerly detect, not just dir), which misses secrets that were committed and later deleted
  • Generating too many false positives because no allowlists were configured for test fixtures and documentation
  • Shipping a custom .gitleaks.toml without [extend] useDefault = true, which silently drops the built-in ruleset and leaves only your own rules
  • Running Gitleaks only in CI without a pre-commit hook, so secrets enter the repository (and every clone of it) before they are caught

Frequently asked questions

How does Gitleaks differ from git-secrets?

Gitleaks scans the entire Git history by default and ships a broad built-in ruleset for common secret formats. git-secrets from AWS Labs focuses on blocking commits and only provides AWS patterns out of the box; other rules have to be added by hand. Gitleaks is generally faster and covers far more providers.

Can I use Gitleaks in CI/CD?

Yes. Gitleaks provides a GitHub Action (gitleaks/gitleaks-action) and works in any CI system. Run gitleaks git in the pipeline: it exits with status 1 when findings exist, so the build fails without extra scripting (adjust with --exit-code), and --redact keeps the secret values out of the build logs. JSON and SARIF reports (--report-format json or sarif) feed security dashboards and code-scanning views.

How do I handle false positives?

Add a .gitleaks.toml with allowlists for specific paths, commits, or regexes (keep [extend] useDefault = true so the default rules stay active). Individual lines can carry an inline gitleaks:allow comment to suppress one finding. For an existing repository with known historical findings, generate a baseline report once and pass it with --baseline-path so only new findings are reported.

Does Gitleaks scan non-Git directories?

Yes. Use gitleaks dir ./path to scan any directory without Git history. This is useful for build artifacts, container layers, config files, or code before it enters version control; note that a directory scan sees only the current file contents, never anything deleted in earlier commits.

What types of secrets does Gitleaks detect?

Gitleaks detects AWS keys, GCP credentials, Azure tokens, GitHub tokens, private keys, database connection strings, API keys for major services, JWTs, and many more through its built-in regex rules.
