Gitleaks
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repositories. It provides an easy-to-use solution for finding secrets, past or present, in code.
Description
Gitleaks detects and prevents leaked secrets in git repositories by scanning code for hardcoded sensitive information such as passwords, API keys, and tokens. As a Static Application Security Testing (SAST) tool, it helps developers and security teams find exposed credentials before code is committed or deployed.
Use cases include pre-commit hooks to block secrets from entering repositories, auditing existing repos for leaked credentials, and integrating into CI/CD pipelines for automated secret detection. It scans both current and historical git commits to uncover secrets that may have been removed but still exist in the repo history.
The tool is particularly valuable for organizations managing large codebases where manual review is impractical, ensuring compliance with security best practices and reducing the risk of credential exposure.
How It Works
Gitleaks scans git repositories, including the current working tree and the full commit history, using regex rules defined in a configuration file to detect hardcoded secrets. A custom config is resolved in this order of precedence: the --config command-line flag, the GITLEAKS_CONFIG environment variable, then a .gitleaks.toml in the scanned repository, falling back to the built-in default rules. A baseline file lists previously reviewed findings so they are ignored on later scans, and the exit code returned when leaks are found is configurable, which is what lets a pre-commit hook or CI job block on new findings.
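The three mechanisms described above (regex rules in the shape of a config, a baseline of already-triaged findings, and a configurable non-zero exit code) are easier to see in a small scanner than in prose. The following is an added illustration, not Gitleaks' own code: the rule patterns are simplified stand-ins for the real rule set, the fingerprint scheme and baseline format are invented for the example, and the sample file contents and baseline are constructed (the AWS key is the one from AWS documentation; the GitHub token is a sequential dummy that only matches the pattern shape).

```python
"""Minimal regex-based secret scanner in the style of Gitleaks.

Added example, not Gitleaks' own code. It mirrors three mechanisms
from the description above: rules as regexes in a config-like structure,
a baseline of known findings to ignore, and a configurable exit code
when new leaks remain. Rules, fingerprint scheme, sample files and
baseline are all constructed for this illustration.
"""
import hashlib
import json
import re
import sys

# Rules in the same shape as [[rules]] entries in a .gitleaks.toml
# (id, description, regex). The patterns are simplified for the example.
RULES = [
    {"id": "aws-access-key-id", "description": "AWS Access Key ID",
     "regex": r"\bAKIA[0-9A-Z]{16}\b"},
    {"id": "github-pat", "description": "GitHub Personal Access Token",
     "regex": r"\bghp_[A-Za-z0-9]{36}\b"},
    {"id": "generic-password", "description": "Password assignment",
     "regex": r"(?i)password\s*=\s*['\"][^'\"]{8,}['\"]"},
]
COMPILED = [(r["id"], r["description"], re.compile(r["regex"])) for r in RULES]


def fingerprint(path, line_no, rule_id, secret):
    """Stable identifier for a finding so a baseline can refer to it.
    Constructed scheme: location plus a truncated hash of the secret,
    so the baseline never needs to store the secret itself."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{path}:{line_no}:{rule_id}:{digest}"


def scan_text(path, text):
    """Apply every rule to every line of one file; return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, desc, pattern in COMPILED:
            for match in pattern.finditer(line):
                secret = match.group(0)
                findings.append({
                    "rule_id": rule_id, "description": desc,
                    "file": path, "line": line_no,
                    "fingerprint": fingerprint(path, line_no, rule_id, secret),
                })
    return findings


def load_baseline(baseline_json):
    """Baseline: a JSON list of earlier findings (constructed format).
    Only their fingerprints are needed to suppress them."""
    return {f["fingerprint"] for f in json.loads(baseline_json)}


def run(files, baseline_json=None, exit_code=1):
    """Scan a mapping of path -> contents.
    Returns (findings not in the baseline, exit status): 0 when nothing
    new was found, otherwise the configured exit code."""
    baseline = load_baseline(baseline_json) if baseline_json else set()
    found = []
    for path, text in files.items():
        found.extend(scan_text(path, text))
    fresh = [f for f in found if f["fingerprint"] not in baseline]
    return fresh, (exit_code if fresh else 0)


# Constructed sample repository contents (dummy values, not live credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = \"hunter2-but-longer\"\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    ),
}

# Constructed baseline: the AWS key finding was already triaged, so a
# later scan should report only the two remaining findings.
SAMPLE_BASELINE = json.dumps([
    {"fingerprint": fingerprint("config/settings.py", 2, "aws-access-key-id",
                                "AKIAIOSFODNN7EXAMPLE")}
])

if __name__ == "__main__":
    fresh, status = run(SAMPLE_FILES, SAMPLE_BASELINE)
    for f in fresh:  # report location and rule, never the secret itself
        print(f"{f['file']}:{f['line']}: {f['description']} ({f['rule_id']})")
    sys.exit(status)
```

Run stand-alone, the script reports the password assignment and the GitHub token, skips the baselined AWS key, and exits 1, which is the behaviour a pre-commit hook or CI step relies on: a clean scan exits 0 and lets the commit or build continue, a new finding fails it. Keeping only fingerprints in the baseline, rather than the matched strings, means the suppression list can be committed without itself becoming a copy of the leaked secret.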
Installation
sudo apt install gitleaks
Flags
Examples
gitleaks -h
gitleaks detect
gitleaks protect
gitleaks version
gitleaks completion
gitleaks detect --config .gitleaks.toml
gitleaks --baseline-path baseline.json detect