loading
loading
Static Code Analysis
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
overview
gitleaks scans a git repository for hardcoded secrets: passwords, API keys, tokens, and other credentials left in the code. It walks the full commit history as well as the working tree, so a key that was committed and later deleted still surfaces. Detection runs on a configurable set of regex and entropy rules that you can extend with your own config.
It was built to slot into automation. A no-git mode treats the repo as a plain directory and scans the files as they sit on disk, log options bound the commit range you walk, and a redact flag strips matched secrets from logs and stdout so the report itself does not leak. When a project ships its own rules, point repo-config-path at the config committed inside the repo.
On Trickest, gitleaks is a Static Code Analysis node that reads a source directory or config and writes a file and a folder of findings. Pick JSON, CSV, or SARIF for the report so secret findings land in the same triage and reporting path as the rest of your security automation.
use cases
Scan a repository's entire commit history so a credential that was added and later removed is still caught and reported, not only what sits in the current tree.
Run gitleaks against each branch or pull request in an automated workflow so a committed key blocks the merge instead of reaching production.
Point gitleaks at a repo reconstructed from an exposed .git directory to triage which committed keys and tokens leaked.
Set the report format to SARIF so secret findings join scanner output in one table and one reporting flow.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| source-git-repository | FOLDER | --source | Directory to scan. |
| config | FILE | --config | Config file path for custom detection rules. |
| report-format | STRING | --report-format | Output format: json, csv, or sarif (default json). |
| no-git | BOOLEAN | --no-git | Treat the git repo as a regular directory and scan those files. |
| redact | BOOLEAN | --redact | Redact secrets from logs and stdout. |
| log-options | STRING | --log-opts | git log options to bound the commit range scanned. |
| repo-config-path | FILE | --repo-config-path | Path to a gitleaks config relative to the repo root. |
| log-level | STRING | --log-level | Log level: trace, debug, info, warn, error, fatal (default info). |
Showing key inputs. gitleaks exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| source-git-repository | FOLDER | --source | Directory to scan. |
| config | FILE | --config | Config file path for a custom rule set. |
| no-git | BOOLEAN | --no-git | Treat the git repo as a regular directory and scan those files; --log-opts then has no effect on the scan. |
| redact | BOOLEAN | --redact | Redact secrets from logs and stdout. |
| verbose | BOOLEAN | --verbose | Show verbose output from the scan. |
| log-level | STRING | --log-level | Log level: trace, debug, info, warn, error, or fatal (default info). |
| log-options | STRING | --log-opts | git log options to bound the commit range scanned. |
| report-format | STRING | --report-format | Output format: json, csv, or sarif (default json). |
| repo-config-path | FILE | --repo-config-path | Path to a gitleaks config relative to the repo root. |
example
# scan a repo's full history, redact matches, emit SARIFgitleaks detect --source ./example-repo --config gitleaks.toml --report-format sarif --redactFinding: generic_api_key = REDACTEDSecret: REDACTEDRuleID: generic-api-keyFile: src/config/settings.pyLine: 42Commit: 9f3a1c2b7d4e5f60a1b2c3d4e5f6a7b8c9d0e1f2Author: ci-botDate: 2025-02-11T14:22:07ZFingerprint: 9f3a1c2b:src/config/settings.py:generic-api-key:423:22PM WRN leaks found: 2guidance
Use gitleaks whenever you have a git repository or a directory of code to check for committed secrets. It scans source, not a running target, so pair it with a recovery tool like gitjacker upstream and route its SARIF or JSON into your reporting flow.
Also hunts secrets in git history, with verification of live credentials; a close alternative.
Fast regex-based secret scanning across large code corpora.
Broader static analysis; finds secret patterns plus other code-quality and security issues.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Inspect Go source code for security problems by scanning the Go AST.
A source repository feeds gitleaks, which scans the working tree and history and writes the secret findings as a queryable output.
Facts on this page come from the live Trickest tool library.