loading
loading
Static Code Analysis
Search for leaks in a GitHub org or in the responses of URLs.
overview
leakos hunts for leaked credentials in two places: a GitHub organization's code and the HTTP responses of a list of URLs. It orchestrates gitleaks and trufflehog under one interface, so a single run checks an org's repositories, its members' repositories, and the bodies of web responses for keys, tokens, and other secrets, then merges the results.
You scope it with comma-separated org, user, or repo names, or supply a file of URLs to scan their responses. A GitHub token widens the search across an org's members and dodges API rate limits. Switches let you skip an engine, keep only verified findings, cap how many URLs to check, or extend detection with your own regexes.
On Trickest, leakos is a Static Code Analysis node that takes targets and writes a file and a folder of findings. Run it against an org you own to catch exposed secrets before attackers do, or point it at the URLs a crawler discovered to find credentials leaking in responses.
use cases
Give leakos an org name with --github-orgs and a token so it checks the org's and its members' repositories for exposed keys and credentials in one run.
Feed a file of URLs with --urls-file so leakos scans each response body for leaked tokens, useful against a surface a crawler mapped moments ago.
Enable --only-verified so leakos returns trufflehog-confirmed secrets, cutting noise when you need actionable results from a large scan.
Schedule the leakos node so each run re-scans the org and its members, surfacing secrets that landed in a commit since the last pass.
Supply your own regex file with --rex-regex-path so leakos matches organization-specific token formats alongside the built-in gitleaks and trufflehog checks.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| github-orgs | STRING | --github-orgs | GitHub org names to search (comma separated). Members are searched too. |
| github-repos | STRING | --github-repos | GitHub repos to search (comma separated). |
| github-token | STRING | --github-token | Token to access the GitHub API (no permissions required). |
| urls-file | FILE | --urls-file | File of URLs whose responses are searched for leaks. |
| only-verified | BOOLEAN | --only-verified | Return only verified leaks (uses trufflehog). |
| rex-regexes | FILE | --rex-regex-path | Custom regexes file for the rex engine. |
| max-urls | STRING | --max-urls | Maximum number of URLs to check. |
| threads | STRING | --threads | Number of threads to use. |
Showing key inputs. leakos exposes 24 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| debug | BOOLEAN | --debug | Enable debug output. |
| not-rex | BOOLEAN | --not-rex | Do not run the rex regex checks. |
| threads | STRING | --threads | Number of threads to use. |
| timeout | STRING | --tools-timeout | Custom timeout while executing the underlying tools. |
| max-urls | STRING | --max-urls | Maximum number of URLs to check. |
| not-exts | STRING | --not-exts | Skip URLs with these extensions (comma separated). |
| urls-file | FILE | --urls-file | File of URLs whose responses are searched for leaks. |
| github-orgs | STRING | --github-orgs | GitHub org names to search (comma separated). Members are searched too. |
| rex-regexes | FILE | --rex-regex-path | Custom regexes file for the rex engine. |
| github-repos | STRING | --github-repos | GitHub repos to search (comma separated). |
| github-token | STRING | --github-token | Token to access the GitHub API (requires no permissions). |
| github-users | STRING | --github-users | GitHub user names to search (comma separated). |
| not-gitleaks | BOOLEAN | --not-gitleaks | Do not run the gitleaks checks. |
| avoid-sources | STRING | --avoid-sources | Lowercase comma-separated list of trufflehog and gitleaks sources to skip. |
| only-verified | BOOLEAN | --only-verified | Return only verified leaks (uses trufflehog). |
| not-trufflehog | BOOLEAN | --not-trufflehog | Do not run the trufflehog checks. |
| github-orgs-file | FILE | --github-orgs-file | File of GitHub org names to search. |
| github-repos-file | FILE | --github-repos-file | File of GitHub repos to search. |
| github-users-file | FILE | --github-users-file | File of GitHub user names to search. |
| max-secret-length | STRING | --max-secret-length | Maximum length of a valid secret. |
| add-org-repos-forks | BOOLEAN | --add-org-repos-forks | Check an org repo even if it is a fork. |
| generic-leak-in-web | BOOLEAN | --generic-leak-in-web | Accept generic leaks in web responses (disabled by default). |
| add-user-repos-forks | BOOLEAN | --add-user-repos-forks | Check a user repo even if it is a fork. |
| from-trufflehog-only-verified | BOOLEAN | --from-trufflehog-only-verified | From trufflehog, keep only verified leaks. |
example
# scan a GitHub org and its members for verified secretsleakos --github-orgs example-org --github-token $GITHUB_TOKEN --only-verified --threads 10[ {"source": "gitleaks", "repo": "example-org/payments-api", "file": "config/settings.py", "line": 42, "rule": "aws-access-token", "secret": "AKIA****************", "verified": false}, {"source": "trufflehog", "repo": "example-org/mobile-app", "file": ".env.staging", "line": 7, "rule": "SlackWebhook", "secret": "xoxb-****************", "verified": true}, {"source": "trufflehog", "url": "https://staging.example.com/static/app.js", "rule": "StripeApiKey", "secret": "sk_live_****************", "verified": true}, {"source": "gitleaks", "repo": "example-org/infra-scripts", "file": "deploy/backup.sh", "line": 15, "rule": "private-key", "secret": "-----BEGIN RSA PRIVATE KEY-----", "verified": false}]# 4 leaks (2 verified) across 3 repos and 1 URLguidance
Use leakos to sweep a GitHub org or a set of web responses for leaked secrets in one pass, since it wraps both gitleaks and trufflehog. For scanning a single cloned repository's history directly, use gitleaks or trufflehog on their own.
Secret scanner for git repos. leakos drives it across whole orgs and merges its findings with trufflehog.
Verified-secret scanner. leakos uses it as one engine; run it alone for a single source.
Fast secret and regex matcher over large inputs. An alternative engine for the same secret-hunting job.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A GitHub org feeds leakos, which scans its repositories with gitleaks and trufflehog and writes the discovered secrets as a queryable output.
Facts on this page come from the live Trickest tool library.