
gitleaks


Secrets scanning CLI for git history, directories, files, and stdin input.

$ brew install gitleaks

Language: Go
Stars: 25,276
Category: Security
Agent: Ready
Agent Compatibility: JSON Output, Agent Skill, MCP Support, AI Analysis

Gitleaks is a secrets-scanning CLI for git history, working trees, files, and streamed input. It is built for finding hardcoded credentials before or after they land in a repo, diff, or artifact set.

What It Enables
  • Scan full git history, staged changes, pre-commit diffs, directories, files, or stdin for exposed credentials and tokens.
  • Emit JSON, CSV, JUnit, SARIF, or custom template reports for CI gates, code-scanning uploads, and follow-up parsing.
  • Use baselines, rule filters, and repo-local or explicit config files to focus scans on new leaks or organization-specific secret patterns.
Agent Fit
  • Scans run non-interactively and can write a structured report to stdout (--report-format json --report-path -), which makes them workable in scripts and agent loops.
  • It fits inspect-fix-rerun workflows: each finding carries the file, line, rule ID, commit, and fingerprint an agent needs to patch the code and confirm on a rerun that the leak is gone.
  • Default console output is human-oriented and prints the matched secret text unless --redact is set, so unattended runs should pass --redact and an explicit report format rather than rely on the defaults.
Caveats
  • Detection is rule-driven, so both false positives and missed organization-specific secrets are possible without a tuned config and follow-up review of the findings.
  • Git scans shell out to git log -p, and raising the archive or decode depth settings makes large-repository runs slower and noisier.