Getting Started Guide
How to Install and Use Gitleaks
This guide covers installing Gitleaks and scanning git repositories for accidentally committed secrets, API keys, and credentials.
Prerequisites
- Git
- Go (for go install) or download binary
Install Gitleaks
Install Gitleaks with Homebrew or Go, or download the binary.
macOS
brew install gitleaks
Go
go install github.com/gitleaks/gitleaks/v8@latest
Verify
gitleaks version
Scan a Local Repository
Scan the current git repository including all commit history for secrets.
Scan current repo
gitleaks detect
Verbose output
gitleaks detect -v
Example output
Finding: AKIA...
Secret: AKIAIOSFODNN7EXAMPLE
RuleID: aws-access-key-id
File: config/deploy.sh
Commit: abc1234...
Note: Gitleaks scans the entire git history by default, not just current files. Secrets that were committed and then deleted are still found.
Scan Staged Changes Only (Pre-Commit)
Use Gitleaks as a pre-commit hook to catch secrets before they're committed.
Scan staged files
gitleaks protect --staged
Git pre-commit hook
# Add to .git/hooks/pre-commit:
gitleaks protect --staged --exit-code 1
Note: The protect command only checks staged changes, making it fast enough for a pre-commit hook. This catches secrets before they enter the git history.
Scan a Remote Repository
Clone and scan a remote repository in one step.
GitHub repo
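# Gitleaks v8 expects a local path for --source, so clone first
git clone https://github.com/owner/repo && gitleaks detect --source repo
With report
git clone https://github.com/owner/repo && gitleaks detect --source repo --report-format json --report-path report.json
Custom Configuration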
Customize what Gitleaks looks for with a config file, or exclude known false positives.
Use custom config
gitleaks detect --config custom-gitleaks.toml
Generate baseline (ignore existing)
gitleaks detect --report-path .gitleaks-baseline.json
Scan with baseline
gitleaks detect --baseline-path .gitleaks-baseline.json
Note: The baseline feature is useful for legacy repos with known committed secrets that can't be rotated. Generate a baseline once, then future scans only report new findings.
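CI summary of a JSON report
The JSON report and the baseline file described above both contain the matched secrets in plaintext, so printing them into CI logs leaks them a second time. The script below is an added example, not part of Gitleaks or of the original guide: it loads a report, drops findings already in a baseline, and prints a redacted summary. The sample data is constructed, the field names (RuleID, File, StartLine, Commit, Secret, Fingerprint) are assumed to follow the Gitleaks v8 JSON report, and matching on Fingerprint alone is a simplification of the baseline comparison.

```python
import json
from collections import defaultdict

# Constructed sample data, shaped like a Gitleaks v8 JSON report (a list of findings).
BASELINE_JSON = """[
  {"RuleID": "aws-access-key-id", "File": "config/deploy.sh", "StartLine": 4,
   "Commit": "abc1234", "Secret": "AKIAIOSFODNN7EXAMPLE",
   "Fingerprint": "abc1234:config/deploy.sh:aws-access-key-id:4"}
]"""
REPORT_JSON = """[
  {"RuleID": "aws-access-key-id", "File": "config/deploy.sh", "StartLine": 4,
   "Commit": "abc1234", "Secret": "AKIAIOSFODNN7EXAMPLE",
   "Fingerprint": "abc1234:config/deploy.sh:aws-access-key-id:4"},
  {"RuleID": "generic-api-key", "File": "app/settings.py", "StartLine": 12,
   "Commit": "def5678", "Secret": "constructed-example-token-0000",
   "Fingerprint": "def5678:app/settings.py:generic-api-key:12"}
]"""

def redact(secret, keep=4):
    """Keep a short prefix only, so the summary is safe to print in CI logs."""
    shown = secret[:keep] if len(secret) > keep else ""
    return shown + "*" * (len(secret) - len(shown))

def new_findings(report, baseline):
    """Return findings whose Fingerprint does not appear in the baseline."""
    known = {f["Fingerprint"] for f in baseline}
    return [f for f in report if f["Fingerprint"] not in known]

def summarize(findings):
    """Group findings by rule, with location, commit and a redacted secret."""
    by_rule = defaultdict(list)
    for f in findings:
        by_rule[f["RuleID"]].append(
            {"where": f"{f['File']}:{f['StartLine']}", "commit": f["Commit"],
             "secret": redact(f["Secret"])})
    return dict(by_rule)

def gate(report_text, baseline_text="[]"):
    """Return (exit_code, summary); exit_code is 1 when a new finding exists."""
    report = json.loads(report_text) or []      # tolerate an empty/null report
    baseline = json.loads(baseline_text) or []
    fresh = new_findings(report, baseline)
    return (1 if fresh else 0), summarize(fresh)

if __name__ == "__main__":
    code, summary = gate(REPORT_JSON, BASELINE_JSON)
    print(json.dumps(summary, indent=2))
    raise SystemExit(code)
```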