
Gitleaks

active

24.4K stars — most-starred secret scanner. 150+ patterns. Fastest pre-commit scanner. The community default for pre-commit secret detection. No official MCP.

Score 88

Where it wins

24.4K stars — most-starred secret scanner

150+ detection patterns

Fastest pre-commit scanner — lightweight and fast

Community default for pre-commit hooks

Where to be skeptical

No official MCP server

Pre-commit only — no CI/CD verification or runtime interception

Fewer detection patterns than GitGuardian (150 vs 500+) or TruffleHog (800+)

Editorial verdict

Best pre-commit secret scanner. 24.4K stars — most-starred in the category. 150+ patterns, fastest scanner. The community default. No official MCP server — use as pre-commit hook, not agent integration.

Public evidence

Raw GitHub source

GitHub README peek

Constrained peek so you can sanity-check the source material without leaving the site.

Gitleaks

┌─○───┐
│ │╲  │
│ │ ○ │
│ ○ ░ │
└─░───┘


Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and whatever else you wanna throw at it via stdin. If you wanna learn more about how the detection engine works check out this blog: Regex is (almost) all you need.

➜  ~/code(master) gitleaks git -v

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks


Finding:     "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef",
Secret:      cafebabe:deadbeef
RuleID:      sidekiq-secret
Entropy:     2.609850
File:        cmd/generate/config/rules/sidekiq.go
Line:        23
Commit:      cd5226711335c68be1e720b318b7bc3135a30eb2
Author:      John
Email:       john@users.noreply.github.com
Date:        2022-08-03T12:31:40Z
Fingerprint: cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
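
To make the fields of that finding concrete, here is an added example (not code from the Gitleaks project or its README) that parses the block and checks it for internal consistency. It assumes `Entropy` is the Shannon entropy of the `Secret` string in bits per character and that `Fingerprint` is laid out as commit:file:rule-id:line, as the sample suggests; the function names are hypothetical.

```python
import math
from collections import Counter

# Constructed sample: fields copied from the finding printed above.
SAMPLE = """\
Finding:     "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef",
Secret:      cafebabe:deadbeef
RuleID:      sidekiq-secret
Entropy:     2.609850
File:        cmd/generate/config/rules/sidekiq.go
Line:        23
Commit:      cd5226711335c68be1e720b318b7bc3135a30eb2
Fingerprint: cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
"""
REQUIRED = ("Finding", "Secret", "RuleID", "Entropy", "File", "Line", "Commit", "Fingerprint")

def parse_finding(text):
    """Split the 'Key: value' lines of one verbose finding into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # values may contain ':' too
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (assumed meaning of 'Entropy')."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def check_finding(text):
    """Return the inconsistencies in one finding block; an empty list means consistent."""
    f = parse_finding(text)
    missing = [k for k in REQUIRED if k not in f]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    problems = []
    if f["Secret"] not in f["Finding"]:
        problems.append("secret not contained in finding")
    if abs(shannon_entropy(f["Secret"]) - float(f["Entropy"])) > 1e-5:
        problems.append("entropy mismatch")
    # Assumed layout, read off the sample: commit:file:rule-id:line
    if ":".join((f["Commit"], f["File"], f["RuleID"], f["Line"])) != f["Fingerprint"]:
        problems.append("fingerprint mismatch")
    return problems

if __name__ == "__main__":
    print(check_finding(SAMPLE) or "finding is internally consistent")
```

The recomputed entropy of `cafebabe:deadbeef` matches the reported 2.609850, a low value for a 17-character string because only seven distinct characters occur in it.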

Getting Started

Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo or as a GitHub action using Gitleaks-Action.

Installing

# MacOS
brew install gitleaks

# Docker (DockerHub)
docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] [OPTIONS] [SOURCE_PATH]

# Docker (ghcr.io)
docker pull ghcr.io/gitleaks/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path ghcr.io/gitleaks/gitleaks:latest [COMMAND] [OPTIONS] [SOURCE_PATH]

# From Source (make sure `go` is installed)
git clone https://github.com/gitleaks/gitleaks.git
cd gitleaks
make build

GitHub Action

Check out the official Gitleaks GitHub Action

name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.

Pre-Commit

  1. Install pre-commit from https://pre-commit.com/#install

  2. Create a .pre-commit-config.yaml file at the root of your repository with the following content:

    repos:
      - repo: https://github.com/gitleaks/gitleaks
        rev: v8.24.2
        hooks:
          - id: gitleaks
    

    This runs gitleaks natively. To run gitleaks from the official Docker images instead, use the gitleaks-docker pre-commit ID.

  3. Auto-update the config to the latest repos' versions by executing pre-commit autoupdate

  4. Install with pre-commit install

  5. Now you're all set!

➜ git commit -m "this commit contains a secret"
Detect hardcoded secrets.................................................Failed

Note: to disable the gitleaks pre-commit hook you can prepend SKIP=gitleaks to the commit command and it will skip running gitleaks

➜ SKIP=gitleaks git commit -m "skip gitleaks check"
Detect hardcoded secrets................................................Skipped

Usage

Gitleaks scans code, past or present, for secrets

Usage:
  gitleaks [command]