Single static binary with no runtime dependencies. Fast scanning of full git history. Built-in detection rules for common secret formats with custom TOML config support. Outputs JSON, CSV, JUnit, or SARIF for CI integration. Supports baseline files and inline allow comments to suppress known false positives.
Notes
Use the 'git' subcommand for repo history scans, 'dir' for directories, and 'stdin' for piped input. Exit code 1 indicates leaks found by default. Configure detection via .gitleaks.toml or the GITLEAKS_CONFIG env var. Pre-commit hook available via 'gitleaks protect'.
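An added example of a custom .gitleaks.toml (not from the gitleaks project or this page) that keeps the built-in detection rules and layers one organisation-specific rule and a global allowlist on top. The rule id, token format, keyword, and allowlisted paths are constructed for illustration; the config keys (extend.useDefault, rules, allowlist) follow the gitleaks v8 config schema.

```toml
# Constructed example .gitleaks.toml; not the project's default config.
title = "example org gitleaks config"

# Keep all built-in rules and add our own below.
[extend]
useDefault = true

# Hypothetical internal token format: the literal key name followed by
# a 32-character lowercase hex value, e.g. INTERNAL_API_TOKEN=3f9a...
[[rules]]
id = "internal-api-token"
description = "Internal API token (constructed pattern)"
regex = '''(?i)internal_api_token\s*[=:]\s*['"]?([0-9a-f]{32})['"]?'''
# Capture group 1 is the secret itself; entropy is measured on that group
# so low-entropy placeholders such as all zeros are not reported.
secretGroup = 1
entropy = 3.0
# Keywords are a cheap pre-filter: a file is only regex-scanned for this
# rule if the keyword appears in it (keywords must be lowercase).
keywords = ["internal_api_token"]

# Global allowlist: applies to every rule, built-in and custom.
[allowlist]
description = "Known-safe paths and placeholder values"
# Skip binary/media files and a constructed fixtures directory.
paths = [
  '''(.*?)(png|jpg|gif|pdf|bin)$''',
  '''^tests/fixtures/''',
]
# Findings whose matched text contains one of these regexes are dropped.
regexes = [
  '''EXAMPLE_DO_NOT_USE''',
]
# Findings whose secret contains one of these words are dropped.
stopwords = ["placeholder", "changeme"]
```

Point gitleaks at it with `gitleaks dir . -c .gitleaks.toml` (or drop it in the target's root, where it is picked up automatically per the precedence order in the help text below). Known false positives that cannot be expressed as a path or regex are better handled with a baseline file (`-b`) or an inline `gitleaks:allow` comment, which keeps the config focused on patterns rather than individual findings.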
Used by
GitLab, Trello, 1Password, Mozilla
Version
Latest known: 8.30.1 (2026-03-21)
Try it
Show installed version
Run 'gitleaks version' to display the installed version of the binary
Scan a directory for secrets
Run 'gitleaks dir' against a sample file containing fake AWS keys, GitHub tokens, and other credential patterns. Results are redacted by default.
Scan with JSON report output
Scan the sample file and emit a structured JSON findings report to stdout. Useful for piping results into CI dashboards or other tools.
# Gitleaks - Help
Source: https://gitleaks.io
```
Gitleaks scans code, past or present, for secrets
Usage:
gitleaks [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir scan directories or files for secrets
git scan git repositories for secrets
help Help about any command
stdin detect secrets from stdin
version display gitleaks version
Flags:
-b, --baseline-path string path to baseline with issues that can be ignored
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. env var GITLEAKS_CONFIG_TOML with the file content
4. (target path)/.gitleaks.toml
If none of the four options are used, then gitleaks will use the default config
--diagnostics string enable diagnostics (http OR comma-separated list: cpu,mem,trace). cpu=CPU prof, mem=memory prof, trace=exec tracing, http=serve via net/http/pprof
--diagnostics-dir string directory to store diagnostics output files when not using http mode (defaults to current directory)
--enable-rule strings only enable specific rules by id
--exit-code int exit code when leaks have been encountered (default 1)
-i, --gitleaks-ignore-path string path to .gitleaksignore file or folder containing one (default ".")
-h, --help help for gitleaks
--ignore-gitleaks-allow ignore gitleaks:allow comments
-l, --log-level string log level (trace, debug, info, warn, error, fatal) (default "info")
--max-archive-depth int allow scanning into nested archives up to this depth (default "0", no archive traversal is done)
--max-decode-depth int allow recursive decoding up to this depth (default 5)
--max-target-megabytes int files larger than this will be skipped
--no-banner suppress banner
--no-color turn off color for verbose output
--redact uint[=100] redact secrets from logs and stdout. To redact only parts of the secret just apply a percent value from 0..100. For example --redact=20 (default 100%)
-f, --report-format string output format (json, csv, junit, sarif, template)
-r, --report-path string report file (use "-" for stdout)
--report-template string template file used to generate the report (implies --report-format=template)
--timeout int set a timeout for gitleaks commands in seconds (default "0", no timeout is set)
-v, --verbose show verbose output from scan
--version version for gitleaks
Use "gitleaks [command] --help" for more information about a command.
```