A New Contender in Secrets Scanning
A new open-source project called Betterleaks is positioning itself as a direct upgrade to Gitleaks, one of the most widely used tools for detecting secrets accidentally committed to source code. Betterleaks can scan directories, individual files, and full git repository histories — and unlike Gitleaks, it takes an extra step: it validates discovered secrets against live APIs before reporting them, filtering out expired or invalid credentials and dramatically reducing alert fatigue.
The project is available under the Apache 2.0 license, making it free for commercial use and extension.
Why Secrets Scanning Matters
Hardcoded secrets — API keys, database credentials, private certificates, OAuth tokens — are one of the most consistent sources of critical security incidents. Despite years of industry awareness:
- A 2025 GitGuardian report found that one in every ten git pushes across public repositories contained a hardcoded secret
- Secrets in git history persist indefinitely unless explicitly purged — even after a developer "deletes" a file, the credential lives in every prior commit
- Supply chain attacks increasingly target leaked credentials as an initial access vector
Gitleaks has been the community standard for automated secrets detection for several years. Betterleaks is designed to address its primary limitations: high false-positive rates from expired or test credentials, and limited support for customized detection rules.
Key Capabilities
What Betterleaks Scans
| Target | Description |
|---|---|
| Directories | Recursive scan of all files in a given path |
| Individual files | Targeted scan of specific files |
| Git repository history | Scans every commit in the full history, not just the current state |
| Staged changes | Pre-commit scanning for CI/CD pipeline integration |
Live API Validation
The standout feature is live validation: when Betterleaks detects a potential secret, it tests the credential against its associated API before reporting it. This means:
- AWS keys are tested against the AWS STS endpoint
- GitHub tokens are validated via the GitHub API
- Stripe keys are checked for API access
- Slack webhooks are pinged for connectivity
Secrets that fail validation (expired, revoked, or test credentials) are flagged as INACTIVE rather than suppressed entirely, giving security teams the full picture while prioritizing active threats.
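To make the detect-then-validate step concrete, here is a small Go scanner written for this article (it is not Betterleaks' code). Each rule carries a regex and an optional validation endpoint, in the same shape as the YAML custom-rule format described under Custom Rules; a match is sent to the endpoint as a bearer token, and a match that fails validation is kept and labelled INACTIVE rather than dropped. The example goes one step beyond the text by giving rules without an endpoint a third label, UNVERIFIED, so a reader can tell "no check was possible" from "checked and dead". The validation service, the CBAPI key format, the config snippet and the status names are all constructed for the example; the local fake server stands in for a real API such as AWS STS or the GitHub API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

type Status string

const (
	StatusActive     Status = "ACTIVE"     // endpoint accepted the credential
	StatusInactive   Status = "INACTIVE"   // rejected, expired, or endpoint unreachable
	StatusUnverified Status = "UNVERIFIED" // rule has no validation endpoint
)

// Rule mirrors the YAML custom-rule shape: regex plus optional validation endpoint.
type Rule struct {
	ID          string
	Regex       *regexp.Regexp
	ValidateURL string // called with the match as a bearer token; empty disables validation
	ValidStatus int    // HTTP status that proves the credential is live
}

type Finding struct {
	RuleID, Match string
	Line          int
	Status        Status
}

// validate returns ACTIVE only if the endpoint answers with the configured status.
func validate(c *http.Client, r Rule, match string) Status {
	req, err := http.NewRequest(http.MethodGet, r.ValidateURL, nil)
	if err != nil {
		return StatusInactive
	}
	req.Header.Set("Authorization", "Bearer "+match)
	resp, err := c.Do(req)
	if err != nil {
		return StatusInactive // unreachable: never claim a credential is live
	}
	defer resp.Body.Close()
	if resp.StatusCode == r.ValidStatus {
		return StatusActive
	}
	return StatusInactive
}

// Scan runs every rule over every line; failed validations are kept as INACTIVE, not dropped.
func Scan(c *http.Client, rules []Rule, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			for _, m := range r.Regex.FindAllString(line, -1) {
				f := Finding{RuleID: r.ID, Match: m, Line: i + 1, Status: StatusUnverified}
				if r.ValidateURL != "" {
					f.Status = validate(c, r, m)
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// NewFakeValidator stands in for the real API (assumption: it is not reachable here).
func NewFakeValidator(liveToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "Bearer "+liveToken {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

// Constructed sample input: one live key and one revoked key in a config file.
var LiveKey = "CBAPI-" + strings.Repeat("a", 32)
var RevokedKey = "CBAPI-" + strings.Repeat("b", 32)
var SampleConfig = "internal_key = " + LiveKey + "\n# old_key = " + RevokedKey + "\n"

func RunDemo() []Finding {
	srv := NewFakeValidator(LiveKey)
	defer srv.Close()
	rule := Rule{
		ID:          "internal-api-key",
		Regex:       regexp.MustCompile(`CBAPI-[A-Za-z0-9]{32}`),
		ValidateURL: srv.URL + "/auth/validate",
		ValidStatus: http.StatusOK,
	}
	return Scan(srv.Client(), []Rule{rule}, SampleConfig)
}

func main() {
	for _, f := range RunDemo() {
		fmt.Printf("%s line %d %s %s\n", f.RuleID, f.Line, f.Status, f.Match)
	}
}
```

Two design points carry over to any real deployment of this pattern: a transport error maps to INACTIVE rather than ACTIVE, so an outage never promotes a finding into the priority tier, and the validation request carries the discovered credential off the scanner host, so the CI runner needs egress to the validation endpoint and that endpoint must be the credential's own issuer, never a third party.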
Custom Rules
Betterleaks ships with a comprehensive default ruleset covering major cloud providers, SaaS platforms, and common credential patterns. Teams can extend these with their own regex-based rules using a YAML configuration format:
```yaml
rules:
  - id: internal-api-key
    description: "Internal API key format"
    regex: 'CBAPI-[A-Za-z0-9]{32}'
    severity: HIGH
    validate:
      url: "https://api.internal.example.com/auth/validate"
      method: GET
      headers:
        Authorization: "Bearer {match}"
      valid_status: 200
```
Detection Coverage
Betterleaks includes default detection for secrets across a wide range of services:
Cloud Providers
- AWS: Access keys, secret keys, session tokens, S3 presigned URLs
- GCP: Service account keys, OAuth tokens
- Azure: Storage connection strings, SAS tokens, service principal credentials
Version Control & CI/CD
- GitHub Personal Access Tokens and fine-grained tokens
- GitLab access tokens
- Bitbucket app passwords
- CircleCI, Jenkins, and GitHub Actions secrets
Payment & Communications
- Stripe publishable and secret keys
- Twilio auth tokens and API keys
- SendGrid API keys
- PayPal credentials
Infrastructure
- Database connection strings (PostgreSQL, MySQL, MongoDB, Redis)
- SSH private keys (RSA, ECDSA, Ed25519)
- TLS private keys and certificates
- Docker registry credentials
- Kubernetes kubeconfig secrets
Betterleaks vs. Gitleaks
| Feature | Gitleaks | Betterleaks |
|---|---|---|
| Directory scanning | ✓ | ✓ |
| Git history scanning | ✓ | ✓ |
| Pre-commit hooks | ✓ | ✓ |
| Live API validation | ✗ | ✓ |
| Custom rule YAML | Limited | Extensive |
| False positive rate | Higher | Lower (validated) |
| License | MIT | Apache 2.0 |
| CI/CD integration | ✓ | ✓ |
The core advantage is the validation step. A development team running Gitleaks on a mature codebase typically receives dozens to hundreds of findings on the first run, many of which are old, expired, or test credentials. Betterleaks surfaces only credentials that are currently live and exploitable in its priority tier, while still reporting inactive findings at a lower severity for hygiene purposes.
Installation and Quick Start
Betterleaks is distributed as a standalone binary for Linux, macOS, and Windows, as well as a Docker image:
```shell
# Install via Go
go install github.com/betterleaks/betterleaks@latest

# Or via Docker
docker pull ghcr.io/betterleaks/betterleaks:latest

# Basic scan of current directory
betterleaks scan .

# Full git history scan with validation
betterleaks scan --git-history --validate ./my-repo

# CI/CD pre-commit check
betterleaks scan --staged --validate --fail-on-active
```
CI/CD Integration
Betterleaks includes native GitHub Actions integration:
```yaml
- name: Scan for secrets
  uses: betterleaks/betterleaks-action@v1
  with:
    validate: true
    fail-on: active
    report-format: sarif
```
The SARIF output format allows findings to be imported directly into GitHub Advanced Security, Azure DevOps, and other platforms that support the standard.
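To show what a SARIF report carrying validated findings looks like, and how a fail-on-active gate reads it, here is an added Go example (not the project's code). It converts a constructed list of findings into SARIF 2.1.0, mapping ACTIVE to the error level and INACTIVE to warning so that importers rank live credentials above hygiene findings, and then decides whether the build should fail. The tool name, rule ids and file paths are assumptions made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is the minimal shape a scanner hands to the reporter.
type Finding struct {
	RuleID, File string
	Line         int
	Status       string // "ACTIVE" or "INACTIVE" from live validation
}

// SARIF 2.1.0 log, limited to the fields importers such as GitHub code
// scanning actually read.
type SarifLog struct {
	Version string     `json:"version"`
	Runs    []SarifRun `json:"runs"`
}
type SarifRun struct {
	Tool    SarifTool     `json:"tool"`
	Results []SarifResult `json:"results"`
}
type SarifTool struct{ Driver SarifDriver `json:"driver"` }
type SarifDriver struct{ Name string `json:"name"` }
type SarifResult struct {
	RuleID    string          `json:"ruleId"`
	Level     string          `json:"level"`
	Message   SarifMessage    `json:"message"`
	Locations []SarifLocation `json:"locations"`
}
type SarifMessage struct{ Text string `json:"text"` }
type SarifLocation struct{ PhysicalLocation SarifPhysical `json:"physicalLocation"` }
type SarifPhysical struct {
	ArtifactLocation SarifArtifact `json:"artifactLocation"`
	Region           SarifRegion   `json:"region"`
}
type SarifArtifact struct{ URI string `json:"uri"` }
type SarifRegion struct{ StartLine int `json:"startLine"` }

// LevelFor maps validation status to a SARIF level: live is an error,
// inactive is a warning kept for hygiene.
func LevelFor(status string) string {
	if status == "ACTIVE" {
		return "error"
	}
	return "warning"
}

// ToSARIF converts findings to a SARIF log. The matched secret is never
// copied into the message text, so the report cannot leak it a second time.
func ToSARIF(tool string, findings []Finding) SarifLog {
	run := SarifRun{Tool: SarifTool{Driver: SarifDriver{Name: tool}}, Results: []SarifResult{}}
	for _, f := range findings {
		run.Results = append(run.Results, SarifResult{
			RuleID:  f.RuleID,
			Level:   LevelFor(f.Status),
			Message: SarifMessage{Text: fmt.Sprintf("%s credential matched rule %s", f.Status, f.RuleID)},
			Locations: []SarifLocation{{PhysicalLocation: SarifPhysical{
				ArtifactLocation: SarifArtifact{URI: f.File},
				Region:           SarifRegion{StartLine: f.Line},
			}}},
		})
	}
	return SarifLog{Version: "2.1.0", Runs: []SarifRun{run}}
}

// ShouldFail is the "fail-on: active" gate: any error-level result blocks the build.
func ShouldFail(report SarifLog) bool {
	for _, run := range report.Runs {
		for _, r := range run.Results {
			if r.Level == "error" {
				return true
			}
		}
	}
	return false
}

// SampleFindings is constructed input; paths and rule ids are made up.
func SampleFindings() []Finding {
	return []Finding{
		{RuleID: "aws-access-key", File: "config/prod.env", Line: 12, Status: "ACTIVE"},
		{RuleID: "aws-access-key", File: "old/settings.py", Line: 40, Status: "INACTIVE"},
		{RuleID: "github-pat", File: "ci/deploy.sh", Line: 7, Status: "INACTIVE"},
	}
}

func main() {
	out, _ := json.MarshalIndent(ToSARIF("betterleaks", SampleFindings()), "", "  ")
	fmt.Println(string(out))
}
```

The message text deliberately names only the rule and the validation status: a SARIF file uploaded to a code-scanning dashboard is readable by everyone with access to the repository's security tab, so the report must not become a second copy of the secret.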
Why This Matters for Security Teams
Several patterns make secrets scanning a high-priority DevSecOps control in 2026:
- AI-assisted development accelerates secret exposure — developers using AI code assistants are generating more code faster, but AI models can inadvertently suggest patterns that include hardcoded credentials from training data
- Git repositories are permanent — secrets committed once live in history forever unless actively purged with tools like git filter-repo
- Supply chain attacks target leaked credentials — the 2025 period saw multiple major supply chain incidents traced back to exposed repository secrets
Organizations currently using Gitleaks may want to evaluate Betterleaks as a drop-in replacement, particularly for codebases with long histories where false positive fatigue is a known problem.