Gitleaks Cheatsheet

Installation

Platform	Command
macOS (Homebrew)	`brew install gitleaks`
Linux (Binary)	`wget https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_linux_x64.tar.gz && tar -xzf gitleaks_linux_x64.tar.gz && sudo mv gitleaks /usr/local/bin/`
Ubuntu/Debian (Snap)	`sudo snap install gitleaks`
Arch Linux (AUR)	`yay -S gitleaks`
Windows (Chocolatey)	`choco install gitleaks`
Windows (Scoop)	`scoop install gitleaks`
Docker (All Platforms)	`docker pull zricethezav/gitleaks:latest`
Go Install	`go install github.com/gitleaks/gitleaks/v8@latest`

Basic Commands

Command	Description
`gitleaks detect`	Scan current repository for secrets in entire git history
`gitleaks detect -v`	Scan with verbose output showing detailed progress
`gitleaks detect --source /path/to/repo`	Scan a repository at specific location
`gitleaks detect --no-git`	Scan files without git history (for non-git directories)
`gitleaks detect --report-path report.json`	Generate JSON report of findings
`gitleaks detect --report-format csv --report-path report.csv`	Generate CSV format report
`gitleaks detect --report-format sarif --report-path report.sarif`	Generate SARIF report (for GitHub Code Scanning)
`gitleaks protect`	Scan uncommitted changes (ideal for pre-commit hooks)
`gitleaks protect --staged`	Scan only staged changes before commit
`gitleaks detect --redact`	Redact secret values in output for security
`gitleaks detect --exit-code 0`	Always exit with code 0 (non-blocking scan)
`gitleaks version`	Display installed Gitleaks version
`gitleaks detect --config .gitleaks.toml`	Use custom configuration file
`gitleaks detect --baseline-path baseline.json`	Ignore previously known findings using baseline
`gitleaks detect --log-opts="--all -- path/to/file.js"`	Scan specific files or paths

Advanced Usage

Command	Description
`gitleaks detect --log-opts="commit1..commit2"`	Scan commits between two specific commit hashes
`gitleaks detect --log-opts="-n 10"`	Scan only the last 10 commits
`gitleaks detect --log-opts="origin/develop"`	Scan specific branch
`gitleaks detect --log-opts="--since='2023-01-01' --until='2023-12-31'"`	Scan commits within date range
`gitleaks detect --log-opts="--author='john@example.com'"`	Scan commits from specific author
`gitleaks detect --threads=8`	Use 8 threads for parallel scanning (faster)
`gitleaks detect --max-target-megabytes=100`	Limit scan to files under 100MB
`gitleaks detect --log-level=debug`	Enable debug-level logging for troubleshooting
`gitleaks detect --enable-rule="aws-access-token"`	Enable specific detection rule
`gitleaks detect --disable-rule="generic-api-key"`	Disable specific detection rule
`gitleaks detect --follow-symlinks`	Include symbolic links in scan
`gitleaks detect --log-opts="--all -- . ':(exclude)vendor/*'"`	Exclude vendor directory from scan
`gitleaks detect --log-opts="--all -- . ':(exclude)node_modules/*'"`	Exclude node_modules from scan
`gitleaks protect --no-git`	Scan working directory without git context
`gitleaks detect —report-format json \	jq ’.’`
`gitleaks detect —report-format json \	jq ’.[] \
`docker run -v ${PWD}:/repo zricethezav/gitleaks:latest detect --source="/repo" -v`	Run Gitleaks in Docker container
`gitleaks detect --report-path baseline.json && gitleaks detect --baseline-path baseline.json`	Create and use baseline in one workflow

Configuration

Configuration File Location

Gitleaks looks for .gitleaks.toml in the repository root by default.

Basic Configuration Structure

title = "Gitleaks Configuration"

[extend]
# Use default rules and extend them
useDefault = true

[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)api[_-]?key[_-]?=["']?([a-z0-9]{32,})["']?'''
tags = ["api", "key"]
secretGroup = 1

[[rules]]
id = "company-secret"
description = "Company Specific Secret Pattern"
regex = '''COMPANY_SECRET_[A-Z0-9]{20}'''
tags = ["company", "secret"]

[allowlist]
description = "Allowlist for false positives"
paths = [
  '''\.gitleaks\.toml''',
  '''(.*?)(jpg|gif|doc|pdf|bin)$''',
  '''vendor/.*''',
  '''node_modules/.*'''
]
regexes = [
  '''219-09-9999''',  # Fake SSN for testing
  '''example\.com''',
]
stopwords = [
  '''placeholder''',
  '''sample''',
  '''dummy''',
]

Advanced Rule Configuration

# Rule with entropy detection
[[rules]]
id = "high-entropy-string"
description = "High entropy string detection"
regex = '''[a-zA-Z0-9+/]{40,}'''
entropy = 4.5
secretGroup = 0
tags = ["entropy", "generic"]

# Path-specific rule
[[rules]]
id = "aws-key-in-config"
description = "AWS keys in YAML config files"
regex = '''AKIA[0-9A-Z]{16}'''
path = '''.*\.ya?ml$'''
tags = ["aws", "config"]

# Commit allowlist
[allowlist]
commits = [
  "a1b2c3d4e5f6",  # Known safe commit
]
regexTarget = "match"  # or "line"

Environment Variables

# Set custom config path
export GITLEAKS_CONFIG=/path/to/config.toml

# Set log level
export GITLEAKS_LOG_LEVEL=debug

# Disable color output
export GITLEAKS_NO_COLOR=true

Common Use Cases

Use Case 1: Pre-commit Hook Integration

Prevent secrets from being committed locally:

# Create pre-commit hook
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/sh
gitleaks protect --staged --redact --verbose
EOF

# Make executable
chmod +x .git/hooks/pre-commit

# Test the hook
git add .
git commit -m "test commit"

Use Case 2: GitHub Actions CI/CD Pipeline

Automated secret scanning in pull requests:

# .github/workflows/gitleaks.yml
name: gitleaks
on: [pull_request, push]
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

Use Case 3: GitLab CI Integration

Add to .gitlab-ci.yml:

gitleaks:
  stage: test
  image: zricethezav/gitleaks:latest
  script:
    - gitleaks detect --report-format json --report-path gl-secret-detection-report.json
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json
  allow_failure: false

Use Case 4: Baseline for Existing Repositories

Handle legacy secrets while catching new ones:

# Step 1: Create baseline of existing findings
gitleaks detect --report-path gitleaks-baseline.json

# Step 2: Review and document existing secrets
cat gitleaks-baseline.json | jq '.[] | {rule: .RuleID, file: .File}'

# Step 3: Use baseline in future scans (only new secrets fail)
gitleaks detect --baseline-path gitleaks-baseline.json

# Step 4: Add baseline to CI/CD
gitleaks detect --baseline-path gitleaks-baseline.json --report-format sarif --report-path results.sarif

Use Case 5: Scanning Specific Commit Range

Audit recent changes during code review:

# Scan last 5 commits
gitleaks detect --log-opts="-n 5" -v

# Scan commits from feature branch
gitleaks detect --log-opts="main..feature/new-api"

# Scan today's commits
gitleaks detect --log-opts="--since='1 day ago'"

# Scan specific author's commits this week
gitleaks detect --log-opts="--author='dev@company.com' --since='1 week ago'"

Use Case 6: Docker-based Scanning

Scan without installing Gitleaks locally:

# Scan current directory
docker run -v ${PWD}:/repo zricethezav/gitleaks:latest detect --source="/repo" -v

# Generate report
docker run -v ${PWD}:/repo zricethezav/gitleaks:latest detect --source="/repo" --report-path=/repo/report.json

# Use custom config
docker run -v ${PWD}:/repo zricethezav/gitleaks:latest detect --source="/repo" --config=/repo/.gitleaks.toml

Use Case 7: Custom Rules for Organization

Create organization-specific detection patterns:

# Create custom config
cat > .gitleaks.toml << 'EOF'
title = "Company Security Rules"

[extend]
useDefault = true

[[rules]]
id = "company-api-key"
description = "Company API Key Format"
regex = '''COMP_[A-Z]{4}_[a-z0-9]{32}'''
tags = ["company", "api-key"]

[[rules]]
id = "internal-token"
description = "Internal Service Token"
regex = '''INT_TOKEN_[A-F0-9]{40}'''
tags = ["internal", "token"]

[allowlist]
paths = [
  '''test/.*''',
  '''docs/examples/.*'''
]
EOF

# Run with custom config
gitleaks detect --config .gitleaks.toml -v

Best Practices

Enable Pre-commit Hooks: Use gitleaks protect in pre-commit hooks to catch secrets before they enter git history. This is your first line of defense.
Integrate into CI/CD Early: Add Gitleaks to your CI/CD pipeline as early as possible. Fail builds when secrets are detected to prevent them from reaching production.
Use Baseline for Legacy Code: When introducing Gitleaks to existing repositories, create a baseline to avoid overwhelming teams with historical findings while still catching new secrets.
Customize Configuration: Extend the default rules with organization-specific patterns. Add your internal secret formats and API key patterns to the .gitleaks.toml file.
Maintain an Allowlist: Use allowlists judiciously for false positives, but document why each entry is safe. Review allowlists regularly to ensure they remain valid.
Redact in Production: Always use --redact flag when running Gitleaks in CI/CD or shared environments to avoid exposing secrets in logs and reports.
Scan Multiple Branches: Don’t just scan the main branch. Configure CI/CD to scan all branches and pull requests to catch secrets before they’re merged.
Regular Full Repository Audits: Periodically run full repository scans without baselines to ensure no secrets have slipped through and to catch secrets introduced through merge conflicts.
Educate Developers: Train your team on what Gitleaks detects and why. Understanding the tool reduces false positives and increases security awareness.
Monitor Performance: For large repositories, use --threads to optimize scan time and consider --max-target-megabytes to skip large binary files that slow down scans.

Troubleshooting

Issue	Solution
Too many false positives	Create `.gitleaks.toml` with allowlist entries for known safe patterns. Use `stopwords` for common test values like “example”, “test”, “dummy”.
Scan taking too long	Use `--threads=<number>` to increase parallelization. Add large binary files to path allowlist. Use `--max-target-megabytes` to skip large files.
Missing secrets I know exist	Check if custom patterns need to be added to `.gitleaks.toml`. Verify `useDefault = true` is set to include built-in rules. Test regex patterns separately.
Pre-commit hook not working	Ensure hook is executable: `chmod +x .git/hooks/pre-commit`. Verify Gitleaks is in PATH: `which gitleaks`. Check hook script has correct shebang: `#!/bin/sh`.
Docker permission errors	Use `-v ${PWD}:/repo` with correct path. Ensure Docker has permission to mount the volume. On Linux, may need to add `:z` flag: `-v ${PWD}:/repo:z`.
Baseline not ignoring findings	Verify baseline path is correct. Ensure baseline JSON is valid: `cat baseline.json \
CI/CD pipeline failing unexpectedly	Check exit codes: use `--exit-code 0` for non-blocking scans. Review logs with `-v` flag. Verify config file is accessible in CI environment.
Config file not being loaded	Ensure file is named `.gitleaks.toml` in repo root. Use `--config` flag to specify custom location. Validate TOML syntax: use online TOML validator.
High entropy false positives	Lower entropy threshold in config: `entropy = 3.0` instead of default. Add specific high-entropy safe strings to allowlist regexes.