TL;DR: Betterleaks is a new open source secrets scanner from the author of Gitleaks, sponsored by Aikido. It's a drop-in replacement for Gitleaks with new filters, configurable validation, faster scans, more options, and built for the agentic era.
Why Betterleaks?
Secrets leak everywhere and I love finding them. Eight years ago I wrote the first lines of code for Gitleaks and have been obsessed with finding secrets since discovering my first live credential on GitHub. I’m in it for the love of the game.
Gitleaks grew from a small project to a name recognized by security professionals, hackers, and developers. At the time of writing, Gitleaks boasts: the most starred secrets scanner on GitHub, downloaded 26M times on GitHub and 1.2M times via `brew install`, and pulled 35M times by Docker and GHCR. It’s used both as an internal tool and sold as a product by companies big and small.

So why make a new project?
To be transparent, I don’t have full control over the Gitleaks repo and name anymore. It sucks, but it also gives me the opportunity to start something fresh. Something… better?
Betterleaks v1.0.0
Betterleaks is the successor to Gitleaks. We’re dropping the “git” and slapping “better” on it because that’s what it is, better. Nominative determinism, anyone?
I joined Aikido Security as Head of Secrets Scanning with a simple goal: build the best open source secrets scanner. So giddyup, we’re building it.
Here’s a quick summary of where Betterleaks is today. It’s a drop-in replacement for Gitleaks with a bunch of new features. That means your existing Gitleaks CLI options keep working and your old configs load out of the box; it just runs faster. Here are some of the features we ship v1 with:
- Rule Defined Validation: Each rule can carry its own validation logic, written in the Common Expression Language (CEL), for checking whether a candidate secret is live before it is reported.
- Token Efficiency Scanning: Instead of relying on entropy to filter candidate secrets, Betterleaks uses a technique based on BPE tokenization (which I wrote about in Rare Not Random). A BPE tokenizer compresses strings it has seen pieces of before and makes little progress on strings it hasn’t, so measuring how efficiently it tokenizes a candidate gives a much cleaner signal than counting character frequencies. Against the CredData dataset, token efficiency hits 98.6% recall compared to entropy's 70.4%.
- Pure Go (No CGO): We wanted fast scanning without depending on CGO or Hyperscan, so the binary runs anywhere Go does.
- Default Encoding Detection: Nested encodings are unwrapped by default, so doubly and triply encoded secrets are still found.
- More Rules: New providers powering your organization are popping up all the time and we’re focused on adding them. It’s super easy to write new rules and validation logic for Betterleaks, so come on and open a PR!
- Parallelized Git Scanning: Betterleaks scans git repos faster than any other tool when parallelized git scanning is enabled.
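To make the token-efficiency idea concrete, here is an added illustration (not Betterleaks’ code, and not how it builds its tokenizer): a toy byte-pair-encoding tokenizer trained on a small constructed corpus, with Shannon entropy computed alongside for the same candidates. The corpus, the two candidate strings (a plausible Java class name and a base32-looking secret) and the idea of a fixed bit threshold are all assumptions made here for the demonstration; a real scanner would use a vocabulary trained on a large body of text and code.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Constructed training text standing in for a real BPE vocabulary. A real
// tokenizer is trained on a huge amount of text and code; this one only knows
// the words below, each repeated so that merges are learned for them.
const corpus = `the database connection string is loaded from the environment at startup
the Proxy Factory returns a Singleton Bean for the Abstract service
register the Proxy Factory Bean once and reuse the Singleton from the registry
an Abstract Factory builds a Proxy and a Bean when the Singleton is created
the Abstract Singleton is wrapped by the Proxy before the Bean is returned`

type pair struct{ a, b string }

// splitRunes turns a string into one symbol per rune.
func splitRunes(s string) []string {
	syms := make([]string, 0, len(s))
	for _, r := range s {
		syms = append(syms, string(r))
	}
	return syms
}

// applyMerge replaces every adjacent (p.a, p.b) in syms with the joined symbol.
func applyMerge(syms []string, p pair) []string {
	out := make([]string, 0, len(syms))
	for i := 0; i < len(syms); i++ {
		if i+1 < len(syms) && syms[i] == p.a && syms[i+1] == p.b {
			out = append(out, p.a+p.b)
			i++
			continue
		}
		out = append(out, syms[i])
	}
	return out
}

// trainBPE learns merges by repeatedly joining the most frequent adjacent pair
// inside whitespace-separated words (ties broken lexicographically so the
// result is deterministic). It stops when no pair occurs at least twice.
func trainBPE(text string, maxMerges int) []pair {
	var words [][]string
	for _, w := range strings.Fields(text) {
		words = append(words, splitRunes(w))
	}
	var merges []pair
	for len(merges) < maxMerges {
		counts := map[pair]int{}
		for _, w := range words {
			for i := 0; i+1 < len(w); i++ {
				counts[pair{w[i], w[i+1]}]++
			}
		}
		best, bestN := pair{}, 0
		for p, n := range counts {
			if n > bestN || (n == bestN && (p.a < best.a || (p.a == best.a && p.b < best.b))) {
				best, bestN = p, n
			}
		}
		if bestN < 2 {
			break
		}
		merges = append(merges, best)
		for i, w := range words {
			words[i] = applyMerge(w, best)
		}
	}
	return merges
}

// tokenize replays the learned merges, in order, over a candidate string.
func tokenize(s string, merges []pair) []string {
	syms := splitRunes(s)
	for _, p := range merges {
		syms = applyMerge(syms, p)
	}
	return syms
}

// tokenEfficiency is tokens per character: 1.0 means the tokenizer could not
// merge anything (the string looks like nothing it has seen before); the
// closer to 0, the more the string is built from familiar pieces.
func tokenEfficiency(s string, merges []pair) float64 {
	return float64(len(tokenize(s, merges))) / float64(len([]rune(s)))
}

// shannonEntropy is the classic bits-per-character estimate that entropy
// filters threshold on.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

func main() {
	merges := trainBPE(corpus, 1000)
	// Constructed candidates: a plausible Java class name, and a base32-style
	// secret with a narrow alphabet and repeated characters.
	for _, c := range []string{"AbstractSingletonProxyFactoryBean", "HXDP3KPBSWJ3PYPE"} {
		fmt.Printf("%-34s entropy=%.2f bits  tokens/char=%.2f  tokens=%q\n",
			c, shannonEntropy(c), tokenEfficiency(c, merges), tokenize(c, merges))
	}
}
```

The class name has higher character entropy (about 4.0 bits) than the base32-style secret (about 3.4 bits), so any single entropy threshold that catches the secret also flags the class name, and one that spares the class name misses the secret. Tokens per character separates them cleanly: the class name collapses to a handful of familiar subwords, while the secret stays at one token per character because the tokenizer has never seen those pairings. That is the “rare, not random” distinction in miniature.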
What’s next for Betterleaks? V1 already improves on Gitleaks quite a bit, but we have more planned in V2 like:
- Scanning more sources - Betterleaks supports scanning git repos and files (including stdin) but that’s not enough. We want to scan everything and make it easy to add new sources. Like stupid easy. Like adding-a-single-file-to-the-repo easy.
- LLM Assist - Call out to a local or remote LLM with anonymized data for an extra layer of confidence or to classify generic secrets and generate potential auth methods based on context.
- New filters - Token Efficiency is a teaser, but we have more planned.
- Auto-Revocation - Some secrets providers expose APIs for revoking secrets. We intend to support that via config.
- Permissions Mapping - Knowing if a secret is live or not is great, but know what that secret has access to and what that secret can do (like delete prod) is even better.
- Faster Speeds - There are bound to be some untapped optimizations we just gotta find them.
- Less cumbersome (better) config - Gitleaks has a solid config but it can be a little confusing to tweak at times. We want to flatten the config even further and expose CEL-based filtering rather than allowlists. Version 2.x.x’s config will be fully backwards compatible with v1 (and your old gitleaks configs).
Did I mention I’m not working alone? Maintaining Gitleaks over the years I’ve engaged with lots of community members. Probably hundreds of folks. There are three in particular that have been extraordinarily helpful and will help me maintain Betterleaks. Having four maintainers instead of one will help ensure project stability, governance, and longevity.
- Richard Gomez - a director of software development in the Royal Bank of Canada's Global Security group. A longtime Gitleaks contributor and Microsoft Security Response Center 2024 Most Valuable Researcher, Richard helped launch RBC's Open Source Program Office, and is passionate about strengthening the open-source ecosystem that modern security depends on.
- Braxton Plaxco - a Senior Information Security Analyst on Red Hat's incident response team who is also obsessed with secret leak detection and OSINT. He spearheaded Red Hat's secret detection program, relying on open-source tools like Gitleaks (and now Betterleaks) as the core of their LeakTK framework. Braxton consistently looks for opportunities to upstream his team's innovations to ensure their work benefits as many people as possible.
- Ahrav Dutta - a software engineer at Amazon who is focused on building high-performance systems and advancing open-source secret scanning. He cares about making detection faster, more scalable, and more useful for the broader security community.
Betterleaks is open source under the MIT license and joins Aikido's roster of open source projects alongside Aikido Safe Chain, Aikido Zen, Aikido Intel, and Opengrep. Aikido sponsors the project, but it’s not dependent on Aikido. I joined Aikido because Willem (CTO) and I have the same shared vision of making the best open source secrets scanner available. I get to work on that vision by maintaining Betterleaks, an independent open-source project with transparent governance and a community-driven roadmap.
Last, a note on developing Betterleaks for the AI agent era. Like it or not, agents are here and reshaping developers’ workflows. Betterleaks is designed to be human-first, but we also need to consider the fact that agents will be operating it too. How will agents operate Betterleaks? Probably in a way similar to how agents use other CLIs like grep. Fire up Claude Code, Codex, or Cursor, and you’ll see them constantly reaching for tools like grep. They do this because a good CLI lets them use flags to tightly control the output, getting the exact answer they need without blowing up your token budget. We built Betterleaks to offer that exact same utility. So go ahead, define Betterleaks as a tool for your AI agent and tell it to scan any code it generates, or enrich your bug bounty agent by running Betterleaks when it encounters an interesting file.
Using a secrets scanner will save your bacon at one point or another so whether you’re a current Gitleaks user or completely new to secrets scanning, now is the time to give Betterleaks a spin. To help us build the best open-source secrets scanner out there, we’d massively appreciate a star on GitHub! See you in the issues and PRs :)

