IHA089
Toolkit / Developer & DevSecOps Tools / Git Leak Detection
Gitleaks

Gitleaks is a high-speed Git leak detector for CI/CD that scans commit history and diffs for 140+ secret patterns (API keys, tokens, passwords) using entropy and regex rules, and outputs JSON/SARIF for GitHub Actions. Run it via the CLI or as a pre-commit hook to auto-block leaks, and customize rules for org-specific tokens. Open-source from gitleaks, it's the commit sentinel for devs building zero-leak pipelines.

TruffleHog

TruffleHog is the entropy-driven Git leak hunter for CI, deep-scanning full repo histories and branches for high-entropy strings like private keys, with optional verification endpoints in GitLab/Jenkins. Deploy it via Docker or the Go binary for JSON reports, and scan diffs to catch leaks pre-merge. Open-source from trufflesecurity, it's the hog that roots out buried secrets in workflows.

GitGuardian ggshield

ggshield is the Git leak scanner for CI with real-time diff analysis, flagging live secrets in pushes and PRs, with auto-remediation via cleanup PRs in GitHub/Bitbucket. Integrate it into pre-receive or pre-commit hooks and export SARIF for Azure DevOps. An open-source CLI from GitGuardian, it's the leak gatekeeper for teams building proactive hygiene into every commit.

Yelp detect-secrets

detect-secrets is the baseline Git leak scanner for CI, using heuristics and plugins to detect hardcoded secrets across codebases, with a .secrets.baseline file to suppress known false positives in GitLab CI. Run it via pip in pipelines or as a pre-commit hook for JSON output and fail-on-new checks. Open-source from Yelp, it's the baseline bouncer for devs keeping repos clean and auditable.

git-secrets

git-secrets is the AWS Git hook enforcer for CI, blocking commits with regex-matched secrets (passwords, tokens) before they reach remote repos, with customizable patterns for Jenkins/GitHub Actions. Install it via brew/apt and integrate it into pre-commit for local and CI enforcement. Open-source from AWS Labs, it's the commit guard for ops teams putting hard stops on secret exposure.

Talisman

Talisman is the pre-push Git leak detector for CI, validating commits against YAML-defined patterns and entropy checks to block tokens and keys in GitHub PRs or CircleCI. Configure detectors per project and output logs for review. Open-source from ThoughtWorks, it's the push-time protector for teams building instant leak rejection into daily workflows.

GitRob

GitRob is the GitHub org-wide leak scanner for CI, analyzing public repos for sensitive files and secrets using rule-based signatures, with risk scoring for triage in security ops. Run it via the Go CLI with access tokens and export findings for dashboards. Open-source from Michael Henriksen, it's the repo auditor for SecOps teams running enterprise-wide leak sweeps.

Repo-supervisor

Repo-supervisor is the Git leak monitor for CI, continuously scanning repos for secrets and PII using custom YARA-like rules, with webhook alerts for Slack/GitHub Issues. Deploy it as a service or CLI for ongoing surveillance in large orgs. Open-source from auth0, it's the watchful eye for teams keeping repo hygiene always on.
