Question 1

How do I set up Gitleaks as a pre-commit hook?

Accepted Answer

Install pre-commit, create a .pre-commit-config.yaml file with the gitleaks repo and hook ID, then run pre-commit install, as shown in the README. This blocks commits containing secrets before they reach the repository.

Question 2

Gitleaks vs TruffleHog: which is better for secret detection?

Accepted Answer

Gitleaks focuses on regex and entropy with extensive customization, ideal for tailored CI/CD integration. TruffleHog often includes more heuristics and entropy checks for broader detection. Choose Gitleaks for fine-grained control and TruffleHog for out-of-the-box breadth.

Question 3

How to ignore false positives in Gitleaks?

Accepted Answer

Use the .gitleaksignore file to add fingerprints of known false positives, or configure allowlists in the TOML config to exclude specific commits, paths, or regex patterns, as detailed in the configuration section.

Question 4

Does Gitleaks support scanning for AWS keys specifically?

Accepted Answer

Yes, the default config includes rules for AWS keys, but you can customize or extend these in your TOML file using regex patterns and entropy settings to match your organization's key formats.

Question 5

How to generate a custom report format in Gitleaks?

Accepted Answer

Use the --report-template flag with a Go text/template file to define custom output, leveraging the sprig library for extra functions, as demonstrated in the README with the jsonextra.tmpl example.

Question 6

Can Gitleaks scan binary files or only text?

Accepted Answer

Gitleaks primarily scans text-based content; it can handle archives via the --max-archive-depth flag, but may not effectively scan binary files without specific decoding rules, limiting detection in non-text assets.

Gitleaks

What is Gitleaks?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions