Scan Any Repo for Leaked Secrets with Gitleaks
Easy · github.com/gitleaks/gitleaks · 2026-06-25

Gitleaks scans git repositories and folders for accidentally committed secrets like API keys, passwords, and tokens. Install it once and run a scan in under five minutes.

// Build stats

  • Total time: 7 min
  • Number of steps: 6
  • Difficulty: Easy
  • Worked first time: 92%

// Before you start

What you need

  • A Mac, Windows, or Linux computer
  • A terminal / command prompt open
  • Homebrew installed (Mac users) — or Docker installed (everyone else)
  • A git repository or folder you want to scan
01
Step 1 of 6

Install Gitleaks

2 min

Pick the install method that matches your system. Mac users can use Homebrew — one command and you're done. Everyone else can use Docker, which needs no installation beyond Docker itself. Choose one block below and paste it into your terminal.

Terminal · mac
$ # Mac (Homebrew)
$ brew install gitleaks
$
$ # All platforms via Docker — just pull the image
$ docker pull zricethezav/gitleaks:latest
What you should see
Homebrew: '==> Successfully installed gitleaks' Docker: 'Status: Downloaded newer image for zricethezav/gitleaks:latest'
This might happen

Homebrew says 'command not found: brew'

Install Homebrew first by visiting https://brew.sh and running the one-line installer shown there, then retry.

02
Step 2 of 6

Confirm the install works

1 min

Before scanning anything, make sure Gitleaks is responding. This prints the version number — if you see it, the tool is ready.

Terminal · mac
$ # Homebrew install
$ gitleaks version
$
$ # Docker install
$ docker run --rm zricethezav/gitleaks:latest version
What you should see
v8.24.2 (or similar version number)
03
Step 3 of 6

Scan a git repository for secrets

2 min

Navigate your terminal into the folder that contains the git repo you want to check, then run the scan. The 'git' command tells Gitleaks to walk through every commit in the repo's history — not just the files as they look today. Replace '/path/to/your/repo' with the actual folder path if using Docker.

Terminal · mac
$ # Homebrew install — run from inside the repo folder
$ cd /path/to/your/repo
$ gitleaks git -v
$
$ # Docker install — replace /path/to/your/repo with your real path
$ docker run --rm -v /path/to/your/repo:/path zricethezav/gitleaks:latest git -v /path
What you should see
If secrets are found: a table showing Finding, Secret, RuleID, File, Line, Commit, and Author for each leak, then exit code 1. If nothing is found: 'No leaks found.' and exit code 0.
This might happen

Docker reports 'invalid mount config' or 'no such file'

Make sure you use the full absolute path to your folder (e.g. /Users/yourname/projects/myrepo on Mac, or C:/Users/yourname/projects/myrepo on Windows). On Windows also enable folder sharing in Docker Desktop settings.

04
Step 4 of 6

Scan a plain folder (no git history needed)

1 min

If you just have a folder of files — not a git repo — use the 'dir' command instead. This checks file contents right now without looking at any commit history. Useful for config files, downloaded code, or exported archives.

Terminal · mac
$ # Homebrew install
$ gitleaks dir -v /path/to/your/folder
$
$ # Docker install
$ docker run --rm -v /path/to/your/folder:/path zricethezav/gitleaks:latest dir -v /path
What you should see
Same finding table as above if secrets exist, or 'No leaks found.' if clean.
05
Step 5 of 6

Save a report to a file

1 min

By default results only print to the screen. Add these flags to also write a JSON report you can share or store. Change 'report.json' to any filename you like. JSON is the most useful format for sharing with a developer who needs to fix the leaks.

Terminal · mac
$ # Homebrew install
$ gitleaks git -v --report-format json --report-path report.json
$
$ # Docker install
$ docker run --rm -v /path/to/your/repo:/path zricethezav/gitleaks:latest git -v --report-format json --report-path /path/report.json /path
What you should see
Scan output prints to screen as normal, and a file called report.json appears in your repo folder.
This might happen

report.json is empty even though leaks were shown on screen

The report file is only written when Gitleaks finishes cleanly. Make sure you are not interrupting the scan with Ctrl+C before it completes.

06
Step 6 of 6

Ignore a false positive with a comment

2 min

Sometimes Gitleaks flags something that is not actually a secret — a test value or a placeholder. You can tell it to skip a specific line by adding a comment at the end of that line in your file. You will need to open the file in any text editor to do this. This step requires editing one line of a file — the only editing in this guide.

Terminal · mac
$ # Add this comment to the end of the flagged line in your file:
$ # (open the file in any text editor and append the comment below)
$
$ your_existing_line_here # gitleaks:allow
What you should see
On the next scan, Gitleaks skips that line and does not report it as a finding.
This might happen

The line is still flagged after adding the comment

Make sure there is a space before the # and that you typed 'gitleaks:allow' exactly with no extra spaces. Also confirm you saved the file before re-running the scan.
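Once the JSON report from Step 5 exists, the next job is usually to turn it into a rotation list for the developer without pasting the secret values into a ticket. The script below is an added example, not part of this guide or the Gitleaks project; it reads a constructed report in the list-of-findings shape Gitleaks writes with --report-format json, counts findings per rule and per file, and groups every location by credential using a non-reversible label in place of the secret itself.

```python
import hashlib
import json
from collections import Counter

# Constructed sample report in the shape Gitleaks writes with
# --report-format json (a JSON list of finding objects). All values are made up.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "Secret": "EXAMPLE-KEY-0001",
     "File": "config/settings.py", "StartLine": 12,
     "Commit": "aaaaaaa1111111111111111111111111111111111", "Author": "dev"},
    {"RuleID": "generic-api-key", "Secret": "EXAMPLE-KEY-0001",
     "File": "scripts/deploy.sh", "StartLine": 3,
     "Commit": "bbbbbbb2222222222222222222222222222222222", "Author": "dev"},
    {"RuleID": "aws-access-token", "Secret": "AKIA-CONSTRUCTED-EXAMPLE",
     "File": ".env", "StartLine": 1,
     "Commit": "ccccccc3333333333333333333333333333333333", "Author": "ops"},
])


def secret_ref(secret: str) -> str:
    """Non-reversible label for a secret (4-char prefix + SHA-256 fragment) so a
    ticket can say which credential to rotate without repeating the value."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:8]
    return f"{secret[:4]}...{digest}"


def triage(report_text: str) -> dict:
    """Summarise a Gitleaks JSON report: findings per rule and per file, plus
    the distinct secret values to rotate with every place each one appears."""
    findings = json.loads(report_text)
    rotate = {}  # secret_ref -> list of "file:line (commit)" locations
    for f in findings:
        where = f"{f['File']}:{f['StartLine']} ({f['Commit'][:7]})"
        rotate.setdefault(secret_ref(f["Secret"]), []).append(where)
    return {
        "total": len(findings),
        "by_rule": dict(Counter(f["RuleID"] for f in findings)),
        "by_file": dict(Counter(f["File"] for f in findings)),
        "rotate": rotate,  # one entry per credential, not per finding
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['total']} findings, {len(summary['rotate'])} credentials to rotate")
    for ref, places in summary["rotate"].items():
        print(f"  {ref}: " + ", ".join(places))
```

Replace SAMPLE_REPORT with the contents of report.json to run it on a real scan; a secret that appears in several commits still counts as one credential to rotate.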

// Status

cooked. baked. worked.

A working Gitleaks install that can scan any git repo or folder and report every detected secret with the file name, line number, and commit where it appeared — plus an optional JSON report file.

// the honest bit

The honest part

Gitleaks is officially feature-complete — the maintainer has announced no new features will be added, only security patches. It works very well for what it does today, but if you need active development and new detection rules, the maintainer is building a successor called Betterleaks. Gitleaks uses regex patterns, so it will miss secrets that do not match its built-in rules and will occasionally flag things that are not real secrets (false positives). It does not automatically remove or rotate leaked secrets — it only finds them. Fixing a leak means rotating the credential at the source (e.g. regenerating the API key) and, if needed, rewriting git history.