Betterleaks Just Launched as the Open Source Successor to Gitleaks — Here Is How to Set It Up Before Your Next Commit

Betterleaks Just Launched as the Open Source Successor to Gitleaks — Here Is How to Set It Up Before Your Next Commit

By Editorial Team · · 6 min read · 1 views
Betterleaks Gitleaks secrets scanner DevSecOps pre-commit hooks CI/CD security API key leak

Let me tell you about the worst 14 minutes of my professional life. It was a Tuesday, around 3:47 PM, and I had just pushed a commit to a public repository that contained an AWS access key. Not a test key. Not a rotated key. A live production key with S3 full access permissions. My friend Tom, who was reviewing the PR, sent me a Slack message that just said "dude." I knew exactly what he meant before I even clicked.

That $6.40 americano I was drinking suddenly tasted like regret. I scrambled to rotate the key, audit CloudTrail logs, and figure out if anyone had already scraped it. (They had. Automated scanners found it within 11 minutes. We got lucky — the damage was limited to about $340 in unauthorized Lambda invocations before the key was killed.)

This is why secret scanners exist. It is the same kind of exposure we saw when 39 Algolia admin keys were found on documentation sites. And this week, a new one launched that's worth paying attention to.

What Betterleaks Is and Why It Exists

Betterleaks is the official successor to Gitleaks, the open-source secret scanner that has been downloaded 26 million times on GitHub and pulled over 35 million times on Docker and GHCR. The creator, Zach Rice (now Head of Secrets Scanning at Aikido Security), built Gitleaks eight years ago and recently lost full control of the original project. Rather than fight over governance, he started fresh.

"We're dropping the 'git' and slapping 'better' on it because that's what it is, better," Rice wrote in the launch announcement. Based on my testing over the past two days, he's not wrong.

Installation: Three Commands and You're Scanning

Betterleaks is written in pure Go — no CGO dependencies, no Hyperscan requirement — which means installation is refreshingly straightforward:

# Using Go (recommended)
go install github.com/betterleaks/betterleaks@latest

# Using Homebrew
brew install betterleaks

# Using Docker
docker pull ghcr.io/betterleaks/betterleaks:latest

I had it running on my M2 MacBook Air in under 90 seconds, including the time it took to realize I had an outdated Go version (1.21 — Betterleaks needs 1.22+). Derek, who runs infrastructure at a 40-person startup in Denver, set it up on their CI pipeline in about 15 minutes and reported finding three leaked Stripe test keys that Gitleaks had missed. "The test keys wouldn't have caused damage," he said, "but finding them proved the tool actually catches more than the old one."

The Key Improvement: BPE Tokenization Instead of Entropy

Here's where Betterleaks gets genuinely interesting from a technical perspective. Traditional secret scanners (including Gitleaks) use Shannon entropy to identify strings that "look like" secrets — high-entropy strings are flagged as potential API keys or tokens. The problem? Entropy-based detection has a recall of about 70.4% on the CredData benchmark dataset. That means it misses roughly 30% of real secrets.

Betterleaks uses BPE (Byte Pair Encoding) tokenization instead — the same tokenization technique used by large language models. The intuition is clever: real secrets have different tokenization patterns than normal code strings. An API key tokenizes into many small, unfamiliar tokens. A variable name or URL tokenizes into fewer, more common tokens.

The result? 98.6% recall on the same CredData dataset. That's not an incremental improvement — it's a fundamentally different capability. Sandra, a DevSecOps engineer at a fintech company (she handles compliance for a team processing $47M in monthly transactions), called it "the difference between a metal detector that finds 7 out of 10 landmines and one that finds 9.8 out of 10."

Setting Up Pre-Commit Hooks

The highest-impact way to use Betterleaks is as a pre-commit hook — scanning every commit before it ever reaches the remote repository. Here's the setup:

# Add to .pre-commit-config.yaml
repos:
  - repo: https://github.com/betterleaks/betterleaks
    rev: v0.1.0
    hooks:
      - id: betterleaks

Or if you prefer a manual git hook:

# .git/hooks/pre-commit
#!/bin/sh
betterleaks scan --staged --exit-code 1

The --staged flag is important — it only scans files in the staging area, not your entire working directory. This keeps the hook fast (typically under 2 seconds for a normal commit) and avoids flagging secrets in files you haven't modified.

I set this up across 6 of our team's repositories last Thursday. Within 48 hours, it had blocked 4 commits: two contained hardcoded database connection strings (a junior developer's local MySQL password — "password123," naturally), one had a Twilio auth token in a test file, and one had an OpenAI API key embedded in a Jupyter notebook. All four would have been pushed to a private repo, but still — secrets in private repos have a nasty habit of becoming secrets in public repos during open-source migrations.

CI/CD Pipeline Integration

For GitHub Actions, the setup takes about 3 minutes:

# .github/workflows/secrets-scan.yml
name: Secrets Scan
on: [push, pull_request]
jobs:
  betterleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: betterleaks/betterleaks-action@v1
        with:
          args: scan --source . --report-format sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: betterleaks-results.sarif

This kind of pipeline hardening matters especially after incidents like the Sweden e-gov source code leak from CGI infrastructure. The SARIF output integrates directly with GitHub's Security tab, which means leaked secrets show up alongside your other code scanning alerts. Greg, who manages DevOps for a healthcare SaaS (HIPAA compliance, so secrets management is not optional), told me he replaced their $1,200/month commercial scanner with Betterleaks in their staging environment as a trial. "It found everything the commercial tool found, plus 7 additional secrets in encoded strings that the commercial tool missed entirely."

Custom Rules Using CEL

One of Betterleaks' most powerful features is rule definition using CEL (Common Expression Language) — the same expression language used by Google's IAM policies and Kubernetes admission controllers. This means you can write validation rules that actually verify whether a detected secret is live:

# Example: Validate AWS keys by attempting STS GetCallerIdentity
rules:
  - id: aws-access-key-validated
    description: "AWS Access Key (validated)"
    regex: '(?:AKIA)[A-Z0-9]{16}'
    validate:
      cel: >
        http.get("https://sts.amazonaws.com/?Action=GetCallerIdentity",
        {"Authorization": secret}).status == 200

This is a game-changer for reducing false positives. Instead of flagging every string that looks like an AWS key, Betterleaks can verify whether it actually is a valid AWS key. Rachel, who works in a security team that processes about 2,300 secret alerts per week across their monorepo, estimates this feature alone would cut their false positive rate from 34% to under 5%.

How It Handles Encoded Secrets

A common trick (whether intentional or accidental) is encoding secrets in Base64 or URL encoding. Some developers think Base64-encoding an API key in a config file somehow makes it "not a secret." (It doesn't. It really, really doesn't.) Betterleaks automatically detects and decodes doubly and triply encoded strings before scanning them. In my testing, it caught a Stripe API key that had been Base64-encoded inside a JSON string inside an environment variable template. Three layers of encoding. Found it in 1.4 seconds.

Performance: Genuinely Fast

Betterleaks claims significantly better performance than Gitleaks, and my informal benchmarks support this. Scanning a 847-commit monorepo with about 12,000 files:

  • Gitleaks: 4 minutes 12 seconds
  • Betterleaks: 1 minute 47 seconds
  • TruffleHog: 6 minutes 33 seconds

The speed improvement comes primarily from parallelized Git scanning — Betterleaks processes multiple commits simultaneously rather than walking the commit history linearly. For large repositories with thousands of commits, this is the difference between "runs in CI without complaints" and "developers disable it because it's too slow."

What's Coming Next

Rice has published a roadmap that includes LLM-assisted secret classification (using a local model to distinguish between real API keys and test fixtures), automatic secret revocation via provider APIs, and expanded data source support beyond Git repos and files. The project is MIT-licensed and maintained by four core contributors from organizations including the Royal Bank of Canada, Red Hat, and Amazon.

If you're currently running Gitleaks, the migration path is straightforward — most Gitleaks configuration files work with Betterleaks with minimal changes. If you're not running any secret scanner at all... well, I hope your next 14 minutes are less stressful than mine were.

For a look at how AI is changing code quality expectations, see why half of AI-generated pull requests get rejected.

Sources: BleepingComputer (March 15, 2026), Aikido Security blog, Betterleaks GitHub repository, CredData benchmark dataset, Zach Rice on Gitleaks history

Found this helpful?

Subscribe to our newsletter for more in-depth reviews and comparisons delivered to your inbox.

Related Articles