Detection Methods
- Pattern Matching: Regex patterns for 200+ known credential formats
- Entropy Analysis: Detects high-entropy strings likely to be secrets
- Git History Scanning: Checks all commits, not just current code
- Context Awareness: Reduces false positives by examining surrounding code
Supported Secret Types
Cloud Provider Credentials
AWS:
- AWS Access Key ID
- AWS Secret Access Key
- AWS Session Token
- AWS Account ID patterns
- AWS MWS Auth Token
- Azure Storage Account Keys
- Azure Service Principal credentials
- Azure Subscription Keys
- Azure CosmosDB Keys
- Azure DevOps Personal Access Tokens
- GCP API Keys
- GCP Service Account Keys (JSON)
- Google OAuth credentials
- Firebase credentials
- Google Cloud Storage keys
- DigitalOcean Access Tokens
- DigitalOcean Personal Access Tokens
- DigitalOcean OAuth tokens
- Heroku API Keys
- Heroku OAuth tokens
- Alibaba Access Keys
- Alibaba Secret Keys
SaaS/API Keys
Payment Processing:
- Stripe API Keys (Live & Test)
- Stripe Publishable Keys
- Stripe Restricted Keys
- PayPal Client ID/Secret
- Square Access Tokens
- Twilio API Keys and Auth Tokens
- SendGrid API Keys
- Mailgun API Keys
- Mailchimp API Keys
- Slack Tokens and Webhooks
- Discord Tokens
- GitHub Tokens (Personal Access, OAuth)
- GitLab Tokens
- Bitbucket App Passwords
- Azure DevOps PATs
- CircleCI Tokens
- Travis CI Tokens
- Jenkins API Tokens
- HashiCorp Vault tokens
- Datadog API Keys
- New Relic API Keys
- Sentry Auth Tokens
- MongoDB Connection Strings
- PostgreSQL Connection Strings
- MySQL Connection Strings
- Redis Passwords
- Cassandra Passwords
- Elasticsearch credentials
Private Keys & Certificates
SSH Keys:
- RSA Private Keys
- DSA Private Keys
- EC Private Keys
- ed25519 Private Keys
- OpenSSH Private Keys
- Private Key files (.key, .pem)
- Certificate files
- PKCS#12 (.p12, .pfx)
- Java KeyStore (.jks)
- GPG Private Keys
- PGP Private Keys
- Apple Code Signing keys
Authentication Tokens
OAuth & JWT:
- OAuth Client Secrets
- OAuth Refresh Tokens
- JWT Secrets
- Bearer Tokens
- Session Tokens
- Generic API Keys
- Generic Secrets
- Generic Passwords
- Basic Auth credentials
What Gitleaks Scans
Current Codebase
- All files in repository
- Configuration files (.env, config.yaml, etc.)
- Infrastructure as Code files
- Documentation and README files
- Embedded credentials in code
Git History
- All commits across all branches
- Deleted files still in history
- Renamed files
- File content before .gitignore was added
- Merge commits
File Types Scanned
Configuration Files:
- .env, .env.local, .env.production
- config.yaml, config.json, settings.py
- .aws/credentials, .azure/credentials
- .npmrc, .pypirc
- Terraform (.tf)
- Kubernetes manifests (.yaml)
- Docker Compose files
- CI/CD configs (.gitlab-ci.yml, .github/workflows/)
- All programming languages
- Scripts (bash, python, etc.)
- Database migration files
- README.md, documentation files
- Comments in code
- Jupyter notebooks
What Gitleaks Doesn’t Detect
❌ Encrypted secrets (they look like random strings)
❌ Secrets in binary files (compiled code, images, etc.)
❌ Secrets split across multiple lines (obfuscation techniques)
❌ Custom secret formats without adding custom rules
False Positive Handling
Common false positives:
- Example credentials in documentation
- Test API keys in test files
- Placeholder values (YOUR_API_KEY_HERE)
- High-entropy strings that aren't secrets
- Use a .gitleaksignore file
- Mark test files/directories for exclusion
- CodeThreat AI can filter test secrets automatically
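As an added illustration of how the pattern, entropy and context checks described under Detection Methods and False Positive Handling fit together (example code written for this page, not Gitleaks' own implementation or rule set; the rule ids, thresholds, placeholder list and sample lines are all constructed):

```python
import math
import re

# Constructed rule table in the spirit of Gitleaks' regex rules (not Gitleaks' own rules).
# Each entry: rule id, regex whose group 1 is the candidate secret, and the minimum
# Shannon entropy (bits per character) the captured value must reach to be reported.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("generic-api-key",
     re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})['\"]?"),
     3.5),
]
# Context check: values that read as documentation placeholders rather than live credentials.
PLACEHOLDERS = re.compile(r"(?i)(YOUR_|EXAMPLE|CHANGEME|REPLACE|x{8,})")

def shannon_entropy(value: str) -> float:
    """Bits per character; generated secrets score high, words and repeated characters low."""
    n = len(value)
    if n == 0:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(line: str, path: str, lineno: int) -> list:
    findings = []
    for rule_id, pattern, min_entropy in RULES:
        for match in pattern.finditer(line):
            secret = match.group(1)
            if PLACEHOLDERS.search(secret):
                continue  # placeholder value: the classic false positive
            entropy = shannon_entropy(secret)
            if entropy < min_entropy:
                continue  # too regular to be a generated secret (e.g. "aaaa...")
            findings.append({"rule": rule_id, "file": path, "line": lineno,
                             "entropy": round(entropy, 2)})
    return findings

def scan_text(text: str, path: str) -> list:
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(line, path, n)]

# Constructed sample file content; none of these values is a real credential.
SAMPLE = """aws_access_key_id = AKIAQ4R7TZX2MN8PLV3K
API_KEY = YOUR_API_KEY_HERE_REPLACE_ME
secret = aaaaaaaaaaaaaaaaaaaaaaaa
token = "q7Gx2pLm9VbZ4kRt8WsYn3HdJf6Ac1Ee"
"""
```

Running `scan_text(SAMPLE, "config.env")` reports only lines 1 and 4: the placeholder on line 2 fails the context check and the repeated-character value on line 3 fails the entropy threshold.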
Best Practices
- Never commit secrets: Use environment variables or secret managers
- Rotate compromised secrets: If found in Git history, consider it compromised
- Use .gitignore: Prevent secrets files from being committed
- Secret managers: AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
