Secret Scanning in CI/CD: detect-secrets vs gitleaks vs TruffleHog

A Stripe secret key exposed in a public GitHub repository starts with sk_live_. Stripe's API accepts it immediately—no additional authentication, no MFA prompt. Payment charges, refund reversals, customer data exports: all accessible to anyone who finds the key before you rotate it.

Secret leaks are not theoretical. GitGuardian's 2024 State of Secrets Sprawl report found 12.8 million new secrets exposed on public GitHub repositories in a single year. These tools are one layer of a complete credential security strategy—but picking the wrong one for your workflow costs you coverage.

Here's what each tool actually does, where it falls short, and which one belongs in your pipeline.

This post compares four open-source secret detection tools for CI/CD pipelines and pre-commit hooks. For a broader comparison that includes platform-native and commercial options, see Top 10 Tools for Detecting API Key Leaks.

The Four Contenders at a Glance

	git-secrets	detect-secrets	gitleaks	TruffleHog
Detection method	Regex only	Regex + entropy	Regex	Entropy + regex + verification
Built-in rule coverage	AWS only	~20 types	150+ types	700+ detectors
Credential verification	No	No	No	Yes
History scanning	No	No	Yes	Yes
Speed	Very fast	Moderate	Fast	Slow (with verification)
False positive rate	Low (narrow scope)	High (entropy)	Low-moderate	Very low (verified)
Pre-commit support	Native	Via pre-commit	Via pre-commit	Via pre-commit
CI/CD integration	Manual	Manual	Native (SARIF, GitHub Action)	Native (SARIF, GitHub Action)
Offline capable	Yes	Yes	Yes	No (verification phase)
Maintenance status	Stale	Active	Active	Active
Language	Shell	Python	Go	Go

git-secrets (AWS Labs)

The oldest tool in this category. AWS built git-secrets to prevent AWS credentials from leaking—and it does that narrow job well.

How it works. git-secrets installs as a Git hook. Each commit is checked against registered patterns. AWS provides a built-in ruleset (git secrets --register-aws) that catches AWS access keys (AKIA[0-9A-Z]{16}), secret keys, and account IDs. Custom patterns can be added manually.


# Install and configure for AWS
git secrets --install
git secrets --register-aws

# Add custom patterns
git secrets --add 'sk_live_[A-Za-z0-9]{24,}'
git secrets --add 'sk-proj-[A-Za-z0-9]{48,}'

Strengths:

Minimal footprint—a shell script backed by grep, no binary dependencies
Fully offline, no network calls
Fast—pattern matching is O(n) over the diff

Weaknesses:

Regex-only. No entropy analysis, no semantic understanding
No built-in patterns for most modern secrets (GitHub tokens, OpenAI keys, Stripe keys, JWT signing keys)
Cannot scan git history—checks new commits only
Effectively unmaintained. The last meaningful update was years ago

Best for: Teams running entirely in AWS who want a dependency-free hook and are comfortable writing their own regex patterns for everything else.

Verdict: Too narrow for general use. If your stack includes anything beyond AWS, you'll spend more time writing custom patterns than you save by using a lightweight tool.

detect-secrets (Yelp)

Yelp's security team built detect-secrets for a harder problem: detecting secrets in repositories with millions of lines of existing code, where a "find everything and alert" approach produces enough false positives to be useless.

How it works. detect-secrets uses a plugin architecture. Each plugin handles one secret type: HexHighEntropyString, Base64HighEntropyString, AWSKeyDetector, BasicAuthDetector, KeywordDetector, SlackDetector, and others. Each plugin applies its own combination of regex patterns and Shannon entropy thresholds.

The core innovation is the baseline file. detect-secrets scans a repository, records everything that looks like a secret, and writes the results to .secrets.baseline. From that point, the pre-commit hook only alerts on new secrets—things that weren't in the baseline.


# Generate initial baseline
detect-secrets scan > .secrets.baseline

# Audit the baseline interactively
detect-secrets audit .secrets.baseline

# Pre-commit hook configuration
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

Strengths:

Baseline workflow handles brownfield repos well—no alert flooding on day one
Plugin architecture is extensible. Custom secret types are straightforward to add
Good Python ecosystem integration—works cleanly with pre-commit hooks
Entropy-based detection catches secrets that pure regex misses
Fully offline

Weaknesses:

Higher false positive rate than gitleaks. Entropy-based detection flags random-looking strings that aren't secrets (UUIDs, hashes, test fixtures)
The baseline model requires discipline. If developers add detected secrets to the baseline without auditing them, coverage silently degrades
Slower than gitleaks on large repos
Doesn't scan history by default—only new commits via the hook
Python dependency may conflict with project requirements

Best for: Python-heavy teams with significant existing code, where a brownfield baseline approach is necessary to avoid alert fatigue on day one.

gitleaks

The most widely adopted open-source secret scanner. A single Go binary with no external dependencies, 150+ secret type rules out of the box, and native CI/CD integration.

How it works. gitleaks uses a TOML rule configuration that defines regex patterns for each secret type. Each rule has an ID, pattern, and optionally entropy thresholds and keyword requirements. The default gitleaks.toml covers AWS keys, GitHub PATs, OpenAI keys, Stripe live and test keys, database connection strings, private keys, JWT tokens, and 140+ more.


# Scan current repository
gitleaks detect --source . -v

# Scan only new commits (CI-friendly)
gitleaks detect --source . --log-opts="HEAD~1..HEAD"

# Scan with SARIF output for GitHub Advanced Security
gitleaks detect --source . --report-format sarif --report-path results.sarif

Pre-commit setup:


# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

GitHub Actions integration:


# .github/workflows/gitleaks.yml
name: gitleaks
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Custom rules example:


# .gitleaks.toml — extend or override default rules
[[rules]]
id = "internal-service-token"
description = "Internal service authentication token"
regex = '''svc_tok_[A-Za-z0-9]{32,}'''
keywords = ["svc_tok_"]

[[rules]]
id = "custom-database-url"
description = "Database connection string with password"
regex = '''(?i)(?:postgres|mysql|mongodb)://[^:]+:[^@]+@[^/]+'''

Strengths:

Coverage breadth. 150+ built-in rules covering essentially every major service's credential format
Fast. Go binary scanning is significantly faster than Python-based tools on large histories
Flexible deployment: pre-commit hook, CI/CD step, or standalone scan
Actively maintained. New rules are added regularly as new secret formats emerge
Clear SARIF output integrates with GitHub Advanced Security, GitLab, and other platforms
Custom rules are TOML configs—readable and version-controllable
Supports history scanning with --log-opts

Weaknesses:

Regex-only in the primary rules. A secret in an unusual format that doesn't match the pattern will be missed
No credential verification. It tells you whether something looks like a Stripe secret key—not whether the key is currently valid
False positive rate depends on rule quality. The default rules are good but not perfect—base64 strings, test fixtures, and example values trigger alerts

Best for: Most teams. gitleaks is the pragmatic choice—broad coverage, easy setup, fast enough for CI, actively maintained.

TruffleHog

The most capable tool in this category. TruffleHog takes the most opinionated stance on what makes a secret detection tool valuable: verified credentials.

How it works. TruffleHog's scanning is two-phase. First, it finds candidates using entropy analysis and regex patterns. Second—and this is what distinguishes it—it verifies candidates by making real API calls to the relevant service. If a string looks like a Stripe live key, TruffleHog pings the Stripe API with a test request. If it gets back a 200, the credential is live and flagged as verified. A 401 means the credential exists in the diff but is expired or revoked.

This dramatically reduces false positives. Verified results are P0—confirmed active credentials. Unverified results need human judgment.


# Scan a repository with verification
trufflehog git file://. --only-verified

# Scan git history
trufflehog git file://. --since-commit abc123

# Scan with JSON output
trufflehog git file://. --json --only-verified

Pre-commit setup:


# .pre-commit-config.yaml
repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.88.0
    hooks:
      - id: trufflehog
        args: ["git", "file://.", "--since-commit", "HEAD", "--only-verified"]

Supported verifiers include: GitHub, GitLab, AWS, GCP, Azure, Stripe, SendGrid, Slack, Twilio, Mailchimp, Shopify, Postman, npm, PyPI, Docker, OpenAI, Anthropic, and 600+ more. The list grows with every release.

Strengths:

Verified detection is the most actionable output in this category. You know if you have an active leak
Entropy-first approach catches secrets in unusual formats that pure regex misses
History scanning is thorough—specifically designed to find secrets added and then deleted from git history
Scans beyond git: S3 buckets, Syslog, Docker images, filesystems, Slack, Confluence
700+ detectors with provider-specific verification logic

Weaknesses:

Slower than gitleaks. Verification API calls add latency—a full history scan can take 10-30x longer
Network-dependent. The verification phase requires outbound internet access
The verification calls themselves are a consideration in security-sensitive environments—you're sending potentially valid credentials to external APIs to confirm they work
More complex to configure and tune
--only-verified in pre-commit hooks means unverified secrets pass through silently

Best for: Security teams who want the highest-confidence output and can accept slower scan times. Ideal for periodic history sweeps, incident response ("did this repo ever contain valid credentials?"), and compliance audits.

Choosing the Right Tool for Your Workflow

Solo Developers and Small Teams

Start with gitleaks as a pre-commit hook. It's the fastest path to coverage—a single binary, broad default rules, and no configuration required for most use cases. Add a gitleaks GitHub Action to catch anything that bypasses the local hook.

Teams with Large Existing Codebases

Consider detect-secrets for the initial rollout. The baseline model lets you deploy scanning without drowning in alerts from existing secrets. Once the baseline is clean, consider migrating to gitleaks for broader coverage and faster scanning.

Security Teams and Compliance-Driven Organizations

Layer gitleaks + TruffleHog. Use gitleaks for fast pre-commit and CI blocking (catches patterns instantly). Run TruffleHog on a scheduled basis—weekly full-history scans with verification—to find secrets that bypassed pattern matching and confirm which detections are active.


Developer commit
    │
    ▼
[gitleaks pre-commit hook]  ← Fast, offline, blocks known patterns
    │
    ▼
[Push to remote]
    │
    ▼
[gitleaks CI/CD action]     ← Catches bypassed hooks, SARIF reporting
    │
    ▼
[TruffleHog scheduled scan] ← Weekly history sweep, verified credentials

The Layering Strategy

For teams with serious secret hygiene requirements, the combination works because the tools cover different gaps:

gitleaks catches the 95% case: known credential patterns, fast, no network required
TruffleHog catches the 5% edge cases: unusual formats via entropy, deleted-then-removed secrets, and—critically—tells you which detected credentials are still active

This gives you low-latency pre-commit feedback plus high-confidence periodic validation.

Modern Secrets: OpenAI, Stripe, and AI Service Keys

A common question: which tool catches leaked OpenAI API keys, Anthropic keys, or other AI service credentials?

Both gitleaks and TruffleHog cover these. gitleaks has built-in rules for OpenAI keys (format: sk-proj-[A-Za-z0-9]{48,}), Anthropic keys, and other major AI services. TruffleHog has verifiers for OpenAI and can confirm whether a detected key is currently active—critical when you need to triage quickly.

Stripe secret keys (format: sk_live_[A-Za-z0-9]{24,}) are covered by both tools' default rulesets. If you're specifically worried about Stripe credentials, either tool will catch them in the standard format.

For a deeper look at why AI projects leak keys more frequently, see Why AI Projects Leak API Keys More Than Any Other Apps.

Beyond Open-Source: Platform-Native and Commercial Options

These four tools aren't the only option. Platform-native scanning (GitHub Secret Scanning, GitLab Secret Detection) and commercial platforms (GitGuardian, Snyk) offer additional capabilities:

GitHub Secret Scanning covers 200+ token formats and alerts both you and the token issuer—but only works on GitHub
GitGuardian provides centralized dashboards, historical monitoring, and team workflows—but requires a paid subscription
Snyk integrates secret scanning into a broader DevSecOps platform—but is also paid

For a comparison of all major options, see Top 10 Tools for Detecting API Key Leaks.

Conclusion

The right secret scanner is the one that gets used. A perfect detection tool that developers bypass because it's too slow or too noisy protects nothing.

For most teams, the answer is straightforward: gitleaks as a pre-commit hook and CI step, with periodic TruffleHog sweeps of your full history. This combination covers known patterns instantly, catches edge cases through entropy analysis, and—through verification—tells you which detections actually need emergency response.

Next steps:

Install gitleaks as a pre-commit hook today
Add a gitleaks GitHub Action to your CI pipeline
Run a one-time TruffleHog scan of your full repository history
Schedule weekly TruffleHog sweeps with --only-verified for ongoing monitoring
Review the results and rotate any active credentials found—if you discover a live leak, follow the emergency response guide

Rafter integrates gitleaks into broader code security analysis—treating credential detection as one layer in a full security assessment. Start a scan at rafter.so.

Here's what each tool actually does, where it falls short, and which one belongs in your pipeline.

The Four Contenders at a Glance

	git-secrets	detect-secrets	gitleaks	TruffleHog
Detection method	Regex only	Regex + entropy	Regex	Entropy + regex + verification
Built-in rule coverage	AWS only	~20 types	150+ types	700+ detectors
Credential verification	No	No	No	Yes
History scanning	No	No	Yes	Yes
Speed	Very fast	Moderate	Fast	Slow (with verification)
False positive rate	Low (narrow scope)	High (entropy)	Low-moderate	Very low (verified)
Pre-commit support	Native	Via pre-commit	Via pre-commit	Via pre-commit
CI/CD integration	Manual	Manual	Native (SARIF, GitHub Action)	Native (SARIF, GitHub Action)
Offline capable	Yes	Yes	Yes	No (verification phase)
Maintenance status	Stale	Active	Active	Active
Language	Shell	Python	Go	Go

git-secrets (AWS Labs)

The oldest tool in this category. AWS built git-secrets to prevent AWS credentials from leaking—and it does that narrow job well.


# Install and configure for AWS
git secrets --install
git secrets --register-aws

# Add custom patterns
git secrets --add 'sk_live_[A-Za-z0-9]{24,}'
git secrets --add 'sk-proj-[A-Za-z0-9]{48,}'

Strengths:

Minimal footprint—a shell script backed by grep, no binary dependencies
Fully offline, no network calls
Fast—pattern matching is O(n) over the diff

Weaknesses:

Regex-only. No entropy analysis, no semantic understanding
No built-in patterns for most modern secrets (GitHub tokens, OpenAI keys, Stripe keys, JWT signing keys)
Cannot scan git history—checks new commits only
Effectively unmaintained. The last meaningful update was years ago

Best for: Teams running entirely in AWS who want a dependency-free hook and are comfortable writing their own regex patterns for everything else.

Verdict: Too narrow for general use. If your stack includes anything beyond AWS, you'll spend more time writing custom patterns than you save by using a lightweight tool.

detect-secrets (Yelp)


# Generate initial baseline
detect-secrets scan > .secrets.baseline

# Audit the baseline interactively
detect-secrets audit .secrets.baseline

# Pre-commit hook configuration
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

Strengths:

Baseline workflow handles brownfield repos well—no alert flooding on day one
Plugin architecture is extensible. Custom secret types are straightforward to add
Good Python ecosystem integration—works cleanly with pre-commit hooks
Entropy-based detection catches secrets that pure regex misses
Fully offline

Weaknesses:

Higher false positive rate than gitleaks. Entropy-based detection flags random-looking strings that aren't secrets (UUIDs, hashes, test fixtures)
The baseline model requires discipline. If developers add detected secrets to the baseline without auditing them, coverage silently degrades
Slower than gitleaks on large repos
Doesn't scan history by default—only new commits via the hook
Python dependency may conflict with project requirements

Best for: Python-heavy teams with significant existing code, where a brownfield baseline approach is necessary to avoid alert fatigue on day one.

gitleaks

The most widely adopted open-source secret scanner. A single Go binary with no external dependencies, 150+ secret type rules out of the box, and native CI/CD integration.


# Scan current repository
gitleaks detect --source . -v

# Scan only new commits (CI-friendly)
gitleaks detect --source . --log-opts="HEAD~1..HEAD"

# Scan with SARIF output for GitHub Advanced Security
gitleaks detect --source . --report-format sarif --report-path results.sarif

Pre-commit setup:


# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

GitHub Actions integration:


# .github/workflows/gitleaks.yml
name: gitleaks
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Custom rules example:


# .gitleaks.toml — extend or override default rules
[[rules]]
id = "internal-service-token"
description = "Internal service authentication token"
regex = '''svc_tok_[A-Za-z0-9]{32,}'''
keywords = ["svc_tok_"]

[[rules]]
id = "custom-database-url"
description = "Database connection string with password"
regex = '''(?i)(?:postgres|mysql|mongodb)://[^:]+:[^@]+@[^/]+'''

Strengths:

Coverage breadth. 150+ built-in rules covering essentially every major service's credential format
Fast. Go binary scanning is significantly faster than Python-based tools on large histories
Flexible deployment: pre-commit hook, CI/CD step, or standalone scan
Actively maintained. New rules are added regularly as new secret formats emerge
Clear SARIF output integrates with GitHub Advanced Security, GitLab, and other platforms
Custom rules are TOML configs—readable and version-controllable
Supports history scanning with --log-opts

Weaknesses:

Regex-only in the primary rules. A secret in an unusual format that doesn't match the pattern will be missed
No credential verification. It tells you whether something looks like a Stripe secret key—not whether the key is currently valid
False positive rate depends on rule quality. The default rules are good but not perfect—base64 strings, test fixtures, and example values trigger alerts

Best for: Most teams. gitleaks is the pragmatic choice—broad coverage, easy setup, fast enough for CI, actively maintained.

TruffleHog

The most capable tool in this category. TruffleHog takes the most opinionated stance on what makes a secret detection tool valuable: verified credentials.

This dramatically reduces false positives. Verified results are P0—confirmed active credentials. Unverified results need human judgment.


# Scan a repository with verification
trufflehog git file://. --only-verified

# Scan git history
trufflehog git file://. --since-commit abc123

# Scan with JSON output
trufflehog git file://. --json --only-verified

Pre-commit setup:


# .pre-commit-config.yaml
repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.88.0
    hooks:
      - id: trufflehog
        args: ["git", "file://.", "--since-commit", "HEAD", "--only-verified"]

Strengths:

Verified detection is the most actionable output in this category. You know if you have an active leak
Entropy-first approach catches secrets in unusual formats that pure regex misses
History scanning is thorough—specifically designed to find secrets added and then deleted from git history
Scans beyond git: S3 buckets, Syslog, Docker images, filesystems, Slack, Confluence
700+ detectors with provider-specific verification logic

Weaknesses:

Slower than gitleaks. Verification API calls add latency—a full history scan can take 10-30x longer
Network-dependent. The verification phase requires outbound internet access
The verification calls themselves are a consideration in security-sensitive environments—you're sending potentially valid credentials to external APIs to confirm they work
More complex to configure and tune
--only-verified in pre-commit hooks means unverified secrets pass through silently

Choosing the Right Tool for Your Workflow

Solo Developers and Small Teams

Teams with Large Existing Codebases

Security Teams and Compliance-Driven Organizations


Developer commit
    │
    ▼
[gitleaks pre-commit hook]  ← Fast, offline, blocks known patterns
    │
    ▼
[Push to remote]
    │
    ▼
[gitleaks CI/CD action]     ← Catches bypassed hooks, SARIF reporting
    │
    ▼
[TruffleHog scheduled scan] ← Weekly history sweep, verified credentials

The Layering Strategy

For teams with serious secret hygiene requirements, the combination works because the tools cover different gaps:

gitleaks catches the 95% case: known credential patterns, fast, no network required
TruffleHog catches the 5% edge cases: unusual formats via entropy, deleted-then-removed secrets, and—critically—tells you which detected credentials are still active

This gives you low-latency pre-commit feedback plus high-confidence periodic validation.

Modern Secrets: OpenAI, Stripe, and AI Service Keys

A common question: which tool catches leaked OpenAI API keys, Anthropic keys, or other AI service credentials?

For a deeper look at why AI projects leak keys more frequently, see Why AI Projects Leak API Keys More Than Any Other Apps.

Beyond Open-Source: Platform-Native and Commercial Options

These four tools aren't the only option. Platform-native scanning (GitHub Secret Scanning, GitLab Secret Detection) and commercial platforms (GitGuardian, Snyk) offer additional capabilities:

GitHub Secret Scanning covers 200+ token formats and alerts both you and the token issuer—but only works on GitHub
GitGuardian provides centralized dashboards, historical monitoring, and team workflows—but requires a paid subscription
Snyk integrates secret scanning into a broader DevSecOps platform—but is also paid

For a comparison of all major options, see Top 10 Tools for Detecting API Key Leaks.

Conclusion

The right secret scanner is the one that gets used. A perfect detection tool that developers bypass because it's too slow or too noisy protects nothing.

Next steps:

Install gitleaks as a pre-commit hook today
Add a gitleaks GitHub Action to your CI pipeline
Run a one-time TruffleHog scan of your full repository history
Schedule weekly TruffleHog sweeps with --only-verified for ongoing monitoring
Review the results and rotate any active credentials found—if you discover a live leak, follow the emergency response guide

Rafter integrates gitleaks into broader code security analysis—treating credential detection as one layer in a full security assessment. Start a scan at rafter.so.