Skip to content
Latchkey

gitleaks "failed to load config" in CI

gitleaks tried to read the configuration you pointed it at and could not parse it. It aborts before scanning, so the failure is a config problem, not a leak.

What this error means

gitleaks exits early with "failed to load config" and a TOML decode error, or "no such file or directory" for the --config / GITLEAKS_CONFIG path.

gitleaks
9:04AM FTL failed to load config error="toml: line 14 (last key \"regex\"):
expected value but found '\n' instead"

Common causes

A TOML syntax error in .gitleaks.toml

A missing value, unclosed multi-line string, or a bad [[rules]] table stops the TOML decoder before any scan runs.

A wrong --config path in CI

The --config flag or GITLEAKS_CONFIG env points to a path that does not exist on the runner, for example a file not checked out.

How to fix it

Validate the TOML and the path

  1. Read the line number in the decode error and fix the malformed key or string.
  2. Confirm the config path exists relative to the runner working directory.
  3. Re-run gitleaks; a clean parse proceeds to the scan.
Terminal
gitleaks detect --source . --config .gitleaks.toml --no-banner

Extend the default config instead of replacing it

Base your file on the shipped default so required top-level keys are present, then add only your extra rules and allowlist.

.gitleaks.toml
[extend]
useDefault = true

[[rules]]
id = "internal-token"
regex = '''intl_[a-z0-9]{32}'''

How to prevent it

  • Lint the TOML config in CI before running the scan.
  • Prefer [extend] useDefault = true over hand-writing every rule.
  • Keep the config path stable and checked into the repo.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →