gitleaks "failed to load config" in CI
gitleaks tried to read the configuration you pointed it at and could not parse it. It aborts before scanning, so the failure is a config problem, not a leak.
What this error means
gitleaks exits early with "failed to load config" and a TOML decode error, or "no such file or directory" for the --config / GITLEAKS_CONFIG path.
9:04AM FTL failed to load config error="toml: line 14 (last key \"regex\"):
expected value but found '\n' instead"Common causes
A TOML syntax error in .gitleaks.toml
A missing value, unclosed multi-line string, or a bad [[rules]] table stops the TOML decoder before any scan runs.
A wrong --config path in CI
The --config flag or GITLEAKS_CONFIG env points to a path that does not exist on the runner, for example a file not checked out.
How to fix it
Validate the TOML and the path
- Read the line number in the decode error and fix the malformed key or string.
- Confirm the config path exists relative to the runner working directory.
- Re-run gitleaks; a clean parse proceeds to the scan.
gitleaks detect --source . --config .gitleaks.toml --no-bannerExtend the default config instead of replacing it
Base your file on the shipped default so required top-level keys are present, then add only your extra rules and allowlist.
[extend]
useDefault = true
[[rules]]
id = "internal-token"
regex = '''intl_[a-z0-9]{32}'''How to prevent it
- Lint the TOML config in CI before running the scan.
- Prefer
[extend] useDefault = trueover hand-writing every rule. - Keep the config path stable and checked into the repo.