gitleaks detect: Scan Git History for Secrets
gitleaks detect scans git history for secrets and exits 1 when at least one leak is found, 0 when clean.
detect is the default subcommand for scanning a repository that already has history. In v8 it walks commits via git log; point it at a path with --source.
What it does
gitleaks detect runs the rule set against git history. It exits 0 with no leaks, 1 when leaks are found, and 126 on a usage or config error. Use gitleaks dir (v8.19+) or --no-git to scan files on disk instead of commits.
Common usage
gitleaks detect --source . --verbose
# only the latest range in a PR
gitleaks detect --source . --log-opts="origin/main..HEAD"
# scan working tree files, not git history
gitleaks detect --source . --no-gitOptions
| Flag | What it does |
|---|---|
| --source <path> | Directory or repo to scan (default ".") |
| --no-git | Treat the path as files on disk, ignore git history |
| --log-opts <opts> | Pass git log options, e.g. a commit range |
| -c, --config <file> | Path to a .gitleaks.toml rule/allowlist config |
| --report-format <fmt> | json, csv, junit, sarif (default json) |
| -r, --report-path <file> | Write the report to a file |
| -v, --verbose | Print each finding to stdout |
| --exit-code <n> | Exit code to use when leaks are found (default 1) |
In CI
gitleaks exits 1 on a finding, which fails the job by default, so no extra wiring is needed. To collect evidence, add --report-format sarif --report-path gitleaks.sarif and upload it (see the gitleaks SARIF page). For shallow clones, fetch full history with fetch-depth: 0 or detect sees only the tip commit.
Common errors in CI
"failed to get commits: ... unknown revision" with --log-opts means the range refers to a ref the shallow checkout never fetched; set actions/checkout fetch-depth: 0. "[git] fatal: not a git repository" means --source points outside a repo; use --no-git to scan plain files. A job that mysteriously passes on a known leak usually scanned only HEAD because history was shallow.