A new open-source utility called Betterleaks has been released to scan directories, files, and git repositories for exposed secrets such as credentials, API keys, and tokens that developers may have inadvertently committed. It comes from the team behind the widely adopted Gitleaks scanner, now backed by Aikido Security, and is positioned as that tool's successor. Gitleaks had accumulated over 26 million downloads on GitHub and more than 35 million pulls across Docker and GitHub Container Registry.
Betterleaks introduces several technical improvements. Rules can carry their own validation logic written in Common Expression Language (CEL), so a match can be checked against a predicate rather than accepted on the regex alone. Candidate strings are scored by token efficiency under BPE tokenization rather than by character entropy: random secrets compress poorly under a vocabulary learned from code and prose, so they cost far more tokens per character than identifiers, paths, or ordinary words. On the CredData dataset this approach achieves 98.6 percent recall, against 70.4 percent for entropy-based detection. The tool also handles doubly and triply encoded secrets automatically, ships an expanded rule set covering more providers, and parallelizes Git history scanning for faster repository analysis.
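To make the entropy-versus-tokenization distinction concrete, here is an added example that is not Betterleaks code and does not reproduce the tool's actual heuristics or thresholds, which this page does not describe. It trains a tiny BPE vocabulary on a constructed code snippet, then scores candidate strings by both Shannon entropy (bits per character) and token efficiency (tokens per character). The corpus, the sample lines, the two made-up key values, and the two thresholds are all constructed for the illustration.

```python
import math
import re
from collections import Counter

# Constructed "repository" text used to learn a tiny BPE vocabulary.
# A real scanner would use a vocabulary trained on a large code/prose corpus.
CORPUS = """
def load_config(path):
    config = read_file(path)
    return parse_config(config)
def parse_config(text):
    return dict(line.split("=") for line in text.splitlines())
config = load_config("settings.conf")
database_password = config["database_password"]
"""

# Constructed sample lines to scan; both key values are made up.
HEX_SECRET = "8f3a8f3a1b2c1b2c9d4e9d4e7a5f7a5f"      # 32 hex chars, 14 distinct
BASE64ISH_SECRET = "xKq7Zt2VwB9mPn4Rj8LyUc5Ds6Hv"   # 28 chars, all distinct
SAMPLE_LINES = [
    'database_password = config["database_password"]',
    f'api_key = "{HEX_SECRET}"',
    f'token = "{BASE64ISH_SECRET}"',
]

MIN_CANDIDATE_LEN = 16      # assumed: skip short identifiers
ENTROPY_THRESHOLD = 4.0     # assumed: bits per character
EFFICIENCY_THRESHOLD = 0.5  # assumed: tokens per character


def merge_pair(symbols, pair):
    """Replace every adjacent occurrence of `pair` with its concatenation."""
    out, i = [], 0
    while i < len(symbols):
        if i + 1 < len(symbols) and (symbols[i], symbols[i + 1]) == pair:
            out.append(symbols[i] + symbols[i + 1])
            i += 2
        else:
            out.append(symbols[i])
            i += 1
    return out


def train_bpe(corpus, max_merges):
    """Learn BPE merges over the word-character runs of `corpus`, most frequent
    pair first; stops early once every training word is a single token."""
    words = Counter(re.findall(r"\w+", corpus))
    symbols = {w: list(w) for w in words}
    merges = []
    for _ in range(max_merges):
        pairs = Counter()
        for w, freq in words.items():
            for a, b in zip(symbols[w], symbols[w][1:]):
                pairs[(a, b)] += freq
        if not pairs:
            break
        best = max(pairs, key=lambda p: (pairs[p], p))  # deterministic tie-break
        merges.append(best)
        for w in words:
            symbols[w] = merge_pair(symbols[w], best)
    return merges


def tokenize(word, merges):
    """Apply learned merges in order; a training word collapses to one token."""
    symbols = list(word)
    for pair in merges:
        if len(symbols) == 1:
            break
        symbols = merge_pair(symbols, pair)
    return symbols


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def token_efficiency(s, merges):
    """Tokens per character: 1.0 means nothing merged, i.e. the string looks random."""
    return len(tokenize(s, merges)) / len(s)


def scan_line(line, merges):
    """Score every sufficiently long word-character run with both heuristics."""
    findings = []
    for word in re.findall(r"\w+", line):
        if len(word) < MIN_CANDIDATE_LEN:
            continue
        ent, eff = shannon_entropy(word), token_efficiency(word, merges)
        findings.append({"candidate": word, "entropy": round(ent, 3),
                         "tokens_per_char": round(eff, 3),
                         "entropy_flag": ent >= ENTROPY_THRESHOLD,
                         "bpe_flag": eff >= EFFICIENCY_THRESHOLD})
    return findings


MERGES = train_bpe(CORPUS, 200)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for f in scan_line(line, MERGES):
            print(f"{f['candidate']:34} entropy={f['entropy']:.3f} tok/char="
                  f"{f['tokens_per_char']:.3f} entropy={f['entropy_flag']} bpe={f['bpe_flag']}")
```

The hex key is the instructive case: a hex alphabet caps entropy at 4 bits per character, so this value scores 3.75 and falls under a threshold tuned for base64-like strings, while under the learned vocabulary it costs a full token per character and is flagged. The identifier `database_password` is cheap under both measures, and the base64-like key is caught by both. Entropy scanners compensate by tuning thresholds per alphabet; token cost does not depend on the alphabet, only on how familiar the substrings are.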
The project is released under the MIT license and maintained by Zach Rice, the author of Gitleaks, with contributors from the Royal Bank of Canada, Red Hat, and Amazon. Planned releases will add data sources beyond Git repositories, LLM-assisted analysis to improve secret classification, automatic revocation of discovered secrets through provider APIs, and permissions mapping for discovered credentials. The design accommodates both human-driven workflows and AI agent automation, with CLI features tuned for scanning AI-generated code. Betterleaks aims to help organizations find exposed secrets before threat actors discover and exploit them in public repositories.
