Gitleaks detects secrets, credentials, API keys, and other sensitive values accidentally committed to a Git repository.
It is included in this setup as a preventive security tool. Its purpose is to detect exposed secrets before they are pushed to a remote repository.
Gitleaks is installed through Homebrew:

```shell
brew install gitleaks
```

It is part of the curated Homebrew environment; see Homebrew setup to install everything at once.
Check that Gitleaks is available:

```shell
gitleaks version
```

From the root of a Git repository, scan the complete Git history with:

```shell
gitleaks git .
```

To scan only the current files without inspecting the Git history:

```shell
gitleaks dir .
```

Gitleaks returns a non-zero exit status when a potential secret is detected.
This makes it suitable for local validation scripts, pre-commit hooks, and continuous integration workflows.
Gitleaks should eventually be executed automatically through pre-commit.
The integration is intentionally handled separately from the Homebrew installation so that:
- Homebrew manages the executable.
- `pre-commit` manages when the scan is executed.
- The repository configuration remains explicit and version-controlled.
Until the pre-commit configuration is added, scans can be executed manually with:

```shell
gitleaks git .
```

A detected value is not always a real secret.
Before ignoring a finding:
- Confirm that the value is not an active credential.
- Revoke and replace it if it has already been exposed.
- Add a targeted exclusion only when the value is known to be safe.
Broad exclusions should be avoided because they can hide future leaks.
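The two points above, the exit-status contract that makes Gitleaks usable from local validation scripts and the rule that any exclusion must be targeted rather than broad, are shown together in the following added example. It is not code from the original page or from the Gitleaks project. It assumes the `gitleaks git` / `gitleaks dir` command layout used on this page together with the `--config`, `--no-banner` and `--redact` flags and the default exit code 1 on findings; the fixture path, the placeholder token and the `GITLEAKS_BIN` override are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Gitleaks project.
# Assumes the gitleaks v8.19+ command layout used on this page ("gitleaks git"
# for history, "gitleaks dir" for the working tree) and its root flags
# --config, --no-banner and --redact, plus the default exit code 1 on findings.
# GITLEAKS_BIN lets a caller substitute another command (used by the tests).

GITLEAKS_BIN="${GITLEAKS_BIN:-gitleaks}"

# Map a gitleaks exit status to a word the rest of the script can act on.
# 0 = nothing found, 1 = potential secrets found (the default --exit-code),
# anything else = the scan itself failed and must not be read as "clean".
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo leaks ;;
        *) echo error ;;
    esac
}

# Write a narrowly scoped .gitleaks.toml to $1. The fixture path and the
# placeholder token are constructed examples of a *targeted* exclusion: the
# path is anchored to one directory and the regex matches one known-safe
# literal, instead of a catch-all such as '.*' that would hide future leaks.
write_targeted_allowlist() {
    cat > "$1" <<'EOF'
# Keep the built-in detection rules; only add an allowlist on top.
[extend]
useDefault = true

[allowlist]
description = "Known-safe placeholder values in test fixtures"
paths = ['''^tests/fixtures/.*\.json$''']
regexes = ['''EXAMPLE_API_KEY_DO_NOT_USE''']
EOF
}

# Scan repository $1 in mode $2: "git" walks the full history, "dir" checks
# only the files currently on disk. Uses the repository's own .gitleaks.toml
# when one exists. Returns gitleaks' exit status unchanged.
scan_repo() {
    repo="$1"
    mode="${2:-git}"
    set -- "$mode" --no-banner --redact
    if [ -f "$repo/.gitleaks.toml" ]; then
        set -- "$@" --config "$repo/.gitleaks.toml"
    fi
    "$GITLEAKS_BIN" "$@" "$repo"
}

# Usage: sh secret_scan.sh [repo-path] [git|dir]
main() {
    repo="${1:-.}"
    mode="${2:-git}"
    scan_repo "$repo" "$mode"
    rc=$?
    case "$(classify_exit "$rc")" in
        clean) echo "no secrets detected in $repo ($mode scan)" ;;
        leaks) echo "potential secrets detected: confirm, revoke and replace before adding any exclusion" >&2 ;;
        error) echo "gitleaks did not complete (exit $rc); fix the scan before trusting the result" >&2 ;;
    esac
    return "$rc"
}

# Run only when invoked directly as secret_scan.sh, so the functions can be
# sourced from other validation scripts without starting a scan.
if [ "${0##*/}" = "secret_scan.sh" ]; then
    main "$@"
fi
```

Save the block as `secret_scan.sh` and run `sh secret_scan.sh . git` from the repository root; the script's exit status is Gitleaks' own, so a pre-commit hook or CI job can fail on it directly. The `error` branch matters: a missing binary or a bad config exits with a code other than 0 or 1, and treating that as a pass would silently disable the check.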
Remove Gitleaks with:

```shell
brew uninstall gitleaks
```

Then remove its entry from `profiles/full/Brewfile`.
Any related pre-commit hook must also be removed separately.
