# claudleak

Scans public GitHub repositories for leaked credentials in AI coding tool configuration files (`.claude/`, `.cursor/`, `.continue/`, `.codex/`, `CLAUDE.md`, `AGENTS.md`, etc.). Uses TruffleHog for secret detection.
Example from a `.claude/` directory, with a credential inlined into a permissions allow rule:

```json
{
  "permissions": {
    "allow": [
      "Bash(go build:*)",
      "Bash(RAPID7_ENCRYPTED_CREDS='eP3g488hQ23QiU4kJahhwPKs3PyE' go test ./pkg/agents/ -run TestRules -v -count=1 -timeout 30s)",
      "Bash(gcloud sql instances list:*)"
    ]
  }
}
```

## Installation

```sh
go install github.com/niels/claudleak/cmd/claudleak@latest
```

Or build from source:
```sh
git clone https://github.com/niels/claudleak.git
cd claudleak
go build -o claudleak ./cmd/claudleak/
```

## Usage

```sh
GITHUB_TOKEN="ghp_..." ./claudleak
```

### Flags

| Flag | Default | Description |
|---|---|---|
| `--token` | `$GITHUB_TOKEN` | GitHub personal access token |
| `--max-repos` | `100` | Maximum repositories to scan |
| `--workers` | CPU count | Concurrent clone/scan workers |
| `--json` | `false` | Output results as JSON |
| `--output` | stdout | Write results to file |
| `--verified-only` | `false` | Only show verified credentials |
| `--org` / `--user` | | Only scan repos owned by this GitHub user or org |
| `--verbose` | `false` | Show progress/debug info |
### Examples

```sh
# Scan up to 50 repos, output JSON to file
claudleak --max-repos 50 --json --output results.json

# Verbose scan with 4 workers
claudleak --workers 4 --verbose

# Scan a specific org, only verified secrets
claudleak --org microsoft --verified-only
```

## How it works

- Discovery — Searches GitHub Code Search for repositories containing AI coding tool config files
- Clone — Clones matching repositories to a temp directory
- Scan — Runs TruffleHog against each clone, filtering findings to AI config paths
- Report — Outputs a table (or JSON) of detected secrets
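The path filter behind the Scan step, as an added example that is not the project's own code: it reads newline-delimited TruffleHog JSON, keeps only results whose file sits in one of the config locations listed at the top of this README, and honours a verified-only switch like `--verified-only`. The `SourceMetadata.Data.Git.file` layout is assumed from TruffleHog's `--json` output, and the three sample result lines are constructed, not real scanner output.

```go
package main

import (
	"bytes"
	"encoding/json"
	"path"
)

// IsAIConfigPath reports whether a repo-relative path is one of the README's AI config
// locations: CLAUDE.md/AGENTS.md by name, or anything under .claude/, .cursor/, .continue/ or .codex/.
func IsAIConfigPath(p string) bool {
	for p = path.Clean(p); p != "." && p != "/"; p = path.Dir(p) {
		switch path.Base(p) {
		case ".claude", ".cursor", ".continue", ".codex", "CLAUDE.md", "AGENTS.md":
			return true
		}
	}
	return false
}

// Finding is the subset of a TruffleHog --json result used here; the nested layout is
// assumed from TruffleHog's git-source output (encoding/json matches keys case-insensitively).
type Finding struct {
	SourceMetadata struct{ Data struct{ Git struct{ File string } } }
	DetectorName   string
	Verified       bool
}

// FilterFindings keeps only findings located in AI config paths from newline-delimited
// TruffleHog JSON; verifiedOnly mirrors the --verified-only flag.
func FilterFindings(ndjson []byte, verifiedOnly bool) ([]Finding, error) {
	var out []Finding
	dec := json.NewDecoder(bytes.NewReader(ndjson))
	for dec.More() {
		var f Finding
		if err := dec.Decode(&f); err != nil {
			return nil, err
		}
		if IsAIConfigPath(f.SourceMetadata.Data.Git.File) && (f.Verified || !verifiedOnly) {
			out = append(out, f)
		}
	}
	return out, nil
}

// SampleOutput is constructed to resemble three TruffleHog result lines; it is not real output.
const SampleOutput = `{"SourceMetadata":{"Data":{"Git":{"file":".claude/settings.json"}}},"DetectorName":"Rapid7","Verified":true}
{"SourceMetadata":{"Data":{"Git":{"file":"src/main.go"}}},"DetectorName":"AWS","Verified":true}
{"SourceMetadata":{"Data":{"Git":{"file":"tools/.cursor/rules"}}},"DetectorName":"Github","Verified":false}`
```

With `verifiedOnly` false the sample yields two findings (the `.claude/settings.json` and `tools/.cursor/rules` hits, the `src/main.go` one is dropped as outside AI config paths); with it true only the verified `.claude/settings.json` result remains.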
## Project layout

```
cmd/claudleak/main.go   CLI entrypoint
pkg/config/             Config parsing
pkg/discovery/          GitHub repo discovery
pkg/cloner/             Git clone operations
pkg/scanner/            TruffleHog secret scanning
pkg/reporter/           Table/JSON output
```
## Exit codes

- `0` — No secrets found
- `1` — Secrets found (or runtime error)
- `2` — Configuration error