Fast secret & credential scanner for codebases and git history
leaked scans your codebase and git history for accidentally committed secrets — API keys, tokens, passwords, private keys, and more. It detects 50+ secret types with zero configuration and presents results in a beautiful terminal UI.
Secrets accidentally committed to git are the #1 cause of credential breaches. Once pushed, they live forever in git history — even after deletion. leaked catches them before damage is done.
| Feature | leaked | truffleHog | gitleaks |
|---|---|---|---|
| Beautiful terminal UI | ✅ Rich panels & tables | ❌ Plain text | ❌ Plain text |
| Zero config | ✅ Works instantly | ❌ Needs setup | ✅ |
| Pre-commit hook | ✅ Built-in | ✅ | ✅ |
| Git history scan | ✅ | ✅ | ✅ |
| Pure Python | ✅ pip install | ❌ Go binary | ❌ Go binary |
| CI exit codes | ✅ | ✅ | ✅ |
| JSON export | ✅ | ✅ | ✅ |
```bash
pip install leaked
```

Or from source:

```bash
git clone https://github.com/mimonimo/leaked.git
cd leaked
pip install -e .
```

```bash
# Scan all files in current directory
leaked scan

# Scan a specific path
leaked scan /path/to/project

# Scan a single file
leaked scan config.py
```

```bash
# Scan entire git history
leaked git-scan

# Scan last 50 commits
leaked git-scan -n 50

# Scan specific branch
leaked git-scan -b feature/auth
```

```bash
# Test on staged files
leaked pre-commit

# Add to .git/hooks/pre-commit:
#!/bin/sh
leaked pre-commit
```

Or with pre-commit:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/mimonimo/leaked
    rev: v1.0.0
    hooks:
      - id: leaked
        entry: leaked pre-commit
        language: python
```

```yaml
# GitHub Actions
- name: Scan for secrets
  run: |
    pip install leaked
    leaked scan --exit-code
```

```yaml
# GitLab CI
secret-scan:
  script:
    - pip install leaked
    - leaked scan --exit-code
```

```bash
# JSON output
leaked scan -j results.json
leaked git-scan -j history-results.json
```

```bash
# See all 50+ detection rules
leaked rules
```

leaked ships with 50+ detection rules across 13 categories:
| Rule | Severity | Example Pattern |
|---|---|---|
| AWS Access Key ID | CRITICAL | `AKIA...` |
| AWS Secret Access Key | CRITICAL | `aws_secret_access_key = ...` |
| GCP Service Account Key | CRITICAL | `"type": "service_account"` |
| GCP API Key | HIGH | `AIza...` |
| Azure Storage Key | CRITICAL | `AccountKey=...` |
| HashiCorp Vault Token | CRITICAL | `hvs.xxx` |

| Rule | Severity | Example Pattern |
|---|---|---|
| GitHub PAT (classic) | CRITICAL | `ghp_...` |
| GitHub Fine-Grained Token | CRITICAL | `github_pat_...` |
| GitLab PAT | CRITICAL | `glpat-...` |
| NPM Token | CRITICAL | `npm_...` |
| PyPI Token | CRITICAL | `pypi-...` |

| Rule | Severity | Example Pattern |
|---|---|---|
| Stripe Secret Key | CRITICAL | `sk_live_...` |
| Slack Bot Token | HIGH | `xoxb-...` |
| SendGrid API Key | HIGH | `SG.xxx.xxx` |
| Twilio API Key | HIGH | `SK...` |
| Discord Webhook | MEDIUM | `discord.com/api/webhooks/...` |

| Rule | Severity | Example Pattern |
|---|---|---|
| Anthropic API Key | CRITICAL | `sk-ant-api03-...` |
| OpenAI API Key | CRITICAL | `sk-...T3BlbkFJ...` |
| OpenAI Project Key | CRITICAL | `sk-proj-...` |

| Rule | Severity | Example Pattern |
|---|---|---|
| Private Key (RSA/EC/DSA) | CRITICAL | `-----BEGIN PRIVATE KEY-----` |
| JWT Token | MEDIUM | `eyJhbG...` |
| Database Connection String | CRITICAL | `postgres://user:pass@host` |
| Basic Auth in URL | HIGH | `https://user:pass@host` |
| Hardcoded Password | MEDIUM | `password = "..."` |

- E-commerce: Shopify tokens
- Messaging: Telegram, Discord bots
- Monitoring: Datadog API keys
- Container: Docker Hub PATs
- Package Registry: NPM, PyPI tokens
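To make the rule tables concrete, here is a small regex-based scanner in the same style. It is an added example, not code from the leaked project: the patterns, severities, masking format (first 4 characters plus `****`), severity ordering and JSON shape are all assumptions modelled on the README's descriptions, and the sample file contents are constructed (the AWS key is the placeholder from the AWS documentation, not a live credential).

```python
"""Toy secret scanner modelled on the rule tables above (added example,
not leaked's own code; rules and output format are assumptions)."""
import json
import re
from dataclasses import asdict, dataclass

# Sort order used for results: CRITICAL first, as the README describes.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Hypothetical rule set keyed on the distinctive prefixes shown in the tables.
# Group 1 is the secret itself. Production rules also validate length,
# charset and surrounding context to keep false positives down.
RULES = [
    ("AWS Access Key ID", "CRITICAL",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("GitHub PAT (classic)", "CRITICAL",
     re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("GitLab PAT", "CRITICAL",
     re.compile(r"\b(glpat-[A-Za-z0-9_-]{20})\b")),
    ("Slack Bot Token", "HIGH",
     re.compile(r"\b(xoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+)\b")),
    ("Private Key (RSA/EC/DSA)", "CRITICAL",
     re.compile(r"(-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----)")),
    ("JWT Token", "MEDIUM",
     re.compile(r"\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})")),
    ("Hardcoded Password", "MEDIUM",
     re.compile(r"""password\s*=\s*["']([^"']{8,})["']""", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    preview: str  # masked form only; the full secret never leaves the matcher


def mask(secret: str) -> str:
    """Keep the first 4 characters and replace the rest, so reports and
    CI logs do not themselves become a second leak."""
    return secret[:4] + "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Match every rule against every line; results sorted CRITICAL first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(name, severity, path, lineno, mask(m.group(1))))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))
    return findings


def exit_code(findings: list[Finding]) -> int:
    """CI behaviour of a --exit-code style flag: non-zero when anything was found."""
    return 1 if findings else 0


def to_json(findings: list[Finding]) -> str:
    """JSON export; previews are already masked, so this is safe to archive."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample input; the AKIA value is the AWS docs' example key.
SAMPLE_CONFIG = """\
# constructed sample, no real credentials
DEBUG = True
password = "hunter2-but-longer"
SLACK = "xoxb-1234567890-1234567890-abcdefghijklmnop"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    results = scan_text("config.py", SAMPLE_CONFIG)
    for f in results:
        print(f"{f.severity:<9} {f.rule:<24} {f.path}:{f.line}  {f.preview}")
    raise SystemExit(exit_code(results))
```

Running the module prints three masked findings in severity order and exits 1, which is exactly the contract a CI job relies on. The masking happens at match time, before anything is stored or serialised, so neither the terminal output nor the JSON export can reintroduce the secret.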
```text
╔═══════════════════════════════════════════════════════╗
║                                                       ║
║              _            _            _              ║
║             | | ___  __ _| | _____  __| |             ║
║             | |/ _ \/ _` | |/ / _ \/ _` |             ║
║             | |  __/ (_| |   <  __/ (_| |             ║
║             |_|\___|\__,_|_|\_\___|\__,_|             ║
║                                                       ║
║         v1.0.0 — Secret & Credential Scanner          ║
║                                                       ║
╚═══════════════════════════════════════════════════════╝

Target: /home/user/my-project
Rules:  50 detection patterns loaded

⚠ Found 3 potential secret(s)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Severity     Type                 File             Line
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  ✘ CRITICAL   AWS Access Key ID    config.py        12
  ✘ HIGH       Slack Bot Token      .env.example     3
  ⚠ MEDIUM     Suspicious File      .env             0

╭─────────────── 🔎 Scan Summary — my-project ────────────────╮
│ ╔═══════════════════════╤════════════════════════════════╗ │
│ ║ Status                │ ✘ 3 SECRET(S) FOUND            ║ │
│ ║ Files scanned         │ 142                            ║ │
│ ║ Files skipped         │ 38                             ║ │
│ ║ Duration              │ 0.34s                          ║ │
│ ║                       │                                ║ │
│ ║ ✘ CRITICAL            │ 1                              ║ │
│ ║ ✘ HIGH                │ 1                              ║ │
│ ║ ⚠ MEDIUM              │ 1                              ║ │
│ ╚═══════════════════════╧════════════════════════════════╝ │
╰─────────────────────────────────────────────────────────────╯
```
- File Scanner — Walks the directory tree, skipping binaries, `node_modules`, `.git`, etc. Reads each text file and matches it against all rules.
- Git Scanner — Iterates through git commits, extracts diffs, and scans added lines for secrets. Catches secrets that were committed and later removed.
- Pre-commit Scanner — Only checks staged changes (`git diff --cached`), so it runs in milliseconds.

- Automatically skips binary files, images, fonts, archives
- Skips `node_modules`, `.git`, `__pycache__`, `venv`, `dist`, `build`
- Masks detected secrets in output (shows first 4 chars + `****`)
- Files > 1MB are skipped to maintain speed
- Results sorted by severity (CRITICAL first)
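The git and pre-commit scanners above both work on diff output and look only at added lines, which is why a secret that was committed and later deleted still shows up in a history scan, and why a pre-commit check stays fast. The following added example (not leaked's own implementation) shows that approach on a constructed `git diff --cached` style unified diff: it tracks new-file line numbers across hunks, ignores removed and context lines, applies the skip list and size limit from the list above, and runs a single hypothetical AWS-style pattern over what remains. Directory names, binary suffixes and the pattern are assumptions for illustration.

```python
"""Scan only the added lines of a unified diff, in the manner of the
pre-commit and git scanners described above (added example, not
leaked's code; skip lists and the demo pattern are assumptions)."""
import re
from pathlib import PurePosixPath

SKIP_DIRS = {"node_modules", ".git", "__pycache__", "venv", "dist", "build"}
BINARY_SUFFIXES = {".png", ".jpg", ".gif", ".woff", ".ttf", ".zip", ".gz", ".pdf", ".exe"}
MAX_BYTES = 1_000_000  # files over 1 MB are skipped, as the README states

# One illustrative rule; a real scanner would iterate over its full rule set.
DEMO_PATTERN = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def should_skip(path: str, size: int = 0) -> bool:
    """Skip vendored/build directories, binary-looking files and huge files."""
    p = PurePosixPath(path)
    if any(part in SKIP_DIRS for part in p.parts):
        return True
    if p.suffix.lower() in BINARY_SUFFIXES:
        return True
    return size > MAX_BYTES


def added_lines(diff_text: str):
    """Yield (path, new_line_number, text) for every '+' line in a unified diff."""
    path = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            path = None  # reset so a binary or deleted file never inherits a path
            continue
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = None if target == "/dev/null" else target.removeprefix("b/")
            continue
        if raw.startswith("--- ") or raw.startswith("index "):
            continue
        if raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            new_lineno = int(m.group(1)) if m else 0
            continue
        if path is None:
            continue  # "new file mode", "Binary files ... differ", etc.
        if raw.startswith("+"):
            yield path, new_lineno, raw[1:]
            new_lineno += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line or "\ No newline at end of file": no new-file line
        else:
            new_lineno += 1  # unchanged context line


def scan_staged_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """Return (path, line, masked_preview) for each hit on an added line."""
    hits = []
    for path, lineno, text in added_lines(diff_text):
        if should_skip(path):
            continue
        for m in DEMO_PATTERN.finditer(text):
            hits.append((path, lineno, m.group(1)[:4] + "****"))
    return hits


# Constructed sample diff: one real-looking edit, one file under node_modules
# (skipped), one binary file. The AKIA value is the AWS docs' placeholder.
SAMPLE_DIFF = """\
diff --git a/src/config.py b/src/config.py
index 1111111..2222222 100644
--- a/src/config.py
+++ b/src/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+# constructed sample: the AWS docs' placeholder key, not a live credential
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+REGION = "eu-west-1"
 DEBUG = False
diff --git a/node_modules/vendor/creds.js b/node_modules/vendor/creds.js
new file mode 100644
--- /dev/null
+++ b/node_modules/vendor/creds.js
@@ -0,0 +1 @@
+const key = "AKIAIOSFODNN7EXAMPLE";
diff --git a/logo.png b/logo.png
new file mode 100644
Binary files /dev/null and b/logo.png differ
"""

if __name__ == "__main__":
    for path, line, preview in scan_staged_diff(SAMPLE_DIFF):
        print(f"{path}:{line}  {preview}")
```

Wired into a hook, the same function would read `git diff --cached` from a subprocess instead of `SAMPLE_DIFF` and exit non-zero on any hit. Reporting the new-file line number (3 here, not the diff's own offset) is what lets the developer jump straight to the offending line in the editor.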
```bash
# Exclude test fixtures
leaked scan -e test_fixtures -e mock_data

# Multiple excludes
leaked scan -e "*.test.js" -e "fixtures/"
```

```bash
# Exit with code 1 if any secrets found
leaked scan --exit-code

# Minimal output (no previews)
leaked scan --no-preview --exit-code
```

leaked is designed to help developers find and remove accidentally committed secrets from their own repositories. Always use this tool responsibly and only on codebases you have authorization to scan.
Contributions welcome! Areas of interest:
- New detection rules for additional services
- Custom rule configuration (YAML/TOML)
- Entropy-based secret detection
- IDE integrations
MIT License — see LICENSE for details.
Made with security in mind by @mimonimo
