Breach & Leak OSINT Verified May 16, 2026

Git Leaks

Gitleaks scans Git repositories for hardcoded secrets, API keys, and credentials to detect accidental sensitive data exposure.

Investigator Use

Gitleaks is an open-source SAST (static application security testing) tool designed to detect hardcoded secrets, API keys, passwords, and tokens in Git repositories and source code history. Developed in Go, it can scan local repositories, remote GitHub/GitLab/Bitbucket repos, and individual commits or branches.

For OSINT investigators and security researchers, Gitleaks is one of the most effective tools for discovering credential leakage in publicly accessible codebases. Developers frequently commit secrets accidentally — AWS keys, database passwords, Stripe tokens, Twilio credentials — and even after deletion, those secrets remain in Git history and are fully recoverable by anyone with read access.

In a typical OSINT engagement, Gitleaks is run against all public repositories associated with a target organization or individual. Common findings include cloud provider API keys that grant access to live infrastructure, database connection strings pointing to production systems, hardcoded authentication tokens for internal services, and OAuth client secrets for third-party integrations.

The tool uses a regex-based rule engine with a built-in ruleset covering over 150 secret patterns. Custom rules can be added via a TOML configuration file, allowing investigators to target organization-specific secrets or custom token formats.
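As an added illustration (not from the page or the Gitleaks project), a custom configuration that keeps the built-in ruleset and layers an organization-specific token rule on top of it; the organization name, token format, rule id and allowlisted paths are assumptions for the example.

```toml
# gitleaks.toml (added example; names and token format are hypothetical)
title = "ACME custom rules"

# Keep the built-in ruleset and add the custom rules below to it.
[extend]
useDefault = true

# Assumed internal token format: "acme_" + environment code + 32 alphanumerics.
[[rules]]
id = "acme-internal-token"
description = "ACME internal service token (assumed format)"
regex = '''\bacme_(pr|st|dv)_[A-Za-z0-9]{32}\b'''
keywords = ["acme_"]      # cheap substring pre-filter before the regex runs
entropy = 3.5             # skip low-entropy placeholders such as XXXX... strings
tags = ["internal", "token"]

# Rule-level allowlist: the documented sample value is not a live credential.
[rules.allowlist]
regexes = ['''acme_dv_EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000''']

# Global allowlist: paths that only ever hold fixtures, never real credentials.
[allowlist]
paths = [
  '''(^|/)testdata/.*''',
  '''.*\.lock$''',
]
```

Run it with `gitleaks detect --source <repo> --config gitleaks.toml --report-format json --report-path gitleaks-report.json`; the JSON report records the commit, file, line and rule id for every finding, which is the per-run record an investigator wants to keep.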

For corporate investigations, running Gitleaks against a target company's GitHub organization can expose their entire cloud credential inventory if their developers have poor secrets hygiene. This makes it an essential first step in any infrastructure reconnaissance workflow.

Operational considerations: Always verify that you are operating within the scope of an authorized engagement before running Gitleaks against any repository. Scanning public repositories for security research is generally acceptable, but using discovered secrets to access live systems without authorization is illegal. Use found credentials only to report the exposure.

Document each run with the repository URL, commit range scanned, and any secrets found. Pair Gitleaks with TruffleHog and GitHub's own secret scanning for comprehensive coverage.
