Security News

Cybersecurity news aggregator


Betterleaks: The Gitleaks Successor Built for Faster Secrets Scanning

  • What: Betterleaks, a new secrets scanner, is introduced as a Gitleaks successor
  • Impact: Developers and security professionals can use it for faster secret detection

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

Written by Zach Rice. Published on: Mar 12, 2026

TL;DR: Betterleaks is a new open source secrets scanner from the author of Gitleaks, sponsored by Aikido. It's a drop-in replacement for Gitleaks with new filters, configurable validation, faster scans, more options, and built for the agentic era.

Why Betterleaks?

Secrets leak everywhere and I love finding them. Eight years ago I wrote the first lines of code for Gitleaks and have been obsessed with finding secrets since discovering my first live credential on GitHub. I’m in it for the love of the game. Gitleaks grew from a small project to a name recognized by security professionals, hackers, and developers. At the time of writing, Gitleaks boasts: the most starred secrets scanner on GitHub, downloaded 26M times on GitHub and 1.2M times via `brew install`, and pulled 35M times by Docker and GHCR. It’s used both as an internal tool and sold as a product by companies big and small.

So why make a new project? To be transparent, I don’t have full control over the Gitleaks repo and name anymore. It sucks, but it also gives me the opportunity to start something fresh. Something… better?

Betterleaks v1.0.0

Betterleaks is the successor to Gitleaks. We’re dropping the “git” and slapping “better” on it because that’s what it is, better. Normative determinism anyone? I joined Aikido Security as Head of Secrets Scanning with a simple goal: build the best open source secrets scanner. So giddyup, we’re building it. Here’s a quick summary of where Betterleaks is today. It’s a drop-in replacement for Gitleaks with a bunch of new features. That means your old Gitleaks CLI options will continue working and old configs will work out of the box, it’ll just run faster.
Here are some of the features we ship v1 with:

  • Rule Defined Validation: Validation logic in Betterleaks is written using the Common Expression Language (CEL).
  • Token Efficiency Scanning: Instead of relying on entropy to filter candidate secrets, Betterleaks uses a technique based on BPE tokenization (which I wrote about in Rare Not Random). By measuring how efficiently a BPE tokenizer compresses a string, we get a nice signal boost. Against the CredData dataset, token efficiency hits 98.6% recall compared to entropy's 70.4%.
  • Pure Go (No CGO): We wanted fast scanning without relying on CGO and Hyperscan. Deploy it anywhere.
  • Default Encoding Detection: Betterleaks handles doubly and triply encoded secrets by default.
  • More Rules: New providers powering your organization are popping up all the time and we’re focused on adding them. It’s super easy to write new rules and validation logic for Betterleaks, so come on and open a PR!
  • Parallelized Git Scanning: Betterleaks scans git repos faster than any other tool when parallelized git scanning is enabled.

What’s next for Betterleaks?

V1 already improves on Gitleaks quite a bit, but we have more planned in V2, like:

  • Scanning more sources: Betterleaks supports scanning git repos and files (including stdin), but that’s not enough. We want to scan everything and make it easy to add new sources. Like stupid easy. Like adding-a-single-file-to-the-repo easy.
  • LLM Assist: Call out to a local or remote LLM with anonymized data for an extra layer of confidence, or to classify generic secrets and generate potential auth methods based on context.
  • New filters: Token Efficiency is a teaser, but we have more planned.
  • Auto-Revocation: Some secrets providers expose APIs for revoking secrets. We intend to support that via config.
  • Permissions Mapping: Knowing if a secret is live or not is great, but knowing what that secret has access to and what it can do (like delete prod) is even better.
  • Faster Speeds: There are bound to be some untapped optimizations; we just gotta find them.
  • Less cumbersome (better) config: Gitleaks has a solid config, but it can be a little confusing to tweak at times. We want to flatten the config even further and expose CEL-based filtering rather than allowlists. Version 2.x.x’s config will be fully backwards compatible with v1 (and your old gitleaks configs).

Did I mention I’m not working alone?

Maintaining Gitleaks over the years, I’ve engaged with lots of community members. Probably hundreds of folks. There are three in particular that have been extraordinarily helpful and will help me maintain Betterleaks. Having four maintainers instead of one will help ensure project stability, governance, and longevity.

  • Richard Gomez: a director of software development in the Royal Bank of Canada's Global Security group. A longtime Gitleaks contributor and Microsoft Security Response Center 2024 Most Valuable Researcher, Richard helped launch RBC's Open Source Program Office, and is passionate about strengthening the open-source ecosystem that modern security depends on.
  • Braxton Plaxco: a Senior Information S...
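The Token Efficiency Scanning and Default Encoding Detection features listed above can be modelled together in a small Python scanner. This is an added example written for this page, not Betterleaks or Gitleaks code: the subword vocabulary is a constructed stand-in for a real BPE tokenizer, the candidate regex, decoders and thresholds are assumptions, and the sample config and placeholder secret are constructed. It shows why a tokenizer trained on ordinary text separates prose from secret-like strings more sharply than per-character entropy does, and how peeling base64/hex layers lets a doubly encoded value be scored as plaintext.

```python
import base64
import binascii
import math
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a learned BPE vocabulary (hypothetical; a real tokenizer
# is trained on data). Common English/code fragments are single tokens; anything
# else falls back to one token per character, which is what makes secrets "expensive".
VOCAB = {
    "configuration", "password", "example", "secret", "config", "token", "value",
    "https", "http", "user", "name", "with", "tion", "true", "false", "null",
    "://", "the", "and", "for", "api", "key", "ing", "www", ".com",
    "er", "in", "on", "at", "an", "en", "re", "es", "ed", "or", "ar", "al", "le",
    "is", "it", "se", "th", "ou", "ve", "co", "de", "ra", "ro", "li", "ri", "ic",
    "ne", "ta", "ha", "as", "to", "of", " ", "=", "_", "-", "\n",
}
MAX_TOKEN = max(len(t) for t in VOCAB)


def tokenize(s: str) -> List[str]:
    """Greedy longest-match tokenizer over VOCAB; unknown characters cost one token each."""
    tokens = []
    i = 0
    while i < len(s):
        for length in range(min(MAX_TOKEN, len(s) - i), 0, -1):
            piece = s[i:i + length]
            if length == 1 or piece in VOCAB:
                tokens.append(piece)
                i += length
                break
    return tokens


def token_efficiency(s: str) -> float:
    """Characters per token: high for ordinary text, close to 1.0 for secret-like strings."""
    return len(s) / len(tokenize(s)) if s else 0.0


def shannon_entropy(s: str) -> float:
    """Bits per character, the classic entropy filter that token efficiency is compared against."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _try_decode(s: str) -> Optional[str]:
    """Return the printable-ASCII plaintext behind one base64 or hex layer, else None."""
    for decoder in (lambda x: base64.b64decode(x, validate=True), binascii.unhexlify):
        try:
            raw = decoder(s)
        except (binascii.Error, ValueError):
            continue
        if raw and raw.isascii() and raw.decode("ascii").isprintable():
            return raw.decode("ascii")
    return None


def decode_layers(candidate: str, max_depth: int = 3) -> List[Tuple[int, str]]:
    """Peel up to max_depth encoding layers (doubly/triply encoded), returning (depth, plaintext)."""
    layers, current = [], candidate
    for depth in range(1, max_depth + 1):
        decoded = _try_decode(current)
        if decoded is None or decoded == current:
            break
        layers.append((depth, decoded))
        current = decoded
    return layers


# Candidate strings worth scoring: long runs of base64/hex/identifier characters (assumed).
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{16,}")


def scan(text: str, max_depth: int = 3, min_entropy: float = 3.0,
         max_efficiency: float = 1.5) -> List[Dict[str, object]]:
    """Score every candidate, at the surface and behind each decoded layer, with both filters."""
    findings: List[Dict[str, object]] = []
    for match in CANDIDATE_RE.finditer(text):
        surface = match.group(0)
        for depth, value in [(0, surface)] + decode_layers(surface, max_depth):
            for inner in CANDIDATE_RE.findall(value):
                ent, eff = shannon_entropy(inner), token_efficiency(inner)
                findings.append({
                    "value": inner, "depth": depth,
                    "entropy": round(ent, 2), "efficiency": round(eff, 2),
                    "flag_entropy": ent >= min_entropy,    # entropy-style verdict
                    "flag_token": eff <= max_efficiency,   # token-efficiency verdict
                })
    return findings


# Constructed sample input: a placeholder secret (not a real credential), base64-encoded
# twice and dropped into a fake config file next to ordinary prose.
SECRET = "FAKE_SECRET_xK7qZ9mN2pL4vR8tWb3y"
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(SECRET.encode())).decode()
SAMPLE_FILE = "# constructed config\ndescription = the configuration value\n" \
              f"api_key = {DOUBLE_ENCODED}\n"

if __name__ == "__main__":
    for s in ("the configuration value", "xK7qZ9mN2pL4vR8tWb3y"):
        print(f"{s!r}: {shannon_entropy(s):.2f} bits/char, {token_efficiency(s):.2f} chars/token")
    for finding in scan(SAMPLE_FILE):
        print(finding)
```

With this vocabulary, "the configuration value" costs 4.6 characters per token at about 3.8 bits/char of entropy, while the random-looking string costs 1.0 character per token at about 4.3 bits/char: the entropy gap is half a bit, the token-efficiency gap is more than 4x. The double-encoded `api_key` value is reported at depth 2 with its placeholder plaintext, which is the point of decoding before scoring: the surface string looks like any other base64 blob. Betterleaks' actual tokenizer, thresholds and decoder set are not described on this page, so these numbers illustrate the mechanism, not the recall figures quoted above.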
