Betterleaks: Gitleaks Creator Launches Faster Secrets Scanner
Zach Rice, creator of Gitleaks, releases Betterleaks with BPE tokenization achieving 98.6% recall vs entropy's 70.4%. Drop-in replacement now available.
Zach Rice, the original creator of Gitleaks, has released a new open-source secrets scanner called Betterleaks. The tool serves as a drop-in replacement for its predecessor while introducing significant detection improvements through BPE tokenization and configurable validation rules.
Rice, now Head of Secrets Scanning at Aikido Security, developed Betterleaks after losing full control of Gitleaks—a project he started eight years ago. Gitleaks has accumulated over 26 million GitHub downloads, 35 million Docker pulls, and 19,000 GitHub stars, making it one of the most widely deployed secrets scanners in the industry.
Why Betterleaks Exists
The new project addresses limitations Rice observed in entropy-based secret detection. Traditional scanners rely on Shannon entropy to identify strings that appear random enough to be secrets. This approach works but produces significant false positives and misses certain secret formats.
Betterleaks implements what Rice calls Token Efficiency Scanning. Instead of calculating entropy, the scanner measures how efficiently a BPE (Byte Pair Encoding) tokenizer compresses candidate strings. Testing against the CredData dataset, this technique achieved 98.6% recall compared to entropy's 70.4%.
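To make that contrast concrete, the following added example (not Betterleaks code, and not its tokenizer) trains a toy BPE vocabulary on a constructed corpus of ordinary identifiers, then scores three constructed strings both by Shannon entropy and by tokens per character. The corpus, the 50-merge budget and the candidate strings are assumptions made for the illustration.

```python
import math
from collections import Counter
# Constructed stand-in for a real BPE vocabulary: a tiny corpus of ordinary code
# identifiers and prose; production tokenizers learn the same thing from gigabytes of text.
CORPUS = """config password username database connection string token secret
the user reads the config and opens the database connection
get_user_token set_password load_config parse_connection_string""".split()

def merge_pair(symbols, pair):
    """Fuse every adjacent occurrence of `pair` in a symbol tuple into one symbol."""
    out, i = [], 0
    while i < len(symbols):
        if i + 1 < len(symbols) and (symbols[i], symbols[i + 1]) == pair:
            out.append(symbols[i] + symbols[i + 1]); i += 2
        else:
            out.append(symbols[i]); i += 1
    return tuple(out)

def train_bpe(words, num_merges):
    """Learn merge rules by repeatedly fusing the most frequent adjacent pair."""
    vocab = Counter(tuple(w) for w in words)  # word -> its current symbol sequence
    merges = []
    for _ in range(num_merges):
        pairs = Counter()
        for symbols, freq in vocab.items():
            for a, b in zip(symbols, symbols[1:]):
                pairs[(a, b)] += freq
        if not pairs:
            break
        best = max(sorted(pairs), key=pairs.get)  # sorted() makes ties deterministic
        merges.append(best)
        vocab = Counter({merge_pair(s, best): f for s, f in vocab.items()})
    return merges

MERGES = train_bpe(CORPUS, 50)  # 50 merges is an arbitrary budget for the toy
def shannon_entropy(text):
    """Bits per character: the score entropy-based scanners threshold on."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def tokens_per_char(text, merges=MERGES):
    """Token-efficiency score: 1.0 means the tokenizer could not compress the string at all."""
    symbols = tuple(text)
    for pair in merges:
        symbols = merge_pair(symbols, pair)
    return len(symbols) / len(text)

# Constructed candidates: an API-key-shaped random string, a hex-style secret, an identifier.
RANDOM_KEY = "xK9qZ2vPw7LmT4rBn8sYdJ3hGf6cQe1N"
HEX_SECRET = "3f9a2c7e1b4d8605e4b8d19c52f6a073"
IDENTIFIER = "database_connection_string"
```

On the entropy scale the hex-style secret (4.0 bits) lands closer to the plain identifier (about 3.6) than to the random key (5.0), so a single threshold has to trade a miss against a false positive. On the token scale both secrets score 1.0 because nothing in them compresses, while the identifier falls clearly below it.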
The project is released under the MIT license with sponsorship from Aikido, a Belgian company providing development security tooling.
Technical Implementation
Betterleaks is written in pure Go without CGO dependencies or reliance on Hyperscan, simplifying deployment across environments. The architecture supports parallelized git scanning—enabling the --git-workers=8 flag for faster repository analysis.
Key features include:
- Rule-Defined Validation: Detection rules use the Common Expression Language (CEL) for flexible configuration
- Recursive Decoding: Handles doubly and triply encoded secrets by default
- Configurable Regex Engine: Switch between stdlib and re2 engines based on performance requirements
- Backward Compatibility: Existing Gitleaks CLI options and TOML configurations work without modification
Installation is straightforward through multiple channels:
# Homebrew
brew install betterleaks
# Docker
docker pull ghcr.io/betterleaks/betterleaks:latest
# From source
git clone https://github.com/betterleaks/betterleaks && make betterleaks
The CLI mirrors Gitleaks patterns—betterleaks git scans repositories, betterleaks dir handles directories, and betterleaks stdin processes piped input.
Why This Matters
Secrets exposure remains a persistent problem. We've covered multiple incidents where hardcoded credentials enabled breaches, including the AppsFlyer SDK supply chain attack that hijacked cryptocurrency transactions through compromised mobile app code. Attackers frequently target exposed API keys, database credentials, and cloud tokens in public repositories.
The gap between 70.4% and 98.6% recall translates directly to secrets that would slip past traditional scanners. For organizations running CI/CD pipelines that scan every commit, improved accuracy reduces both missed secrets and alert fatigue from false positives.
Rice specifically designed Betterleaks for what he calls the "agentic era"—development environments where AI coding assistants generate code that may inadvertently include credentials. The CLI includes features optimized for automated tools that need to scan AI-generated code without human intervention.
Project Governance and Roadmap
Four maintainers oversee development: Rice alongside Richard Gomez from Royal Bank of Canada, Braxton Plaxco from Red Hat, and Ahrav Dutta from Amazon. This enterprise backing suggests long-term maintenance commitments.
Version 2 features already in planning include:
- Extended scanning sources beyond Git repositories and files
- LLM-assisted analysis for confidence scoring and classification
- Automatic secret revocation through provider APIs
- Permissions mapping to identify over-privileged credentials
- Simplified configuration syntax
The auto-revocation feature is particularly interesting. Rather than simply alerting on exposed secrets, future versions could automatically rotate compromised credentials through integration with cloud provider APIs.
Getting Started
The Betterleaks GitHub repository contains full documentation, rule definitions, and configuration examples. Organizations currently using Gitleaks can migrate by swapping the binary—existing configurations should work without changes.
For teams managing code security pipelines, the detection improvements warrant evaluation. The supply chain attacks targeting developer tools—like the recent VS Code extension campaign that distributed 72 malicious packages—underscore why catching secrets before they ship matters.
Betterleaks ships with more detection rules than Gitleaks out of the box. Teams can extend coverage through TOML configuration files that support regex patterns, entropy thresholds, keyword filtering, and allowlists for reducing false positives in specific codebases.
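As a further added example (again not Betterleaks' or Gitleaks' own code), the following Python applies one rule with the knobs just listed to constructed input, showing how the keyword prefilter, entropy threshold and allowlists interact. The rule dict mirrors Gitleaks-style TOML keys, and the pattern, threshold, allowlisted paths and sample lines are constructed for the illustration, not the project's defaults.

```python
import re
import math
from collections import Counter

# Constructed rule mirroring the knobs a Gitleaks-style TOML rule exposes
# (id, regex, secretGroup, entropy, keywords, and a per-rule allowlist).
# Pattern, threshold and allowlist values are illustrative, not the project's defaults.
RULE = {
    "id": "example-aws-access-key",
    "regex": re.compile(r"\b(AKIA[A-Z0-9]{16})\b"),
    "secretGroup": 1,
    "entropy": 3.0,                 # minimum Shannon entropy of the captured secret
    "keywords": ["akia"],           # cheap case-insensitive prefilter before the regex
    "allowlist": {
        "paths": [re.compile(r"(?i)\.md$")],
        "regexes": [re.compile(r"EXAMPLE")],
    },
}

def shannon_entropy(text):  # bits per character of the captured secret
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def scan_line(rule, path, line):
    """Return the secret if `line` in file `path` triggers `rule`, else None."""
    if any(p.search(path) for p in rule["allowlist"]["paths"]):
        return None                                   # whole file allowlisted
    if not any(k in line.lower() for k in rule["keywords"]):
        return None                                   # keyword prefilter
    for m in rule["regex"].finditer(line):
        secret = m.group(rule["secretGroup"])
        if shannon_entropy(secret) < rule["entropy"]:
            continue                                  # placeholder-like, too uniform
        if any(r.search(secret) for r in rule["allowlist"]["regexes"]):
            continue                                  # known sample value
        return secret
    return None

# Constructed sample input: (path, line) pairs a scanner might see in one commit.
SAMPLE = [
    ("config/settings.py", 'AWS_KEY = "AKIAQ7H2XJ4KD9PWM3ZT"'),
    ("README.md",          'export AWS_KEY=AKIAQ7H2XJ4KD9PWM3ZT'),
    ("tests/fixtures.py",  'key = "AKIAEXAMPLEEXAMPLE00"'),
    ("tests/fixtures.py",  'key = "AKIAAAAAAAAAAAAAAAAA"'),
    ("config/settings.py", 'DB_HOST = "db.internal"'),
]

def findings(sample=SAMPLE, rule=RULE):
    return [(path, s) for path, line in sample if (s := scan_line(rule, path, line))]
```

Only the first sample line survives: the README copy is dropped by the path allowlist, the EXAMPLE value by the allowlist regex, and the run of A's by the entropy threshold.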