# AGENTS.md instructions for Gitleaks for secret scanning in repositories

Use Gitleaks for secret scanning in repositories only for one purpose: scanning repositories and working trees for leaked secrets before agents commit or open PRs.

## Default behavior

- Prefer non-interactive commands and stable output formats: json, sarif, csv, text.
- Start with read-only inspection commands before changing state.
- Show the exact command before destructive or deployment actions.
- Require explicit user approval for commands marked `requires-review` or `destructive`.

## Useful commands

- safe: `gitleaks detect --source . --report-format json --report-path gitleaks.json` — Produces a JSON report that an agent can summarize.
- safe: `gitleaks protect --staged --verbose` — Checks staged files before commit.
- requires-review: `${EDITOR:-vi} .gitleaks.toml` — Changing ignore rules can hide real leaks and requires review.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
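The JSON report produced by the `safe` detect command above is what the agent should summarize and cite. The following added example (not part of Gitleaks or of this repository's tooling) turns such a report into a citeable summary that names file, line, rule and fingerprint for every finding but redacts the matched secret, so the summary can be pasted into a PR without re-leaking it. It assumes the field names Gitleaks v8 emits in its JSON report (`RuleID`, `File`, `StartLine`, `Commit`, `Secret`, `Fingerprint`); the sample report is constructed inline.

```python
"""Summarize a Gitleaks JSON report without echoing the secrets it contains."""
import json
from collections import Counter

# Constructed sample of a `gitleaks detect --report-format json` report.
# Two findings; every value below is made up for illustration.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 12,
     "Commit": "abc1234", "Secret": "AKIAEXAMPLEEXAMPLE01",
     "Fingerprint": "abc1234:config/prod.env:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "src/client.py", "StartLine": 40,
     "Commit": "abc1234", "Secret": "sk_live_constructedvalue",
     "Fingerprint": "abc1234:src/client.py:generic-api-key:40"},
])


def redact(secret: str) -> str:
    """Keep the first four characters so a finding is recognisable but not reusable."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def summarize_report(report_json: str) -> dict:
    """Turn a Gitleaks JSON report (a list of findings) into a citeable summary.

    Returns the total, a per-rule count, and one line per finding giving the
    exact location, rule and fingerprint (the value a reviewed suppression
    would need) with the secret itself redacted.
    """
    findings = json.loads(report_json)
    by_rule = Counter(f["RuleID"] for f in findings)
    lines = [
        f'{f["File"]}:{f["StartLine"]} [{f["RuleID"]}] '
        f'secret={redact(f["Secret"])} fingerprint={f["Fingerprint"]}'
        for f in findings
    ]
    return {"total": len(findings), "by_rule": dict(by_rule), "lines": lines}


def exit_code_for(summary: dict) -> int:
    """Non-zero when anything leaked, so an agent loop or CI step stops before committing."""
    return 1 if summary["total"] else 0


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print("\n".join(summary["lines"]))
    raise SystemExit(exit_code_for(summary))
```

To use it on a real run, read `gitleaks.json` from the detect command instead of `SAMPLE_REPORT`; the non-zero exit code is the signal that findings must be triaged (not suppressed) before the agent proceeds.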