# Gitleaks for secret scanning in repositories
Scan repositories and working trees for leaked secrets before agents commit or open PRs.
Agent Readiness Score: 86/100
Gitleaks is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
## Install

- Homebrew: `brew install gitleaks`
- Docker: `docker run --rm -v "$PWD:/path" zricethezav/gitleaks:latest detect --source /path`

## Structured output

Supported output formats: json, sarif, csv, text.
Prefer structured output. Gitleaks selects the report format with `--report-format json` (or `sarif`) and writes it to a file with `--report-path`, so the agent parses a file rather than terminal text.

## Safe commands

- Scan working tree: `gitleaks detect --source . --report-format json --report-path gitleaks.json` — Produces a JSON report that an agent can summarize.
- Scan staged changes: `gitleaks protect --staged --verbose` — Checks staged files before commit.

## Commands requiring approval

- Edit allowlist: `${EDITOR:-vi} .gitleaks.toml` — changes which findings are suppressed; requires review and explicit user approval.

## Agent instructions

- Claude Code / Codex CLI: Use Gitleaks to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.

## Safety notes

- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
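The "Safe commands" and "Safety notes" sections both assume the agent works from the JSON report rather than from terminal output. The script below is an added example, not code from the Gitleaks project: it loads a report in the shape that `gitleaks detect --report-format json --report-path gitleaks.json` writes, redacts the captured secret down to a short prefix so the summary can be pasted into a PR or chat without re-leaking the value, and groups findings by rule and file with the fingerprint that a human reviewer would later need for an allowlist decision. The sample report embedded in it is constructed; the field names (`RuleID`, `File`, `StartLine`, `Commit`, `Secret`, `Fingerprint`) are the ones Gitleaks v8 emits.

```python
"""Summarize a Gitleaks JSON report for an agent without exposing the secrets.

Added example, not part of Gitleaks. Reads the list of findings that
`gitleaks detect --report-format json --report-path gitleaks.json` produces
and returns a redacted, grouped summary suitable for a report-first workflow.
"""
import json
from collections import Counter
from typing import Any, Dict, List

# Constructed sample report with two findings in the Gitleaks v8 JSON shape.
# The secret values below are made up; the field names are real.
SAMPLE_REPORT = json.dumps([
    {
        "Description": "AWS Access Key",
        "StartLine": 12, "EndLine": 12, "StartColumn": 18, "EndColumn": 37,
        "Match": "AKIAEXAMPLEEXAMPLE12",
        "Secret": "AKIAEXAMPLEEXAMPLE12",
        "File": "config/settings.py",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Entropy": 3.6,
        "Author": "dev", "Email": "dev@example.com",
        "Date": "2024-01-01T00:00:00Z", "Message": "add settings",
        "Tags": [],
        "RuleID": "aws-access-token",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:config/settings.py:aws-access-token:12",
    },
    {
        "Description": "Generic API Key",
        "StartLine": 3, "EndLine": 3, "StartColumn": 9, "EndColumn": 40,
        "Match": 'api_key = "sk_live_constructedvalue000"',
        "Secret": "sk_live_constructedvalue000",
        "File": ".env.example",
        "Commit": "",  # empty for working-tree (uncommitted) findings
        "Entropy": 4.1,
        "Author": "", "Email": "", "Date": "", "Message": "",
        "Tags": [],
        "RuleID": "generic-api-key",
        "Fingerprint": ".env.example:generic-api-key:3",
    },
])


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a reviewer can recognise the credential type,
    and mask the rest so the summary itself never contains a usable secret."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def load_findings(report_text: str) -> List[Dict[str, Any]]:
    """Parse the report; Gitleaks writes a JSON array of finding objects."""
    data = json.loads(report_text)
    if not isinstance(data, list):
        raise ValueError("gitleaks JSON report must be a list of findings")
    return data


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Group findings by rule and file and list each one with a redacted preview.
    The Fingerprint is kept verbatim: it is what a human would cite when
    approving (or refusing) an allowlist entry later."""
    by_rule = Counter(f["RuleID"] for f in findings)
    by_file = Counter(f["File"] for f in findings)
    items = [
        {
            "rule": f["RuleID"],
            "file": f["File"],
            "line": f["StartLine"],
            "commit": (f.get("Commit") or "")[:12] or "(working tree)",
            "secret_preview": redact(f["Secret"]),
            "fingerprint": f["Fingerprint"],
        }
        for f in findings
    ]
    return {
        "total": len(findings),
        "by_rule": dict(by_rule),
        "by_file": dict(by_file),
        "findings": items,
    }


def exit_code(summary: Dict[str, Any]) -> int:
    """Non-zero when any leak was found, matching how a CI gate should treat the report."""
    return 1 if summary["total"] else 0


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open("gitleaks.json").read() after a real scan.
    result = summarize(load_findings(SAMPLE_REPORT))
    print(json.dumps(result, indent=2))
    raise SystemExit(exit_code(result))
```

The summary deliberately carries the `Fingerprint` but not the full `Secret`: the fingerprint is enough for a reviewer to decide on an allowlist entry under the approval rule above, while the redacted preview keeps the agent's output safe to paste into an issue or PR comment.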

## Metadata

Official URL: https://gitleaks.io/
GitHub: https://github.com/gitleaks/gitleaks
Docs: https://gitleaks.io/
