Betterleaks, a new open-source secrets scanner to replace Gitleaks

Source: BleepingComputer

Author: Bill Toulas

ONE SENTENCE SUMMARY:

Betterleaks, an MIT-licensed successor to Gitleaks, speeds secret detection with validation, tokenization, and AI-friendly workflows for developers.

Betterleaks scans directories, files, and Git repositories for valid exposed secrets.
Secret scanners detect accidentally committed credentials, API keys, private keys, and tokens.
Attackers routinely mine public repositories’ configuration files to steal sensitive access data.
Project positions itself as a more advanced successor to the widely used Gitleaks.
Zach Rice created Betterleaks after losing full control over the original Gitleaks project.
Validation rules use CEL (Common Expression Language) to confirm findings more accurately.
BPE tokenization improves recall to 98.6% versus 70.4% entropy on CredData.
Pure Go design eliminates CGO and Hyperscan dependencies for simpler builds.
Scanner automatically detects doubly or triply encoded secrets and expands provider coverage.
Roadmap includes LLM-assisted classification, revocation APIs, more sources, and performance tuning.

Choosing validation-backed scanners reduces false positives compared with pattern-only secret detection.
Tokenization-based approaches can significantly outperform entropy heuristics for secret discovery.
Dependency-light Go tooling eases adoption in CI/CD pipelines and diverse environments.
Faster parallel Git scanning makes large-repository auditing more practical and frequent.
Upcoming AI-agent features suggest secret scanning will increasingly target AI-generated code workflows.