Find leaked credentials. Fast.

A secrets scanner that checks source code, git history, infrastructure files, S3 buckets, and Docker images. 894 patterns, entropy analysis, live validation against ~80 APIs. Written in Rust.

$ cargo install leaktor
v0.4.1
$ leaktor scan ./my-project --validate

Summary
Total Findings: 3
  Critical: 2    High: 1

[1] [CRITICAL] AWS Access Key
    Status: [ACTIVE] Validated via STS
    File:   src/config.rs:42:5
    Value:  AKIA**************MPLE

[2] [CRITICAL] GitHub Personal Access Token
    File:   .env:7:1
    Value:  ghp_**************************a8f2

[3] [HIGH] Stripe Secret Key
    File:   payments/billing.py:119:12
    Value:  sk_live_*******************eK1P

Scan completed in 0.04s | 312 files scanned | 3 findings
894 regex patterns | ~80 validated services | 6 scan targets | 0 runtime deps

Detection

894 patterns across 888 secret types

Regex-based pattern matching for AWS, GCP, Azure, GitHub, Stripe, Slack, database URIs, private keys, JWTs, and hundreds more. Shannon entropy analysis catches generic high-randomness secrets that don't match known formats.
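The two detection layers described above, as an added example that is not leaktor's own code: a known-format rule (the public AWS access key ID shape, "AKIA" plus 16 uppercase alphanumerics) is tried first, and a Shannon entropy fallback catches long random-looking tokens that match no rule. The entropy thresholds (3.0 bits/char for hex, 4.5 for wider alphabets) and the keep-4-show-4 masking are assumed, illustrative choices; the sample tokens are AWS's documented example credentials, not live keys.

```rust
// Added example, not leaktor's code: a known-format rule plus Shannon entropy fallback.
use std::collections::HashMap;

/// Shannon entropy of a string in bits per character.
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| { let p = k as f64 / n; -p * p.log2() }).sum()
}

/// Mask like the report above: keep 4 leading and 4 trailing characters.
pub fn mask(v: &str) -> String {
    let c: Vec<char> = v.chars().collect();
    if c.len() <= 8 {
        return "*".repeat(c.len());
    }
    let (head, tail): (String, String) = (c[..4].iter().collect(), c[c.len() - 4..].iter().collect());
    format!("{head}{}{tail}", "*".repeat(c.len() - 8))
}

#[derive(Debug, PartialEq)]
pub enum Hit { Pattern(&'static str), Entropy }

/// Known-format rule first, generic entropy fallback second.
pub fn classify(tok: &str) -> Option<Hit> {
    // AWS access key ID: "AKIA" followed by 16 uppercase alphanumerics.
    let upper_alnum = |c: char| c.is_ascii_uppercase() || c.is_ascii_digit();
    if tok.len() == 20 && tok.starts_with("AKIA") && tok[4..].chars().all(upper_alnum) {
        return Some(Hit::Pattern("AWS Access Key"));
    }
    if tok.len() < 20 {
        return None; // too short for the entropy heuristic to be meaningful
    }
    // Assumed thresholds: hex maxes out at 4 bits/char, wider alphabets near 6.
    let is_hex = tok.chars().all(|c| c.is_ascii_hexdigit());
    let threshold = if is_hex { 3.0 } else { 4.5 };
    if shannon_entropy(tok) >= threshold { Some(Hit::Entropy) } else { None }
}

/// Split a line into candidate tokens and return (masked value, hit) pairs.
pub fn scan_line(line: &str) -> Vec<(String, Hit)> {
    line.split(|c: char| !(c.is_ascii_alphanumeric() || "_-/+=".contains(c)))
        .filter_map(|t| classify(t).map(|h| (mask(t), h)))
        .collect()
}
```

Note that the example access key ID has only about 3.7 bits/char of entropy, below the generic threshold, which is why structured secrets need a dedicated pattern and entropy is only the fallback for the rest.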

Validation

Confirms secrets are active

19 dedicated API validators (AWS STS, GitHub, Stripe, Slack, etc.) plus a service-level validator covering 60+ more. Rate-limited with configurable concurrency. Tells you which secrets are real and which are noise.

Beyond source code

6 scan targets, not just files

Filesystem, git history, S3 buckets, Docker images, stdin, and structured infrastructure files. Auto-decodes base64 in K8s Secrets, parses Terraform state, Docker Compose envs, and CloudFormation parameters.

Features

Git history scanning

Scans full commit history to surface secrets that were committed and later removed. Supports --since-commit and commit range filters.

S3 bucket scanning

Scan objects in AWS S3 buckets using the standard credential chain. Filters binary and oversized files automatically.

Docker image scanning

Export and scan Docker image filesystems. Skips system directories and binary content. Works with your local daemon.

Blast radius tracing

Find every reference to a secret across the entire codebase. Search by value, type, or file. Know exactly how far a leak has spread.

Scan diffing

Compare two JSON scan reports to see what's new, fixed, and unchanged between runs. Track remediation progress over time.

Remediation scripts

Generate rotation commands, git history cleanup instructions, and allowlist rules from scan results. Console, markdown, or executable bash script.

Baseline and allowlisting

Baseline existing findings so CI only flags new leaks. Suppress false positives by type, path glob, value regex, severity, or inline leaktor:ignore comments.

CI/CD integration

GitHub Action, git pre-commit hooks, and pre-commit framework support. SARIF output for GitHub Advanced Security. Non-zero exit on findings for gate enforcement.

Webhook notifications

Send findings to Slack, Microsoft Teams, or any HTTP endpoint. Formatted messages with severity, type, and file location out of the box.

Comparison

How leaktor compares to Gitleaks and TruffleHog.

Feature                    leaktor              Gitleaks            TruffleHog
Language                   Rust                 Go                  Go
Detection rules            894                  ~220                900+
Entropy analysis           Yes                  Basic               Yes
Live validation            ~80 services         No                  Yes
Git history                Yes                  Yes                 Yes
S3 scanning                Yes                  No                  Yes
Docker scanning            Yes                  No                  Yes
K8s / Terraform / Compose  Auto-decoded         No                  Partial
Blast radius               Yes                  No                  No
Scan diffing               Yes                  No                  No
Remediation                Yes                  No                  No
Baseline                   Yes                  Yes                 No
Webhooks                   Slack, Teams, HTTP   No                  No
Output formats             JSON, SARIF, HTML    JSON, SARIF, CSV    JSON
License                    MIT                  MIT                 AGPL + commercial

~10k files/s

Parallel filesystem scanning via Rayon. Scales with cores.

Single binary

No runtime dependencies. Drop into any CI pipeline or server.

Low memory

Streaming scan architecture. Handles large monorepos without issues.

CLI

blast radius
$ leaktor trace AKIAIOSFODNN7EXAMPLE

Tracing secret across codebase...

  src/config.rs:42          AKIA**********MPLE
  .env:3                     AKIA**********MPLE
  deploy/k8s/secret.yaml:8   (base64 encoded)

3 references in 3 files
scan diff
$ leaktor diff before.json after.json

  + 2 new    - 1 fixed    = 5 unchanged

  New:
    + [CRITICAL] AWS Secret Key
    + [HIGH] Slack Token

  Fixed:
    - [CRITICAL] GitHub PAT at .env:7
quick reference
leaktor scan ./path
leaktor scan --validate --format sarif -o out.sarif
leaktor scan --format html -o report.html
leaktor scan --baseline base.json --fail-on-found
leaktor scan-s3 my-bucket --prefix config/
leaktor scan-docker myapp:latest
leaktor trace --type "AWS Access Key"
leaktor diff old.json new.json
leaktor remediate scan.json --format script
leaktor init --yes --baseline
leaktor list
leaktor scan --webhook-url https://hooks.slack.com/...

Install

Pick your platform.

Cargo

Rust toolchain
cargo install leaktor

Homebrew

macOS / Linux
brew tap reschjonas/tap
brew install leaktor

Scoop

Windows
scoop bucket add leaktor https://github.com/reschjonas/scoop-leaktor
scoop install leaktor

Docker

any platform
docker run --rm -v $(pwd):/scan ghcr.io/reschjonas/leaktor scan /scan

Binary

Linux / macOS / Windows

Pre-built binaries on GitHub Releases.

GitHub Action

CI/CD
- uses: reschjonas/leaktor@v0.4.1
  with:
    format: sarif
    fail-on-found: true