28.03.2026

Betterleaks: Secret Scanning for Agentic CI


Secret scanning has moved from nice-to-have to mandatory. Repos now contain generated configs, copied logs, AI-assisted code changes, and fast-moving CI pipelines. That mix creates more ways to leak API keys, tokens, and passwords. Betterleaks is a new scanner worth watching because it focuses on the operational details that matter in production: speed, flexible rules, and better signal.

What is Betterleaks?

Betterleaks is an open source secret detection tool written in Go. It scans git history, directories, files, and standard input for exposed credentials. The project launched in February 2026 and is already moving quickly, with the latest release at v1.1.1 in March.

The pitch is simple: keep the broad utility people expect from Gitleaks-style scanning, but add more control and better performance. For SRE and platform teams, that matters because secret detection only helps when it is cheap enough to run often and precise enough not to become alert noise.

Key Features

  • Multiple scan targets: scan a repository with betterleaks git, a path with betterleaks dir, or pipeline output with betterleaks stdin.
  • Parallelized git scanning: the tool supports --git-workers so large repos and long histories finish faster.
  • Validation experiments: Betterleaks can validate some findings with CEL-based logic and HTTP checks, which helps separate dead secrets from live ones.
  • Rule and regex flexibility: it supports custom config files, targeted rule enablement, and regex engine selection.
  • Recursive decoding: useful for catching encoded or wrapped secrets that simple pattern matching can miss.

Installation

Install Betterleaks with one of the supported paths:

brew install betterleaks

# or build from source
git clone https://github.com/betterleaks/betterleaks
cd betterleaks
make betterleaks

A container image is also available at ghcr.io/betterleaks/betterleaks:latest.

Usage

A simple repository scan looks like this:

betterleaks git --source . --git-workers 8

Scanning a directory outside git history is equally direct:

betterleaks dir /etc

This is especially useful in CI when you want to scan generated artifacts, deployment bundles, or rendered templates before they leave the runner.

Operational Tips

Run Betterleaks in two places. First, scan commits and pull requests to stop new leaks early. Second, scan built artifacts or generated configuration in CI, because secrets often appear after templating rather than in source files.

Use baselines and scoped rules to avoid drowning in old findings. If you test the validation feature, treat it carefully: live-credential checks contact external endpoints from the runner, so restrict outbound network access for that job and keep validation out of scans that run with full egress, otherwise the scanner itself becomes an unexpected egress path.
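An added example, not from the Betterleaks project, tying the Usage commands and the two-stage tip above into one CI wrapper: stage one scans the checkout's history with the git subcommand, stage two renders an artifact and pipes it through betterleaks stdin, and an optional container path runs the image with no network so validation checks cannot reach out. It assumes only the subcommands and flags shown in this post, that the container image's entrypoint is the betterleaks binary, and a hypothetical deploy/config.tmpl rendered with envsubst.

```shell
#!/bin/sh
# Added example (not Betterleaks project code). Two-stage secret scan for CI:
#   1. git history of the checkout   2. rendered artifacts via stdin
set -eu

GIT_WORKERS="${GIT_WORKERS:-8}"     # parallel git workers, as in the post's example
IMAGE="ghcr.io/betterleaks/betterleaks:latest"

# Print the command line for a scan target without executing it, so the
# wrapper (and a test) can inspect exactly what will run.
scan_cmd() {
  kind="$1"; target="${2:-}"
  case "$kind" in
    git)   printf 'betterleaks git --source %s --git-workers %s\n' "$target" "$GIT_WORKERS" ;;
    dir)   printf 'betterleaks dir %s\n' "$target" ;;
    stdin) printf 'betterleaks stdin\n' ;;
    *)     echo "unknown scan kind: $kind" >&2; return 2 ;;
  esac
}

# Stage 2 helper: run a renderer and scan its output before it leaves the runner.
# Secrets often appear only after templating, so scanning sources alone is not enough.
scan_rendered() {
  sh -c "$1" | betterleaks stdin
}

# Egress-free variant: the same repo scan inside the container with networking
# disabled, so experimental HTTP validation cannot become an outbound channel.
# Assumption: the image entrypoint is the betterleaks binary.
scan_repo_no_egress() {
  docker run --rm --network none -v "$PWD:/repo" -w /repo "$IMAGE" \
    git --source /repo --git-workers "$GIT_WORKERS"
}

main() {
  # Stage 1: commits and working tree of this checkout
  betterleaks git --source . --git-workers "$GIT_WORKERS"
  # Stage 2: rendered deployment config (hypothetical template path)
  scan_rendered "envsubst < deploy/config.tmpl"
}

# Only run the scans when explicitly asked, so sourcing the file is side-effect free.
if [ "${BETTERLEAKS_RUN:-0}" = "1" ]; then main; fi
```

Set BETTERLEAKS_RUN=1 in the CI job to execute both stages; use scan_repo_no_egress instead of the first stage when validation is enabled in the config.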

Conclusion

Betterleaks looks like a practical upgrade for teams that want faster secret scanning without giving up configurability. The support for repo, directory, and stdin scanning makes it easy to slot into pre-commit hooks, CI jobs, and artifact checks. If your team is tightening controls around agentic development and CI automation, this is a project worth evaluating now.

Akmatori helps SRE teams automate infrastructure operations with AI agents built for real production workflows. For reliable cloud and edge infrastructure, check out Gcore.
