
Betterleaks vs. Gitleaks: Is it time to switch your secret scanner?

BackupBoss_Greg 3/15/2026

Saw the news about Betterleaks dropping today. It's positioning itself as a modern replacement for Gitleaks. We all know the pain of hardcoded API keys slipping into repos, so I took a quick look at the specs.

It claims to handle directories, files, and git repos with a focus on reducing false positives. The main selling point seems to be the flexibility of the rule engine.

A quick test on a dummy repo looks promising. Here is a basic scan command:

betterleaks scan --source ./my-project --config default

The output format is JSON by default, which is great for piping into other security tools or SIEMs.

betterleaks scan --source . --report  | jq '.[] | select(.severity == "CRITICAL")'

I haven't benchmarked it against TruffleHog or the latest Gitleaks yet, but if the lower false-positive rate holds up, this could save a lot of triage time in CI/CD pipelines. 

Has anyone integrated this into their GitLab or GitHub Actions yet? I'm curious how it handles the performance on massive monorepos compared to the established players.

Firewall_Admin_Joe 3/15/2026

I've been running it in a sidecar container for our Jenkins builds for the past week. It's noticeably faster on Java projects compared to Gitleaks v8. I especially like the regex customization in the YAML config; it makes tuning out specific false positives much easier than editing the Go source in Gitleaks.

DNS_Security_Rita 3/15/2026

Speed is nice, but I'm holding out until they support entropy checks as robustly as TruffleHog. During a quick audit of an old target, I found it missed a few high-entropy strings that looked like base64-encoded keys. Still, it's a great addition to the toolkit for quick scans.

IAM_Specialist_Yuki 3/15/2026

We usually rely on runtime detection, but shifting left with scanners like this is crucial. Just a heads up: make sure to add it to your .dockerignore if you are running this inside containers, so you aren't scanning the node_modules or image build context unnecessarily.

DevSecOps_Lin 3/17/2026

It’s great to see new options, but for enterprise adoption, the reporting format is often the deciding factor. If Betterleaks supports SARIF out of the box, integrating with GitHub Advanced Security or DefectDojo becomes seamless compared to parsing custom JSON. I'm also curious how it handles git-lfs assets, as many scanners choke on large binary files. To test the reporting integration for your security dashboard, try generating a SARIF file:

betterleaks scan --source ./my-project --format sarif --output ./results.sarif

BackupBoss_Greg 3/18/2026

It looks interesting, but I'm curious about the allow-listing capabilities. In our environment, we have dummy data that triggers constant false positives. If Betterleaks supports regex-based allowlists similar to Gitleaks' --allow-list path, it would save us hours of triage. Also, has anyone tried setting this up as a pre-commit hook yet? Blocking the commit at the client side is usually more effective than scanning the repo later.
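As an added example (not from this thread or from the Betterleaks project) that covers both Rita's point about missed high-entropy base64 strings and Greg's question about regex allowlists for dummy data: a small Python pass that scores base64-looking tokens by Shannon entropy and drops any token matching an allowlist pattern. The token regex, the 4.5 bits/char threshold and the sample lines are constructed assumptions, not Betterleaks' own rules.

```python
import math
import re

# Constructed heuristic: runs of 20+ base64/url-safe characters are key-material candidates.
CANDIDATE_RE = re.compile(r'[A-Za-z0-9+/=_-]{20,}')
# Assumed threshold: random base64 key material is typically well above 4.5 bits/char,
# while placeholders like EXAMPLEKEYEXAMPLEKEY sit far below it.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_high_entropy(lines, allowlist=()):
    """Return (line_no, token, entropy) for candidate tokens at or above the threshold.

    allowlist is a sequence of regex strings; a token matching any of them is skipped,
    which is how fixture or dummy data gets tuned out instead of re-triaged every run.
    """
    allow = [re.compile(p) for p in allowlist]
    hits = []
    for line_no, line in enumerate(lines, 1):
        for match in CANDIDATE_RE.finditer(line):
            token = match.group(0)
            if any(a.search(token) for a in allow):
                continue
            entropy = shannon_entropy(token)
            if entropy >= ENTROPY_THRESHOLD:
                hits.append((line_no, token, round(entropy, 2)))
    return hits


# Constructed sample lines: a repetitive placeholder, a random-looking token,
# and the same token prefixed as fixture data that an allowlist should suppress.
SAMPLE_LINES = [
    'API_KEY = "EXAMPLEKEYEXAMPLEKEYEXAMPLE"',
    'token = "q7Zk2mT9xLpW4vBn8rYsD3cFgH6jKeU"',
    'FIXTURE = "dummy-q7Zk2mT9xLpW4vBn8rYsD3cFgH6jKeU"',
]

if __name__ == "__main__":
    for hit in find_high_entropy(SAMPLE_LINES, allowlist=[r'^dummy-']):
        print("line %d: %s (%.2f bits/char)" % hit)
```

Run over the sample, only line 2 is reported; without the allowlist the fixture on line 3 is reported as well.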

IAM_Specialist_Yuki 3/18/2026

Validating detections against live IAM services is a crucial next step. Instead of just alerting, we run a quick script to check if discovered keys are still active. This helps prioritize immediate remediation for valid threats over dead keys. You can automate this check using the cloud provider's SDK.

import boto3
from botocore.exceptions import ClientError

def check_aws_key_status(access_key, secret_key):
    # STS GetCallerIdentity needs the full key pair; an access key ID alone cannot sign a request
    client = boto3.client(
        'sts',
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        region_name='us-east-1',
    )
    try:
        client.get_caller_identity()
        return "Active"
    except ClientError:
        # InvalidClientTokenId or SignatureDoesNotMatch: key rotated, deleted, or never valid
        return "Inactive or Invalid"

Threat_Intel_Omar 3/19/2026

The focus on reducing noise is great, but from a Threat Intel standpoint, verification is key. I'm curious if there's an API to validate discovered secrets against providers? Even a basic check to confirm a key is active saves hours of triage. I currently pipe results to a script like this:

def verify_token(token):
    # External provider validation logic
    pass

If Betterleaks offers native webhook support for this, it’s a game changer for immediate prioritization.
