gitleaks/gitleaks
Tooling
A pointer-driven map of the build, lint, and release tooling.
Makefile
The Makefile defines the developer-facing targets:
| Target | What it does |
|---|---|
make build |
Regenerates config/gitleaks.toml, runs go fmt, go mod tidy, then go build with version-injecting ldflags |
make test |
Regenerates config, runs go fmt, runs full test suite with --race |
make failfast |
go test -failfast ./... for a tighter inner loop |
make test-cover |
Coverage HTML report |
make lint |
golangci-lint run |
make format |
go fmt ./... |
make profile |
Builds and runs the binary under scripts/profile.sh |
make clean |
Removes profile output and *.got.*/*.out files |
make config/gitleaks.toml |
Regenerates the embedded default config from cmd/generate/config/** |
The VERSION variable is computed lazily as git fetch --tags && git tag | sort -V | tail -1, then injected into version/version.go via -ldflags.
Code generation
make config/gitleaks.toml runs go generate ./..., which invokes the //go:generate directive in cmd/generate/config/main.go:
//go:generate go run $GOFILE ../../../config/gitleaks.tomlThis builds a []*config.Rule from each cmd/generate/config/rules/*.go file, validates each rule against its sample inputs, and renders the result through cmd/generate/config/rules/config.tmpl into config/gitleaks.toml.
The CI step Validate Config runs go generate ./... && git diff --exit-code to ensure the committed gitleaks.toml is in sync with the rule sources.
Linter
.golangci.yaml configures golangci-lint v2. The active linters are revive, staticcheck, misspell, inamedparam, exhaustruct, nonamedreturns, and unconvert. The disabled list is long because the codebase predates many newer linters and hasn't been audited for full compliance. Comments in the file flag candidates ("It might be worth going through some of the disabled linters and enabling them...").
Pre-commit
.pre-commit-hooks.yaml declares two hooks for downstream users:
gitleaks— runs the native binary on staged changesgitleaks-docker— runs via the Docker image, useful when the binary isn't installed locally
Local development of Gitleaks itself doesn't require pre-commit; this config is published for users who want to scan their repos with Gitleaks during commit.
Release
.goreleaser.yml drives GoReleaser, invoked by .github/workflows/release.yml on tag pushes. It produces:
- Binaries for Linux, macOS, and Windows on amd64/arm64
- Archives (zip on Windows, tar.gz elsewhere)
- A checksums file
- GitHub release notes from commit history
The Docker image is built separately by the same workflow and published to Docker Hub (zricethezav/gitleaks) and GHCR (ghcr.io/gitleaks/gitleaks). The Dockerfile is a two-stage build: golang:1.24 for compilation, alpine:3.22 for the final image with bash, git, and openssh-client added.
Self-scanning
The repo runs Gitleaks against its own history in CI via .github/workflows/gitleaks.yml. The huge .gitleaksignore and the rule allowlist in .gitleaks.toml exist to keep this scan green despite the testdata fixtures being intentional fake secrets.
Profiling
scripts/profile.sh is a small wrapper around gitleaks ... --diagnostics=cpu for local profiling. For more flexibility, use --diagnostics directly — see debugging.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.