gitleaks/gitleaks
Lore
Gitleaks has been around since January 2018 and has accumulated nearly 1,300 commits across nine major versions. This page tells the story chronologically.
Eras
The original prototype (Jan 2018 – mid 2018)
The first commit (e1a5893 on 2018-01-27, "[init] diffing commits for all branches, work on concurrency") set the basic shape: walk a git repo's history, run regexes against each diff, report findings. The early version was tightly coupled to git history scanning — there was no dir or stdin mode yet.
Owner Zachary Rice was the sole committer for the first year of development. The project lived under github.com/zricethezav/gitleaks (which is still the Go module path you see in go.mod).
Configurability (mid 2018 – 2020)
The signature feature of this era was making detection rules user-configurable rather than hardcoded. The TOML configuration format was introduced, and the embedded default rule set (config/gitleaks.toml) became the public surface area new users would interact with most.
#422 (Global allowlist regex) was a notable expansion — allowing users to silence patterns globally instead of duplicating allowlists into every rule.
v7 to v8: the rewrite (2021 – 2022)
The v8 series, tagged starting in 2022, was a substantial rewrite. Key changes:
- The detector was extracted into a clean package (
detect/) with aDetectortype that gitleaks-as-a-library users could drive directly. sources.Sourcebecame a one-method interface, decoupling fragment production from scanning.- The keyword-prefilter (Aho-Corasick) was added in v8.6.0 to keep regex evaluation tractable as the rule set grew.
Command consolidation (Aug 2024 — v8.19.0)
Before v8.19.0 the CLI exposed detect (scan history) and protect (scan staged/diff for pre-commit) as siblings. v8.19.0 introduced top-level git, dir, and stdin commands, and hid the old detect/protect ones from --help. The legacy commands still exist in cmd/detect.go and cmd/protect.go and translate to the new code paths.
Allowlist plurality (late 2024 — v8.21.0 and v8.25.0)
Two backwards-compatible renames in this window:
- v8.21.0:
[rules.allowlist]→[[rules.allowlists]](multiple allowlists per rule) - v8.25.0:
[allowlist]→[[allowlists]](multiple global allowlists,targetRulesfor shared allowlists)
The old singular forms still parse — see the AllowList/Allowlists shim fields in ViperConfig (config/config.go) marked // TODO: Remove this in 9.x.
Decoding and archives (mid 2025)
Two related capabilities landed close together:
- Recursive decoding (
--max-decode-depth): base64/hex/percent-encoded substrings are decoded in place so rules can match the decoded value. Implemented indetect/codec/. See features/decoding. - Archive scanning (
--max-archive-depth): zip/tarball/7z/etc. contents are extracted and recursed into, with inner paths joined by!. Powered bymholt/archives. See features/archive-scanning.
Both features default to off (depth 0) so existing scans are unaffected.
Composite rules (early 2026 — v8.28.0)
Multi-part / "required" rules let a primary rule depend on auxiliary rule matches within configurable line/column proximity. Implemented in processRequiredRules (detect/detect.go). The README still flags this as experimental ("This is an experimental feature! It's subject to change so don't go sellin' a new B2B SaaS feature built on top of this feature."). See features/composite-rules.
Longest-standing features
These have survived every major rewrite and are still central:
| Feature | Introduced | Notes |
|---|---|---|
| Regex-based rules | Jan 2018 | The whole project hinges on this premise |
| Per-rule allowlists | 2019–2020 | Format renamed in v8.21.0 but semantics unchanged |
| Shannon entropy threshold | Early v7 | shannonEntropy in detect/utils.go |
gitleaks:allow inline marker |
Long-standing | Constant gitleaksAllowSignature in detect/detect.go |
.gitleaksignore fingerprints |
v8.10.0 | Documented as experimental in README |
Deprecated features
| Feature | Replaced by | When |
|---|---|---|
gitleaks detect (top-level) |
gitleaks git |
v8.19.0 — still works, hidden from --help |
gitleaks protect |
gitleaks git --pre-commit |
v8.19.0 |
gitleaks detect --no-git |
gitleaks dir |
v8.19.0 |
gitleaks detect --pipe |
gitleaks stdin |
v8.19.0 |
[rules.allowlist] (singular) |
[[rules.allowlists]] |
v8.21.0 |
[allowlist] (singular global) |
[[allowlists]] |
v8.25.0 |
detect.Fragment (type alias) |
sources.Fragment |
Will become breaking in v9 (see comment in detect/detect.go) |
Major rewrites
- v8 detector extraction (2022): pulled the scanner out of
cmd/intodetect/so external consumers could embed it. - Source interface (v8): the introduction of
sources.Sourceandsources.Fragmentdecoupled history scanning, directory walking, and stdin pipelining behind a single contract. - Pluggable regex engine (v8 series): the
regexp/package now selects the backend at compile time via thegore2regexbuild tag.
Growth trajectory
- 2018: solo project, basic git history scanning.
- 2019–2021: TOML configuration, default rule set grows beyond ~50 providers.
- 2022 (v8): rewrite into reusable detector library.
- 2024–2026: rule set climbs to ~220 providers; decoding, archives, and composite rules added.
- The repository now has 1,269 commits and 191 release tags. Recent contributor activity skews to a small core: Zachary Rice and Richard Gomez account for the bulk of changes in the last year, with several other regular contributors landing focused PRs (rule additions, bug fixes, performance work).
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.