Open-Source Wikis

/

Gitleaks

/

Lore

gitleaks/gitleaks

Lore

Gitleaks has been around since January 2018 and has accumulated nearly 1,300 commits across nine major versions. This page tells the story chronologically.

Eras

The original prototype (Jan 2018 – mid 2018)

The first commit (e1a5893 on 2018-01-27, "[init] diffing commits for all branches, work on concurrency") set the basic shape: walk a git repo's history, run regexes against each diff, report findings. The early version was tightly coupled to git history scanning — there was no dir or stdin mode yet.

Owner Zachary Rice was the sole committer for the first year of development. The project lived under github.com/zricethezav/gitleaks (which is still the Go module path you see in go.mod).

Configurability (mid 2018 – 2020)

The signature feature of this era was making detection rules user-configurable rather than hardcoded. The TOML configuration format was introduced, and the embedded default rule set (config/gitleaks.toml) became the public surface area new users would interact with most.

#422 (Global allowlist regex) was a notable expansion — allowing users to silence patterns globally instead of duplicating allowlists into every rule.

v7 to v8: the rewrite (2021 – 2022)

The v8 series, tagged starting in 2022, was a substantial rewrite. Key changes:

  • The detector was extracted into a clean package (detect/) with a Detector type that gitleaks-as-a-library users could drive directly.
  • sources.Source became a one-method interface, decoupling fragment production from scanning.
  • The keyword-prefilter (Aho-Corasick) was added in v8.6.0 to keep regex evaluation tractable as the rule set grew.

Command consolidation (Aug 2024 — v8.19.0)

Before v8.19.0 the CLI exposed detect (scan history) and protect (scan staged/diff for pre-commit) as siblings. v8.19.0 introduced top-level git, dir, and stdin commands, and hid the old detect/protect ones from --help. The legacy commands still exist in cmd/detect.go and cmd/protect.go and translate to the new code paths.

Allowlist plurality (late 2024 — v8.21.0 and v8.25.0)

Two backwards-compatible renames in this window:

  • v8.21.0: [rules.allowlist][[rules.allowlists]] (multiple allowlists per rule)
  • v8.25.0: [allowlist][[allowlists]] (multiple global allowlists, targetRules for shared allowlists)

The old singular forms still parse — see the AllowList/Allowlists shim fields in ViperConfig (config/config.go) marked // TODO: Remove this in 9.x.

Decoding and archives (mid 2025)

Two related capabilities landed close together:

  • Recursive decoding (--max-decode-depth): base64/hex/percent-encoded substrings are decoded in place so rules can match the decoded value. Implemented in detect/codec/. See features/decoding.
  • Archive scanning (--max-archive-depth): zip/tarball/7z/etc. contents are extracted and recursed into, with inner paths joined by !. Powered by mholt/archives. See features/archive-scanning.

Both features default to off (depth 0) so existing scans are unaffected.

Composite rules (early 2026 — v8.28.0)

Multi-part / "required" rules let a primary rule depend on auxiliary rule matches within configurable line/column proximity. Implemented in processRequiredRules (detect/detect.go). The README still flags this as experimental ("This is an experimental feature! It's subject to change so don't go sellin' a new B2B SaaS feature built on top of this feature."). See features/composite-rules.

Longest-standing features

These have survived every major rewrite and are still central:

Feature Introduced Notes
Regex-based rules Jan 2018 The whole project hinges on this premise
Per-rule allowlists 2019–2020 Format renamed in v8.21.0 but semantics unchanged
Shannon entropy threshold Early v7 shannonEntropy in detect/utils.go
gitleaks:allow inline marker Long-standing Constant gitleaksAllowSignature in detect/detect.go
.gitleaksignore fingerprints v8.10.0 Documented as experimental in README

Deprecated features

Feature Replaced by When
gitleaks detect (top-level) gitleaks git v8.19.0 — still works, hidden from --help
gitleaks protect gitleaks git --pre-commit v8.19.0
gitleaks detect --no-git gitleaks dir v8.19.0
gitleaks detect --pipe gitleaks stdin v8.19.0
[rules.allowlist] (singular) [[rules.allowlists]] v8.21.0
[allowlist] (singular global) [[allowlists]] v8.25.0
detect.Fragment (type alias) sources.Fragment Will become breaking in v9 (see comment in detect/detect.go)

Major rewrites

  • v8 detector extraction (2022): pulled the scanner out of cmd/ into detect/ so external consumers could embed it.
  • Source interface (v8): the introduction of sources.Source and sources.Fragment decoupled history scanning, directory walking, and stdin pipelining behind a single contract.
  • Pluggable regex engine (v8 series): the regexp/ package now selects the backend at compile time via the gore2regex build tag.

Growth trajectory

  • 2018: solo project, basic git history scanning.
  • 2019–2021: TOML configuration, default rule set grows beyond ~50 providers.
  • 2022 (v8): rewrite into reusable detector library.
  • 2024–2026: rule set climbs to ~220 providers; decoding, archives, and composite rules added.
  • The repository now has 1,269 commits and 191 release tags. Recent contributor activity skews to a small core: Zachary Rice and Richard Gomez account for the bulk of changes in the last year, with several other regular contributors landing focused PRs (rule additions, bug fixes, performance work).

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Lore – Gitleaks wiki | Factory