GitLeaks and TruffleHog are open-source tools that scan Git repositories for accidentally embedded secrets — API keys, passwords, tokens, private keys, and database connection strings.
Embedded secrets in code repositories are a frequent and critical security mistake. Deleting a secret in a later commit does not undo the exposure: the original commit remains in the Git history, in every clone and fork that has already pulled it, and is still discoverable. GitLeaks and TruffleHog therefore scan the entire commit history rather than only the current tree, detecting secrets through regular expressions for known token formats and Shannon-entropy analysis for random-looking strings; TruffleHog can additionally verify many findings against the issuing service's API to separate live credentials from dead ones. Both can be integrated as pre-commit hooks or into CI/CD pipelines to catch secrets before they are pushed. Any secret found must be treated as compromised and rotated immediately; rewriting history to purge it is only a secondary cleanup, since copies may already exist elsewhere.
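To make the detection approach concrete, here is a small scanner written for this page (it is not code from GitLeaks or TruffleHog, which ship far more rules and handle many more edge cases) that applies both strategies the tools use, format-specific regular expressions and Shannon-entropy analysis, to every added line in a repository's full `git log -p --all` output, so a secret deleted in a later commit is still reported. The rule set, the 4.0-bit entropy threshold, the candidate-token pattern and the sample lines are assumptions made for illustration; the AWS access key ID in the sample is the placeholder value from AWS's own documentation, not a real credential.

```python
"""Minimal Git-history secret scanner in the style of GitLeaks/TruffleHog.

Added example for this page, not code from either project. Two detectors
are combined: regular expressions for known secret formats and Shannon
entropy for random-looking strings. scan_history() feeds every added line
of `git log -p --all` through them, so a secret deleted in a later commit
is still reported. Assumes a `git` binary on PATH when scanning a repo.
"""
from __future__ import annotations

import math
import re
import subprocess
from dataclasses import dataclass

# Format-specific rules (illustrative subset; real tools ship hundreds).
# The AWS and GitHub prefixes are the documented formats; "generic-assignment"
# catches password = "..." style lines regardless of provider.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Entropy pass: any run of 20+ base64/hex-ish characters is a candidate.
CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed threshold for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, used to spot random-looking tokens."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    rule: str
    secret: str
    line: str


def scan_line(line: str) -> list[Finding]:
    """Apply the regex rules, then the entropy pass on anything they missed."""
    findings: list[Finding] = []
    for name, pattern in RULES.items():
        for m in pattern.finditer(line):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(name, secret, line.strip()))
    seen = [f.secret for f in findings]
    for m in CANDIDATE.finditer(line):
        token = m.group(0)
        # Skip tokens already covered by (or contained in) a named-rule match.
        if any(token in s or s in token for s in seen):
            continue
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high-entropy", token, line.strip()))
    return findings


def scan_lines(lines: list[str]) -> list[Finding]:
    return [f for line in lines for f in scan_line(line)]


def scan_history(repo: str = ".") -> list[Finding]:
    """Scan every added line of every commit on every branch of `repo`."""
    log = subprocess.run(
        ["git", "-C", repo, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout
    added = [l[1:] for l in log.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return scan_lines(added)


# Constructed sample of "added" diff lines; the AWS key ID is the placeholder
# from AWS's own documentation, the rest are made up for this example.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'DB_PASSWORD = "correct-horse-battery"',
    'SIGNING_KEY=aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY',
    '-----BEGIN RSA PRIVATE KEY-----',
    'print("hello world, no secrets here")',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"[{f.rule}] {f.secret!r} in: {f.line}")
    # To scan the repository in the current directory instead:
    # for f in scan_history("."): print(f"[{f.rule}] {f.line}")
```

Run on the sample, the scanner reports the AWS key by format, the database password by the generic assignment rule, the signing key purely by entropy (32 distinct characters give 5.0 bits per character) and the PEM header by its banner, while the harmless `print` line produces nothing. The entropy pass is what catches secrets with no recognisable prefix, but it also flags hashes, base64-encoded assets and minified code, which is why the real tools support allowlists and why a pre-commit hook would run the same detectors over `git diff --cached` rather than the whole history.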