Betterleaks Introduces Customizable Scanning to Prevent Credential Leaks

A new open-source tool called Betterleaks scans directories, files, and Git repositories and identifies valid secrets using default or customized rules.

In general, secret scanners act as specialized utilities that scour repositories for sensitive information, including credentials, API keys, private keys, and tokens that developers accidentally commit to source code.

Meanwhile, threat actors frequently scan configuration files in public repositories for sensitive details. Therefore, this type of security utility helps developers identify exposed secrets and protect them before attackers discover them.

Betterleaks: The Successor to Gitleaks

Notably, the new Betterleaks project serves as a more advanced successor to Gitleaks. The same team maintains the project with support from Aikido, a Belgian company that provides a platform designed to secure the development cycle.

Scanning speed comparison
Source: GitHub

Furthermore, Zach Rice, Head of Secrets Scanning at Aikido Security, develops Betterleaks. Rice also authored the widely used Gitleaks, which reached 26 million downloads on GitHub and more than 35 million pulls on Docker and GitHub Container Registry (GHCR).

“Betterleaks is the successor to Gitleaks. We’re dropping the “git” and slapping “better” on it because that’s what it is, better,” Rice says.

Rice created Betterleaks after he lost full control over Gitleaks, which he started developing eight years ago. As a result, the new tool introduces several advanced capabilities.

The current feature set includes:

• Rule-defined validation using CEL (Common Expression Language)
• Token Efficiency Scanning based on BPE tokenization rather than entropy, achieving 98.6% recall vs 70.4% with entropy on the CredData dataset
• Pure Go implementation with no CGO or Hyperscan dependency
• Automatic handling of doubly or triply encoded secrets
• Expanded rule set supporting more providers
• Parallelized Git scanning that speeds up repository analysis

Planned Features for Future Releases

In addition, the developer revealed several capabilities planned for the next version of Betterleaks, including:

• Support for additional data sources beyond Git repositories and files
• LLM-assisted analysis for improved secret classification
• Additional detection filters
• Automatic secret revocation through provider APIs
• Permissions mapping
• Further performance optimizations

Regarding governance, Rice explains that the project uses the open-source MIT license. In addition, three other maintainers support the project alongside him, including contributors from Royal Bank of Canada, Red Hat, and Amazon.

Finally, Rice emphasizes that Betterleaks’ design philosophy focuses on human-centric usability while also supporting AI agent workflows. For example, the tool includes CLI features optimized for automated systems that scan AI-generated code.

Source: BleepingComputer, Bill Toulas

Read more at Impreza News