gitleaks-rs is a Rust implementation of the gitleaks secret detection rule engine. It parses the gitleaks TOML config format and provides a fast, library-first API for detecting and redacting secrets in text.
The crate ships with the official 222-rule gitleaks config embedded at compile time — zero configuration required. Just create a Scanner and start scanning.
How it works:
- Keyword pre-filter — an Aho-Corasick automaton checks each line for rule keywords, skipping >95% of regex evaluations
- Regex matching — only rules whose keywords appear in the line are evaluated
- Entropy filtering — Shannon entropy discards low-randomness matches (placeholders, examples)
- Allowlists — global and per-rule allowlists suppress false positives by path, regex, or stopword
Add gitleaks-rs to your Cargo.toml:
[dependencies]
gitleaks-rs = "0.1"use gitleaks_rs::Scanner;
fn main() {
let scanner = Scanner::default();
let text = r#"
export AWS_ACCESS_KEY_ID=AKIAQWERTYUIO2QBKPXN
export GITHUB_TOKEN=ghp_xK4mN8pQ2rT6vW0yB3dF5hJ7lO9sU1wE3a5b
safe_variable = "hello world"
"#;
let findings = scanner.scan_text(text, None);
for f in &findings {
println!(
"[{}] line {} — {} (secret: {})",
f.rule_id,
f.line_number.unwrap(),
f.description,
f.secret,
);
}
println!("\n{} secret(s) found", findings.len());
}The examples/ directory contains runnable examples:
| Example | Description |
|---|---|
basic |
Scan a string for secrets and print findings |
advanced |
Custom rules, extending defaults, redaction, path filtering |
cargo run --example basic
cargo run --example advanced- 222 built-in rules — the official gitleaks rule set is embedded at compile time
- Keyword pre-filtering — Aho-Corasick automaton skips rules whose keywords are absent, reducing regex evaluations by >95%
- Shannon entropy filtering — discards low-randomness matches (placeholders, examples)
- Global and per-rule allowlists — suppress findings by path, regex, or stopword
- Secret redaction — replace detected secrets with a configurable replacement string
- Custom configs — load your own TOML rules, build configs programmatically with
ConfigBuilder, or extend the defaults - File scanning — scan files from disk with path-based rule matching
- Zero non-Rust dependencies — no Go binary, no FFI
- Thread-safe —
ScannerisSend + Sync, shareable viaArc<Scanner>
| Type | Purpose |
|---|---|
Config |
Parsed gitleaks TOML config (rules + allowlists) |
Scanner |
Precompiled rule engine — scan_line, scan_text, scan_file, redact_* |
Finding |
A detected secret (rule ID, secret value, offsets, entropy) |
RedactResult |
Redacted text + findings + replacement count |
ConfigBuilder |
Programmatic config construction (no TOML needed) |
Error |
Parse, validation, I/O, and regex errors |
gitleaks-rs is designed for embedding in latency-sensitive tools:
- Keyword pre-filtering eliminates >95% of regex evaluations — most lines never touch the regex engine
- One-time compilation — all regexes and the Aho-Corasick automaton are built once at
Scanner::new(), not per scan - Design goal: <100ms to scan 1 MB of text with all 222 rules (not yet benchmarked)
- Design goal: <100ms for
Scanner::new()cold start (not yet benchmarked)
- API docs: https://docs.rs/gitleaks-rs
- Bug reports & feature requests: GitHub Issues
Contributions are welcome! Please open an issue to discuss your idea before submitting a pull request. See GitHub Issues for known work items.
gitleaks-rs is built against the latest stable Rust release. No MSRV policy has been established yet.
- gitleaks — the upstream Go implementation by Zach Rice.
gitleaks-rsimplements the same rule engine and uses the same TOML config format (v8.25.0). - ripsecrets — a Rust secret scanner with its own pattern set. Does not parse the gitleaks config format.
- secretscan — another Rust secret scanner with a custom rule engine. Does not support the gitleaks rule set.
gitleaks-rs differs by implementing the full gitleaks rule engine (keywords, entropy, allowlists, secretGroup, regexTarget, condition) and embedding the official 222-rule config.
MIT