Betterleaks: A New Generation of Open-Source Secrets Scanning
A new open-source tool, Betterleaks, has emerged as the successor to Gitleaks. It finds exposed secrets in code repositories, files, and standard input. It was written by Zach Rice, the original author of Gitleaks and now Head of Secrets Scanning at Aikido Security, and is intended to be a more capable and efficient way to catch credentials, API keys, and other sensitive values that were committed to source code by mistake.
The Growing Threat of Exposed Secrets
Secret scanners have become a baseline control in modern software development. Threat actors routinely crawl public repositories for exposed credentials, and a leaked key is often abused within minutes of being pushed, so developers need to find and rotate sensitive data before it is picked up. Betterleaks is aimed at exactly this problem.
From Gitleaks to Betterleaks: A New Beginning
Betterleaks exists because Rice no longer had full control over the Gitleaks repository. That prompted a new project that builds on the Gitleaks foundation with significant improvements and new features. As Rice put it: “Betterleaks is the successor to Gitleaks. We’re dropping the ‘git’ and slapping ‘better’ on it because that’s what it is, better.”
Key Features of Betterleaks
- Rule-Defined Validation using CEL: Rules can describe, in Common Expression Language (CEL), how to check whether a detected secret is actually live. Betterleaks then issues the corresponding HTTP request to the provider and reports the result, so a finding can be triaged as a working credential rather than a pattern match.
- Token Efficiency Scanning: Instead of relying only on Shannon entropy, Betterleaks scores candidate strings by how many Byte Pair Encoding (BPE) tokens they need. Random-looking secrets tokenize far less efficiently than ordinary identifiers and prose, which makes the signal more discriminating. On the CredData dataset the project reports 98.6% recall with this approach, against 70.4% for entropy-based detection.
- Pure Go Implementation: Betterleaks is written entirely in Go with no cgo and no Hyperscan dependency, so it builds and ships as a single static binary with no native library to compile, package, or patch.
- Automatic Handling of Encoded Secrets: Secrets hidden under two or three layers of encoding (for example a base64 value that is itself base64-encoded) are decoded and scanned automatically, so wrapping a key in an encoding no longer hides it from the rules.
- Expanded Rule Set: Betterleaks includes an expanded rule set to cover a wider range of providers and secret types.
- Parallelized Git Scanning: Faster repository analysis is achieved through parallelized Git scanning.
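The following is an added Go example, not Betterleaks' own code, that shows the mechanics behind rule-defined validation. Betterleaks writes the probe in CEL; this example hard-codes the equivalent probe in a Go struct so the flow is visible end to end. The rule, the `demo_` key format, the `/v1/whoami` endpoint, the header, and both tokens are constructed for the example, and a local `httptest` server stands in for the provider's API. The practitioner's caveat it demonstrates: validation sends the secret to the provider, so it should only run from an environment that is allowed to make that outbound call, and a probe that fails for network reasons or returns an unexpected status must stay "unknown" rather than being reported as a false positive.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// Verdict is the outcome of probing a provider with a detected secret.
type Verdict int

const (
	Unknown Verdict = iota // provider unreachable or unexpected status: keep the finding
	Valid                  // provider accepted the secret: it is live and must be revoked
	Invalid                // provider rejected the secret: likely revoked or a placeholder
)

func (v Verdict) String() string { return [...]string{"unknown", "valid", "invalid"}[v] }

// Rule pairs a detection regex with the HTTP probe that confirms a match.
// Betterleaks expresses the probe in CEL; this struct is a hand-written stand-in.
type Rule struct {
	ID        string
	Pattern   *regexp.Regexp
	Endpoint  string // hypothetical "whoami" endpoint of the provider
	Header    string // header that carries the credential
	Prefix    string // e.g. "Bearer "
	ValidOn   []int  // statuses that prove the credential works
	InvalidOn []int  // statuses that prove it does not
}

func contains(xs []int, x int) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Validate sends the secret to the rule's endpoint and maps the status to a Verdict.
// Anything outside ValidOn/InvalidOn (timeouts, 5xx, 429) stays Unknown.
func (r Rule) Validate(ctx context.Context, client *http.Client, secret string) Verdict {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, r.Endpoint, nil)
	if err != nil {
		return Unknown
	}
	req.Header.Set(r.Header, r.Prefix+secret)
	resp, err := client.Do(req)
	if err != nil {
		return Unknown
	}
	resp.Body.Close()
	switch {
	case contains(r.ValidOn, resp.StatusCode):
		return Valid
	case contains(r.InvalidOn, resp.StatusCode):
		return Invalid
	default:
		return Unknown
	}
}

// Finding is one regex hit plus its validation result.
type Finding struct {
	Rule    string
	Secret  string
	Verdict Verdict
}

// ScanAndValidate runs every rule over text and probes each hit.
func ScanAndValidate(ctx context.Context, client *http.Client, rules []Rule, text string) []Finding {
	var out []Finding
	for _, r := range rules {
		for _, m := range r.Pattern.FindAllString(text, -1) {
			out = append(out, Finding{Rule: r.ID, Secret: m, Verdict: r.Validate(ctx, client, m)})
		}
	}
	return out
}

// Constructed tokens for the demo; neither is a real credential.
const (
	liveToken    = "demo_kQ7xP2mL9vB4nR8cW3hJ6tY1sF5gD0zA"
	revokedToken = "demo_A0zDg5Fs1Yt6Jh3Wc8Rn4Bv9Lm2Px7Qk"
)

// FakeProvider stands in for a real API: it accepts liveToken and rejects everything else.
func FakeProvider() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Header.Get("Authorization") == "Bearer "+liveToken {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

// Demo wires a constructed rule to the fake provider and returns verdicts keyed by secret.
// The "unreachable" entry shows that a dead provider yields Unknown, not Invalid.
func Demo() map[string]Verdict {
	srv := FakeProvider()
	rule := Rule{
		ID:        "demo-api-key", // constructed rule, not from Betterleaks' rule set
		Pattern:   regexp.MustCompile(`demo_[A-Za-z0-9]{32}`),
		Endpoint:  srv.URL + "/v1/whoami",
		Header:    "Authorization",
		Prefix:    "Bearer ",
		ValidOn:   []int{http.StatusOK},
		InvalidOn: []int{http.StatusUnauthorized, http.StatusForbidden},
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	client := &http.Client{Timeout: 2 * time.Second}
	text := "API_KEY=" + liveToken + "\nOLD_KEY=" + revokedToken + "\n" // constructed input
	res := map[string]Verdict{}
	for _, f := range ScanAndValidate(ctx, client, []Rule{rule}, text) {
		res[f.Secret] = f.Verdict
	}
	srv.Close()
	res["unreachable"] = rule.Validate(ctx, client, liveToken) // provider is gone now
	return res
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-40s %s\n", k, v)
	}
}
```

The `ValidOn`/`InvalidOn` split is the design point: a provider that returns 429 because the scanner is being rate-limited, or a corporate proxy that blocks the request, must not turn a live key into a "false positive" in the report.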
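As an added example, not code from the project, the scanner below shows how multiply encoded secrets are recovered and what the entropy baseline mentioned above actually scores. It peels base64, hex and URL encoding off any long token, re-runs its rules at every layer, and stops at a depth limit; a decode that yields binary garbage is discarded so a wrong decoder is never followed deeper. The two rules, the `demo_` key format and the config file are constructed for the example; the `AKIAIOSFODNN7EXAMPLE` value is AWS's documented placeholder access key ID, not a real credential.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math"
	"net/url"
	"regexp"
	"strings"
)

// Finding is a rule hit together with the decode layers that exposed it.
type Finding struct {
	Rule    string
	Secret  string
	Depth   int      // 0 = found in the raw text
	Path    []string // decoders applied, outermost first
	Entropy float64  // Shannon entropy of the secret, bits per character
}

type rule struct {
	id string
	re *regexp.Regexp
}

// Illustrative rules only; these are not Betterleaks' rule set.
var rules = []rule{
	{"demo-api-key", regexp.MustCompile(`demo_[A-Za-z0-9]{32}`)}, // constructed key format
	{"aws-access-key-id", regexp.MustCompile(`AKIA[0-9A-Z]{16}`)},
}

// candidateRe picks out long runs that could be an encoded blob.
var candidateRe = regexp.MustCompile(`[A-Za-z0-9+/=_%-]{16,}`)

// ShannonEntropy is the per-character score an entropy-based scanner thresholds on.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// printable rejects binary garbage so a wrong decoder is not followed deeper.
func printable(b []byte) bool {
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return len(b) > 0
}

type decoder struct {
	name string
	fn   func(string) ([]byte, error)
}

var decoders = []decoder{
	{"base64", func(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(s) }},
	{"hex", func(s string) ([]byte, error) { return hex.DecodeString(s) }},
	{"url", func(s string) ([]byte, error) {
		if !strings.Contains(s, "%") {
			return nil, fmt.Errorf("not url-encoded")
		}
		u, err := url.QueryUnescape(s)
		return []byte(u), err
	}},
}

// ScanText applies every rule to text, then peels one encoding layer off each
// candidate blob and rescans the result, up to maxDepth layers deep.
func ScanText(text string, maxDepth int) []Finding {
	return scan(text, 0, maxDepth, nil)
}

func scan(text string, depth, maxDepth int, path []string) []Finding {
	var out []Finding
	for _, r := range rules {
		for _, m := range r.re.FindAllString(text, -1) {
			out = append(out, Finding{Rule: r.id, Secret: m, Depth: depth,
				Path: append([]string(nil), path...), Entropy: ShannonEntropy(m)})
		}
	}
	if depth >= maxDepth {
		return out
	}
	for _, cand := range candidateRe.FindAllString(text, -1) {
		for _, d := range decoders {
			decoded, err := d.fn(cand)
			if err != nil || !printable(decoded) || string(decoded) == cand {
				continue
			}
			next := append(append([]string(nil), path...), d.name)
			out = append(out, scan(string(decoded), depth+1, maxDepth, next)...)
		}
	}
	return out
}

// Constructed key for the demo; not a real credential.
const demoKey = "demo_kQ7xP2mL9vB4nR8cW3hJ6tY1sF5gD0zA"

func b64(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
func hx(s string) string  { return hex.EncodeToString([]byte(s)) }

// SampleConfig is a constructed config file with the key exposed at four depths.
func SampleConfig() string {
	return strings.Join([]string{
		"aws_access_key_id = AKIAIOSFODNN7EXAMPLE", // AWS's documented placeholder, depth 0
		"api_key = " + demoKey,                      // plaintext, depth 0
		"api_key_b64 = " + b64(demoKey),             // base64, depth 1
		"api_key_hex = " + hx(b64(demoKey)),         // hex(base64(key)), depth 2
		"api_key_triple = " + b64(hx(b64(demoKey))), // base64(hex(base64(key))), depth 3
	}, "\n")
}

func main() {
	for _, f := range ScanText(SampleConfig(), 3) {
		fmt.Printf("%-18s depth=%d via=%v entropy=%.2f %s\n", f.Rule, f.Depth, f.Path, f.Entropy, f.Secret)
	}
}
```

Two details matter in practice. The depth limit is a cost bound, not a correctness one: every candidate token is tried against every decoder at every layer, so scanning time grows with depth and a scanner needs a cap. And the `printable` filter is what keeps a wrong decoder from producing noise, since a hex string of suitable length is also syntactically valid base64.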
Future Development and Roadmap
The development team has outlined several features planned for future versions of Betterleaks, including:
- Support for additional data sources beyond Git repositories and files.
- Integration of Large Language Models (LLMs) for improved secret classification.
- More detection filters to refine scanning accuracy.
- Automatic secret revocation via provider APIs.
- Permissions mapping, so a validated secret can be reported together with what it grants access to.
- Ongoing performance optimizations.
Community and Governance
Betterleaks is open source under the MIT license. It is maintained by a team of contributors that includes individuals from Royal Bank of Canada, Red Hat, and Amazon, so the project is not dependent on a single maintainer.
Designed for the Agentic Era
Rice emphasized that Betterleaks is designed for both human users and AI agent workflows, with CLI options intended for automated tools that scan AI-generated code before it is committed.
Betterleaks is a notable step forward in open-source secrets scanning for developers and security teams alike. Its emphasis on speed, detection accuracy, and validation of what it finds makes it a useful component in securing the software supply chain.