Betterleaks is a new open-source secrets scanner from Zach Rice, creator of the widely used Gitleaks project. Sponsored by the security firm Aikido, Betterleaks is positioned as a modern successor to Gitleaks, offering faster scanning, improved filtering, and expanded capabilities for detecting exposed credentials across codebases, files, and Git repositories. API keys, access tokens, passwords, and other private credentials are routinely leaked through source code repositories and configuration files.

Attackers actively hunt for these exposed secrets because a single leaked key can give them immediate access to cloud services, databases, or internal systems. Betterleaks and similar tools aim to find such leaks automatically before they can be abused. Rice first began developing secret detection tools eight years ago after discovering exposed credentials on GitHub.

His first project, Gitleaks, became one of the most popular open-source secrets scanners, with millions of downloads, and is now a standard tool for developers, businesses, and security researchers. Rice no longer has full control over the Gitleaks repository and brand, which is why he started a new project.

Betterleaks is intended to keep pace with newer secret-detection techniques while remaining compatible with existing Gitleaks workflows. It is designed as a drop-in replacement for Gitleaks, so organizations can switch without changing their current configuration or command-line options: the same commands and settings continue to work, with better performance and new detection features on top. The first release, Betterleaks v1.0.0, bundles several technical improvements aimed at faster and more accurate scanning.

Key features of the release include the following.

Rule-defined validation: Betterleaks uses the Common Expression Language (CEL) to express validation logic, so users can write flexible rules that decide whether a candidate match is really a secret.

Token-efficiency scanning: Betterleaks does not rely on entropy-based detection alone. It also measures how efficiently a candidate string tokenizes under Byte Pair Encoding (BPE), the idea being that random credentials split into far more tokens per character than ordinary code or prose. On the CredData dataset this method reached 98.6% recall, against 70.4% for traditional entropy-based methods.

Pure Go implementation: The tool is written entirely in Go with no CGO dependency, which simplifies deployment across environments while keeping performance high.

Multi-layer decoding: Betterleaks can automatically detect double- or triple-encoded secrets, a common way of hiding credentials from naive scanners.

Parallel Git repository scanning: Parallelized processing lets large Git repositories be scanned far more quickly.
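As an added illustration of the multi-layer decoding idea above (example code written for this article, not Betterleaks' or Gitleaks' own implementation, which is not shown here), the following Go program peels base64, base64url and hex layers off candidate tokens and re-scans each decoded result. The single detection rule (a regex for AWS-style access key IDs), the printable-text heuristic, the candidate-token regex and the sample configuration are all assumptions made for this example; the sample secret is the AWS documentation example key AKIAIOSFODNN7EXAMPLE, not a real credential.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Finding records where a secret surfaced: Depth 0 is the raw input,
// Depth n means n encoding layers had to be peeled off first.
type Finding struct {
	Secret string
	Depth  int
}

// secretRe is one illustrative rule (assumption for this example):
// AWS-style access key IDs, "AKIA" followed by 16 uppercase alphanumerics.
var secretRe = regexp.MustCompile(`AKIA[0-9A-Z]{16}`)

// candidateRe picks out runs that could be base64, base64url or hex,
// with optional base64 padding. Runs shorter than 16 chars are skipped
// to limit noise (threshold is an assumption for this example).
var candidateRe = regexp.MustCompile(`[A-Za-z0-9+/_-]{16,}={0,2}`)

var hexRe = regexp.MustCompile(`^[0-9a-fA-F]+$`)

// isPrintable rejects decodes that produced binary junk. Ordinary
// identifiers often happen to be valid base64; this check is what stops
// them from being recursed into as if they were an encoding layer.
func isPrintable(b []byte) bool {
	if len(b) == 0 {
		return false
	}
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return true
}

// decodeLayer strips one encoding layer, trying the strictest alphabet
// (hex) first so that a hex string is not misread as base64.
func decodeLayer(tok string) (string, bool) {
	if len(tok)%2 == 0 && hexRe.MatchString(tok) {
		if b, err := hex.DecodeString(tok); err == nil && isPrintable(b) {
			return string(b), true
		}
	}
	for _, enc := range []*base64.Encoding{
		base64.StdEncoding, base64.RawStdEncoding,
		base64.URLEncoding, base64.RawURLEncoding,
	} {
		if b, err := enc.DecodeString(tok); err == nil && isPrintable(b) {
			return string(b), true
		}
	}
	return "", false
}

// findEncodedSecrets scans text with the rule, then recursively decodes
// every candidate token up to maxDepth layers and scans each decoded
// result again. The depth cap is essential: every decoded layer yields
// new candidate tokens, so unbounded recursion would never terminate on
// adversarial input.
func findEncodedSecrets(text string, maxDepth int) []Finding {
	var out []Finding
	seen := map[Finding]bool{}
	var walk func(s string, depth int)
	walk = func(s string, depth int) {
		for _, m := range secretRe.FindAllString(s, -1) {
			f := Finding{Secret: m, Depth: depth}
			if !seen[f] {
				seen[f] = true
				out = append(out, f)
			}
		}
		if depth >= maxDepth {
			return
		}
		for _, tok := range candidateRe.FindAllString(s, -1) {
			if dec, ok := decodeLayer(tok); ok {
				walk(dec, depth+1)
			}
		}
	}
	walk(text, 0)
	return out
}

// sampleConfig builds a constructed config file containing the same key
// in plain, hex-encoded and double-base64-encoded form.
func sampleConfig() string {
	secret := "AKIAIOSFODNN7EXAMPLE" // AWS documentation example key, not a real credential
	once := base64.StdEncoding.EncodeToString([]byte(secret))
	twice := base64.StdEncoding.EncodeToString([]byte(once))
	return strings.Join([]string{
		"# constructed sample, not a real config",
		"aws_access_key_id = " + secret,
		"key_hex = " + hex.EncodeToString([]byte(secret)),
		"key_b64x2 = " + twice,
	}, "\n")
}

func main() {
	for _, f := range findEncodedSecrets(sampleConfig(), 3) {
		fmt.Printf("depth=%d secret=%s\n", f.Depth, f.Secret)
	}
}
```

Running the program reports the same key three times, at depths 0, 1 and 2. An entropy-only or regex-only scanner would see just the first. Two design points carry over to any real scanner: the printable-text check is what keeps ordinary identifiers (which are frequently valid base64) from being treated as an encoding layer, and the depth cap bounds the work per token, since each successful decode spawns a fresh set of candidates.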

Betterleaks can scan Git repositories, directories, individual files, and standard input, which makes it a natural fit for development pipelines, CI/CD systems, and security automation workflows. The project's roadmap extends this automation further.

Planned version 2 features include scanning additional data sources, using LLMs to help classify ambiguous secrets, automatically revoking leaked secrets through provider APIs, and permission mapping to determine what an exposed credential can actually access. Betterleaks is open source under the MIT license. It is backed by several maintainers from companies including Amazon, Red Hat, and the Royal Bank of Canada, which is intended to keep the project stable over time and give the community a say in its governance.

Secret exposure remains a major security risk in modern software development. By providing faster and more accurate detection, Betterleaks and tools like it help developers and security teams find sensitive data before attackers can exploit it.