Betterleaks the new generation of secret detection that changes the rules of the game in development

Published · 5 min read · 140 reads

In the ecosystem of development security tools, a new open-source project has emerged that aims to raise the bar in the detection of leaked secrets: Betterleaks. It is a scanner that analyzes directories, files and Git repositories in search of credentials, tokens, private keys and other secrets that, by accident, end up in the code history. The idea is simple and urgent: find and mitigate secrets before attackers try them.

Betterleaks was born as a direct evolution of a tool already well known in the community: Gitleaks. Behind the project is Zach Rice, who led the development of Gitleaks and now drives this new initiative with support from Aikido, a Belgian company focused on securing the development lifecycle. You can review the code and documentation in the official Betterleaks repository on GitHub: https://github.com/betterleaks/betterleaks, and read the team's explanation on Aikido's blog: https://www.aikido.dev/blog/betterleaks-gitleaks-successor.

Image generated with AI.

Secret scanners are already a basic part of the toolbox of any organization that publishes code or works with shared repositories. Platforms such as GitHub offer secret scanning mechanisms, and specialized companies publish constant reports of credential leaks that went unnoticed. A secret in a public commit can become a direct key to attacking infrastructure, cloud services or third-party accounts. This is why early detection changes the risk significantly (see GitHub's documentation on secret scanning: https://docs.github.com/en/code-security/secret-scanning).

What makes Betterleaks different from other options? The project incorporates a number of technical decisions aimed at improving accuracy, performance and usability. One of the new developments is rule validation with CEL (Common Expression Language), which allows more expressive and safer conditions to be defined to confirm that a match really is a secret. CEL, driven by Google, makes it easier to write logical expressions over the findings; more information in the CEL specification: https://github.com/google/cel-spec.

In the field of detection, Betterleaks introduces an approach based on Byte Pair Encoding (BPE) tokenization rather than relying only on entropy measures. According to the benchmarks published by the project itself, this method achieves significantly higher sensitivity on the reference sets used to evaluate credential detectors. BPE is a text segmentation technique widely used in modern language models and tokenizers; if you want to understand it in depth, the Hugging Face tokenizers documentation is a good starting point: https://huggingface.co/docs/tokenizers/python/latest/components/tokenizer_models#byte-pair-encoding.
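To make the difference between the two approaches concrete, here is an added illustration (not Betterleaks' code; its real tokenizer and corpus are unknown to me) that learns BPE merges from a tiny constructed corpus of ordinary identifiers and then scores two constructed strings both ways. A readable identifier and a random-looking hex credential both clear a character-entropy bar, while only the credential resists merging under BPE:

```python
import math
from collections import Counter

# Constructed mini-corpus of ordinary identifiers standing in for "normal" code text.
CORPUS = ["database", "connection", "string", "password", "token", "secret",
          "config", "request", "response", "header", "client", "server",
          "user", "session"]

def shannon_entropy(s: str) -> float:
    """Bits per character: the classic heuristic secret scanners lean on."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def merge_pair(word: tuple, pair: tuple) -> tuple:
    """Fuse every adjacent occurrence of `pair` in `word` into one symbol."""
    out, i = [], 0
    while i < len(word):
        if i + 1 < len(word) and (word[i], word[i + 1]) == pair:
            out.append(word[i] + word[i + 1])
            i += 2
        else:
            out.append(word[i])
            i += 1
    return tuple(out)

def learn_bpe(corpus: list, max_merges: int = 500) -> list:
    """Learn BPE merges by repeatedly fusing the most frequent adjacent pair."""
    vocab = {tuple(w): 1 for w in corpus}
    merges = []
    for _ in range(max_merges):
        pairs = Counter()
        for word, freq in vocab.items():
            for a, b in zip(word, word[1:]):
                pairs[(a, b)] += freq
        if not pairs:  # every corpus word has collapsed into a single symbol
            break
        best = max(pairs, key=pairs.get)
        merges.append(best)
        vocab = {merge_pair(w, best): f for w, f in vocab.items()}
    return merges

def tokens_per_char(s: str, merges: list) -> float:
    """Share of characters the learned merges could not fuse; near 1.0 means
    the text looks like nothing in the corpus, i.e. random-looking."""
    word = tuple(s)
    for pair in merges:
        word = merge_pair(word, pair)
    return len(word) / len(s)

MERGES = learn_bpe(CORPUS)
READABLE = "database_connection_string"  # constructed ordinary identifier
HEX_LIKE = "7f3a9c1e5b2d8046fa1c9e3b"    # constructed random-looking credential
```

With a 3.0-bit entropy threshold both strings would be flagged, whereas the BPE ratio separates them (about 0.19 for READABLE versus 1.0 for HEX_LIKE), which is the kind of false positive an entropy-only scanner produces.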

Another important decision by the team has been to write Betterleaks entirely in pure Go, eliminating dependencies that in previous projects complicated distribution and installation, such as CGO or Hyperscan. This aims to make it easier to run in a variety of environments, from local machines to lightweight containers. For those who want to dig deeper, Hyperscan is a high-performance regular expression library developed by Intel: https://github.com/intel/hyperscan.

In practice, Betterleaks also improves aspects that generate noise day to day: it automatically handles content that has been encoded several times (for example, repeatedly URL-encoded strings), expands its rule set to support more service providers and parallelizes Git repository scanning to speed up large-scale analysis. Combined, these features seek to reduce false positives and accelerate detection when there are large volumes of code.
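The multi-layer decoding point is easy to miss, so here is an added example (my own, not Betterleaks' implementation) that peels repeated URL-encoding until the text stops changing, caps the depth so a pathological input cannot keep the scanner busy, and reports at which layer a constructed, fictitious "demo_" token surfaced:

```python
import re
from urllib.parse import unquote

# Constructed rule: a fictitious provider token "demo_" followed by 20 alphanumerics.
TOKEN_RE = re.compile(r"demo_[A-Za-z0-9]{20}")

def decode_layers(text: str, max_depth: int = 5) -> tuple:
    """Peel repeated URL-encoding until the text stops changing.
    Returns (decoded_text, layers_removed); max_depth bounds the work so a
    pathological input cannot keep the scanner decoding forever."""
    depth = 0
    while depth < max_depth:
        decoded = unquote(text)
        if decoded == text:
            break
        text, depth = decoded, depth + 1
    return text, depth

def find_tokens(text: str) -> list:
    """Match the rule against the fully decoded text and report the layer depth
    at which the match surfaced, so a finding can explain why it was not
    visible in the raw file."""
    decoded, depth = decode_layers(text)
    return [(m.group(0), depth) for m in TOKEN_RE.finditer(decoded)]

# Constructed sample: the token's underscore is double URL-encoded (%255F -> %5F -> _),
# so a regex on the raw line misses it and a single decode still misses it.
SAMPLE_LINE = "api_key=demo%255FABCDEFGHIJKLMNOPQRST"
```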

The project is not only technical: its roadmap includes features that reflect where development security is heading. Ideas under study include support for data sources other than Git repositories and local files, analysis assisted by language models to better classify findings, more refined detection filters, automatic remediation of secrets through provider APIs and mapping of the permissions associated with credentials. All of this aims to integrate Betterleaks into automated remediation flows, not just alerting.

As for the project's governance, Betterleaks is published under the MIT license and is co-maintained by people from different organizations, which seeks to combine transparency and accountability in maintenance. The team's background, with contributions from people who have worked in banking, in large open-source projects and in the cloud, helps development priorities take into account both the business environment and the developer community.

Image generated with AI.

From the perspective of those who develop software, incorporating this kind of tool can change the dynamics of secret management. Beyond running a one-off scan, the practical recommendation is to integrate the scanner into the CI/CD pipeline, combine it with policies that detect secrets in pre-commit hooks and establish clear rotation and revocation procedures when a leak is detected. Companies specializing in secret detection publish useful guides and metrics to contextualize these risks, for example the GitGuardian blog: https://www.gitguardian.com/blog/.

Finally, it should be stressed that tools are useful but not a magic solution. Prevention and response require complementary technical processes, education and controls: prevent commits containing secrets through hooks, use secret and credential managers for runtime environments, and have plans to rotate keys in case of exposure. Betterleaks provides technical and practical improvements that can reduce operational risk, but its real value is obtained when it is integrated into sustainable security policies.

If you want to explore Betterleaks for yourself, review the benchmarks or contribute, the starting point is the project repository: https://github.com/betterleaks/betterleaks, and for context about its relationship with Gitleaks and the reasons for the change of direction, the Aikido blog post offers a complete read: https://www.aikido.dev/blog/betterleaks-gitleaks-successor.
