3 open source tools compared. Sorted by stars. Scroll down for our analysis.
| Tool | Description | Stars | Velocity | Score |
|---|---|---|---|---|
| gitleaks | Find secrets with Gitleaks 🔑 | 28.0k | +101/wk | 87 |
| trufflehog | Find, verify, and analyze leaked credentials | 26.9k | +64/wk | 75 |
| detect-secrets | An enterprise friendly way of detecting and preventing secrets in code. | 4.6k | - | 59 |
Gitleaks runs locally or in CI, checks every commit, and flags anything that looks like a credential. MIT license, Go. Fast. Scans entire repositories in seconds. Comes with 150+ built-in rules for common secret patterns: AWS keys, Stripe tokens, private keys, JWTs. You can add custom rules via a TOML config. Runs as a pre-commit hook or in GitHub Actions, GitLab CI, any pipeline. The CLI tool is fully free and open source. Gitleaks also offers a commercial SaaS product at gitleaks.io with team dashboards and centralized management, but the core scanner is the same. For solo developers and small teams: install it, add the pre-commit hook, done. Five minutes of setup, zero ongoing cost. Medium to large teams might want the commercial dashboard for visibility across repos. The catch: Gitleaks finds secrets, but it doesn't revoke them. When it flags a leaked AWS key, you still need to rotate it yourself. And regex-based detection means false positives happen; high-entropy strings in test fixtures will trigger alerts. You'll spend some time tuning your .gitleaks.toml allowlist.
TruffleHog finds leaked secrets in your code (API keys, passwords, tokens) and verifies whether they're actually live and valid. That's the key difference from other secret scanners. Instead of flagging every high-entropy string, TruffleHog checks if that AWS key still works, if that Slack token is active, if that database password connects. AGPL v3, Go. Scans Git repos, GitHub/GitLab orgs, S3 buckets, Docker images, and filesystems. 800+ credential detectors with built-in verification. The CLI is fast and the output tells you exactly which secrets are verified-active vs. unverified. The open source CLI is free under AGPL. Truffle Security offers an Enterprise platform with a dashboard, API, team management, and continuous monitoring. Pricing is custom. For solo developers and small teams: the CLI is everything you need. Run it on your repos, pipe it into CI, done. Medium teams: the CLI still works, but the Enterprise dashboard adds visibility. Large teams: Enterprise for org-wide scanning and compliance reporting. The catch: AGPL license. If you're building a product that incorporates TruffleHog, the copyleft terms require you to open source your code. For internal use it doesn't matter, but SaaS products need to be careful. Also, verification means TruffleHog actually attempts to authenticate with found credentials. In rare cases, this could trigger rate limits or account lockouts on the service being tested.
detect-secrets stops credentials from getting committed to your repo in the first place. It scans code for things that look like passwords, API keys, and tokens, and it's built to run as a pre-commit hook so a leaked secret gets caught before it ever lands in git history. Open source, from Yelp, free. Its trick is a baseline file: it records the secrets it already knows about, including false positives you've marked, so it only alerts on new ones. That keeps it quiet enough to actually leave enabled, which is the whole game with secret scanning. Setup is a pip install and a pre-commit config, and it runs locally with no service. Fully free, no paid tier. It sits in a crowded space: Gitleaks and TruffleHog are the other open source options, and each has a slightly different angle. detect-secrets leans hardest into the pre-commit, baseline-driven workflow, which makes it a strong default for stopping leaks at the source rather than finding them after. The catch: it catches secrets that match its detectors and heuristics, not every possible secret. A credential in an unusual format can slip past, and the baseline approach means a secret already in your history won't get flagged. It's prevention going forward, not a cleanup tool for what already leaked.
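The mechanics behind the Gitleaks allowlist tuning and the detect-secrets baseline described above (regex rules, an entropy threshold that separates real keys from placeholders, a path allowlist for fixtures, and a fingerprint store so only new findings alert) fit in a short sketch. This is an added illustration in Python, not code from any of the three projects; the rule patterns, the `tests/fixtures/` allowlist path, the 4.0 bits/char threshold, and the `rule:path:secret` fingerprint scheme are all constructed assumptions, and the sample inputs are not real credentials.

```python
import hashlib
import math
import re

# Constructed rules in the spirit of Gitleaks' regex rule set (hypothetical, not the project's
# own file). AWS key IDs are "AKIA" + 16 uppercase alphanumerics; the generic rule adds entropy.
RULES = {
    "aws-access-key-id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    "generic-high-entropy": (re.compile(r"""['"]([A-Za-z0-9+/=]{32,})['"]"""), 4.0),
}
# Path allowlist, the role the .gitleaks.toml allowlist plays (assumed pattern).
ALLOWLIST_PATHS = [re.compile(r"^tests?/fixtures/")]

def shannon_entropy(s: str) -> float:
    """Bits per character: the heuristic behind 'high-entropy string' detectors."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_file(path: str, text: str) -> list[dict]:
    """Apply every rule to every line; allowlisted paths are skipped entirely."""
    if any(p.search(path) for p in ALLOWLIST_PATHS):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, (regex, min_entropy) in RULES.items():
            for m in regex.finditer(line):
                secret = m.group(1)
                if shannon_entropy(secret) < min_entropy:
                    continue  # low-entropy match: "aaaa..." placeholders, not keys
                # Stable id for the finding, like the hashed secret a baseline file records.
                fp = hashlib.sha256(f"{rule}:{path}:{secret}".encode()).hexdigest()
                findings.append({"rule": rule, "path": path, "line": lineno, "fingerprint": fp})
    return findings

def new_findings(findings: list[dict], baseline: set[str]) -> list[dict]:
    """Baseline-driven filtering: only fingerprints not already recorded alert."""
    return [f for f in findings if f["fingerprint"] not in baseline]

# Constructed sample inputs; neither value is a real credential.
FIXTURE = 'TOKEN = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"\n'
CONFIG = ('aws_access_key_id = AKIAEXAMPLEKEY123456\n'
          'placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"\n')

if __name__ == "__main__":
    baseline: set[str] = set()  # empty on the first run, so every finding alerts
    for path, text in [("tests/fixtures/tokens.py", FIXTURE), ("config.ini", CONFIG)]:
        for f in new_findings(scan_file(path, text), baseline):
            print(f"{f['path']}:{f['line']} {f['rule']}")
            baseline.add(f["fingerprint"])  # accept into the baseline after triage
```

The fixture file is silenced by the path allowlist, the all-`a` placeholder by the entropy threshold, and a second run against the same baseline reports nothing, which is exactly why a secret already in history never surfaces once it has been accepted.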