Gitleaks Creator Launches Betterleaks, Next-Generation Open-Source Secrets Scanner
Key Takeaways
- Betterleaks achieves 98.6% recall using token efficiency-based detection, compared to 70.4% with traditional entropy methods
- The tool maintains full backward compatibility with Gitleaks while offering superior performance and a cleaner pure-Go codebase
- Future versions will integrate LLM assistance, auto-revocation APIs, permissions mapping, and multi-source scanning capabilities
Summary
Zricethezav, the original creator of Gitleaks, has launched Betterleaks, a new open-source secrets scanner sponsored by Aikido Security. Betterleaks serves as a spiritual successor to Gitleaks, which has become the most-starred secrets scanner on GitHub with 26 million downloads on GitHub and 1.2 million via Homebrew. The creator developed Betterleaks after losing full control of the Gitleaks repository, seeking to build "something better" with fresh opportunities for innovation.
Betterleaks is designed as a drop-in replacement for Gitleaks, maintaining backward compatibility with existing CLI options and configurations while delivering significant performance and functionality improvements. The v1.0.0 release introduces several advanced features: Rule Defined Validation using Common Expression Language (CEL), Token Efficiency Scanning based on BPE tokenization (achieving 98.6% recall versus entropy's 70.4%), a pure Go implementation without CGO dependencies, default encoding detection, parallelized Git scanning, and an expanded rule set covering new providers.
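To make the entropy-versus-token-efficiency distinction concrete, the following is an added illustration written for this page; it is not Betterleaks or Gitleaks code and does not reproduce either project's scoring or thresholds. It uses a tiny constructed vocabulary with greedy longest-match as a stand-in for a trained BPE encoder (a real scanner would use a full BPE vocabulary such as one learned from text and code), and the thresholds `ENTROPY_THRESHOLD` and `MAX_CHARS_PER_TOKEN` are assumptions chosen to show the behaviour. The sample candidates are constructed and none is a real credential. The idea being demonstrated is the one the article describes: random secret material compresses poorly under a tokenizer trained on natural text (few characters per token), so low-alphabet secrets that never clear a per-character entropy bar still stand out.

```python
import math
from collections import Counter
from typing import List

# Constructed stand-in vocabulary (assumption, not a real tokenizer). A trained BPE
# vocabulary has tens of thousands of merges learned from text and code; this toy list
# only reproduces the property the heuristic relies on: frequent words and separators
# collapse into a single token, while random characters do not.
VOCAB = {
    "password", "secret", "config", "example", "token", "github", "access",
    "key", "user", "name", "value", "data", "test", "the", "and", "id",
    "_", "-", "=", ":",
}
MAX_PIECE = max(len(piece) for piece in VOCAB)

# Illustrative thresholds (assumptions; the article does not give Betterleaks's cut-offs).
ENTROPY_THRESHOLD = 3.0     # bits per character, the classic entropy gate
MAX_CHARS_PER_TOKEN = 2.0   # at or below this the candidate "tokenizes badly", i.e. looks random


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits, the traditional secrets-scanner heuristic."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def tokenize(s: str) -> List[str]:
    """Greedy longest-match tokenizer over VOCAB, standing in for a BPE encoder.

    Any character not covered by a vocabulary piece becomes its own one-character token,
    which is what happens to random secret material under a real BPE vocabulary too.
    """
    tokens = []
    i = 0
    while i < len(s):
        piece = s[i]  # fallback: a single character is always a token
        for length in range(min(MAX_PIECE, len(s) - i), 1, -1):
            candidate = s[i:i + length]
            if candidate.lower() in VOCAB:
                piece = candidate
                break
        tokens.append(piece)
        i += len(piece)
    return tokens


def chars_per_token(s: str) -> float:
    """Token efficiency: characters per token. Natural text scores high, random strings near 1."""
    return len(s) / len(tokenize(s))


def classify(candidate: str) -> dict:
    """Apply both heuristics to a regex-matched candidate and report which one would flag it."""
    h = shannon_entropy(candidate)
    eff = chars_per_token(candidate)
    return {
        "candidate": candidate,
        "entropy": round(h, 3),
        "chars_per_token": round(eff, 3),
        "entropy_flags": h >= ENTROPY_THRESHOLD,
        "token_efficiency_flags": eff <= MAX_CHARS_PER_TOKEN,
    }


# Constructed sample candidates (none is a real credential):
SAMPLES = [
    "password_example_config",  # ordinary identifier a loose regex might still capture
    "x7Qp2Lm9vR4tZ8bK",         # random mixed-case material: both heuristics agree
    "c0ffee1234c0ffee1234",     # hex-only secret: entropy stays under 3 bits, tokenizer still sees noise
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The third sample is the recall case the article's numbers are about: a secret drawn from a small alphabet (hex here) has per-character entropy below the gate and is missed, while it still breaks into one token per character and is caught by the efficiency measure. The first sample shows the complementary failure: an ordinary identifier with many distinct letters clears the entropy bar, but tokenizes into a handful of whole-word pieces and is left alone.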
The roadmap for v2 includes expanded scanning sources beyond Git repositories, LLM-assisted secret validation and classification, additional filtering mechanisms, auto-revocation capabilities for supported secret providers, permissions mapping to identify what secrets can access, performance optimizations, and simplified configuration workflows. Betterleaks is being positioned as a tool built for the "agentic era" of security scanning.
- The project represents a fresh start for the original Gitleaks creator, following the loss of control over the original repository
Editorial Opinion
Betterleaks represents a compelling advancement in secrets detection, particularly the switch from entropy-based filtering to BPE tokenization—a technically sound improvement backed by substantial recall gains. However, the fragmentation of the ecosystem around Gitleaks raises questions about maintainability and community consolidation in critical security tooling. While the planned LLM-assisted features are intriguing, the security community should carefully evaluate whether additional complexity in secret detection justifies the trade-offs, especially given the proven track record of the original Gitleaks project.