Git Secret Scanner — Leaked API Keys & Credentials (gitleaks)

Pricing

$50.00 / 1,000 secrets found

Scan any public Git repository for leaked secrets — API keys, tokens, passwords, private keys — using the open-source gitleaks engine. Secrets are masked in output. For authorized security audits and your own repositories.

Rating: 0.0 (0)

Developer: daehwan kim (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 5 days ago

Scan any public Git repository for leaked secrets — API keys, access tokens, passwords, private keys, database URLs, and 150+ other credential types — powered by gitleaks (MIT), the most widely used open-source secret-detection engine. Discovered secrets are masked by default, so you get the leak's rule, file, line, and commit without re-exposing the raw credential.

Built for developers, security engineers, and DevSecOps teams who need to audit a repository for accidentally committed secrets — before attackers find them.

Legal & ethical notice: This Actor is an unofficial integration of gitleaks (gitleaks/gitleaks) and is not affiliated with or endorsed by the original project. Scan only public repositories that you own or are authorized to audit. Secret values are masked by default. Use the results to remediate leaks, not to exploit them. Comply with all applicable laws and the repository's terms of service.

What does this Actor do?

Give it a public repo URL (e.g. https://github.com/owner/repo) and it will:

  1. Clone the repository (current files, or full commit history if you enable scanHistory).
  2. Run gitleaks' 150+ detection rules to find hardcoded secrets.
  3. Return each finding — rule, file, line number, commit, and a masked preview of the secret.

Running on Apify gives you scheduling, a REST API, dataset exports (JSON/CSV/Excel), and monitoring — so you can audit repos on a recurring schedule and catch new leaks early.

Why use this Actor?

  • Pre-release security audit — make sure no API keys shipped in your code.
  • Supply-chain / dependency review — check a third-party public repo before you adopt it.
  • Continuous monitoring — schedule scans and diff results to catch newly committed secrets.
  • Incident response — quickly enumerate where a leaked credential appears across history.

How to use it

  1. Paste a public repo URL (https://github.com/owner/repo).
  2. Leave maskSecrets on (recommended). Turn on scanHistory for a deeper, slower scan of every commit.
  3. Run it. Each detected secret becomes one dataset row.
  4. Export to CSV/JSON/Excel or pull via the API. Schedule for ongoing monitoring.

Input

| Field | Type | Description |
|---|---|---|
| repoUrl | string | Public HTTPS repo URL (GitHub/GitLab/Bitbucket). Required. |
| scanHistory | boolean | Scan full commit history (slower, deeper). Default false. |
| maskSecrets | boolean | Mask secret values in output (default true, recommended). |
| maxResults | integer | Cap on findings returned/charged (default 200, max 1000). |
| timeout | integer | Max seconds for clone + scan (default 300). |

Output

Each detected secret is one dataset record. Download as JSON, HTML, CSV, or Excel.

{
  "repoUrl": "https://github.com/owner/repo",
  "ruleId": "github-pat",
  "secretType": "Uncovered a GitHub Personal Access Token...",
  "filePath": "config/.env",
  "startLine": 12,
  "commit": "a1b2c3d",
  "secretMasked": "ghp_…ef (len 40)",
  "entropy": "4.42",
  "scannedAt": "2026-06-29T00:00:00+00:00"
}

Data fields

| Field | Description |
|---|---|
| ruleId | gitleaks rule that matched (e.g. aws-access-token, github-pat) |
| secretType | Human description of the secret type |
| filePath | File where the secret was found (repo-relative) |
| startLine | Line number |
| commit | Commit hash (when scanning history) |
| secretMasked | Masked preview of the secret (full value hidden unless maskSecrets:false) |
| entropy | Shannon entropy of the match |

Pricing / Cost estimation

Pay-per-result: $0.05 per leaked secret discovered. A clean repo costs nothing (no findings = no charge); a repo with a handful of leaks costs a few cents. Invalid input and clean scans are free. New Apify users get free monthly credits.

Tips & advanced options

  • Start with scanHistory:false (fast). Enable it only when you need to find secrets buried in old commits.
  • Keep maskSecrets:true — you get the rule, file, and line to remediate without re-leaking the value. Turn it off only on your own repos when you need the raw value.
  • Schedule weekly scans and diff results to catch newly committed secrets.
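
One way to do the "diff results" step on two dataset exports, as an added example (not code from this Actor or from gitleaks). It assumes the record fields shown under Output; the choice of key fields, the function names and the sample records are constructed for illustration.

```python
# Added example: compare two exports of the dataset to surface new leaks.

# Fields that identify a finding across runs (an assumption of this example).
# startLine and scannedAt are left out on purpose: unrelated edits shift line
# numbers, and the timestamp changes on every run. Two different secrets with
# the same masked preview in the same file would collapse into one entry.
KEY_FIELDS = ("repoUrl", "ruleId", "filePath", "secretMasked")


def fingerprint(record):
    """Stable identity for one finding, built only from masked fields."""
    return tuple(str(record.get(field, "")) for field in KEY_FIELDS)


def diff_scans(previous, current):
    """Return (new, resolved, moved) findings between two scan exports."""
    prev = {fingerprint(r): r for r in previous}
    curr = {fingerprint(r): r for r in current}
    new = [curr[k] for k in curr if k not in prev]
    # "Resolved" only means the finding is absent from the latest scan. With
    # scanHistory off the secret can still sit in old commits, so it still
    # needs rotating.
    resolved = [prev[k] for k in prev if k not in curr]
    moved = [curr[k] for k in curr
             if k in prev and curr[k].get("startLine") != prev[k].get("startLine")]
    return new, resolved, moved


# Constructed sample exports (not real scan output).
REPO = "https://github.com/owner/repo"
LAST_WEEK = [
    {"repoUrl": REPO, "ruleId": "github-pat", "filePath": "config/.env",
     "startLine": 12, "secretMasked": "ghp_…ef (len 40)"},
    {"repoUrl": REPO, "ruleId": "aws-access-token", "filePath": "deploy/settings.py",
     "startLine": 40, "secretMasked": "AKIA…XQ (len 20)"},
]
THIS_WEEK = [
    {"repoUrl": REPO, "ruleId": "github-pat", "filePath": "config/.env",
     "startLine": 15, "secretMasked": "ghp_…ef (len 40)"},
    {"repoUrl": REPO, "ruleId": "aws-access-token", "filePath": "scripts/backup.sh",
     "startLine": 3, "secretMasked": "AKIA…7P (len 20)"},
]

if __name__ == "__main__":
    new, resolved, moved = diff_scans(LAST_WEEK, THIS_WEEK)
    for label, rows in (("NEW", new), ("RESOLVED", resolved), ("MOVED", moved)):
        for r in rows:
            print(label, r["ruleId"], r["filePath"], r["startLine"])
```

Alert on the new list; treat the resolved list as a rotation checklist rather than as proof the credential is safe.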

FAQ, disclaimers & support

Is this legal? It scans only public repositories you provide — the same code anyone can git clone. Secrets are masked by default and the tool is intended for defensive auditing and remediation. Scan only repos you own or are authorized to audit, and use findings to fix leaks, not exploit them.

Known limitations: Detection follows gitleaks' rule set; very large histories may hit the timeout (raise timeout or use scanHistory:false). Private repos are not supported (public only).

  • Found a bug or need a custom security solution? Open an issue in the Issues tab.
