Git Secret Scanner — Leaked API Keys & Credentials (gitleaks)
Pricing
$50.00 / 1,000 secrets found
Scan any public Git repository for leaked secrets — API keys, tokens, passwords, private keys — using the open-source gitleaks engine. Secrets are masked in output. For authorized security audits and your own repositories.
Developer: daehwan kim
Maintained by Community
Scan any public Git repository for leaked secrets — API keys, access tokens, passwords, private keys, database URLs, and 150+ other credential types — powered by gitleaks (MIT), the most widely used open-source secret-detection engine. Discovered secrets are masked by default, so you get the leak's rule, file, line, and commit without re-exposing the raw credential.
Built for developers, security engineers, and DevSecOps teams who need to audit a repository for accidentally committed secrets — before attackers find them.
Legal & ethical notice: This Actor is an unofficial integration of gitleaks (gitleaks/gitleaks) and is not affiliated with or endorsed by the original project. Scan only public repositories that you own or are authorized to audit. Secret values are masked by default. Use the results to remediate leaks, not to exploit them. Comply with all applicable laws and the repository's terms of service.
What does this Actor do?
Give it a public repo URL (e.g. https://github.com/owner/repo) and it will:
- Clone the repository (current files, or full commit history if you enable scanHistory).
- Run gitleaks' 150+ detection rules to find hardcoded secrets.
- Return each finding — rule, file, line number, commit, and a masked preview of the secret.
Running on Apify gives you scheduling, a REST API, dataset exports (JSON/CSV/Excel), and monitoring — so you can audit repos on a recurring schedule and catch new leaks early.
Why use this Actor?
- Pre-release security audit — make sure no API keys shipped in your code.
- Supply-chain / dependency review — check a third-party public repo before you adopt it.
- Continuous monitoring — schedule scans and diff results to catch newly committed secrets.
- Incident response — quickly enumerate where a leaked credential appears across history.
How to use it
- Paste a public repo URL (https://github.com/owner/repo).
- Leave maskSecrets on (recommended). Turn on scanHistory for a deeper, slower scan of every commit.
- Run it. Each detected secret becomes one dataset row.
- Export to CSV/JSON/Excel or pull via the API. Schedule for ongoing monitoring.
Input
| Field | Type | Description |
|---|---|---|
| repoUrl | string | Public HTTPS repo URL (GitHub/GitLab/Bitbucket). Required. |
| scanHistory | boolean | Scan full commit history (slower, deeper). Default false. |
| maskSecrets | boolean | Mask secret values in output (default true, recommended). |
| maxResults | integer | Cap on findings returned/charged (default 200, max 1000). |
| timeout | integer | Max seconds for clone + scan (default 300). |
Output
Each detected secret is one dataset record. Download as JSON, HTML, CSV, or Excel.
```json
{
  "repoUrl": "https://github.com/owner/repo",
  "ruleId": "github-pat",
  "secretType": "Uncovered a GitHub Personal Access Token...",
  "filePath": "config/.env",
  "startLine": 12,
  "commit": "a1b2c3d",
  "secretMasked": "ghp_…ef (len 40)",
  "entropy": "4.42",
  "scannedAt": "2026-06-29T00:00:00+00:00"
}
```
Data fields
| Field | Description |
|---|---|
| ruleId | gitleaks rule that matched (e.g. aws-access-token, github-pat) |
| secretType | Human description of the secret type |
| filePath | File where the secret was found (repo-relative) |
| startLine | Line number |
| commit | Commit hash (when scanning history) |
| secretMasked | Masked preview of the secret (full value hidden unless maskSecrets:false) |
| entropy | Shannon entropy of the match |
Pricing / Cost estimation
Pay-per-result: $0.05 per leaked secret discovered. A clean repo costs nothing (no findings = no charge); a repo with a handful of leaks costs a few cents. Invalid input and clean scans are free. New Apify users get free monthly credits.
Tips & advanced options
- Start with scanHistory:false (fast). Enable it only when you need to find secrets buried in old commits.
- Keep maskSecrets:true — you get the rule, file, and line to remediate without re-leaking the value. Turn it off only on your own repos when you need the raw value.
- Schedule weekly scans and diff results to catch newly committed secrets.
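One way to do the "diff results" step on two dataset exports, using the output fields documented above. This is an added example, not part of the Actor or of gitleaks; the fingerprint choice (ignoring startLine and commit) and every sample record are assumptions constructed for illustration.

```python
from collections import Counter

# Identity of a finding across scans (assumed scheme, not the Actor's own).
# startLine is left out on purpose: edits above a secret shift its line number
# and would make an old leak look new. commit is left out because it is only
# populated when scanning history.
KEY_FIELDS = ("repoUrl", "ruleId", "filePath", "secretMasked")

def fingerprint(record):
    return tuple(str(record.get(field, "")) for field in KEY_FIELDS)

def _surplus(records, baseline):
    """Records whose fingerprint occurs more often here than in baseline."""
    base = Counter(fingerprint(r) for r in baseline)
    seen, out = Counter(), []
    for rec in records:
        fp = fingerprint(rec)
        seen[fp] += 1
        if seen[fp] > base[fp]:   # multiset compare: a second copy still counts
            out.append(rec)
    return out

def diff_scans(previous, current):
    """Return (new, gone): findings added since, and findings no longer seen.

    'gone' from a current-files scan only means the value left the working
    tree; it is still in history, so the credential must be rotated anyway.
    """
    return _surplus(current, previous), _surplus(previous, current)

# Constructed sample exports (masked values only, as with maskSecrets:true).
REPO = "https://github.com/owner/repo"
LAST_WEEK = [
    {"repoUrl": REPO, "ruleId": "github-pat", "filePath": "config/.env",
     "startLine": 12, "secretMasked": "ghp_…ef (len 40)"},
    {"repoUrl": REPO, "ruleId": "github-pat", "filePath": "scripts/deploy.sh",
     "startLine": 4, "secretMasked": "ghp_…9k (len 40)"},
]
THIS_WEEK = [
    {"repoUrl": REPO, "ruleId": "github-pat", "filePath": "config/.env",
     "startLine": 15, "secretMasked": "ghp_…ef (len 40)"},  # same leak, shifted
    {"repoUrl": REPO, "ruleId": "aws-access-token", "filePath": "src/settings.py",
     "startLine": 7, "secretMasked": "AKIA…XY (len 20)"},
]

if __name__ == "__main__":
    new, gone = diff_scans(LAST_WEEK, THIS_WEEK)
    for rec in new:
        print("NEW ", rec["ruleId"], rec["filePath"], rec["startLine"])
    for rec in gone:
        print("GONE", rec["ruleId"], rec["filePath"], rec["startLine"])
```
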
FAQ, disclaimers & support
Is this legal? It scans only public repositories you provide — the same code anyone can git clone. Secrets are masked by default and the tool is intended for defensive auditing and remediation. Scan only repos you own or are authorized to audit, and use findings to fix leaks, not exploit them.
Known limitations: Detection follows gitleaks' rule set; very large histories may hit the timeout (raise timeout or use scanHistory:false). Private repos are not supported (public only).
- Found a bug or need a custom security solution? Open an issue in the Issues tab.