Aikido Launches Betterleaks Secrets Scanner to Replace Gitleaks

Aikido Security has released Betterleaks, a new open-source secrets scanner designed to replace the widely used Gitleaks utility. Led by Zach Rice, the original author of Gitleaks, the tool offers higher detection rates and a pure Go implementation. The move also resolves governance issues around the original project while keeping the tool freely available to the community.

La Era


Aikido Security has officially launched Betterleaks, a new open-source secrets scanning tool designed to replace the widely used Gitleaks utility. The project identifies credentials and API keys accidentally committed to source code repositories so they can be removed and rotated before threat actors find them. Zach Rice, the original creator of Gitleaks, now leads development under the stewardship of the Belgian firm, which is intended to guarantee consistent maintenance and governance.

Betterleaks introduces significant technical improvements over its predecessor, including per-rule validation logic written in Common Expression Language (CEL), which gives rule authors more flexibility than a regular expression alone. To decide whether a candidate string looks like a secret, the tool uses byte-pair-encoding (BPE) tokenization rather than a character-entropy threshold; the project reports 98.6% recall on the CredData dataset, compared to 70.4% for traditional entropy methods. A pure Go implementation removes the dependency on CGO and Hyperscan, which simplifies building and deploying the binary inside continuous integration pipelines.
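The entropy baseline the paragraph compares against is easy to reproduce. The Go program below is an added example, not code from Betterleaks or Gitleaks: it scans a constructed config snippet once with a Shannon-entropy threshold and once with two illustrative shape rules (the AWS access-key and GitHub PAT patterns are the documented prefixes, but the rule names and the sample values are assumptions for this example, and the AWS key is the placeholder from AWS documentation). It shows the two failure modes of entropy-only scanning that drive recall down: a commit hash scores above the threshold and is reported as a finding, while a correctly shaped token built from repeated characters scores far below it and is missed. The BPE scoring the tool actually uses is not reproduced here.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
)

// shannonEntropy returns the Shannon entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := make(map[rune]int)
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// candidateRe approximates how a simple entropy scanner picks candidate
// tokens: runs of characters commonly found in keys, 16 chars or longer.
var candidateRe = regexp.MustCompile(`[A-Za-z0-9_\-+/=]{16,}`)

// entropyFindings returns every candidate token whose entropy meets threshold.
func entropyFindings(text string, threshold float64) []string {
	var out []string
	for _, tok := range candidateRe.FindAllString(text, -1) {
		if shannonEntropy(tok) >= threshold {
			out = append(out, tok)
		}
	}
	return out
}

// shapeRules are illustrative provider patterns (assumed for this example):
// a known prefix followed by the provider's fixed token length and alphabet.
var shapeRules = map[string]*regexp.Regexp{
	"aws-access-key-id": regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"github-pat":        regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`),
}

// ruleFindings returns matches per rule name, independent of entropy.
func ruleFindings(text string) map[string][]string {
	out := make(map[string][]string)
	for name, re := range shapeRules {
		if m := re.FindAllString(text, -1); len(m) > 0 {
			out[name] = m
		}
	}
	return out
}

// sample is a constructed snippet: the AWS key is the AWS documentation
// placeholder, the PAT is deliberately built from repeated characters so it
// sits far below any entropy threshold, and the commit hash is a non-secret.
const sample = `# constructed sample, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
commit = a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
github_token = ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
`

func main() {
	fmt.Println("entropy >= 3.5:")
	for _, f := range entropyFindings(sample, 3.5) {
		fmt.Printf("  %-45s %.2f bits/char\n", f, shannonEntropy(f))
	}
	fmt.Println("shape rules:")
	rules := ruleFindings(sample)
	names := make([]string, 0, len(rules))
	for n := range rules {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("  %-20s %v\n", n, rules[n])
	}
}
```

With a 3.5 bit threshold the entropy pass reports the AWS key and the commit hash and misses the PAT; the shape rules report the AWS key and the PAT and ignore the hash. Raising the threshold to drop the hash would also drop real keys, which is the trade-off that caps recall for entropy-only scanners.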

This release follows a period of uncertainty about the governance of the original Gitleaks project, which became one of the most widely used tools of its kind over the last decade. Rice developed the utility eight years ago and saw it reach 26 million downloads on GitHub before he lost full control over the codebase. The team therefore chose to fork the project into a more capable successor so that development and maintenance can continue without external interference, and so that the tool stays accessible to the community despite its corporate backing.

The new tool is released under the permissive MIT license, with day-to-day support from Aikido's development team. Rice confirmed that three additional maintainers are now involved, including contributors from the Royal Bank of Canada, Red Hat, and Amazon. This broader institutional backing is meant to protect the project from the single-maintainer risk that has repeatedly affected open-source security tooling.

On the rebranding, Rice said the intent is to bring stronger detection to a wider audience. Betterleaks is the successor to Gitleaks, he stated, noting that the team dropped the git prefix to reflect a scope that extends beyond version control. He added that the name change signals the tool is simply better than what came before, in line with its expanded feature set.

The technical changes also cover scenarios that defeat a plain pattern match, such as secrets that have been base64- or hex-encoded two or three times over; a scanner that only runs its rules against the raw text never sees the underlying token. The expanded rule set covers more providers, so leaked tokens for additional cloud platforms and identity management systems are caught. Parallelized Git history scanning further speeds up repository analysis, significantly cutting the time needed for large-scale audits in enterprise environments.
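One way to handle the multiply encoded case described above is to peel encoding layers before applying the rules, re-running the rules on every decoded layer up to a depth limit. The Go program below is an added example, not Betterleaks code, and makes no claim about how the tool itself implements this: it uses two illustrative rules (the AWS access-key and GitHub PAT prefixes, with assumed rule names), tries hex and the standard and URL base64 alphabets on each candidate blob, keeps only decodings that come out as printable text, and records the depth at which a hit was found. The sample inputs are constructed in the program, so nothing here is a real credential.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Finding is a rule hit together with how many decoding layers were peeled.
type Finding struct {
	Rule  string
	Match string
	Depth int
}

// rules are illustrative shape patterns, assumed for this example.
var rules = map[string]*regexp.Regexp{
	"aws-access-key-id": regexp.MustCompile(`AKIA[0-9A-Z]{16}`),
	"github-pat":        regexp.MustCompile(`ghp_[A-Za-z0-9]{36}`),
}

// candidateRe selects runs that could be a base64 or hex blob.
var candidateRe = regexp.MustCompile(`[A-Za-z0-9+/_\-]{20,}={0,2}`)

var hexRe = regexp.MustCompile(`^[0-9a-fA-F]+$`)

// printable reports whether b is plain ASCII text; decoded garbage fails this.
func printable(b []byte) bool {
	if len(b) < 8 {
		return false
	}
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return true
}

// decodeLayer tries one decoding step on s: hex when s looks like hex,
// otherwise each base64 variant. It returns the first printable result.
func decodeLayer(s string) (string, bool) {
	decoders := []func(string) ([]byte, error){
		base64.StdEncoding.DecodeString,
		base64.RawStdEncoding.DecodeString,
		base64.URLEncoding.DecodeString,
		base64.RawURLEncoding.DecodeString,
	}
	if len(s)%2 == 0 && hexRe.MatchString(s) {
		decoders = append([]func(string) ([]byte, error){hex.DecodeString}, decoders...)
	}
	for _, d := range decoders {
		if b, err := d(s); err == nil && printable(b) {
			return string(b), true
		}
	}
	return "", false
}

// scan runs the rules on text, then on every decodable blob inside it,
// recursively, until maxDepth layers have been peeled.
func scan(text string, maxDepth int) []Finding {
	var out []Finding
	var walk func(s string, depth int)
	walk = func(s string, depth int) {
		for name, re := range rules {
			for _, m := range re.FindAllString(s, -1) {
				out = append(out, Finding{name, m, depth})
			}
		}
		if depth >= maxDepth {
			return
		}
		for _, c := range candidateRe.FindAllString(s, -1) {
			if dec, ok := decodeLayer(c); ok && dec != c {
				walk(dec, depth+1)
			}
		}
	}
	walk(text, 0)
	return out
}

// encodeN wraps s in n layers of standard base64 (used to build samples).
func encodeN(s string, n int) string {
	for i := 0; i < n; i++ {
		s = base64.StdEncoding.EncodeToString([]byte(s))
	}
	return s
}

// hexOverBase64 builds a hex(base64(s)) blob (used to build samples).
func hexOverBase64(s string) string {
	return hex.EncodeToString([]byte(base64.StdEncoding.EncodeToString([]byte(s))))
}

func main() {
	// Constructed inputs: the AWS documentation placeholder key wrapped three
	// times, and a synthetic PAT-shaped string wrapped in hex over base64.
	pat := "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"
	text := strings.Join([]string{
		"aws_key = " + encodeN("AKIAIOSFODNN7EXAMPLE", 3),
		"gh_token = " + hexOverBase64(pat),
	}, "\n")
	for _, f := range scan(text, 4) {
		fmt.Printf("%-20s depth=%d %s\n", f.Rule, f.Depth, f.Match)
	}
}
```

The depth limit matters in practice: without it, a scanner can be made to spend unbounded time on nested blobs, and each peeled layer multiplies the number of candidate strings the rules run against. The printable check is the other important filter, since almost any 20-character alphanumeric run decodes as base64 to something, and only text-like output is worth recursing into.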

Future releases are planned to support data sources beyond Git repositories and local files, so that more places where secrets leak are covered. Planned features include LLM-assisted analysis to improve secret classification and automatic revocation of confirmed secrets through provider APIs, limiting the damage as soon as a leak is found. The roadmap also lists performance optimizations and more granular detection filters for enterprise environments with strict compliance requirements.

The release addresses a real gap in supply chain security, as threat actors routinely scan public repositories for committed credentials. Tools like this let organizations find and rotate such secrets before attackers harvest them for intrusion or ransomware extortion. The tool also accommodates AI agent workflows, recognizing that automatically generated code needs scanning methods suited to how it is produced if leaks are to be prevented. Protecting these keys only becomes more important as digital infrastructure grows more complex.

The release signals a maturing open-source security tooling ecosystem led by experienced practitioners who understand the developer experience. Adoption rates will show how quickly teams migrate from their existing scanners to the new tool. Continued updates from Aikido and the contributor group will determine the tool's long-term viability in a competitive security market.
