Gitleaks is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.
Supports machine-readable scan output suitable for agent summaries and CI reports.
Can run in shell, CI, or agent sessions without prompts for common scanning tasks.
Scanning is generally safe, but remediation, ignore rules, and policy changes require review.
Help output and documented examples are sufficient for building AGENTS.md command rules.
Install options
$ brew install gitleaks $ docker run --rm -v "$PWD:/path" zricethezav/gitleaks:latest detect --source /path Common commands
$ gitleaks detect --source . --report-format json --report-path gitleaks.json Produces a JSON report that an agent can summarize.
$ gitleaks protect --staged --verbose Checks staged files before commit.
$ ${EDITOR:-vi} .gitleaks.toml Changing ignore rules can hide real leaks and requires review.
Agent usage examples
Use Gitleaks to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval. Safety notes
- Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
- Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
- Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.
Agent workflow
Use Gitleaks before an agent commits or opens a PR. Generate a JSON or SARIF report, summarize exact file paths and rule IDs, and stop before editing allowlists.
Approval boundary
Allowlist edits, history rewrites, secret rotation, and deletion of evidence must require user review.