CLI Finder / tools / gitleaks

Gitleaks for repository secret scanning

Scan the repository and working tree for leaked secrets before an agent commits code or opens a PR.

Agent fit: 86/100 · Verified publisher · Actively maintained

Gitleaks is useful for security-oriented agent workflows when scans stay report-first and remediation requires approval.

Structured output 88/100

Supports machine-readable scan output suitable for agent summaries and CI reports.

Non-interactive use 90/100

Can run in shell, CI, or agent sessions without prompts for common scanning tasks.

Safety boundaries 84/100

Scanning is generally safe, but remediation, ignore rules, and policy changes require review.

Agent docs 78/100

Help output and documented examples are sufficient for building AGENTS.md command rules.

Installation

Homebrew $ brew install gitleaks
Docker $ docker run --rm -v "$PWD:/path" zricethezav/gitleaks:latest detect --source /path

Common commands

Scan working tree · Safe $ gitleaks detect --source . --report-format json --report-path gitleaks.json

Produces a JSON report that an agent can summarize.

Scan staged changes · Safe $ gitleaks protect --staged --verbose

Checks staged files before commit.

Edit allowlist · Requires confirmation $ ${EDITOR:-vi} .gitleaks.toml

Changing ignore rules can hide real leaks and requires review.

Agent usage examples

Claude Code / Codex CLI: Use Gitleaks to scan and summarize findings. Prefer JSON/SARIF output. Do not edit ignore rules, update dependencies, or delete files without approval.

Safety notes

  • Run scans in read-only/report mode before allowing an agent to modify files or suppress findings.
  • Treat ignore-file edits, policy changes, dependency updates, and destructive cleanup as approval-required.
  • Prefer JSON or SARIF output so the agent can cite exact findings instead of paraphrasing terminal text.

Agent workflow

Run Gitleaks before the agent commits code or opens a PR. Emit a JSON or SARIF report, summarize the exact file paths and rule IDs, and stop before touching the allowlist.
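The report-first loop described above, written out as an added example (this is not code from the Gitleaks project or from CLI Finder). It runs `gitleaks detect` with the JSON flags shown on this page, reads the report, and groups findings by rule ID and file location so an agent can cite exact findings. The summary deliberately omits the `Secret`/`Match` fields so the secret is never echoed into chat or CI logs, and the script only reports; it never edits `.gitleaks.toml` or the repository. The `SAMPLE_FINDINGS` list is constructed test data in the shape of a Gitleaks JSON report, used when the tool is not installed.

```python
"""Report-first Gitleaks wrapper for an agent workflow (added example, not project code)."""
import json
import subprocess
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample in the shape of a gitleaks JSON report (values are made up).
SAMPLE_FINDINGS = [
    {"RuleID": "aws-access-token", "File": "config/env.sample", "StartLine": 3,
     "Secret": "EXAMPLE-SECRET-1", "Fingerprint": "config/env.sample:aws-access-token:3"},
    {"RuleID": "generic-api-key", "File": "src/client.py", "StartLine": 12,
     "Secret": "EXAMPLE-SECRET-2", "Fingerprint": "src/client.py:generic-api-key:12"},
    {"RuleID": "aws-access-token", "File": "scripts/deploy.sh", "StartLine": 7,
     "Secret": "EXAMPLE-SECRET-3", "Fingerprint": "scripts/deploy.sh:aws-access-token:7"},
]


def run_gitleaks(source, report_path="gitleaks.json"):
    """Run `gitleaks detect` in report mode and return the parsed findings.

    Only the flags documented on the page are used. Gitleaks exits 1 when it
    finds leaks, so 0 and 1 are both 'scan completed'; anything else is an error.
    """
    cmd = ["gitleaks", "detect", "--source", source,
           "--report-format", "json", "--report-path", report_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"gitleaks failed ({proc.returncode}): {proc.stderr.strip()}")
    report = Path(report_path)
    text = report.read_text() if report.exists() else ""
    return json.loads(text) if text.strip() else []


def summarize(findings):
    """Group findings as {RuleID: sorted ['File:StartLine', ...]}.

    Secrets, matches and commit metadata are intentionally dropped so the
    summary can be pasted into a PR comment or agent transcript safely.
    """
    by_rule = defaultdict(set)
    for f in findings:
        by_rule[f["RuleID"]].add(f"{f['File']}:{f.get('StartLine', 0)}")
    return {rule: sorted(locs) for rule, locs in sorted(by_rule.items())}


def render(summary):
    """Human-readable summary plus the approval boundary the page asks for."""
    if not summary:
        return "gitleaks: no findings; safe to proceed with commit/PR."
    lines = ["gitleaks: findings present, STOP before commit/PR (no allowlist edits without approval):"]
    for rule, locs in summary.items():
        lines.append(f"  {rule} ({len(locs)}):")
        lines.extend(f"    - {loc}" for loc in locs)
    return "\n".join(lines)


def needs_human_approval(findings):
    """Any finding means the agent must hand off to a human before remediation."""
    return len(findings) > 0


if __name__ == "__main__":
    # Usage: python gitleaks_report.py <repo-path>; without a path the sample is used.
    if len(sys.argv) > 1:
        results = run_gitleaks(sys.argv[1])
    else:
        results = SAMPLE_FINDINGS
    print(render(summarize(results)))
    sys.exit(1 if needs_human_approval(results) else 0)
```

The non-zero exit on findings is what makes the wrapper usable as a CI gate: the agent gets the cited file paths and rule IDs, and the pipeline refuses to continue until a person has reviewed them.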

Approval boundaries

Allowlist changes, history rewriting, secret rotation, and deletion of evidence all require human confirmation.