Open source · MIT · Rust
The secret scanner that finds the keys actually live.
leakferret is an open-source secret scanner — one fast Rust binary that is engine, CLI, and MCP server. It finds hardcoded API keys, confirms which are still live by calling the provider, and rewrites the leak to read from an environment variable instead. A modern alternative to trufflehog and gitleaks.
🔒 The full secret never leaves your machine — only a redacted AKIA…4XYZ preview ever leaves the process.
- 60+ secret types detected
- 25+ providers verified live
- 1 static Rust binary
- 0 servers · accounts · telemetry
Runs in your terminal, your CI, and inside your coding agent
- Claude Code
- Cursor
- Continue
- Claude Desktop
- GitHub Actions
- VS Code
- npm
- RubyGems
- Go
- crates.io
See it work
One command finds the leak, classifies it, and rewrites the literal to read from an environment variable — raw secret values never leave the machine.
verify adds a harmless provider call on top of scan to confirm which keys are still live; rewrite turns the literal into an os.environ / process.env / ENV.fetch lookup.
Install in one line
Every package ships the same prebuilt binary. Pick your ecosystem.
# Rust / crates.io
cargo install leakferret-cli
leakferret scan .

# npm
npm i -g @leakferret/cli
leakferret scan .

# RubyGems
gem install leakferret
leakferret scan .

# Go
go install github.com/leakferrethq/leakferret-go/cmd/leakferret@latest
leakferret scan .

scan respects .gitignore and reads dotfiles like .env. Add --git to walk commit history. Every wrapper honors a LEAKFERRET_BIN override, so an air-gapped or offline install can point it at a binary you already have.
One binary, every job
- scan: regex pre-filter over the working tree; fast, .gitignore-aware, reads dotfiles.
- verify: calls the provider to confirm which keys are actually live, not just pattern matches.
- rewrite: swaps the literal for an env-var lookup and seeds env / Vault / Doppler / AWS / Infisical.
- baseline: HMAC-fingerprints known findings so CI fails only on new leaks; never stores the raw secret.
- mcp: starts the MCP server so a coding agent can scan, verify, and rewrite before it commits.
…or gate every pull request
# .github/workflows/secrets.yml
- uses: leakferrethq/leakferret-action@v1
  with:
    verify-mode: only-verified  # fail only on confirmed-live keys
    fail-on: any
Uploads SARIF to GitHub Code Scanning, so findings show up inline on the PR. Code Scanning accepts a SARIF upload only when the workflow's GITHUB_TOKEN has security-events: write, so grant that in the job's permissions block; and if you want the --git history walk in CI, check out with fetch-depth: 0, since the default shallow clone has no history to scan.
…or block the commit before it happens
# .git/hooks/pre-commit — offline, no network calls
leakferret verify . --verify-mode none --fail-on any
--fail-on any exits non-zero on any non-fixture finding, so the commit is blocked; documented examples like AKIAIOSFODNN7EXAMPLE are still ignored. Pair with leakferret baseline init to block only on new secrets.
The hook fires in any git client — terminal, GitHub Desktop, the VS Code Source Control panel — since they all run git's pre-commit hook. It's local convenience, though: anyone (or any AI agent) can skip it with git commit --no-verify, so make the GitHub Action the enforcing gate — it runs server-side on every push and PR, where --no-verify can't reach.
A five-station pipeline
Each station only sees what it needs, and the raw secret travels no further than it has to: it is read from disk, used once for the provider check, and reduced to a redacted preview before anything is reported, stored in a baseline, or shown to a model.
1. Scan: a fast regex pre-filter over your files. Respects .gitignore, reads dotfiles, and with --git walks history.
2. Catalog: candidates are checked against a signed database of known-public examples (Stripe test keys, AKIAIOSFODNN7EXAMPLE, jwt.io samples) so documented fixtures never raise a false alarm.
3. Classify: each candidate gets a verdict, real, fixture, or unknown. Runs offline, or asks the host editor/agent's own model; no extra API key, no added cost.
4. Verify: one harmless API call to the provider confirms a key is live. ~25 providers covered natively, with a trufflehog fallback. The call goes straight to the provider; leakferret has no servers.
5. Rewrite: swaps the hardcoded literal for an env-var lookup, appends to .env.example, and prints seed commands for your secret manager.
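What the rewrite station's swap looks like in code, as an added example written for this page in Go; it is not leakferret's own implementation. It assumes the env-var name is derived from the rule id, replaces only a quoted literal that matches the secret exactly, and leaves a secret embedded in a longer string (a URL with inline credentials, say) untouched for the caller to handle, because a plain substitution would produce a broken string there. The dialect table per file extension and the `import os` handling are assumptions about reasonable behaviour, not the tool's documented logic.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// EnvName derives an environment-variable name from a rule id, e.g.
// "aws-access-key-id" -> "AWS_ACCESS_KEY_ID". (Assumed naming scheme.)
func EnvName(rule string) string {
	r := strings.NewReplacer("-", "_", ".", "_", " ", "_")
	return strings.ToUpper(r.Replace(rule))
}

// lookup returns the env-var lookup expression in the file's dialect.
// Unknown extensions get no rewrite rather than a guessed one.
func lookup(path, env string) (string, bool) {
	switch filepath.Ext(path) {
	case ".py":
		return fmt.Sprintf(`os.environ[%q]`, env), true
	case ".js", ".ts", ".mjs", ".cjs":
		return "process.env." + env, true
	case ".rb":
		return fmt.Sprintf(`ENV.fetch(%q)`, env), true
	}
	return "", false
}

// RewriteFile swaps every quoted literal equal to secret for an env-var
// lookup and returns the new source, the line to append to .env.example,
// and whether anything changed. A secret that only appears inside a longer
// string is deliberately left alone: the right fix there is not a plain
// substitution, and a half-rewritten string would break the program.
func RewriteFile(path, src, secret, env string) (string, string, bool) {
	expr, ok := lookup(path, env)
	if !ok || secret == "" {
		return src, "", false
	}
	out := strings.ReplaceAll(src, `"`+secret+`"`, expr)
	out = strings.ReplaceAll(out, `'`+secret+`'`, expr)
	if out == src {
		return src, "", false
	}
	// os.environ needs the os module; add the import if the file lacks it.
	// Placing it on line 1 is fine for a demo; a real tool would respect
	// shebangs, encoding lines and module docstrings.
	if filepath.Ext(path) == ".py" && !hasImportOS(out) {
		out = "import os\n" + out
	}
	return out, env + "=", true
}

func hasImportOS(src string) bool {
	for _, l := range strings.Split(src, "\n") {
		if strings.TrimSpace(l) == "import os" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input; the key is a made-up value shaped like a Stripe test key.
	src := "import requests\nSTRIPE = \"sk_test_constructed0000000000\"\n"
	out, example, changed := RewriteFile("billing.py", src, "sk_test_constructed0000000000", EnvName("stripe-secret-key"))
	fmt.Println("changed:", changed)
	fmt.Print(out)
	fmt.Println("append to .env.example:", example)
}
```

The exact-literal rule is the safety property worth copying: the rewrite either replaces the whole quoted token or does nothing and reports that, so an agent applying it blindly cannot corrupt a connection string.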
Model Context Protocol
A secret check your coding agent can run itself
Agents hardcode secrets too, and nobody reviews their diffs line by line. leakferret exposes its pipeline over MCP so the agent self-checks before it commits.
- Tools: scan_repository, classify_candidates, verify_finding, propose_rewrite, baseline_diff
- Works with Claude Code, Cursor, Continue, and Claude Desktop
- Classifies inline using the model the agent already has
// add to your mcpServers config
{
"mcpServers": {
"leakferret": {
"command": "npx",
"args": ["@leakferret/mcp"]
}
}
}
What you get
Provider verification
~25 providers natively — AWS SigV4, GitHub, GitLab, Stripe, OpenAI, Anthropic, Slack, Twilio, SendGrid, Mailgun, Datadog, Heroku, npm, PyPI, DigitalOcean, Hugging Face, Groq, Replicate, Notion, Postman, Figma, Linear, Square, Shopify, Databricks — plus a trufflehog fallback. Detects 60+ secret types.
Privacy by construction
The raw secret is never serialized, logged, or sent. Only a first-4 + last-4 preview leaves the process. A dedicated test enforces it.
Agent-applied rewrites
ENV.fetch / os.environ / process.env swaps, plus seed commands for env, Vault, Doppler, AWS Secrets Manager, or Infisical.
Signed fixture catalog
An Ed25519-signed database of known-public example keys, bundled with the binary and refreshable, so documented samples never page you.
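The load-time check that a signed catalog buys you, as an added Go example written for this page rather than code from leakferret itself. The Ed25519 key pair is generated at runtime as a stand-in for the publisher's key that the page says ships inside the binary, and the catalog format (a version number and a list of fixture strings) is an assumption. The point it demonstrates: a refreshed catalog is verified before it is parsed, so a tampered download can neither hide a real key by listing it as a fixture nor drop a known one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Catalog is the assumed on-disk shape of the fixture database: known-public
// example secrets that must never be reported as real leaks.
type Catalog struct {
	Version  int      `json:"version"`
	Fixtures []string `json:"fixtures"`
}

// SignedCatalog is the serialized catalog plus a detached Ed25519 signature
// over exactly those bytes.
type SignedCatalog struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("catalog signature does not verify; refusing to load")

// Sign is the publisher's side: done once per release, with the private key.
func Sign(priv ed25519.PrivateKey, c Catalog) (SignedCatalog, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCatalog{}, err
	}
	return SignedCatalog{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Fixtures is a verified, loaded catalog.
type Fixtures struct {
	version int
	set     map[string]struct{}
}

// Load is the scanner's side. The signature is checked before the JSON is
// parsed, so nothing from an unverified payload ever influences a verdict.
func Load(pub ed25519.PublicKey, sc SignedCatalog) (*Fixtures, error) {
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return nil, ErrBadSignature
	}
	var c Catalog
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	f := &Fixtures{version: c.Version, set: make(map[string]struct{}, len(c.Fixtures))}
	for _, s := range c.Fixtures {
		f.set[s] = struct{}{}
	}
	return f, nil
}

// Classify gives the catalog station's verdict for one candidate.
func (f *Fixtures) Classify(candidate string) string {
	if _, ok := f.set[candidate]; ok {
		return "fixture"
	}
	return "unknown"
}

func main() {
	// Stand-in for the publisher key bundled with the binary (assumption).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, err := Sign(priv, Catalog{Version: 1, Fixtures: []string{"AKIAIOSFODNN7EXAMPLE"}})
	if err != nil {
		panic(err)
	}
	f, err := Load(pub, signed)
	if err != nil {
		panic(err)
	}
	fmt.Println("AKIAIOSFODNN7EXAMPLE ->", f.Classify("AKIAIOSFODNN7EXAMPLE"))

	// A tampered refresh: new payload, old signature. It must be rejected.
	tampered := signed
	tampered.Payload = []byte(`{"version":2,"fixtures":[]}`)
	_, err = Load(pub, tampered)
	fmt.Println("tampered catalog:", err)
}
```

Because the verification key is bundled with the binary rather than fetched alongside the catalog, a refresh endpoint that is compromised can only serve data the scanner refuses; replacing the trust anchor would require replacing the binary itself.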
Baselines, not noise
One-way HMAC fingerprints of known findings — never the raw secret — so CI fails only on new leaks.
Reports that fit your pipeline
Colored terminal, JSON for scripting, and SARIF for GitHub Code Scanning via the official Action.
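The two mechanics behind the privacy and baseline claims above, in one added Go example written for this page; none of it is leakferret's code. A finding keeps its raw value in a field the serializer cannot see, reports carry only the first-4 + last-4 preview, and the baseline stores HMAC-SHA256 fingerprints keyed over rule and secret, so a secret that merely moves to another file is not "new" while the baseline itself contains nothing recoverable. Where the HMAC key lives is a deployment choice the page does not specify; the key here is a constructed value and the field names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one detected candidate. The raw value sits in an unexported
// field, which encoding/json never emits, so every report that goes through
// Report is redacted by construction rather than by discipline.
type Finding struct {
	Rule    string `json:"rule"`
	Path    string `json:"path"`
	Line    int    `json:"line"`
	Preview string `json:"preview"`
	secret  string
}

func NewFinding(rule, path string, line int, secret string) Finding {
	return Finding{Rule: rule, Path: path, Line: line, Preview: Preview(secret), secret: secret}
}

// Preview keeps the first and last four characters: enough to recognise a key
// in a report, not enough to reconstruct it. A value shorter than 16 bytes
// would have half or more of itself exposed by that rule, so it is masked
// entirely instead.
func Preview(secret string) string {
	const keep = 4
	if len(secret) < 4*keep {
		return strings.Repeat("*", len(secret))
	}
	return secret[:keep] + "…" + secret[len(secret)-keep:]
}

// Report is the only serializer; it can only ever see the exported fields.
func Report(findings []Finding) ([]byte, error) {
	return json.MarshalIndent(findings, "", "  ")
}

// Fingerprint is HMAC-SHA256 over rule and secret under a per-repo key.
// Path and line are left out so a secret that only moves is not "new".
// With the key kept out of the repository (a CI secret, say) the baseline
// reveals nothing; with the key stored beside the baseline it degrades to a
// salted hash, still fine for high-entropy keys but not for guessable passwords.
func Fingerprint(key []byte, f Finding) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(f.Rule))
	m.Write([]byte{0}) // separator so the rule/secret boundary cannot be shifted
	m.Write([]byte(f.secret))
	return hex.EncodeToString(m.Sum(nil))
}

// Baseline records the fingerprints of findings that are already known.
func Baseline(key []byte, findings []Finding) map[string]bool {
	b := make(map[string]bool, len(findings))
	for _, f := range findings {
		b[Fingerprint(key, f)] = true
	}
	return b
}

// Diff returns only the findings absent from the baseline, which is what a
// CI gate should fail on.
func Diff(key []byte, baseline map[string]bool, findings []Finding) []Finding {
	var fresh []Finding
	for _, f := range findings {
		if !baseline[Fingerprint(key, f)] {
			fresh = append(fresh, f)
		}
	}
	return fresh
}

func main() {
	key := []byte("constructed-per-repo-baseline-key") // constructed; real location is a deployment choice
	known := NewFinding("aws-access-key-id", "config.py", 3, "AKIAIOSFODNN7EXAMPLE")
	base := Baseline(key, []Finding{known})
	moved := NewFinding("aws-access-key-id", "settings/prod.py", 41, "AKIAIOSFODNN7EXAMPLE")
	added := NewFinding("github-pat", "deploy.sh", 7, "ghp_constructedexample0123456789abcd")
	out, _ := Report(Diff(key, base, []Finding{moved, added}))
	fmt.Println(string(out)) // one finding, with preview "ghp_…abcd" and no raw value
}
```

The invariant the page says a dedicated test enforces is the natural unit test here: serialize a finding and assert the raw value is absent from the bytes, then do the same for every fingerprint in the baseline.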
How it compares
| Capability | gitleaks | trufflehog | GitHub MCP | leakferret |
|---|---|---|---|---|
| Fast regex pre-filter | ✓ | ✓ | ✓ | ✓ |
| Live provider verification | — | ✓ | — | ✓ |
| In-place env-var rewrite | — | — | — | ✓ |
| Signed known-public catalog | — | — | — | ✓ |
| MCP server for coding agents | — | — | ✓ | ✓ |
| Works without a GitHub account | ✓ | ✓ | — | ✓ |
| No servers · no telemetry | ✓ | ✓ | — | ✓ |
| Open source | ✓ | ✓ | — | ✓ |
gitleaks is a fast regex scanner; leakferret matches that pre-filter and adds verification. trufflehog verifies too — leakferret adds the MCP/agent layer, the in-place rewrite, and the signed catalog. GitHub's MCP secret scanning flags pattern matches inside the GitHub ecosystem; leakferret confirms a key is live, rewrites it, and runs on any repo or host with no account in the path.
Full comparison: leakferret vs trufflehog, gitleaks & GitGuardian →
Questions
Does leakferret send my secrets anywhere?
No. The raw secret value is never written to a report, a log, a baseline, or a model prompt; only a redacted first-4 + last-4 preview (like AKIA…4XYZ) ever appears in output. The one place the full key is used is verification, and that call goes straight from your machine to the provider that issued the key (for AWS it is a SigV4-signed request, so even there only a signature derived from the secret is sent, never the secret itself). leakferret has no servers and collects nothing. A dedicated test enforces this invariant.
Is leakferret a trufflehog, gitleaks, or GitGuardian alternative?
Yes. leakferret is an open-source alternative to trufflehog, gitleaks, GitGuardian, and detect-secrets. Like gitleaks it runs as a fast pre-commit hook; like trufflehog it verifies which keys are actually live by calling the provider; and it adds two things those tools don't: an in-place rewrite that moves the secret to an environment variable, and an MCP server so AI coding agents can self-check before they commit. It's free, MIT-licensed, runs with no account or servers, and works on any repo or host.
Is it really free?
Yes. The engine, CLI, MCP server, and every language wrapper are MIT-licensed and free forever. The fixture catalog data is CC-BY-SA-4.0. No account, no telemetry.
Which providers can it verify?
Around 25 natively: AWS (SigV4), GitHub, GitLab, Stripe, OpenAI, Anthropic, Slack, Twilio, SendGrid, Mailgun, Datadog, Heroku, npm, PyPI, DigitalOcean, Hugging Face, Groq, Replicate, Notion, Postman, Figma, Linear, Square, Shopify, and Databricks — with a trufflehog binary fallback for the long tail.
How is it different from gitleaks or trufflehog?
gitleaks is a fast regex scanner; leakferret matches that pre-filter and adds live provider verification. trufflehog verifies too — leakferret adds the MCP layer so coding agents can self-check, the in-place env-var rewrite, and a signed catalog of known-public keys so documented examples never page you.
Does leakferret work in CI?
Yes. There's an official GitHub Action that installs the binary, scans, and uploads SARIF to Code Scanning. A baseline of one-way HMAC fingerprints lets CI fail only on new leaks. JSON and SARIF output formats are built in.
Can a coding agent use leakferret over MCP?
Yes. It exposes the pipeline over the Model Context Protocol so a coding agent (Claude Code, Cursor, Continue, Claude Desktop) can scan, classify, verify, and propose rewrites before it commits — classifying inline with the model it already has. It's listed in the MCP Registry as io.github.leakferrethq/leakferret.
Can leakferret scan git history for secrets?
Yes. Run leakferret scan --git to walk commit history and report the commit that introduced each secret, not just the working tree. Combine it with a baseline so you only fail on newly added leaks.
Isn't this what GitHub's MCP secret scanning does?
GitHub's tool flags that a string matches a secret pattern, through push protection, inside the GitHub ecosystem. leakferret goes further on the two things that matter most: it verifies the key is actually live by calling the provider (so you fix what's exploitable, not regex noise), and it rewrites the leak in place to read from an environment variable. It also runs on any repo, any host, and local or uncommitted code — with no GitHub account in the path. Detection versus verification plus a fix.
Is leakferret more accurate than GitHub push protection?
On the thing that causes false alarms, yes — because leakferret can verify. GitHub's push protection pattern-matches your commits and blocks anything that looks like a secret, with no way to tell a real key from a test fixture. leakferret matches the same shapes, then takes the extra step: a harmless call to the provider to confirm the key is actually live, so in verify mode it won't cry wolf on a fake token. We found this out the funny way — GitHub's push protection once blocked a commit to leakferret's own repo because it was sure a fake test token was a real Hugging Face key. It wasn't; it was a string typed to match a regex. Detection sees a shape and sounds the alarm; verification checks whether the key actually works.
Scan your repo in the next minute.
Free and open source under MIT. No account, no servers, no telemetry.