# leakferret

> Open-source secret scanner that finds hardcoded secrets and API keys, verifies which are actually live by calling the provider, and rewrites them to read from environment variables. One fast Rust binary that is a CLI, a pre-commit hook, a GitHub Action, and an MCP server for AI coding agents. A modern alternative to trufflehog, gitleaks, and GitGuardian. Free and MIT-licensed. The full secret value never leaves your machine.

## Docs and source

- [Documentation](https://leakferret.com/docs/): install, CLI reference, MCP setup, CI, verifiers, fixture catalog, privacy model
- [GitHub repository](https://github.com/leakferrethq/leakferret): source for the engine, CLI, and MCP server
- [Releases](https://github.com/leakferrethq/leakferret/releases): prebuilt, signed binaries

## Install

- Rust: `cargo install leakferret-cli`
- npm: `npm i -g @leakferret/cli`
- Ruby: `gem install leakferret`
- Go: `go install github.com/leakferrethq/leakferret-go/cmd/leakferret@latest`
- MCP (Claude Code): `claude mcp add leakferret -- npx -y @leakferret/mcp`

## How it works (five stations)

- Scan: regex pre-filter over files (60+ secret types); respects .gitignore, reads dotfiles, `--git` walks commit history
- Catalog: signed database of known-public example keys so documented samples never false-alarm
- Classify: real / fixture / unknown — offline or via the host editor/agent model, no extra API key
- Verify: one harmless API call to the provider confirms a key is live (~25 providers natively, plus a trufflehog fallback)
- Rewrite: swaps the literal for an env-var lookup, appends to .env.example, and seeds the secret manager

## How it compares

- vs gitleaks: leakferret matches the fast regex pre-filter and adds live provider verification
- vs trufflehog: leakferret also verifies, and adds the MCP/agent layer, the in-place rewrite, and a signed catalog
- vs GitHub push protection: leakferret confirms a key is live (not just a pattern match), rewrites it, and needs no GitHub account

## Key facts

- Free and open source; MIT-licensed engine/CLI/MCP/wrappers; catalog data CC-BY-SA-4.0
- No servers, no account, no telemetry — the raw secret never leaves your machine
- Listed in the MCP Registry as io.github.leakferrethq/leakferret
- Verifies AWS (SigV4), GitHub, GitLab, Stripe, OpenAI, Anthropic, Slack, Twilio, SendGrid, Mailgun, Datadog, Heroku, npm, PyPI, DigitalOcean
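The scan, catalog, classify, and rewrite stations described under "How it works", as an added stand-alone model in Python. This is not leakferret's own code and does not use its API; it assumes a two-entry pattern table, a one-entry stand-in for the signed fixture catalog, a constructed sample settings module, and the env-var names `AWS_ACCESS_KEY_ID` and `GITHUB_TOKEN`. The verify station (the live provider call) is left out because it needs network access; everything here runs offline, and the report only ever shows a redacted prefix, never the raw value.

```python
import re
from dataclasses import dataclass

# Constructed two-entry pattern table (leakferret itself ships 60+ types).
# Both formats are the publicly documented shapes of these credentials.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Stand-in for the signed catalog of known-public example keys.
# AKIAIOSFODNN7EXAMPLE is the sample access key id used in AWS documentation.
KNOWN_PUBLIC_FIXTURES = {"AKIAIOSFODNN7EXAMPLE"}

# Assumed env-var names the rewrite targets; chosen for this example.
ENV_NAMES = {"aws_access_key_id": "AWS_ACCESS_KEY_ID", "github_pat": "GITHUB_TOKEN"}

# Constructed sample source: one documented fixture plus two made-up strings
# that merely match the patterns (they are not real credentials).
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
DOCS_KEY = "AKIAIOSFODNN7EXAMPLE"
LIVE_KEY = "AKIAQ4YXQ7Z2FAKE0000"
TOKEN = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'
"""


@dataclass
class Finding:
    kind: str
    line_no: int
    value: str
    classification: str  # "fixture" (in catalog) or "unknown" (would go to verify)


def scan(text: str) -> list[Finding]:
    """Scan + catalog + offline classify: regex pre-filter, then catalog lookup."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                cls = "fixture" if value in KNOWN_PUBLIC_FIXTURES else "unknown"
                findings.append(Finding(kind, line_no, value, cls))
    return findings


def redact(value: str) -> str:
    """What a report may show: a short prefix and the length, never the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def rewrite(text: str, findings: list[Finding]) -> tuple[str, list[str]]:
    """Rewrite station: replace each non-fixture quoted literal with an
    os.environ lookup; return the new source and the lines for .env.example."""
    env_lines = []
    for f in findings:
        if f.classification == "fixture":
            continue  # documented sample: leave it alone
        env = ENV_NAMES[f.kind]
        quoted = re.compile('(["\'])' + re.escape(f.value) + r"\1")
        text = quoted.sub(f'os.environ["{env}"]', text)
        entry = f"{env}="  # .env.example carries the name only, never the value
        if entry not in env_lines:
            env_lines.append(entry)
    if env_lines and not re.search(r"^import os\b", text, re.MULTILINE):
        text = "import os\n" + text  # the rewritten module now needs os
    return text, env_lines


if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {redact(f.value)} -> {f.classification}")
    new_source, env_example = rewrite(SAMPLE_SOURCE, found)
    print(new_source)
    print("\n".join(env_example))
```

Running it reports three hits, keeps the documented AWS sample untouched, and replaces the two unknown literals with `os.environ[...]` lookups while emitting value-less `NAME=` lines for `.env.example`. In the real tool the two "unknown" findings would then go through the verify station before being rewritten.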