Integrate Gitleaks with Vulnetix. Scan git repositories and directories for leaked secrets, API keys, and tokens.
Install & scan
$ go install github.com/zricethezav/gitleaks/v8@latest $ gitleaks dir . -f sarif --report-path gitleaks.sarif
Run Gitleaks in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Gitleaks run: go install github.com/zricethezav/gitleaks/v8@latest - name: Run Gitleaks run: gitleaks dir . -f sarif --report-path gitleaks.sarif - name: Upload to Vulnetix run: vulnetix upload --file gitleaks.sarif
How Vulnetix compares — better together
Vulnetix does not replace Gitleaks. Keep running it. Vulnetix sits on top of Gitleaks — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
| Capability | Vulnetix | Gitleaks |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✓ Core: regex + entropy detection of hardcoded credentials across git history, files, archives; SARIF output |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Gitleaks does well
- Fast, ubiquitous open-source git secret scanner — 160+ built-in regex rules (AWS, GitHub PATs, Slack, Stripe, Google, SSH keys, JWTs) plus entropy scoring to cut noise
- First-class output and workflow support: SARIF, JSON, CSV, JUnit and custom templates; pre-commit hook, baseline/incremental scanning, and full git-history walking
- Scans beyond live files — archives (zip/tar), stdin, and encoded (base64/hex) secrets, with easily extended TOML custom rules
Where Vulnetix adds to it: Gitleaks is a best-in-class git secret finder but does regex/entropy only — no live-credential verification and no other scan class. Vulnetix ingests Gitleaks SARIF into one prioritised queue, deduplicates it against its own built-in secret scanner and its SAST/SCA/IaC/container/malware findings, and adds exploit-intel prioritisation, versioned VEX and SSVC that Gitleaks has no concept of. Better together: keep Gitleaks in pre-commit, let Vulnetix consolidate and triage.
No migration, no rip-and-replace. Gitleaks keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Gitleaks results in Vulnetix
Upload Gitleaks SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.