Tool integration

Gitleaks Integration Guide

Git secret scanner with SARIF output

Get a Free API Key

Integrate Gitleaks with Vulnetix. Scan git repositories and directories for leaked secrets, API keys, and tokens.

CLI toolSARIF

Install & scan

$ go install github.com/zricethezav/gitleaks/v8@latest
$ gitleaks dir . -f sarif --report-path gitleaks.sarif

Run Gitleaks in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Gitleaks
  run: go install github.com/zricethezav/gitleaks/v8@latest
- name: Run Gitleaks
  run: gitleaks dir . -f sarif --report-path gitleaks.sarif
- name: Upload to Vulnetix
  run: vulnetix upload --file gitleaks.sarif

How Vulnetix compares — better together

Vulnetix does not replace Gitleaks. Keep running it. Vulnetix sits on top of Gitleaks — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixGitleaks
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git historyCore: regex + entropy detection of hardcoded credentials across git history, files, archives; SARIF output
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Gitleaks does well

Where Vulnetix adds to it: Gitleaks is a best-in-class git secret finder but does regex/entropy only — no live-credential verification and no other scan class. Vulnetix ingests Gitleaks SARIF into one prioritised queue, deduplicates it against its own built-in secret scanner and its SAST/SCA/IaC/container/malware findings, and adds exploit-intel prioritisation, versioned VEX and SSVC that Gitleaks has no concept of. Better together: keep Gitleaks in pre-commit, let Vulnetix consolidate and triage.

No migration, no rip-and-replace. Gitleaks keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Gitleaks results in Vulnetix

Upload Gitleaks SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Gitleaks documentation ↗  ·  Source repository ↗

Wire Gitleaks into your CI/CD pipeline →