Betterleaks: The Open-Source Secrets Scanner Built for AI Coding Agents

The creator of Gitleaks releases a faster, more accurate successor with 98.6% recall and native AI agent integration. Here's why it matters.


Zach Rice, the creator of Gitleaks, just released Betterleaks—a from-scratch rewrite of his popular secrets scanner with one feature that sets it apart: it’s designed to be called by AI coding agents.

After losing full control over Gitleaks (26 million downloads, 35 million Docker pulls), Rice built Betterleaks as an MIT-licensed successor with better detection, faster scanning, and flag-based output specifically for tools like Claude Code and Cursor.

Why This Matters for AI-Assisted Development

AI coding agents run CLI tools as subprocesses and consume their output. The problem: most security tools weren’t designed with token overhead in mind. Verbose output wastes context window space and money.

Betterleaks addresses this with controllable output modes. Agents can request minimal JSON for automated workflows or detailed output when human review is needed. No parsing hacks required.

This isn’t theoretical. Rice explicitly designed the tool for the pattern where agents reach for CLI utilities with predictable, machine-readable output.

98.6% Recall vs 70.4%

The headline improvement is detection accuracy. Gitleaks uses Shannon entropy to distinguish random-looking strings (potential secrets) from readable text. Betterleaks replaces this with Token Efficiency—a measure of how well a BPE tokenizer compresses strings.

The logic: natural language compresses efficiently into long tokens. API keys, passwords, and random strings compress poorly into many short tokens. Against the CredData dataset, Token Efficiency achieved 98.6% recall compared to 70.4% for entropy-based detection.

That’s not just a benchmark improvement. It means fewer missed credentials leaking into your repositories.
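To make the two measures concrete, here is an added Python illustration (not Betterleaks' or Gitleaks' code) that scores constructed samples with both Shannon entropy and a token-efficiency proxy. It assumes a tiny hand-built vocabulary in place of a real BPE tokenizer, so the numbers show the shape of the argument rather than the CredData result.

```python
import math

# Constructed toy vocabulary standing in for a BPE tokenizer's merge table (assumption:
# a real scanner would use a full BPE vocabulary; this set only needs the pieces that
# occur in the samples below, so the comparison is illustrative, not a benchmark).
TOY_VOCAB = {
    "the", "config", "uration", "load", "ed", "from", "this", "file", " ", "user",
    "name", "password", "connect", "ion", "string", "_", "=", ".",
}
MAX_PIECE = max(len(p) for p in TOY_VOCAB)

# Constructed samples: a line of readable text and a random-looking credential.
NATURAL_TEXT = "the configuration loaded from this file"
SAMPLE_SECRET = "q7Gx2Lp9vZk4RtW8mB1n"

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution (the Gitleaks heuristic)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def tokenize(s: str) -> list:
    """Greedy longest-match against TOY_VOCAB; characters with no match become 1-char tokens."""
    tokens, i = [], 0
    while i < len(s):
        for size in range(min(MAX_PIECE, len(s) - i), 0, -1):
            piece = s[i:i + size]
            if piece in TOY_VOCAB:
                break
        else:
            piece = s[i]  # no vocabulary piece starts here
        tokens.append(piece)
        i += len(piece)
    return tokens

def token_efficiency(s: str) -> float:
    """Characters per token: readable text packs into long tokens, secrets do not."""
    return len(s) / len(tokenize(s)) if s else 0.0

def looks_like_secret(s: str, max_efficiency: float = 2.0) -> bool:
    """Flag strings the tokenizer compresses poorly (the threshold is an assumption)."""
    return token_efficiency(s) < max_efficiency

if __name__ == "__main__":
    for label, sample in (("text", NATURAL_TEXT), ("secret", SAMPLE_SECRET)):
        print(f"{label:6} entropy={shannon_entropy(sample):.2f} bits/char "
              f"efficiency={token_efficiency(sample):.2f} chars/token "
              f"secret={looks_like_secret(sample)}")
```

On these samples the entropy of the readable line (about 3.9 bits/char) sits close to that of the random string (about 4.3), which is why a single entropy threshold is brittle, while the efficiency scores separate cleanly (3.0 versus 1.0 chars/token).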

Technical Changes

Betterleaks drops several Gitleaks dependencies:

Pure Go, no CGO: Eliminates the Hyperscan library requirement. Deploys anywhere without native library dependencies.

Handles encoding by default: Scans doubly and triply encoded secrets without configuration. This catches the base64-wrapped credentials that entropy-based scanners often miss.

Archive support: Scans nested archives—zips inside zips—automatically.

CEL-based validation: Rule authors write validation logic in Common Expression Language instead of regex. More expressive, easier to maintain.

Parallelized git scanning: Uses Go’s concurrency to scan repositories faster than serial approaches.

Output formats include JSON, CSV, JUnit, SARIF, and custom templates. The SARIF support integrates directly with GitHub Code Scanning.

Drop-In Replacement

If you’re running Gitleaks in CI/CD, migration is straightforward. Betterleaks accepts the same CLI flags and configuration file format. Swap the binary, run your existing commands.

# Old command
gitleaks detect --source . --report-format json

# Same command works with Betterleaks
betterleaks detect --source . --report-format json

What This Means for AI Security

The broader pattern here is tool developers building for AI consumers. Betterleaks won’t be the last security tool designed with agents as first-class users.

For teams running AI coding agents, this matters. Automated workflows can now:

  1. Let agents write code
  2. Have Betterleaks scan for accidentally committed secrets
  3. Consume results without manual intervention
  4. Flag issues before they reach production

This closes a gap where AI-generated code could introduce credentials that traditional CI/CD might catch too late.

Getting Started

Betterleaks is available on GitHub under the MIT license. Install via:

# Go install
go install github.com/zricethezav/betterleaks@latest

# Homebrew
brew install betterleaks

# Docker
docker pull ghcr.io/zricethezav/betterleaks

For AI agent integration, the key flags are --report-format json for machine-readable output and --exit-code for CI/CD status codes.

Whether you’re migrating from Gitleaks or adding secrets scanning to an AI-assisted workflow, Betterleaks is worth evaluating. The detection improvements alone justify testing it against your repositories.