Betterleaks - New Open-Source Secrets Scanner Released
In short, Betterleaks is a tool that finds leaked credentials, API keys and tokens in code and git repositories.
Zach Rice has released Betterleaks, an open-source scanner that looks for leaked credentials in git repositories. It replaces the entropy-based filtering of Gitleaks with a tokenizer-based measure intended to cut false positives, and it accepts existing Gitleaks flags and configuration files, so teams can drop it into current workflows.
What It Does
Betterleaks is an open-source tool that scans git repositories, directories and standard input for leaked secrets: credentials, API keys, tokens and passwords. It was written by Zach Rice, the original author of Gitleaks, and is positioned as a drop-in replacement for it. The existing CLI flags and configuration files keep working, so a Gitleaks setup can switch without reworking its integration.
The scoring approach is new. Gitleaks decides whether a regex match is worth reporting partly by its Shannon entropy; Betterleaks instead measures what Rice calls token efficiency: how many tokens a byte pair encoding (BPE) tokenizer needs to represent the candidate string. Text the tokenizer has effectively seen before, such as ordinary prose, identifiers and placeholder values, compresses into few tokens, while a genuinely random secret does not. The reported effect is fewer false positives together with higher recall, 98.6% against 70.4% for Gitleaks. Recall measures how many real secrets are caught, not how much of the output is noise, so teams should still validate the results on their own repositories before trusting the numbers.
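To make the contrast concrete, here is an added example, not code from Betterleaks or from Zach Rice, that trains a toy byte pair encoding tokenizer on a constructed four-line corpus and then scores strings by Shannon entropy and by token efficiency (non-space bytes per token). The corpus, the sample strings, the doubled placeholder and the random-looking token `x7Qz9vLpR2mKjT4bWn8Y` are all constructed for the example; the real tool trains on far more data and its exact scoring is not described on the page.

```go
package main

import (
	"math"
	"strings"
)

// Constructed training corpus for a toy BPE tokenizer; a real one sees far more text.
var trainingCorpus = []string{
	"the user entered the password for the database",
	"the database password is loaded for the user",
	"the server entered maintenance mode with key 0123456789abcdef",
	"replace the example key 0123456789abcdef with your own",
}

type pair struct{ left, right string }

type BPE []pair // learned merges, in the order they were learned

// applyMerge joins every adjacent (left, right) occurrence into one symbol.
func applyMerge(syms []string, p pair) []string {
	out := make([]string, 0, len(syms))
	for i := 0; i < len(syms); i++ {
		if i+1 < len(syms) && syms[i] == p.left && syms[i+1] == p.right {
			out = append(out, p.left+p.right)
			i++ // the right half was consumed by the merge
		} else {
			out = append(out, syms[i])
		}
	}
	return out
}

// Train merges the most frequent adjacent pair until nothing repeats or maxMerges
// is reached; ties break lexicographically so runs are deterministic.
func Train(corpus []string, maxMerges int) BPE {
	var words [][]string
	for _, line := range corpus {
		for _, w := range strings.Fields(line) {
			words = append(words, strings.Split(w, "")) // start from single characters
		}
	}
	var bpe BPE
	for len(bpe) < maxMerges {
		counts := map[pair]int{}
		for _, w := range words {
			for i := 0; i+1 < len(w); i++ {
				counts[pair{w[i], w[i+1]}]++
			}
		}
		best, bestN := pair{}, 0
		for p, n := range counts {
			if n > bestN || (n == bestN && p.left+"\x00"+p.right < best.left+"\x00"+best.right) {
				best, bestN = p, n
			}
		}
		if bestN < 2 {
			break
		}
		bpe = append(bpe, best)
		for i := range words {
			words[i] = applyMerge(words[i], best)
		}
	}
	return bpe
}

// Tokenize encodes s by replaying the learned merges in training order.
func (b BPE) Tokenize(s string) []string {
	var toks []string
	for _, w := range strings.Fields(s) {
		syms := strings.Split(w, "")
		for _, m := range b {
			syms = applyMerge(syms, m)
		}
		toks = append(toks, syms...)
	}
	return toks
}

// TokenEfficiency is non-space bytes per token: high for text the tokenizer
// knows, exactly 1.0 when no learned merge applies to the string at all.
func (b BPE) TokenEfficiency(s string) float64 {
	toks := b.Tokenize(s)
	if len(toks) == 0 {
		return 0
	}
	return float64(len(strings.Join(toks, ""))) / float64(len(toks))
}

// ShannonEntropy is the bits-per-byte estimate behind Gitleaks-style entropy thresholds.
func ShannonEntropy(s string) float64 {
	counts := map[byte]float64{}
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	h := 0.0
	for _, c := range counts {
		p := c / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}
```

`Train(trainingCorpus, 1000)` learns the merges. Scored with it, the sentence "the user entered the password for the database" sits at about 3.6 bits/byte of entropy but 4.9 bytes/token (eight whole-word tokens); the doubled placeholder `0123456789abcdef0123456789abcdef` has a secret-like 4.0 bits/byte yet 16 bytes/token because the tokenizer has seen that value; and the random token has 4.3 bits/byte and exactly 1.0 bytes/token. An entropy threshold cannot separate the placeholder from the real secret, while token efficiency puts them at opposite ends of the scale, which is the false-positive effect the article describes.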
Key Features
Betterleaks is written in pure Go with no native library dependencies, so a single binary runs wherever Go does. It scans archives, including nested ones, and reports in JSON, CSV, JUnit and SARIF, the last being the format most code-scanning integrations consume. It also handles secrets wrapped in two or three layers of encoding, so a value hidden behind repeated encoding is still decoded and matched.
Git scanning is parallelized, which shortens scans of large histories, a practical concern for teams that want to scan repositories routinely rather than as an occasional audit.
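The page does not say how Betterleaks unwraps layered encoding. The following added example, not the project's code, shows the general technique: match a rule against the text, then decode every base64-looking run and scan the result again, up to a depth limit. It assumes base64 as the encoding, a hypothetical rule for the AWS access key ID shape, and uses the example value AKIAIOSFODNN7EXAMPLE from AWS's own documentation inside a constructed, doubly encoded config line.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
)

// Illustrative rule for the AWS access key ID shape (not a Betterleaks rule).
var secretRule = regexp.MustCompile(`AKIA[0-9A-Z]{16}`)

// base64Candidate picks runs long enough to plausibly be an encoded payload.
var base64Candidate = regexp.MustCompile(`[A-Za-z0-9+/_-]{20,}={0,2}`)

var decoders = []*base64.Encoding{
	base64.StdEncoding, base64.RawStdEncoding, base64.URLEncoding, base64.RawURLEncoding,
}

// Finding records a match and how many decoding layers deep it was seen.
type Finding struct {
	Secret string
	Depth  int
}

// isText rejects decoded bytes that are not printable ASCII, which stops the
// scanner from recursing into binary junk that merely looked like base64.
func isText(b []byte) bool {
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return len(b) > 0
}

// Scan matches the rule against s, then decodes every base64-looking run and
// scans the result, up to maxDepth layers, so a doubly or triply encoded secret
// is still found and reported with the depth at which it was unwrapped.
func Scan(s string, depth, maxDepth int) []Finding {
	var out []Finding
	for _, m := range secretRule.FindAllString(s, -1) {
		out = append(out, Finding{Secret: m, Depth: depth})
	}
	if depth >= maxDepth {
		return out
	}
	for _, cand := range base64Candidate.FindAllString(s, -1) {
		for _, enc := range decoders {
			dec, err := enc.DecodeString(cand)
			if err != nil || !isText(dec) {
				continue
			}
			out = append(out, Scan(string(dec), depth+1, maxDepth)...)
			break // one successful decoding per candidate is enough
		}
	}
	return out
}

// DoubleEncode builds the constructed sample: a config line whose value is the
// plaintext base64-encoded twice, as a careless script or template might leave it.
func DoubleEncode(plaintext string) string {
	once := base64.StdEncoding.EncodeToString([]byte(plaintext))
	twice := base64.StdEncoding.EncodeToString([]byte(once))
	return "token: " + twice
}

func main() {
	sample := DoubleEncode("aws_access_key_id = AKIAIOSFODNN7EXAMPLE")
	for _, f := range Scan(sample, 0, 3) {
		fmt.Printf("found %s after %d decoding layer(s)\n", f.Secret, f.Depth)
	}
}
```

With a depth limit of 3 the key is reported at depth 2; with a limit of 1 the same input yields nothing, which is exactly the blind spot a scanner that decodes only once has. The depth limit and the printable-text check are the two controls that keep this from exploding on binary blobs that happen to be base64-shaped.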
Planned Improvements
The roadmap lists three features that are not in the current release. LLM-assisted classification would send anonymized candidate secrets to a language model for additional context. Auto-revocation would use the revocation APIs of credential providers that offer them, so a confirmed leak can be disabled from the scanner itself.
Permissions mapping would show what access a detected secret actually carries, which is what a responder needs to judge the impact of a leak and prioritize rotation.
How to Get Started
Betterleaks is available for free on GitHub. It is also designed to be driven by AI coding agents, so it fits agent-based development workflows as well as conventional CI pipelines. For organizations already running Gitleaks, the compatible flags and configuration make the switch a low-effort way to tighten their defenses against credential leaks.
The release is a notable step in the ongoing effort to keep secrets out of code, and a reminder that scanning repositories proactively is part of protecting sensitive information.
Help Net Security