Open source · MIT · Rust
Find the secrets that are actually live.
leakferret is one fast Rust binary — engine, CLI, and MCP server. It finds hardcoded keys, confirms which are still live by calling the provider, and rewrites the leak to read from an environment variable instead.
🔒 The full secret never leaves your machine — only a redacted AKIA…4XYZ preview ever leaves the process.
See it work
One command finds the leak, proves it's live, and hands you the fix.
```
$ leakferret verify .
scanning 1,204 files · 3 candidates

src/settings.py:14   aws_secret_access_key   REAL · LIVE   wJal…EKEY
  verified against AWS STS (HTTP 200)
  → rewrite: os.environ["AWS_SECRET_ACCESS_KEY"]

.env:3               stripe_secret_key       FIXTURE       sk_test…p7dc
  documented Stripe test key (catalog)

README.md:88         github_pat              UNKNOWN       ghp_…s1Az
  could not verify (offline)
──────────────────────────────────────────────
3 findings · 1 live · 1 fixture · 1 unknown
raw secret values never left this machine
```
Install in one line
Every package ships the same prebuilt binary. Pick your ecosystem.
```sh
# npm
npm i -g @leakferret/cli

# Ruby
gem install leakferret

# Go
go install github.com/leakferrethq/leakferret-go/cmd/leakferret@latest

# Rust, from source
cargo install leakferret-cli
```
Then scan the working tree:
```sh
$ leakferret scan .
```
`scan` respects `.gitignore` and reads dotfiles like `.env`. Add `--git` to walk commit history. Every wrapper honors a `LEAKFERRET_BIN` override for offline use.
…or gate every pull request
```yaml
# .github/workflows/secrets.yml
- uses: leakferrethq/leakferret-action@v1
  with:
    verify-mode: only-verified   # fail only on confirmed-live keys
    fail-on: any
```
Uploads SARIF to GitHub Code Scanning, so findings show up inline on the PR.
A five-station pipeline
Each station only sees what it needs, and the raw secret never advances past disk.
1. Scan. A fast regex pre-filter over your files. Respects `.gitignore`, reads dotfiles, and with `--git` walks history.
2. Catalog. Candidates are checked against a signed database of known-public examples — Stripe test keys, AKIAIOSFODNN7EXAMPLE, jwt.io samples — so documented fixtures never raise a false alarm.
3. Classify. Each candidate gets a verdict: real, fixture, or unknown. Runs offline, or asks the host editor/agent's own model — no extra API key, no added cost.
4. Verify. One harmless API call to the provider confirms a key is live. ~15 providers covered natively, with a trufflehog fallback. The call goes straight to the provider — leakferret has no servers.
5. Rewrite. Swaps the hardcoded literal for an env-var lookup, appends to `.env.example`, and prints seed commands for your secret manager.
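The following is an added example, not leakferret's own code, showing how stations 1, 2, 3 and 5 fit together for a Python source file; station 4, the provider call, is left out. Everything in it is an assumption or a construction for illustration: a single detector rule for AWS access key IDs, an in-memory set standing in for the signed catalog (seeded with the documented AKIAIOSFODNN7EXAMPLE key from the page), an env-var naming convention of "rule id upper-cased", and a constructed sample file whose second key is a placeholder. The Finding type deliberately stores only the first-4 + last-4 preview, which is the same invariant the page describes later under "Privacy by construction".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not leakferret's code: a miniature of stations 1, 2, 3 and 5.
# One constructed detector rule: AWS access key IDs (AKIA + 16 uppercase alphanumerics).
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}

# Station 2 stand-in: the real tool ships a signed catalog; this is an in-memory
# set holding the documented AWS example key mentioned on the page.
FIXTURE_CATALOG = {"AKIAIOSFODNN7EXAMPLE"}


def preview(secret: str) -> str:
    """First-4 + last-4 redaction: the only form of the value a Finding carries."""
    return f"{secret[:4]}…{secret[-4:]}"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    verdict: str   # "fixture" or "unknown"; live verification is out of scope here
    preview: str   # redacted on purpose: no field holds the raw value


def scan_text(path: str, text: str) -> list[Finding]:
    """Stations 1-3: regex pre-filter, catalog lookup, verdict.

    The raw match stays a local variable and is never stored on the Finding,
    so serializing or logging findings cannot leak it.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                raw = match.group(1)
                verdict = "fixture" if raw in FIXTURE_CATALOG else "unknown"
                findings.append(Finding(path, lineno, rule, verdict, preview(raw)))
    return findings


def env_name_for(rule: str) -> str:
    """Assumed naming convention: the rule id upper-cased, e.g. AWS_ACCESS_KEY_ID."""
    return rule.upper()


def rewrite_line(line: str, rule: str, env_name: str) -> str:
    """Station 5 for Python sources: replace the quoted literal (quotes included)
    with an os.environ lookup. Group 1 is the opening quote, matched again by \\1."""
    quoted = re.compile(r"""(["'])""" + RULES[rule].pattern + r"\1")
    return quoted.sub(f'os.environ["{env_name}"]', line)


def apply_rewrites(text: str, findings: list[Finding]) -> tuple[str, list[str]]:
    """Rewrite every non-fixture finding; return the new source and the
    variable names that should be appended to .env.example."""
    lines = text.splitlines()
    env_names: list[str] = []
    for f in findings:
        if f.verdict == "fixture":
            continue   # documented sample keys are left alone
        name = env_name_for(f.rule)
        lines[f.line - 1] = rewrite_line(lines[f.line - 1], f.rule, name)
        env_names.append(name)
    return "\n".join(lines) + "\n", env_names


# Constructed sample file. PLACEHOLDER_KEY is AKIA plus sixteen Z's, not a real credential.
PLACEHOLDER_KEY = "AKIA" + "Z" * 16
SAMPLE_SETTINGS_PY = (
    "import os\n"
    'DOCS_KEY = "AKIAIOSFODNN7EXAMPLE"  # documented AWS example -> fixture\n'
    'AWS_ACCESS_KEY_ID = "' + PLACEHOLDER_KEY + '"  # constructed placeholder -> unknown\n'
)

if __name__ == "__main__":
    found = scan_text("src/settings.py", SAMPLE_SETTINGS_PY)
    for f in found:
        print(f"{f.path}:{f.line} {f.rule} {f.verdict.upper()} {f.preview}")
    new_src, names = apply_rewrites(SAMPLE_SETTINGS_PY, found)
    print(new_src)
    print("append to .env.example:", ", ".join(f"{n}=" for n in names))
```

Only the replacement string is Python-specific; targeting ENV.fetch or process.env means swapping that one string, while the quote-aware regex and the "fixtures are never rewritten" rule stay the same.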
Model Context Protocol
A secret check your coding agent can run itself
Agents hardcode secrets too, and nobody reviews their diffs line by line. leakferret exposes its pipeline over MCP so the agent self-checks before it commits.
- Tools: scan_repository, classify_candidates, verify_finding, propose_rewrite, baseline_diff
- Works with Claude Code, Cursor, Continue, and Claude Desktop
- Classifies inline using the model the agent already has
Add to your mcpServers config:
```json
{
  "mcpServers": {
    "leakferret": {
      "command": "npx",
      "args": ["@leakferret/mcp"]
    }
  }
}
```
What you get
Provider verification
AWS SigV4, GitHub, GitLab, Stripe, OpenAI, Anthropic, Slack, Twilio, SendGrid, Mailgun, Datadog, Heroku, npm, PyPI, DigitalOcean — plus a trufflehog fallback.
Privacy by construction
The raw secret is never serialized, logged, or sent. Only a first-4 + last-4 preview leaves the process. A dedicated test enforces it.
Agent-applied rewrites
ENV.fetch / os.environ / process.env swaps, plus seed commands for env, Vault, Doppler, AWS Secrets Manager, or Infisical.
Signed fixture catalog
An Ed25519-signed database of known-public example keys, bundled with the binary and refreshable, so documented samples never page you.
Baselines, not noise
One-way HMAC fingerprints of known findings — never the raw secret — so CI fails only on new leaks.
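An added example (not leakferret's own baseline format or code) of how an HMAC baseline lets CI fail only on new leaks. It assumes a per-repository key kept out of the repo and a fingerprint over the rule id, file path and redacted preview, so a finding that merely moves to another line still matches and the baseline file contains nothing that identifies the secret. The sample findings are constructed from the "See it work" output above, and the `only_verified` switch is an assumed stand-in for the Action's `verify-mode: only-verified` setting.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Added example, not leakferret's code. Assumption: a baseline entry is
# HMAC-SHA256 over (rule, path, redacted preview) under a per-repository key,
# so the baseline file never holds a secret and cannot be inverted to one.
BASELINE_KEY = b"constructed-per-repo-key-for-this-example"   # constructed; a real one stays out of git


def fingerprint(key: bytes, finding: dict) -> str:
    """One-way fingerprint; the line number is excluded so edits above a finding do not re-page you."""
    msg = "\0".join([finding["rule"], finding["path"], finding["preview"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_baseline(key: bytes, findings: list[dict]) -> str:
    """Serialize the accepted findings as fingerprints only, sorted for stable diffs."""
    return json.dumps({"fingerprints": sorted(fingerprint(key, f) for f in findings)}, indent=2)


def baseline_diff(key: bytes, baseline_json: str, findings: list[dict]) -> list[dict]:
    """Return the findings whose fingerprint is absent from the baseline (the new leaks)."""
    known = set(json.loads(baseline_json)["fingerprints"])
    return [f for f in findings if fingerprint(key, f) not in known]


def should_fail(new_findings: list[dict], only_verified: bool) -> bool:
    """CI gate. Assumed mapping: only_verified=True fails only on confirmed-live
    keys (like verify-mode: only-verified); otherwise any new finding fails the run."""
    if only_verified:
        return any(f["verdict"] == "live" for f in new_findings)
    return bool(new_findings)


# Constructed findings mirroring the "See it work" output; redacted previews only.
ACCEPTED = [
    {"rule": "stripe_secret_key", "path": ".env", "line": 3, "preview": "sk_test…p7dc", "verdict": "fixture"},
    {"rule": "github_pat", "path": "README.md", "line": 88, "preview": "ghp_…s1Az", "verdict": "unknown"},
]
TODAYS_SCAN = ACCEPTED[:1] + [
    dict(ACCEPTED[1], line=91),   # same PAT, README edited above it: still matches the baseline
    {"rule": "aws_secret_access_key", "path": "src/settings.py", "line": 14,
     "preview": "wJal…EKEY", "verdict": "live"},
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_KEY, ACCEPTED)
    print(baseline)
    new = baseline_diff(BASELINE_KEY, baseline, TODAYS_SCAN)
    for f in new:
        print(f"NEW {f['path']}:{f['line']} {f['rule']} {f['verdict'].upper()} {f['preview']}")
    print("fail build:", should_fail(new, only_verified=True))
```

Because the key is part of the fingerprint, a baseline copied out of the repository cannot be used to test whether a guessed finding is listed in it; with the wrong key every finding looks new, which is the safe failure direction.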
Reports that fit your pipeline
Colored terminal, JSON for scripting, and SARIF for GitHub Code Scanning via the official Action.
How it compares
| | gitleaks | trufflehog | leakferret |
|---|---|---|---|
| Fast regex pre-filter | ✓ | ✓ | ✓ |
| Live provider verification | — | ✓ | ✓ |
| Signed known-public catalog | — | — | ✓ |
| Agent-applied env-var rewrites | — | — | ✓ |
| MCP server for coding agents | — | — | ✓ |
gitleaks is a fast regex scanner; leakferret matches that pre-filter and adds verification. trufflehog verifies too — leakferret adds the MCP/agent layer, the rewrite, and the signed catalog.
Questions
Does leakferret send my secrets anywhere?
No. The raw secret value never leaves your machine — it is never serialized, logged, or sent in any network message or model prompt. Only a redacted first-4 + last-4 preview (like AKIA…4XYZ) ever leaves the process. Verification calls go straight from your machine to the provider; leakferret has no servers and collects nothing. A dedicated test enforces this invariant.
Is it really free?
Yes. The engine, CLI, MCP server, and every language wrapper are MIT-licensed and free forever. The fixture catalog data is CC-BY-SA-4.0. No account, no telemetry.
Which providers can it verify?
Around 15 natively: AWS (SigV4), GitHub, GitLab, Stripe, OpenAI, Anthropic, Slack, Twilio, SendGrid, Mailgun, Datadog, Heroku, npm, PyPI, and DigitalOcean — with a trufflehog binary fallback for the long tail.
How is it different from gitleaks or trufflehog?
gitleaks is a fast regex scanner; leakferret matches that pre-filter and adds live provider verification. trufflehog verifies too — leakferret adds the MCP layer so coding agents can self-check, the in-place env-var rewrite, and a signed catalog of known-public keys so documented examples never page you.
Does it work in CI?
Yes. There's an official GitHub Action that installs the binary, scans, and uploads SARIF to Code Scanning. A baseline of one-way HMAC fingerprints lets CI fail only on new leaks. JSON and SARIF output formats are built in.
What does the MCP server do?
It exposes the pipeline over the Model Context Protocol so a coding agent (Claude Code, Cursor, Continue, Claude Desktop) can scan, classify, verify, and propose rewrites before it commits — classifying inline with the model it already has.
Scan your repo in the next minute.
Free and open source under MIT. No account, no servers, no telemetry.