Install gitleaks and configure a rules file that covers your organization's secret patterns (API keys, tokens, certificates)
Add a pre-commit hook that runs gitleaks detect on staged changes before allowing a commit to proceed
Configure trufflehog to scan the full git history of a repository to identify previously committed secrets
Set up a server-side pre-receive hook (or a CI check on every push) to block pushes containing detected secrets
Establish a process for rotating and revoking any secrets that are found, and document findings in an incident log
Tune both tools' allow-list configurations to suppress known false positives while preserving detection fidelity
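A minimal server-side pre-receive hook for the "block pushes" step, written here as an added example (not code from this page or from the gitleaks project). It assumes gitleaks v8 is on the server's PATH and that the rules file lives at a hypothetical default path, overridable through GITLEAKS_CONFIG:

```shell
#!/bin/sh
# Server-side pre-receive hook: reject a push when gitleaks flags a secret in
# any pushed commit. git feeds "oldrev newrev refname" lines on stdin and runs
# the hook with the repository as the working directory.
# Assumes gitleaks v8 on PATH; the config path below is a hypothetical default.
set -eu

GITLEAKS_CONFIG="${GITLEAKS_CONFIG:-/etc/gitleaks/gitleaks.toml}"
ZERO="0000000000000000000000000000000000000000"

# Translate one ref update into the git log range that must be scanned.
# Deletion: nothing new to scan, print nothing. New ref: no oldrev exists, so
# scan everything reachable from newrev that is not already on the server.
# Otherwise: scan exactly the commits that were pushed.
rev_range() {
    if [ "$2" = "$ZERO" ]; then
        :
    elif [ "$1" = "$ZERO" ]; then
        printf '%s' "$2 --not --all"
    else
        printf '%s' "$1..$2"
    fi
}

# Scan a range; exit status is non-zero when gitleaks finds a leak.
# --redact keeps the secret values themselves out of push output and logs.
scan_range() {
    gitleaks detect --no-banner --redact \
        --config "$GITLEAKS_CONFIG" --source . --log-opts="$1"
}

main() {
    status=0
    while read -r oldrev newrev refname; do
        range="$(rev_range "$oldrev" "$newrev")"
        [ -n "$range" ] || continue
        if ! scan_range "$range"; then
            echo "rejected: $refname contains secrets flagged by gitleaks" >&2
            status=1
        fi
    done
    return "$status"
}

# git exports GIT_DIR when invoking a hook; outside git (tests, sourcing)
# only the functions are defined.
if [ -n "${GIT_DIR:-}" ]; then
    main
fi
```

Install it as an executable hooks/pre-receive in the bare repository; on rejection the pusher sees the redacted finding report and git discards the quarantined objects, so the secret never lands in the shared history.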
Known gotchas
Pre-commit hooks only run in environments where the hook is installed; contributors who bypass hooks or use git directly without hook setup will not be checked — server-side enforcement is essential
Regex-based secret detection produces false positives on test fixtures and example files; an overly broad allow-list created to suppress these can also suppress real secrets
Rotating a leaked secret is necessary but not sufficient; the original secret may be cached by external services or have been used for unauthorized access before detection