Install gitleaks via the official release binary or `brew install gitleaks`
Run `gitleaks detect --source . --report-format json --report-path gitleaks-report.json` in CI to scan the working tree
For full history scans on new repositories, use `gitleaks detect --log-opts='--all'` so every commit on every branch and ref is checked, not only the history reachable from the current HEAD
Review the report JSON for `Description`, `Secret`, `File`, and `Commit` fields to triage findings
Add a `gitleaks protect --staged` pre-commit hook (see the gitleaks documentation) so secrets are blocked before they are ever committed
Known gotchas
Gitleaks uses regex rules that can produce false positives on high-entropy strings that are not actual credentials. Maintain a `.gitleaksignore` file of SHA-fingerprinted false positives (one commit:file:rule:line fingerprint per entry) rather than broad path exclusions, which would also hide a real secret later added under the same path
Scanning full repository history on a large monorepo can be slow and memory-intensive; in incremental CI runs, use `--log-opts` to limit the scan to recent commits
The `--redact` flag replaces matched secret values in the report with `REDACTED`; enable it when reports are stored in shared artifact stores accessible to users without need-to-know
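The triage, fingerprint-ignore and redaction steps above, as an added example that is not part of gitleaks or its documentation. It parses a constructed gitleaks JSON report (two fake findings embedded inline, with placeholder secrets), summarizes findings by rule and file, emits `.gitleaksignore` fingerprint lines only for paths a reviewer has confirmed as false positives, and strips secret values the way `--redact` does. It assumes the v8 report field names (`RuleID`, `Fingerprint`, `Secret`, `Match`, `File`, `Commit`, `StartLine`); the `Fingerprint` field is absent from older reports, so the code rebuilds it from the other fields in that case.

```python
"""Triage helper for a gitleaks JSON report (added example, not gitleaks code)."""
import json
from collections import Counter

# Constructed sample report: a real report is a JSON array of the same shape.
# The second finding deliberately omits "Fingerprint" to mimic an older report.
SAMPLE_REPORT = json.dumps([
    {
        "Description": "AWS Access Key",
        "StartLine": 12,
        "Match": "AKIAEXAMPLEEXAMPLE01",
        "Secret": "AKIAEXAMPLEEXAMPLE01",          # fake placeholder value
        "File": "config/settings.py",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "RuleID": "aws-access-key-id",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567"
                       ":config/settings.py:aws-access-key-id:12",
    },
    {
        "Description": "Generic API Key",
        "StartLine": 3,
        "Match": 'api_key = "deadbeefdeadbeefdeadbeef"',
        "Secret": "deadbeefdeadbeefdeadbeef",      # fake placeholder value
        "File": "tests/fixtures/sample.txt",
        "Commit": "89abcdef0123456789abcdef0123456789abcdef",
        "RuleID": "generic-api-key",
    },
])

REDACTED = "REDACTED"


def load_findings(report_text: str) -> list:
    """Parse a gitleaks JSON report, which is a top-level array of findings."""
    data = json.loads(report_text)
    if not isinstance(data, list):
        raise ValueError("gitleaks JSON report must be a top-level array")
    return data


def fingerprint(finding: dict) -> str:
    """Return the .gitleaksignore fingerprint for one finding.

    Recent gitleaks versions emit it as the Fingerprint field. For older
    reports it is rebuilt as commit:file:rule-id:start-line for git scans, or
    file:rule-id:start-line when there is no commit (a --no-git scan).
    """
    if finding.get("Fingerprint"):
        return finding["Fingerprint"]
    parts = [finding["File"], finding["RuleID"], str(finding["StartLine"])]
    if finding.get("Commit"):
        parts.insert(0, finding["Commit"])
    return ":".join(parts)


def summarize(findings: list) -> dict:
    """Counts by rule and by file, the two axes a triager sorts on first."""
    return {
        "total": len(findings),
        "by_rule": dict(Counter(f["RuleID"] for f in findings)),
        "by_file": dict(Counter(f["File"] for f in findings)),
    }


def ignore_entries(findings: list, false_positive_prefixes) -> list:
    """Fingerprint lines for .gitleaksignore, restricted to findings under paths
    the reviewer has confirmed as false positives (here: test fixtures). Each
    entry pins one commit+file+rule+line, so a real secret added later under the
    same path is still reported, unlike a path allowlist."""
    return [
        fingerprint(f) for f in findings
        if any(f["File"].startswith(p) for p in false_positive_prefixes)
    ]


def redact(findings: list) -> list:
    """Strip secret values as --redact does, so the report can be stored in a
    shared artifact store: Match keeps its context, Secret is replaced."""
    out = []
    for f in findings:
        g = dict(f)
        secret = f.get("Secret", "")
        if secret:
            g["Match"] = f.get("Match", "").replace(secret, REDACTED)
        g["Secret"] = REDACTED
        out.append(g)
    return out


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(json.dumps(summarize(found), indent=2))
    for line in ignore_entries(found, ["tests/fixtures/"]):
        print(line)                      # append these lines to .gitleaksignore
    print(json.dumps(redact(found), indent=2))
```

In a pipeline, `load_findings` would read `gitleaks-report.json` from the `--report-path` above; the prefix list passed to `ignore_entries` is the reviewer's decision, so keep it short and specific rather than allowlisting whole directories.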
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp