Check for secret material

ripsecrets

• GitHub
• Rust
• Focussed on pre-commit
• AUR package ripsecrets fails to build (2025-12)
• Issues:
  • Doesn't catch all secrets detected by gitleaks i.e.

Install:

stew install sirwart/ripsecrets

Pre-commit config:

  - repo: https://github.com/sirwart/ripsecrets
    rev: v0.1.11
    hooks:
      # Native rust-based hook not implemented yet in prek
      # - id: ripsecrets
      - id: ripsecrets-system

Usage:

ripsecrets notifications.md

trufflehog

• GitHub
• Go

Install:

pacman install trufflehog-bin

Scan local file:

trufflehog filesystem notifications.md

gitleaks

• gitleaks
• Diskussion about what passwords to protect
• pre-commit-hook integration
• Megalinter integration
• Configuration

Install:

sudo pacman -S gitleaks

Scan git history:

gitleaks detect -v

Ignore/allow false-positives:

• Add a # gitleaks:allow at the end of the line with an allowed false-positive
• For retroactive ignores from already committed false-positives add the fingerprint shown by gitleaks detect -v to a .gitleaksignore, see this repos .gitleaksignore as example

secretlint

• GitHub
• Megalinter integration
• Configuration
  • .secretlintignore
• Not available in Arch/AUR, Mason, Mise

Install:

eget secretlint/secretlint

Run using podman:

alias secretlint="podman run -v `pwd`:`pwd` -w `pwd` --rm -it docker.io/secretlint/secretlint secretlint '**/*'"

talisman

• GitHub
• No ad-hoc cli scanning

If you are sure you want to ignore detected secret material:

echo 'aarwolf.yaml # ignore:filecontent' >> .talismanignore

git-secrets

• Stale, no new release including pre-commit support
• Last tag 2019
• Example pre-commit-hooks.yml
• Doesn't detect a kubeconfig file!