Custom MCP server wrapping Gitleaks for detecting secrets and credentials in git repositories and files.
| Tool | Description |
|---|---|
| gitleaks_scan_repo | Scan a git repository including commit history |
| gitleaks_scan_dir | Scan a directory without git history |
| gitleaks_detect | Quick scan text content for secrets |
| get_scan_results | Retrieve previous scan results |
| list_active_scans | Show running scans |

```bash
docker build -t gitleaks-mcp .
docker run -it --rm gitleaks-mcp
```

```json
{
  "mcpServers": {
    "gitleaks": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "gitleaks-mcp:latest"]
    }
  }
}
```

```json
{
  "mcpServers": {
    "gitleaks": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "/path/to/repos:/repos:ro",
        "gitleaks-mcp:latest"
      ]
    }
  }
}
```

- API keys (AWS, GCP, Azure, Stripe, etc.)
- Passwords and tokens
- Private keys (SSH, PGP)
- Database connection strings
- OAuth secrets
- JWT tokens
- And 150+ other secret patterns

| Variable | Default | Description |
|---|---|---|
| GITLEAKS_OUTPUT_DIR | /app/output | Scan output directory |
| GITLEAKS_TIMEOUT | 300 | Default scan timeout (seconds) |
| GITLEAKS_MAX_CONCURRENT | 2 | Maximum concurrent scans |

- Secrets in output are automatically masked (first 4 chars visible)
- Always obtain written authorization before scanning repositories
- Be careful with scan outputs - they may contain partial secrets
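
The masking rule from the notes above, as an added example that is not this project's own code. It assumes Gitleaks' JSON report fields `Secret` and `Match`; the function names and the sample report are constructed for illustration.

```python
import json

VISIBLE = 4  # the notes above say the first 4 characters stay visible

# Constructed sample in the shape of a Gitleaks JSON report (values are fake).
SAMPLE_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "app/config.py", "StartLine": 3,
     "Match": 'api_key = "abcd1234efgh5678"', "Secret": "abcd1234efgh5678"},
    {"RuleID": "generic-api-key", "File": "deploy/.env", "StartLine": 1,
     "Match": "password=pw1", "Secret": "pw1"},
])


def mask_secret(secret, visible=VISIBLE):
    """Keep the first `visible` characters and star out the rest."""
    if len(secret) <= visible:
        # A secret this short would be shown in full, so hide all of it.
        return "*" * len(secret)
    return secret[:visible] + "*" * (len(secret) - visible)


def mask_finding(finding):
    """Mask the secret in every string field of one finding, not only `Secret`."""
    secret = finding.get("Secret") or ""
    if not secret:
        return dict(finding)
    masked = mask_secret(secret)
    # `Match` holds the surrounding text and repeats the raw secret, so a
    # masker that rewrites only `Secret` still leaks it.
    return {key: value.replace(secret, masked) if isinstance(value, str) else value
            for key, value in finding.items()}


def mask_report(report_json):
    """Parse a JSON report and return the list of masked findings."""
    return [mask_finding(f) for f in json.loads(report_json)]


if __name__ == "__main__":
    for finding in mask_report(SAMPLE_REPORT):
        print(finding["File"], finding["StartLine"], finding["Match"])
```

The masked value keeps the secret's length and its first four characters, which is why the outputs still count as partial secrets.
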
MIT