Background
CodeLens's current secrets command is regex-only. This leads to:
- High false-positive rate — generic patterns like
password match test fixtures and comments
- High miss rate — no entropy analysis, no Git history scan, no structured rule library
- No ecosystem awareness — doesn't understand AWS key format, GitHub PAT format, Stripe key format, etc.
Gitleaks is a purpose-built secrets scanner with 600+ maintained rules, entropy scoring, structured JSON output, and active development. It is the de-facto standard for secrets detection in CI pipelines.
Goal
Upgrade codelens secrets to use gitleaks as its primary backend when available, with a graceful fallback to the existing regex scanner when gitleaks is not installed.
# Same interface, better results
codelens secrets .
codelens secrets . --format json
codelens secrets . --no-gitleaks # force regex fallback
Implementation
# Detection
def _gitleaks_available() -> bool:
return subprocess.run(['gitleaks', 'version'], capture_output=True).returncode == 0
# Invocation
subprocess.run([
'gitleaks', 'detect',
'--source', path,
'--report-format', 'json',
'--report-path', tmp_output,
'--no-git', # scan working tree, not git history (optional: add --git flag)
'--exit-code', '0' # don't fail on findings — we handle exit ourselves
])
Result normalizer: map gitleaks JSON output fields to CodeLens's existing findings schema:
gitleaks.RuleID → type
gitleaks.Description → message
gitleaks.File + gitleaks.StartLine → file + line
gitleaks.Secret → redacted match (show first 4 chars + ***)
gitleaks.Tags → category
Fallback behavior: if gitleaks not found, run existing regex scanner with a [warning] in output: gitleaks not found — using built-in regex scanner (lower accuracy). Install gitleaks for best results.
Definition of Done
Source of Truth
Why not replace the regex scanner entirely
Some environments cannot install binaries (locked-down CI, read-only filesystems). The regex fallback ensures codelens secrets always works, everywhere, without setup — gitleaks is an opt-in upgrade, not a hard dependency.
Background
CodeLens's current
secretscommand is regex-only. This leads to:passwordmatch test fixtures and commentsGitleaks is a purpose-built secrets scanner with 600+ maintained rules, entropy scoring, structured JSON output, and active development. It is the de-facto standard for secrets detection in CI pipelines.
Goal
Upgrade
codelens secretsto use gitleaks as its primary backend when available, with a graceful fallback to the existing regex scanner when gitleaks is not installed.Implementation
Result normalizer: map gitleaks JSON output fields to CodeLens's existing findings schema:
gitleaks.RuleID→typegitleaks.Description→messagegitleaks.File+gitleaks.StartLine→file+linegitleaks.Secret→ redactedmatch(show first 4 chars +***)gitleaks.Tags→categoryFallback behavior: if gitleaks not found, run existing regex scanner with a
[warning]in output:gitleaks not found — using built-in regex scanner (lower accuracy). Install gitleaks for best results.Definition of Done
_gitleaks_available()detection inscripts/commands/secrets.py--no-gitleaksflag to force regex fallback (useful for testing)stats.backendfield in output:"gitleaks"or"regex"SKILL.mdupdated: note that gitleaks improves accuracy, link to install docssync_command_count.py --applyrun (count unchanged — same command, upgraded backend)Source of Truth
gitleaks detect --report-format json --helpscripts/commands/secrets.py— normalizer plugs in herebrew install gitleaks/go install/ GitHub releases binaryWhy not replace the regex scanner entirely
Some environments cannot install binaries (locked-down CI, read-only filesystems). The regex fallback ensures
codelens secretsalways works, everywhere, without setup — gitleaks is an opt-in upgrade, not a hard dependency.