Hardcoded secrets in Git are a category of mistake that never gets less embarrassing. An AWS access key pushed to a public repo gets scraped by bots within minutes and burned on crypto miners spun up in your account; this is documented behavior, not a theoretical risk. The fix is automated scanning, and Gitleaks is the open-source tool most teams reach for when they don't want to pay a commercial scanner's per-developer rate. We pulled Gitleaks into several sample repos to see how it actually behaves: where it shines, where it produces noise, and how the CLI flow compares to commercial alternatives like GitGuardian. This is the writeup.

What Gitleaks Actually Catches

Gitleaks ships with a default ruleset of well over 100 regex patterns covering the usual suspects: AWS access keys, GitHub personal access tokens, Slack webhooks, Stripe live keys, Google API keys, private SSH keys, and JWT-shaped strings. The patterns are written in TOML and live in the repo at config/gitleaks.toml.…
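To make the TOML ruleset concrete, here is an added example (not code from this article or from the Gitleaks project) that parses a small gitleaks.toml-style config and applies it the way the scanner does: a keyword prefilter, a regex match, an optional secretGroup and Shannon-entropy threshold, and a path allowlist. The rule ids and regexes are this example's own simplified patterns, not the ones shipped in config/gitleaks.toml, and the matching semantics are a reimplementation that follows the documented rule keys; the sample lines are constructed, with placeholder tokens that are not real credentials.

```python
"""Gitleaks-style rule evaluation over constructed input (added example)."""
import math
import re

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed config using the gitleaks.toml rule keys (id, regex, secretGroup,
# entropy, keywords, allowlist). Patterns are simplified for illustration and are
# assumptions, not copies of the project's shipped ruleset.
CONFIG = r"""
[extend]
useDefault = true   # real runs merge the built-in rules; this example does not load them

[allowlist]
description = "Global allowlist"
paths = ['''(^|/)testdata/''']

[[rules]]
id = "aws-access-key-id"
description = "AWS access key ID"
regex = '''\b(AKIA[0-9A-Z]{16})\b'''
keywords = ["akia"]

[[rules]]
id = "github-pat"
description = "GitHub personal access token"
regex = '''\b(ghp_[0-9A-Za-z]{36})\b'''
keywords = ["ghp_"]

[[rules]]
id = "slack-webhook"
description = "Slack incoming webhook"
regex = '''https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+'''
keywords = ["hooks.slack.com"]

[[rules]]
id = "generic-api-key"
description = "Generic API key assignment, filtered by entropy"
regex = '''(?i)(?:api[_-]?key|secret)\s*[:=]\s*['"]?([0-9a-z\-_.=]{16,64})['"]?'''
secretGroup = 1
entropy = 3.5
keywords = ["api", "secret"]
"""


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character; the generic rule uses it to drop placeholders."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def load_rules(toml_text: str):
    """Parse the TOML into compiled rules plus the global path allowlist."""
    cfg = tomllib.loads(toml_text)
    rules = [
        {
            "id": r["id"],
            "regex": re.compile(r["regex"]),
            "group": r.get("secretGroup", 0),  # 0 = whole match, as when secretGroup is absent
            "entropy": r.get("entropy", 0.0),
            "keywords": [k.lower() for k in r.get("keywords", [])],
        }
        for r in cfg["rules"]
    ]
    allow_paths = [re.compile(p) for p in cfg.get("allowlist", {}).get("paths", [])]
    return rules, allow_paths


def scan(toml_text: str, fragments):
    """fragments: (path, line_no, text) tuples. Returns (rule_id, path, line_no, secret) findings."""
    rules, allow_paths = load_rules(toml_text)
    findings = []
    for path, lineno, text in fragments:
        if any(p.search(path) for p in allow_paths):
            continue  # allowlisted path, e.g. fixtures
        lowered = text.lower()
        for rule in rules:
            # Keyword prefilter: cheap substring check before the regex runs
            if rule["keywords"] and not any(k in lowered for k in rule["keywords"]):
                continue
            for m in rule["regex"].finditer(text):
                secret = m.group(rule["group"])
                if rule["entropy"] and shannon_entropy(secret) < rule["entropy"]:
                    continue  # low-entropy value such as a placeholder
                findings.append((rule["id"], path, lineno, secret))
    return findings


# Constructed sample lines; none of these values are live credentials.
SAMPLE = [
    ("config/settings.py", 12, 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"'),
    (".env", 3, "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789"),
    ("deploy/notify.sh", 7, "curl -X POST https://hooks.slack.com/services/T0000000000/B0000000000/XXXXXXXXXXXXXXXXXXXXXXXX"),
    ("app/client.py", 40, 'api_key = "9f4Ks2mQpL7xVb3NtR8wZc1Y"'),
    ("app/client.py", 41, 'api_key = "password_password_password"'),  # low entropy, dropped
    ("testdata/fixtures.py", 1, 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"'),  # allowlisted path
]

if __name__ == "__main__":
    for rule_id, path, lineno, secret in scan(CONFIG, SAMPLE):
        print(f"{path}:{lineno}: {rule_id}: {secret}")
```

Two behaviors worth noting: the placeholder on line 41 matches the generic regex but is dropped by the entropy threshold, which is the mechanism that keeps "generic" rules from flagging every `api_key = "changeme"`, and the AWS key under testdata/ is never evaluated because the path allowlist is checked before any rule runs.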