Gitleaks Integration

Gitleaks Integration brings Gitleaks-based secret detection into Burp Suite's passive scanning workflow. It scans HTTP responses for hardcoded secrets such as API keys, tokens, and passwords using the official Gitleaks rule set, without requiring any external binaries or processes.

Features

• Parses the official gitleaks.toml rule format directly
• Fetch the latest rules from the Gitleaks repository with one click, or load a custom or company-specific config file
• Recursively decodes and scans Base64-encoded payloads up to two levels deep
• Configurable redaction level controls how much of a detected secret is masked in the issue detail view

Usage

1. After loading the extension, open "Settings" and navigate to the "Gitleaks Integration" panel. Click "Update" to fetch the latest rules, or specify a path to a custom .toml configuration file.
2. Browse your target application. The extension passively scans each HTTP response and raises audit issues for any secrets detected.
3. To verify a finding, right-click it in the Issues table, and view step-by-step manual instructions.