Drop a zip of a repo and scan every file for hardcoded API keys, tokens, and private keys. Nothing is retained after the scan, and with the self-host license the scanner runs entirely on your own box, so you never hand your source, or its secrets, to someone else's cloud.
A hardcoded token in a commit, a .env that slipped into a zip — that's how breaches start. Guardwright finds them so you can rotate before anyone else does.
A .zip of the codebase. We unpack it in an isolated sandbox and never run it.
150+ rules for AWS/GCP keys, GitHub & Slack tokens, private keys, JWTs, and generic high-entropy secrets.
A severity-ranked report with file and line — the value itself stays redacted, so the report is safe to share.
Think about what a cloud secret scanner asks for: upload your entire source tree — including the secrets — to their servers. That's the one category where "just use our cloud" makes the least sense.
Nothing is retained after the scan, and with the self-host license the scan runs on your own box, so your keys are never copied to a third party you now have to trust.
Code is unpacked to a temp dir, scanned, and deleted in the same request. No database, no retention.
Findings show the rule, file, and line — never the secret. The report is safe to paste into a ticket.
Scan free in the browser. Upgrade for CI gating, larger repos, and the self-host license.
No. The zip is unpacked to a temporary directory, scanned, and deleted in the same request. Nothing is written to a database, and secret values are redacted out of the report entirely.
150+ rules via the MIT-licensed gitleaks engine: AWS/GCP/Azure keys, GitHub/GitLab/Slack/Stripe tokens, private keys, JWTs, and generic high-entropy strings.
The engine allowlists well-known example keys (like AWS's docs sample) to cut false positives, and the paid tiers let you add your own allowlist.
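How the unpack, scan, redact and allowlist steps described above fit together, as an added Python example written for this page rather than Guardwright's or gitleaks' own code. The rule set, severities, entropy threshold, zip-slip check and sample files are assumptions constructed here; the only real value in it is AWS's documented sample access key, which sits on the allowlist.

```python
# Added example written for this page; not Guardwright's or gitleaks' code. The
# rules, severities, threshold and sample files below are assumptions.
import io
import math
import os
import re
import tempfile
import zipfile
from collections import Counter
from typing import NamedTuple

# Tiny assumed rule set: (name, severity, pattern). A capture group, when present,
# marks the candidate secret; otherwise the whole match is the candidate.
RULES = [
    ("private-key", "critical", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("aws-access-key-id", "high", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", "high", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic-high-entropy", "medium",
     re.compile(r"""(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/_\-=]{20,})""")),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
# Known documentation placeholders, never live credentials (the AWS docs sample key).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}
ENTROPY_THRESHOLD = 4.0  # bits per character; applied only to the generic rule


class Finding(NamedTuple):
    rule: str
    severity: str
    path: str
    line: int
    redacted: str  # only the value's length survives; the value itself is never stored


def shannon_entropy(s):
    """Bits per character of s; random alnum/base64 material scores well above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(path, lineno, line):
    """Run every rule over one line, dropping allowlisted and low-entropy hits."""
    out = []
    for name, severity, pattern in RULES:
        for m in pattern.finditer(line):
            value = m.group(1) if pattern.groups else m.group(0)
            if value in ALLOWLIST:
                continue
            if name == "generic-high-entropy" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            out.append(Finding(name, severity, path, lineno, f"<redacted, {len(value)} chars>"))
    return out


def safe_extract(zip_bytes, dest):
    """Unpack into dest, refusing any entry whose path would escape it (zip-slip)."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"zip entry escapes extraction dir: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())


def scan_zip(zip_bytes):
    """Unpack to a throwaway dir, scan every file, return ranked findings; the dir is deleted on exit, even if the scan raises."""
    findings = []
    with tempfile.TemporaryDirectory() as tmp:
        safe_extract(zip_bytes, tmp)
        for dirpath, _, filenames in os.walk(tmp):
            for name in filenames:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, tmp).replace(os.sep, "/")
                with open(full, "rb") as f:
                    text = f.read().decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    findings.extend(scan_line(rel, lineno, line))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))


def build_zip(files):
    """Build an in-memory zip from {path: text}; used here to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample repo: one allowlisted docs key, one low-entropy placeholder, four made-up secrets.
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_PASSWORD = "placeholder_placeholder_placeholder"\n',
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAQ2Z7T4V8X1M3P6R9\nAPI_KEY=K7xQ2mP9vL4nR8tY1wZ6bH3jF5sD0gA2cE\n",
    "scripts/release.sh": 'curl -H "Authorization: token ghp_aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY3zA6" https://api.github.com/user\n',
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_zip(build_zip(SAMPLE_FILES)):
        print(f"{f.severity:8} {f.rule:22} {f.path}:{f.line}  {f.redacted}")
```

Run as a script it prints four findings in severity order, each as rule, path and line with only the length of the matched value; the allowlisted AWS docs key and the low-entropy placeholder are skipped, and an archive entry such as ../escape.txt is rejected before anything is written outside the temporary directory. A production engine expresses the same ideas in a rule file (pattern, entropy floor, allowlist) rather than Python literals.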
Yes — the Solo tier adds a CLI/CI action, and the self-host license runs the whole scanner on your infrastructure, air-gap friendly.