Evaluate Betterleaks as Gitleaks replacement in reusable workflows #33

@CybotTM

Context

Betterleaks is a new secrets scanner from the original Gitleaks maintainers — drop-in compatible with .gitleaks.toml, GITLEAKS_CONFIG, and gitleaks:allow pragmas. v1.1.2 released 2026-04-08, MIT, actively developed.

New features over Gitleaks

  • CEL-based live secret validation (fires HTTP probe to check if leaked secret is active)
  • Parallelized git scanning (--git-workers)
  • Recursive decoding (catches SHA1-HULUD style obfuscation)
  • Regex engine switching (stdlib/re2)
  • Token efficiency filter

Current state

.github/workflows/gitleaks.yml uses gitleaks/gitleaks-action@v2.3.9. That action has had no commits since July 2025.

Why parked (not switching now)

  1. No first-party Action. Only dortort/betterleaks-action exists (0 stars, unvetted) — we'd lose SARIF upload + PR comments handled by gitleaks-action today.
  2. Thin track record. Betterleaks is ~2 months old on v1.x; too new for a security-critical CI gate across all org repos.
  3. Scan speed isn't our bottleneck. Our secret-scan job already finishes in seconds.

Revisit triggers

Re-evaluate when any of these happen:

  • An official betterleaks/betterleaks-action ships with SARIF + PR comment support
  • gitleaks/gitleaks-action goes 12+ months without commits or gets archived
  • Gitleaks license terms tighten in a way that affects our org usage
  • Betterleaks reaches v2.0 with stable feature set

Escape hatch

If we ever need to switch fast, the path is: pin the betterleaks binary from a release tag, run it via run: step, pipe SARIF output into github/codeql-action/upload-sarif. Config is already compatible — no rule migration needed.
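One concrete shape for that escape-hatch path, as an added example written for this issue rather than code from the gitleaks or betterleaks projects: a workflow that pins the scanner to a release tag, verifies the download, runs it in a run: step and hands the SARIF to github/codeql-action/upload-sarif. It assumes betterleaks keeps gitleaks' `detect --report-format sarif --report-path` flags (which the issue's drop-in claim implies but which I have not verified here), and the release asset URL, archive member name and SHA-256 are placeholders to fill in from the release page when pinning.

```yaml
# Added example, not from the issue or from the gitleaks/betterleaks projects.
# Assumptions (marked): the CLI keeps gitleaks' `detect` flags; the asset
# URL, archive member name and SHA-256 below are placeholders.
name: secret-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write Code Scanning alerts

jobs:
  betterleaks:
    runs-on: ubuntu-latest
    env:
      BETTERLEAKS_VERSION: v1.1.2                       # release tag named in the issue
      BETTERLEAKS_URL: https://example.invalid/PLACEHOLDER_ASSET.tar.gz          # placeholder
      BETTERLEAKS_SHA256: "0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so git-mode scanning covers every commit

      - name: Fetch pinned betterleaks release and verify its checksum
        run: |
          set -euo pipefail
          curl -fsSL "$BETTERLEAKS_URL" -o betterleaks.tar.gz
          # Refuse to run a binary whose hash differs from the pinned value
          echo "${BETTERLEAKS_SHA256}  betterleaks.tar.gz" | sha256sum -c -
          tar -xzf betterleaks.tar.gz betterleaks    # member name is an assumption
          install -m 0755 betterleaks /usr/local/bin/betterleaks

      - name: Scan repository (existing .gitleaks.toml is used unchanged)
        id: scan
        continue-on-error: true     # findings must not skip the SARIF upload below
        env:
          GITLEAKS_CONFIG: .gitleaks.toml   # same config the gitleaks-action job reads today
        run: |
          set -euo pipefail
          betterleaks detect \
            --source . \
            --redact \
            --report-format sarif \
            --report-path results.sarif \
            --exit-code 1

      - name: Upload SARIF to Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: betterleaks

      - name: Fail the job when the scanner reported findings
        if: steps.scan.outcome == 'failure'
        run: |
          echo "::error::secret scan reported findings; see the Code Scanning tab"
          exit 1
```

The scan step uses `continue-on-error` plus a final gating step so that a non-zero scanner exit (findings) still results in the SARIF reaching Code Scanning before the job is marked failed; without that, a failing scan step would skip the upload unless it carried `if: always()`. The PR-comment behaviour gitleaks-action provides today is not reproduced here, which matches the trade-off the issue lists under "Why parked".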

Labels: enhancement (New feature or request)