Theres laughter in my head as I remember being at a SANS training years ago doing a lab precisely on this topic. Guy two tables over starts saying how he didn't know this and had to make an some urgent call to his team because this was a massive problem. Didnt see him for the next 1.5 hrs. More on reddit.com

tldr; Don’t rely only on SAST for secrets. Use a dedicated scanner at minimum, and if compliance/visibility matter, consider something like GitGuardian or or Trufflehog enterprise I’ve been working in AppSec / secure software development for quite a while, and have had to set up secret scanning across different teams and stacks. Here’s how I’ve seen it play out in practice: 1. SAST vs. dedicated secret scanning Even though some SAST tools advertise secret detection, they’re rarely as strong as dedicated tools. Secret scanning requires updated regexes, entropy checks, and context awareness — things SAST engines don’t focus on. In most setups, SAST is for code issues (injection, unsafe patterns, etc.), while secret scanning runs separately (pre-commit hooks, CI jobs, or continuous repo monitoring). 2. GitGuardian vs. Trufflehog (enterprise) GitGuardian → polished SaaS, strong detection accuracy, dashboards, audit/compliance features, and easy integrations (Slack/Jira/SIEM). Great if you want visibility across the org. Trufflehog → very flexible, great for scanning histories and many backends (git, S3, GCP, etc.), but you’ll need to invest more engineering effort if you want compliance/reporting at scale.Some teams actually pair them: Trufflehog for deep historical sweeps, GitGuardian for ongoing monitoring. 3. Alternatives Gitleaks (what you’re already using) → solid for CI/CD pipelines but is not as polished as GG or TH for paid versions. detect-secrets (Yelp) → good for pre-commit hooks, but not as actively maintained. ggshield (GitGuardian CLI) → gives you both local and pipeline scanning tied to their SaaS backend. Custom regex rules → handy for company-specific formats (internal API keys, JWTs, etc.). Typical workflow Pre-commit/pre-push: lightweight hooks (detect-secrets/gitleaks). CI/CD: thorough scans (gitleaks/trufflehog). Continuous monitoring: enterprise SaaS (GitGuardian). More on reddit.com

GitHub has scanning for private repos as well of course, you just have to pay for it More on reddit.com

There are some free open source tools you can use like gitleaks, tools from ShiftLeftSecurity. If you're more into python, there are some secret scanning libraries. If you're more into javascript, there are a few npm libraries that you can use. All of these are up to you to experiment and see which fits your use case. Remember that its not just about scanning its also preventing, so using IDE extensions or plugins is something you can add, checks during pull requests and scanning of history, should complement your efforts. Can also add git hooks for the checks, but i would rather educate my dev's and make them more security-aware with good practices of secure coding. More on reddit.com