ggshield

Ggshield catches that before it reaches your remote repository. It scans your commits for secrets (API keys, passwords, certificates, private keys) and blocks the push if it finds any. Picture a pre-commit hook that prevents your worst 'oh no' moments.

MIT license, Python CLI. Runs as a Git hook, in CI/CD pipelines, or as a standalone scanner. Uses GitGuardian's detection engine which recognizes 400+ types of secrets. Also scans for infrastructure-as-code misconfigurations (Terraform, CloudFormation, Kubernetes).

The free tier covers individual developers: unlimited local scanning, up to 25 developers on GitGuardian's platform with basic features. Paid plans start at $60/developer/month for teams, which adds historical scanning, dashboards, incident management, and remediation workflows. Solo developers: free and you should install it today. There's no reason not to have secret detection in your Git hooks. Small teams (2-25): free tier covers you. Growing teams: $60/dev/mo adds value when you need historical scanning and incident workflows. Large orgs: enterprise pricing for SAML SSO, custom detectors, and API access.

The catch: the real power is in GitGuardian's cloud platform, not just the CLI. The free CLI scans current commits, but finding secrets already buried in your Git history requires the paid platform. TruffleHog and Gitleaks are fully free alternatives that scan history locally, less polished, but no per-developer pricing.