{ "openapi": "3.0.1", "info": { "title": "Betterleaks Cloud - GitHub & S3 Secret Scanner", "description": "Cloud-hosted Betterleaks v1.3.1 (the successor to Gitleaks, by the original author). Scan GitHub orgs/users/repos/PRs/issues/actions/gists, single git URLs, or S3/R2 buckets. Optional live validation probes each secret against the vendor API to flag which ones are still active.", "version": "0.3", "x-build-id": "ecAnke1ZVQibnWFAo" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/anshumanatrey~betterleaks-cloud/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-anshumanatrey-betterleaks-cloud", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/anshumanatrey~betterleaks-cloud/runs": { "post": { "operationId": "runs-sync-anshumanatrey-betterleaks-cloud", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/anshumanatrey~betterleaks-cloud/run-sync": { "post": { "operationId": "run-sync-anshumanatrey-betterleaks-cloud", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "mode" ], "properties": { "mode": { "title": "Scan mode", "enum": [ "github", "global_github", "git", "s3", "dir", "stdin" ], "type": "string", "description": "Which betterleaks command to run. 'global_github' is our addition - GitHub Code Search picks candidate repos then runs betterleaks on each.", "default": "github" }, "target_url": { "title": "Target URL (github / git / s3 modes)", "type": "string", "description": "github: https://github.com/owner | https://github.com/owner/repo | https://github.com/owner/repo/pull/123. git: any clone URL. s3: https://bucket.s3.amazonaws.com/prefix/ or https://account.r2.cloudflarestorage.com/..." }, "global_search_query": { "title": "Search query (global_github mode)", "type": "string", "description": "Required for global_github mode. Used as the GitHub Code Search query to discover candidate repos. Examples: 'CASHFREE_APP_ID', 'rzp_live_', '\"sk-ant-api03-\"'." }, "global_max_repos": { "title": "Max unique repos to scan (global_github mode)", "minimum": 1, "maximum": 200, "type": "integer", "description": "Cap on how many unique repos to scan. Each repo runs betterleaks separately, so cost scales linearly. Default 25.", "default": 25 }, "github_token": { "title": "GitHub Personal Access Token", "type": "string", "description": "Required for github mode (recommended) and REQUIRED for global_github mode (Code Search is auth-only). Generate at github.com/settings/tokens. 'public_repo' scope is enough for public repos." }, "include": { "title": "Include these resource types (github mode)", "uniqueItems": true, "type": "array", "description": "Pick which GitHub surfaces to scan. Default = repos.", "items": { "type": "string", "enum": [ "repos", "forks", "prs", "pr-comments", "issues", "issue-comments", "actions", "action-artifacts", "discussions", "releases", "release-assets", "gists" ] } }, "exclude": { "title": "Exclude these resource types (github mode)", "uniqueItems": true, "type": "array", "description": "Subtracts from the include list. Lets you scan everything except certain resource types.", "items": { "type": "string", "enum": [ "repos", "forks", "prs", "pr-comments", "issues", "issue-comments", "actions", "action-artifacts", "discussions", "releases", "release-assets", "gists" ] } }, "exclude_repo": { "title": "Exclude repos matching these glob patterns (github mode)", "uniqueItems": true, "type": "array", "description": "Examples: 'archived-*', 'docs-*'.", "items": { "type": "string" } }, "actions_workflow": { "title": "Only scan these GitHub Actions workflow files (github mode)", "uniqueItems": true, "type": "array", "description": "Workflow filenames like 'ci.yml'. Empty = scan all workflows.", "items": { "type": "string" } }, "since": { "title": "Only scan API items created after this date (github mode)", "type": "string", "description": "YYYY-MM-DD or RFC3339." }, "until": { "title": "Only scan API items created before this date (github mode)", "type": "string", "description": "github mode. Pair with 'since' for a date window." }, "git_workers": { "title": "Parallel git workers per repo", "minimum": 0, "maximum": 64, "type": "integer", "description": "git / github modes. 0 = single process (lowest memory). Higher = faster, more memory.", "default": 0 }, "log_opts": { "title": "Git log options pass-through", "type": "string", "description": "git / github modes. Passed verbatim to 'git log'. Examples: '--all --since=2024-01-01', '--author=alice', '-S secret_string'." }, "git_platform": { "title": "Git platform (link format)", "enum": [ "", "github", "gitlab" ], "type": "string", "description": "git mode. Used to generate permalinks. 'github' or 'gitlab'." }, "validation": { "title": "Enable live secret validation", "type": "boolean", "description": "Probe each detected secret against its vendor API. Off by default. Only rules that ship with a 'validate' CEL clause will actually probe.", "default": false }, "validation_status": { "title": "Only include findings with these validation statuses", "type": "string", "description": "Comma-separated list. Options: valid, invalid, revoked, unknown, error. Empty = include all." }, "validation_timeout": { "title": "Validation HTTP request timeout (seconds)", "minimum": 1, "maximum": 300, "type": "integer", "description": "Per-request timeout for vendor API probes. Default 10s.", "default": 10 }, "validation_workers": { "title": "Concurrent validation workers", "minimum": 1, "maximum": 100, "type": "integer", "description": "Parallel validation HTTP requests. Default 10.", "default": 10 }, "validation_debug": { "title": "Include raw HTTP responses in validation output", "type": "boolean", "description": "Useful for debugging CEL validators. Verbose.", "default": false }, "validation_extract_empty": { "title": "Include empty extractor values in ValidationMeta", "type": "boolean", "description": "Include validation extractor results even when they are empty strings.", "default": false }, "validation_env_vars": { "title": "Env vars accessible to validation CEL", "type": "string", "description": "Comma-separated env var names. Some rules' validators need extra credentials." }, "s3_access_key": { "title": "S3 access key (s3 mode)", "type": "string", "description": "Leave blank + check 'Anonymous' for public buckets." }, "s3_secret_key": { "title": "S3 secret key (s3 mode)", "type": "string", "description": "s3 mode. Paired with access key for AWS / S3-compatible authentication." }, "s3_session_token": { "title": "S3 session token (s3 mode)", "type": "string", "description": "For IAM role / temporary credentials." }, "s3_anonymous": { "title": "Anonymous (s3 mode - public buckets only)", "type": "boolean", "description": "s3 mode. Skip credentials entirely - scans only public buckets/objects.", "default": false }, "s3_region": { "title": "S3 region (s3 mode)", "type": "string", "description": "Required for non-AWS endpoints. 'auto' for R2, 'us-east-1' for AWS, etc." }, "s3_max_object_size": { "title": "S3 max object size (bytes)", "minimum": 0, "type": "integer", "description": "Skip objects larger than this. 0 = default 250 MiB.", "default": 0 }, "s3_workers": { "title": "S3 concurrent object fetches", "minimum": 0, "maximum": 256, "type": "integer", "description": "0 = default 16.", "default": 0 }, "dir_source_url": { "title": "Tarball / zip URL to download (dir mode)", "type": "string", "description": "Public HTTPS URL of a .tar.gz or .zip archive. We download, extract, then run 'betterleaks dir' on it." }, "dir_follow_symlinks": { "title": "Follow symlinks (dir mode)", "type": "boolean", "description": "dir mode. Scan files that are symbolic links to other files.", "default": false }, "stdin_content": { "title": "Raw text content to scan (stdin mode)", "type": "string", "description": "Paste the full text you want scanned. Limited by Apify input size cap (~5MB)." }, "redact": { "title": "Redact secrets in output (0-100)", "minimum": 0, "maximum": 100, "type": "integer", "description": "Percentage of secret to MASK in output (0 = show all, 75 = show 25% / mask 75%, 100 = fully redacted). Useful when sharing findings externally.", "default": 0 }, "match_context": { "title": "Context around each match", "type": "string", "description": "Format: 'NL' for N lines (e.g. '5L') or 'NC' for N characters (e.g. '100C'). Empty = no context." }, "verbose": { "title": "Verbose scan log", "type": "boolean", "description": "Enable detailed scan progress in the actor log.", "default": false }, "log_level": { "title": "Log level", "enum": [ "", "trace", "debug", "info", "warn", "error", "fatal" ], "type": "string", "description": "trace / debug / info / warn / error / fatal.", "default": "" }, "legacy_print": { "title": "Use legacy key-value verbose format", "type": "boolean", "description": "Use the legacy gitleaks-style verbose output format (key/value pairs).", "default": false }, "no_color": { "title": "Disable color in output", "type": "boolean", "description": "Disable ANSI color codes in the verbose output. Default ON for cloud logs.", "default": true }, "no_banner": { "title": "Suppress betterleaks banner", "type": "boolean", "description": "Suppress the betterleaks ASCII banner at start of run. Default ON for cleaner logs.", "default": true }, "enable_rule": { "title": "Only run these rule IDs", "uniqueItems": true, "type": "array", "description": "Whitelist. Empty = run all built-in rules.", "items": { "type": "string" } }, "custom_config_toml": { "title": "Custom betterleaks config (TOML)", "type": "string", "description": "Paste a full TOML config to override built-in rules. See https://github.com/betterleaks/betterleaks/blob/main/.betterleaks.toml" }, "ignore_gitleaks_allow": { "title": "Ignore 'gitleaks:allow' comments in code", "type": "boolean", "description": "When ON, allowlist comments in source code are ignored.", "default": false }, "gitleaks_ignore_path": { "title": "Path to gitleaks ignore file", "type": "string", "description": "Default '.'." }, "baseline_url": { "title": "Baseline report URL", "type": "string", "description": "Public HTTPS URL of a previous report JSON. Findings present in baseline will be filtered out (only NEW leaks are reported)." }, "max_target_megabytes": { "title": "Max file size to scan (MB)", "minimum": 0, "maximum": 5000, "type": "integer", "description": "Skip files larger than this. Default 100.", "default": 100 }, "max_archive_depth": { "title": "Max nested archive scanning depth", "minimum": 0, "maximum": 10, "type": "integer", "description": "0 = do not extract archives. Higher values let scanner reach into zip-in-zip-in-jar.", "default": 0 }, "max_decode_depth": { "title": "Recursive decoding depth limit", "minimum": 0, "maximum": 20, "type": "integer", "description": "Default 5. Controls how deep base64/url-decoding goes.", "default": 5 }, "timeout_seconds": { "title": "Command timeout (seconds, 0 = no limit)", "minimum": 0, "maximum": 7200, "type": "integer", "description": "Hard cap on the whole scan duration.", "default": 0 }, "regex_engine": { "title": "Regex engine", "enum": [ "", "re2", "stdlib" ], "type": "string", "description": "Default re2 (fast, no backtracking). stdlib supports more features.", "default": "" }, "experiments": { "title": "Comma-separated experimental features", "type": "string", "description": "Upstream feature flags. Refer to betterleaks docs." }, "report_template": { "title": "Report template content", "type": "string", "description": "Go text/template content for custom report format. Advanced." }, "diagnostics": { "title": "Enable diagnostics", "type": "string", "description": "Comma-separated: cpu, mem, trace, http. Outputs perf profiles to the actor log." }, "exit_on_findings": { "title": "Exit with code 1 when findings are present", "type": "boolean", "description": "Default ON. Turn OFF for monitoring (run never fails on leaks).", "default": true } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } }