diff --git a/.devcontainer/Dockerfile.bootstrap b/.devcontainer/Dockerfile.bootstrap
index 001885d8..dce98f60 100644
--- a/.devcontainer/Dockerfile.bootstrap
+++ b/.devcontainer/Dockerfile.bootstrap
@@ -52,15 +52,6 @@ RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
 chmod +x /usr/bin/asdf && \
 rm -rf /tmp/asdf.tar.gz
-# install gitsecrets
-RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \
- cd /tmp/git-secrets && \
- make install && \
- cd && \
- rm -rf /tmp/git-secrets && \
- mkdir -p /usr/share/secrets-scanner && \
- chmod 755 /usr/share/secrets-scanner && \
- curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
 USER vscode
@@ -89,6 +80,3 @@ COPY .devcontainer/.tool-versions.bootstrap /home/vscode/.tool-versions
 # install python before poetry to ensure correct python version is used
 RUN asdf install python; \
 asdf install
-
-RUN git-secrets --register-aws --global && \
- git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt
diff --git a/README.md b/README.md
index 1ca4ecad..d4458d75 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,7 @@ asdf install and setup for these so they are available globally as vscode user
 - actionlint
 - ruby (for GitHub Pages)
-Install and setup git-secrets.
+Install and setup gitleaks.
 # Using the images
 ## Project setup
@@ -89,7 +89,6 @@ RUN if [ -n "${DOCKER_GID}" ]; then \
 },
 "updateRemoteUserUID": false,
 },
- "postAttachCommand": "git-secrets --register-aws; git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt",
 "mounts": [
 "source=${env:HOME}${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind",
 "source=${env:HOME}${env:USERPROFILE}/.ssh,target=/home/vscode/.ssh,type=bind",
@@ -180,7 +179,7 @@ Check targets (`check.mk`)
 - `cfn-guard-cdk` - validates `cdk.out` against cfn-guard rulesets and writes outputs to `.cfn_guard_out/`
 - `cfn-guard-terraform` - validates `terraform_plans` against cfn-guard rulesets and writes outputs to `.cfn_guard_out/`
 - `actionlint` - runs actionlint against GitHub Actions
-- `secret-scan` - runs git-secrets or gitleaks (including scanning history) against the repository
+- `secret-scan` - runs gitleaks (including scanning history) against the repository
 - `guard-` - checks if an environment variable is set and errors if it is not
 - `zizmor` - runs [zizmor](https://github.com/zizmorcore/zizmor) in the local directory to check github workflows and actions
 - `syft-generate-sbom` - uses syft to generate an sbom in cyclonedx-json format. This *does not* include dev dependencies. Outputs file to .sbom/sbom.cdx.json.
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
index 8d0aa7a9..c108556a 100644
--- a/src/base/.devcontainer/Mk/check.mk
+++ b/src/base/.devcontainer/Mk/check.mk
@@ -84,11 +84,7 @@ actionlint:
 actionlint
 secret-scan:
- @if [ -f .gitallowed ]; then \
- git-secrets --scan-history .; \
- else \
- gitleaks -v --redact git; \
- fi
+ gitleaks -v --redact git
 guard-%:
 @ if [ "${${*}}" = "" ]; then \
diff --git a/src/base/.devcontainer/scripts/lifecycle/post_create.sh b/src/base/.devcontainer/scripts/lifecycle/post_create.sh
index 27a71f1f..6e9991f5 100755
--- a/src/base/.devcontainer/scripts/lifecycle/post_create.sh
+++ b/src/base/.devcontainer/scripts/lifecycle/post_create.sh
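Review bot: The new `secret-scan` recipe appears to fall back to gitleaks' built-in ruleset, while the git-secrets provider it replaces also loaded the NHSD deny-list (`/usr/share/secrets-scanner/nhsd-rules-deny.txt`); nothing in this diff adds equivalent rules to a gitleaks config, so unless a `.gitleaks.toml` carrying them already exists in the consuming repositories, detection coverage narrows with this commit. Repositories that relied on a `.gitallowed` allowlist (the condition the removed recipe branched on) also lose those exceptions, because gitleaks reads `.gitleaksignore` or a config `allowlist` instead, which may surface as new findings or tempt blanket ignores. I would document the contract above the recipe, e.g. `# gitleaks git scans the full history by default; custom rules and allowlists come from .gitleaks.toml / .gitleaksignore, not .gitallowed`. The new recipe also drops the `@` prefix of the one it replaces, so make now echoes the command line; harmless, but inconsistent with the `guard-%` recipe below it.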
@@ -3,12 +3,3 @@ set -euo pipefail
 echo "Running common post-create script"
-
-
-# Install git-secrets, register AWS patterns and NHS rules in an idempotent way
-if ! git config --get-all secrets.patterns | grep -Fq AKIA; then
- git-secrets --register-aws
-fi
-if ! git config --get-all secrets.providers | grep -Fxq "cat /usr/share/secrets-scanner/nhsd-rules-deny.txt"; then
- git-secrets --add-provider -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt
-fi
diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh
index 699a0595..2c096441 100755
--- a/src/base/.devcontainer/scripts/root_install.sh
+++ b/src/base/.devcontainer/scripts/root_install.sh
@@ -45,17 +45,6 @@ VERSION="${DIRENV_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_direnv.sh"
 # install yq
 VERSION="${YQ_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_yq.sh"
-# install gitsecrets
-# this should be removed once we have migrated all repos to gitleaks
-git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets
-cd /tmp/git-secrets
-make install
-cd
-rm -rf /tmp/git-secrets
-mkdir -p /usr/share/secrets-scanner
-chmod 755 /usr/share/secrets-scanner
-curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt
-
 # get cfn-guard ruleset
 tmp_dir="$(mktemp -d)"
 trap 'rm -rf "${tmp_dir}"' EXIT