Description
detect-secrets is an enterprise-grade secret detection tool by Yelp. It scans codebases for hardcoded secrets using entropy analysis, keyword matching, and custom plugins. It maintains a baseline file that records known findings (so reviewed false positives and accepted secrets are not re-reported) and integrates into CI/CD pipelines.
Installation
BASH
pip3 install detect-secrets
Basic Usage
BASH
# Create baseline
detect-secrets scan > .secrets.baseline
# Audit baseline (review detected secrets)
detect-secrets audit .secrets.baseline
# Re-scan against the baseline (new findings are written into .secrets.baseline in place)
detect-secrets scan --baseline .secrets.baseline
Advanced Usage
BASH
# Scan specific files
detect-secrets scan path/to/file.py
# Exclude files
detect-secrets scan --exclude-files '.*\.test\.py$'
# List available plugins, or disable one you do not want
detect-secrets scan --list-all-plugins
detect-secrets scan --disable-plugin HexHighEntropyString
# Pre-commit hook entry point; it needs the files to check as arguments
# and exits non-zero when it finds a secret that is not in the baseline
detect-secrets-hook --baseline .secrets.baseline $(git ls-files)
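The "entropy analysis" behind HexHighEntropyString and Base64HighEntropyString is a Shannon-entropy threshold over quoted strings. The following is an added, simplified re-implementation written for this cheat sheet, not code from detect-secrets itself; it assumes the plugins' default limits (3.0 for hex, 4.5 for base64) and skips the real plugins' extra heuristics (for example the special handling of all-digit hex strings). The sample source lines are constructed.

```python
import math
import re

# Charsets and default entropy limits of the two detect-secrets entropy plugins
# (assumed defaults; check `detect-secrets scan --list-all-plugins` for your version).
PLUGINS = [
    ("HexHighEntropyString", "0123456789abcdefABCDEF", 3.0),
    ("Base64HighEntropyString",
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", 4.5),
]

# Quoted string literals are the candidates, as in the real plugins.
QUOTED = re.compile(r"""["']([^"']+)["']""")

# Constructed sample lines: one hex key, one weak password, one short hex
# constant, and one base64-looking token.
SAMPLE_LINES = [
    'api_key = "0123456789abcdef0123456789abcdef"',
    'password = "password123"',
    'magic = "deadbeef"',
    'token = "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/"',
]


def shannon_entropy(data: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_strings(line: str):
    """Return (token, plugin_name, entropy) for each quoted token whose
    entropy exceeds the limit of the first plugin whose charset it fits.
    Hex is checked first because every hex string is also valid base64."""
    findings = []
    for token in QUOTED.findall(line):
        for name, charset, limit in PLUGINS:
            if all(ch in charset for ch in token):
                ent = shannon_entropy(token)
                if ent > limit:
                    findings.append((token, name, round(ent, 3)))
                break
    return findings


def scan_lines(lines):
    """Map 1-based line numbers to their findings; lines without findings are omitted."""
    result = {}
    for number, line in enumerate(lines, start=1):
        found = high_entropy_strings(line)
        if found:
            result[number] = found
    return result


if __name__ == "__main__":
    for number, found in scan_lines(SAMPLE_LINES).items():
        for token, plugin, ent in found:
            print(f"line {number}: {plugin} flagged {token!r} (entropy {ent})")
```

Note what the heuristic misses: `"password123"` has an entropy of about 3.3 bits per character, well under the base64 limit, so only the keyword plugins would catch it, and `"deadbeef"` is hex but too repetitive to trip the hex limit. This is why detect-secrets combines entropy with keyword and format-specific plugins rather than relying on entropy alone.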
Common Workflows
BASH
# Initial setup for a project
cd project/
detect-secrets scan > .secrets.baseline
detect-secrets audit .secrets.baseline # Mark false positives
# CI/CD integration: `scan --baseline` exits 0 and only updates the file,
# so use the hook entry point, which exits non-zero on new secrets
detect-secrets-hook --baseline .secrets.baseline $(git ls-files) || exit 1
# Pre-commit hook (using pre-commit framework)
# .pre-commit-config.yaml:
# repos:
#   - repo: https://github.com/Yelp/detect-secrets
#     rev: <pinned-release-tag>   # pin to a released tag of detect-secrets
#     hooks:
#       - id: detect-secrets
#         args: ['--baseline', '.secrets.baseline']
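The audit step records a verdict per finding in the baseline, and a common CI mistake is to commit a baseline that was never fully audited. The following added script (not part of detect-secrets) reads a baseline and reports findings that are still unaudited or were marked as real secrets, so a pipeline can refuse to proceed. It assumes the v1.x baseline layout as I understand it: a top-level `results` object keyed by file path, each finding carrying `type`, `hashed_secret`, `line_number`, and an `is_secret` key that the audit adds. The embedded baseline is constructed and its `hashed_secret` values are placeholders.

```python
import json
import sys

# Constructed sample baseline (not generated by a real scan). The second
# finding has no "is_secret" key: it was never reviewed during audit.
SAMPLE_BASELINE = """{
  "version": "1.0.0",
  "plugins_used": [{"name": "HexHighEntropyString", "limit": 3.0}],
  "results": {
    "config/settings.py": [
      {"type": "Secret Keyword", "filename": "config/settings.py",
       "hashed_secret": "<sha1-placeholder-1>", "is_verified": false,
       "line_number": 12, "is_secret": false},
      {"type": "Hex High Entropy String", "filename": "config/settings.py",
       "hashed_secret": "<sha1-placeholder-2>", "is_verified": false,
       "line_number": 40}
    ],
    "scripts/deploy.sh": [
      {"type": "AWS Access Key", "filename": "scripts/deploy.sh",
       "hashed_secret": "<sha1-placeholder-3>", "is_verified": false,
       "line_number": 3, "is_secret": true}
    ]
  },
  "generated_at": "2024-01-01T00:00:00Z"
}"""


def audit_status(baseline_json: str):
    """Classify every finding in a baseline.

    false_positive: audited and marked not a secret (safe to keep in baseline)
    real:           audited and marked a secret (should be removed and rotated)
    unaudited:      no is_secret key yet (audit never reached it)
    """
    data = json.loads(baseline_json)
    status = {"false_positive": [], "real": [], "unaudited": []}
    for path, findings in data.get("results", {}).items():
        for finding in findings:
            ref = (path, finding.get("line_number"), finding.get("type"))
            if "is_secret" not in finding:
                status["unaudited"].append(ref)
            elif finding["is_secret"]:
                status["real"].append(ref)
            else:
                status["false_positive"].append(ref)
    return status


def ci_gate(baseline_json: str) -> int:
    """Exit-code style verdict: 0 only if every finding is audited and none
    was confirmed as a real secret."""
    status = audit_status(baseline_json)
    return 0 if not status["unaudited"] and not status["real"] else 1


if __name__ == "__main__":
    # Usage: python check_baseline.py .secrets.baseline (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BASELINE
    for kind, refs in audit_status(text).items():
        for path, line, finding_type in refs:
            print(f"{kind:14} {path}:{line} ({finding_type})")
    sys.exit(ci_gate(text))
```

Run it after `detect-secrets audit` and before the scan step in CI; a non-zero exit means either the audit is incomplete or a confirmed secret is still tracked in the baseline rather than removed from the repository.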