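# Output to stdout
detect-secrets scan
# Write to a baseline file (the baseline is rewritten in place; commit it and
# audit any new entries rather than treating them as accepted)
detect-secrets scan --update .secrets.baseline

# By default, detect-secrets uses the plugins specified in the baseline file
detect-secrets scan --update .secrets.baseline
# Additional CLI options can be used to override the plugins specified in the baseline
detect-secrets scan --update .secrets.baseline --use-all-plugins

# Skip verification of candidate secrets.
# NOTE(review): verification presumably checks a candidate against the issuing
# service, i.e. it makes an outbound call carrying the candidate — confirm before
# enabling it in environments where that is not acceptable.
detect-secrets scan --no-verify

# Use all plugins
detect-secrets scan --use-all-plugins
# Skip some plugins
detect-secrets scan --use-all-plugins --no-keyword-scan --no-db2-scan

# Scan files tracked by git
# By default, files in .gitignore are ignored
detect-secrets scan
# Scan specific files only
detect-secrets scan file1 file2
# Scan all files, ignoring .gitignore rules (local env/config files are scanned too)
detect-secrets scan --all-files

# Scan a single string; this also displays all supported plugins
detect-secrets scan --string "api_key='something'"
# Skip a specific plugin
detect-secrets scan --string "api_key='something'" --no-keyword-scan

# Exclude Python-regex-matched files and directories; applies to all plugins.
# The pattern is a regex, not a glob: it is unanchored and '.' matches any
# character, so 'package-lock.json' also matches 'my-package-lock.json' and
# 'package-lockXjson'. Keep exclusions narrow and review them like an allow-list —
# a broad pattern silently drops real findings.
detect-secrets scan --exclude-files 'package-lock.json|another_file_name|dir_name'
# Exclude Python-regex-matched lines; applies to all plugins (same caveat as above)
detect-secrets scan package-lock.json --exclude-lines 'integrity'
# Exclude a list of keywords defined in a file; applies to all plugins
echo REPLACE_ME > word_list_file
detect-secrets scan --string "api_key='REPLACE_ME'" --word-list word_list_file
# Exclude Python-regex-matched keywords; applies to the keyword plugin only
detect-secrets scan --string "api_key='something'" --keyword-exclude "api_key"

# Adjust the entropy thresholds of the high-entropy string plugins.
# Raising a limit reduces noise but also lets lower-entropy real secrets through;
# change it deliberately and record why.
detect-secrets scan --base64-limit <new_limit_in_number>
detect-secrets scan --hex-limit <new_limit_in_number>

# Audit the baseline: step through each finding and mark it as a real secret or a false positive
detect-secrets audit .secrets.baseline
# Display the results of an audited baseline
detect-secrets audit --display-results .secrets.baseline

Pre-commit hook (supports most options from detect-secrets scan):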
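# .pre-commit-config.yaml, placed in the root directory of the git repository
# (this list entry belongs under the top-level `repos:` key)
- repo: https://github.com/ibm/detect-secrets
  # NOTE(review): a branch name is a moving target — pin `rev` to a release tag or a
  # full commit SHA so a changed or compromised upstream cannot silently alter the hook
  rev: master
  hooks:
    - id: detect-secrets
      args: [--baseline, .secrets.baseline]
# .pre-commit-config.yaml, placed in the root directory of the git repository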
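- repo: https://github.com/ibm/detect-secrets
  # NOTE(review): pin `rev` to a release tag or full commit SHA rather than a branch;
  # a branch can change under you without any edit to this file
  rev: master
  hooks:
    - id: detect-secrets
      # --use-all-plugins overrides the plugin set recorded in the baseline
      args: [--baseline, .secrets.baseline, --use-all-plugins]
# .pre-commit-config.yaml, placed in the root directory of the git repository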
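- repo: https://github.com/ibm/detect-secrets
  # NOTE(review): pin `rev` to a release tag or full commit SHA rather than a branch;
  # a branch can change under you without any edit to this file
  rev: master
  hooks:
    - id: detect-secrets
      # Enable every plugin, then opt out of the keyword scanner only
      args:
        [
          --baseline,
          .secrets.baseline,
          --use-all-plugins,
          --no-keyword-scan,
        ]

Fail pre-commit if there are non-audited entries in the baseline file, even if those entries are in files that are not part of the current commit: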
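# .pre-commit-config.yaml, placed in the root directory of the git repository
- repo: https://github.com/ibm/detect-secrets
  # NOTE(review): pin `rev` to a release tag or full commit SHA rather than a branch;
  # a branch can change under you without any edit to this file
  rev: master
  hooks:
    - id: detect-secrets
      # --fail-on-unaudited blocks the commit while the baseline still holds
      # entries nobody has marked as real or false-positive, so an un-reviewed
      # baseline cannot be used to wave findings through
      args:
        [
          --baseline,
          .secrets.baseline,
          --use-all-plugins,
          --fail-on-unaudited,
        ]

Husky v6+ (file: .husky/pre-commit):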
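#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
# Husky does not pass the staged paths itself, so collect them from git.
# Use NUL-delimited output so paths containing spaces or newlines are not split
# into separate arguments (an unquoted $(git diff ...) word-splits them), and
# skip deleted paths (--diff-filter=ACMR) since there is nothing left to scan.
git diff --cached --name-only -z --diff-filter=ACMR \
  | xargs -0 detect-secrets-hook --baseline .secrets.baseline

Husky before v6 (file: package.json):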
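"husky": {
  "hooks": {
    "pre-commit": "git diff --cached --name-only -z --diff-filter=ACMR | xargs -0 detect-secrets-hook --baseline .secrets.baseline"
  }
}

# The hook accepts scan options as well, e.g. to enable every plugin:
detect-secrets-hook --baseline .secrets.baseline --use-all-plugins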