The detect-secrets tool

detect-secrets is the tool used to detect potential secrets left in committed code.

It has been set up in the pre-commit hooks and in the pipeline to block these secrets from being published.

detect-secrets uses a baseline file to store its configuration (activated filters, whitelisted secrets, …).

Getting Started

You may need to install detect-secrets on your system:

$ pip install detect-secrets

The baseline has been created with the command:

$ detect-secrets scan > .secrets.baseline

If you only need to update it with newly detected secrets, you can use the command:

$ detect-secrets scan --baseline .secrets.baseline

Detected new secrets

If detect-secrets detects new secrets, the pre-commit hooks will prevent you from committing them.

The following command lets you review each one and either remove it from the committed code or acknowledge that it is not an actual secret and let it through:

$ detect-secrets audit .secrets.baseline
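
A check that could run after the audit step, as an added example (not part of the original page or the project's own tooling): it reads the baseline and flags entries that were never audited or were marked as real secrets. It assumes the detect-secrets 1.x baseline layout, where each entry under `results` carries an `is_secret` label once audited; the sample baseline and the names `triage` and `gate` are constructed for illustration.

```python
import json
import sys

# Constructed sample baseline (assumed detect-secrets 1.x layout); hashes are placeholders.
SAMPLE_BASELINE = json.dumps({"version": "1.4.0", "results": {
    "config/settings.py": [
        {"type": "Secret Keyword", "hashed_secret": "0" * 40,
         "line_number": 12, "is_secret": False},   # audited: false positive
    ],
    "deploy/env.sh": [
        {"type": "AWS Access Key", "hashed_secret": "1" * 40,
         "line_number": 3, "is_secret": True},     # audited: real secret
        {"type": "Base64 High Entropy String", "hashed_secret": "2" * 40,
         "line_number": 7},                        # never audited: no label
    ],
}})


def triage(baseline_text):
    """Group baseline entries by audit state: false_positive, real or unaudited."""
    results = json.loads(baseline_text).get("results", {})
    groups = {"false_positive": [], "real": [], "unaudited": []}
    for filename in sorted(results):
        for entry in results[filename]:
            label = entry.get("is_secret")  # absent (or null) until audited
            if label is True:
                state = "real"
            elif label is False:
                state = "false_positive"
            else:
                state = "unaudited"
            groups[state].append((filename, entry.get("line_number"), entry.get("type")))
    return groups


def gate(baseline_text):
    """Return 0 when every entry is an audited false positive, else 1."""
    groups = triage(baseline_text)
    blocking = [(s, *item) for s in ("real", "unaudited") for item in groups[s]]
    for state, filename, line, kind in blocking:
        print(f"{state}: {filename}:{line} ({kind})")
    return 1 if blocking else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real baseline, e.g. .secrets.baseline
        with open(sys.argv[1]) as fh:
            sys.exit(gate(fh.read()))
    gate(SAMPLE_BASELINE)  # demo run on the constructed sample
```

An entry reported as `real` means the value itself should be removed from the code; one reported as `unaudited` still needs a pass through `detect-secrets audit`.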