
bc-detect-secrets

Tool for detecting secrets in the codebase

Description

[![Build Status](https://github.com/bridgecrewio/detect-secrets/actions/workflows/release.yml/badge.svg)](https://github.com/bridgecrewio/detect-secrets/actions/workflows/release.yml?query=branch%3Amaster++) [![PyPI](https://img.shields.io/pypi/v/bc-detect-secrets)](https://pypi.org/project/bc-detect-secrets/) [![Python Version](https://img.shields.io/pypi/pyversions/bc-detect-secrets)](#)

# detect-secrets

# Notice

This is a fork of the [detect-secrets](https://github.com/Yelp/detect-secrets) repo by Yelp and is officially supported by Bridgecrew.

## About

`detect-secrets` is an aptly named module for (surprise, surprise) **detecting secrets** within a code base. However, unlike other similar packages that solely focus on finding secrets, this package is designed with the enterprise client in mind: providing a **backwards compatible**, systematic means of:

1. Preventing new secrets from entering the code base,
2. Detecting if such preventions are explicitly bypassed, and
3. Providing a checklist of secrets to roll and migrate to more secure storage.

This way, you create a [separation of concerns](https://en.wikipedia.org/wiki/Separation_of_concerns): accepting that there may *currently* be secrets hiding in your large repository (this is what we refer to as a _baseline_), but preventing this issue from getting any larger, without dealing with the potentially gargantuan effort of moving existing secrets away.

It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any *new* secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.

For a look at recent changes, please see [CHANGELOG.md](CHANGELOG.md).

If you are looking to contribute, please see [CONTRIBUTING.md](CONTRIBUTING.md).

For more detailed documentation, check out our other [documentation](docs/).
## Examples

### Quickstart:

Create a baseline of potential secrets currently found in your git repository.

```bash
$ detect-secrets scan > .secrets.baseline
```

or, to run it from a different directory:

```bash
$ detect-secrets -C /path/to/directory scan > /path/to/directory/.secrets.baseline
```

**Scanning non-git tracked files:**

```bash
$ detect-secrets scan test_data/ --all-files > .secrets.baseline
```

### Adding New Secrets to Baseline:

This will rescan your codebase, and:

1. Update/upgrade your baseline to be compatible with the latest version,
2. Add any new secrets it finds to your baseline,
3. Remove any secrets no longer in your codebase

This will also preserve any labelled secrets you have.

```bash
$ detect-secrets scan --baseline .secrets.baseline
```

For baselines older than version 0.9, just recreate it.

### Alerting off newly added secrets:

**Scanning Staged Files Only:**

```bash
$ git diff --staged --name-only -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
```

**Scanning All Tracked Files:**

```bash
$ git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
```

### Viewing All Enabled Plugins:

```bash
$ detect-secrets scan --list-all-plugins
ArtifactoryDetector
AWSKeyDetector
AzureStorageKeyDetector
BasicAuthDetector
CloudantDetector
DiscordBotTokenDetector
GitHubTokenDetector
Base64HighEntropyString
HexHighEntropyString
IbmCloudIamDetector
IbmCosHmacDetector
JwtTokenDetector
KeywordDetector
MailchimpDetector
NpmDetector
PrivateKeyDetector
SendGridDetector
SlackDetector
SoftlayerDetector
SquareOAuthDetector
StripeDetector
TwilioKeyDetector
```

### Disabling Plugins:

```bash
$ detect-secrets scan --disable-plugin KeywordDetector --disable-plugin AWSKeyDetector
```

If you want to **only** run a specific plugin, you can do:

```bash
$ detect-secrets scan --list-all-plugins | \
    grep -v 'BasicAuthDetector' | \
    sed "s#^#--disable-plugin #g" | \
    xargs detect-secrets scan test_data
```

### Auditing a Baseline:

This is an optional step to label the results in your baseline. It can be used to narrow down your checklist of secrets to migrate, or to better configure your plugins to improve its signal-to-noise ratio.

```bash
$ detect-secrets audit .secrets.baseline
```

### Usage in Other Python Scripts

**Basic Use:**

```python
import json

from detect_secrets import SecretsCollection
from detect_secrets.settings import default_settings

secrets = SecretsCollection()
with default_settings():
    secrets.scan_file('test_data/config.ini')

print(json.dumps(secrets.json(), indent=2))
```

**More Advanced Configuration:**

```python
from detect_secrets import SecretsCollection
from detect_secrets.settings import transient_settings

secrets = SecretsCollection()
with transient_settings({
    # Only run scans with only these plugins.
    # This format is the same as the one that is saved in the generated baseline.
    'plugins_used': [
        # Example of configuring a built-in plugin
        {
            'nam
```
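The baseline workflow described above (scan, record what is already known, alert only on *new* hits, and refresh the baseline while keeping audit labels) is easy to lose in the CLI flags. The following is an added, self-contained illustration of that workflow in plain Python; it is not the project's own code and does not import `detect_secrets`. It assumes two toy heuristics in the spirit of the `KeywordDetector` and the `Hex`/`Base64HighEntropyString` plugins listed above (a keyword-assignment regex and Shannon-entropy checks with assumed thresholds), a constructed two-file "repository", and a constructed old baseline. The point it demonstrates is that a baseline entry is keyed by file, detector and a hash of the value, never by line number or plaintext, so moved code does not re-alert and the baseline file itself leaks nothing.

```python
import hashlib
import math
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample "repository"; none of these values are real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "config.ini": "[database]\nhost = db.internal\npassword = hunter2hunter2\n",
    "app.py": (
        "AWS_SECRET = 'AKIAEXAMPLEEXAMPLEEXAMP'\n"
        "ENTROPIC = '3f9a7c1e8b2d4f6a9c0e1b3d5f7a9c2e'\n"
        "ZEROS = '00000000000000000000'\n"
    ),
}

# Assumed heuristics (not the real plugins): a keyword-assignment pattern and
# entropy checks over hex-looking and base64-looking runs of 20+ characters.
KEYWORD_RE = re.compile(r"""(?i)(password|secret|api[_-]?key|token)\s*[:=]\s*['"]?([^\s'"]{8,})""")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{20,}\b")
BASE64_RE = re.compile(r"\b[A-Za-z0-9+/]{20,}={0,2}")
HEX_LIMIT = 3.0      # assumed thresholds, in bits of entropy per character
BASE64_LIMIT = 4.5


@dataclass(frozen=True)
class Finding:
    filename: str
    line_number: int
    type: str
    hashed_secret: str                # the baseline records a hash, never the plaintext
    is_secret: Optional[bool] = None  # audit label: True/False once reviewed, None if unlabelled


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a run of one symbol)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def hash_secret(secret: str) -> str:
    return hashlib.sha1(secret.encode()).hexdigest()


def scan_text(filename: str, text: str) -> List[Finding]:
    """Run every heuristic over each line and return one Finding per hit."""
    findings: List[Finding] = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        for m in KEYWORD_RE.finditer(line):
            findings.append(Finding(filename, line_number, "KeywordDetector", hash_secret(m.group(2))))
        for regex, detector, limit in (
            (HEX_RE, "HexHighEntropyString", HEX_LIMIT),
            (BASE64_RE, "Base64HighEntropyString", BASE64_LIMIT),
        ):
            for m in regex.finditer(line):
                if shannon_entropy(m.group(0)) > limit:
                    findings.append(Finding(filename, line_number, detector, hash_secret(m.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for name in sorted(files) for f in scan_text(name, files[name])]


def baseline_key(f: Finding) -> Tuple[str, str, str]:
    # Line numbers are deliberately excluded so that moving code around does not re-alert.
    return (f.filename, f.type, f.hashed_secret)


def new_findings(findings: List[Finding], baseline: List[Finding]) -> List[Finding]:
    """What a pre-commit hook would fail on: hits that are absent from the baseline."""
    known = {baseline_key(b) for b in baseline}
    return [f for f in findings if baseline_key(f) not in known]


def update_baseline(findings: List[Finding], baseline: List[Finding]) -> List[Finding]:
    """Rescan semantics: add new hits, drop stale entries, keep existing audit labels."""
    labels = {baseline_key(b): b.is_secret for b in baseline}
    return [replace(f, is_secret=labels.get(baseline_key(f))) for f in findings]


# Constructed old baseline: the config.ini password was already reviewed (note the
# now-stale line number), and one entry refers to a value that has since been removed.
OLD_BASELINE = [
    Finding("config.ini", 2, "KeywordDetector", hash_secret("hunter2hunter2"), is_secret=True),
    Finding("app.py", 9, "KeywordDetector", hash_secret("old-rotated-value"), is_secret=True),
]

if __name__ == "__main__":
    current = scan_files(SAMPLE_FILES)
    for f in new_findings(current, OLD_BASELINE):
        print(f"NEW {f.type} in {f.filename}:{f.line_number}")
    print(f"{len(update_baseline(current, OLD_BASELINE))} entries in refreshed baseline")
```

Running it reports the two `app.py` hits as new while the `config.ini` password, already in the baseline, stays quiet despite its line number having shifted; the refreshed baseline carries the `is_secret=True` label forward and drops the entry whose value no longer exists in the tree, which is exactly the three-step behaviour of `detect-secrets scan --baseline`.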

Release History

| Version | Changes | Urgency | Date |
|---|---|---|---|
| 1.5.47 | Imported from PyPI (1.5.47) | Low | 4/21/2026 |
| v1.3.0 | Tag v1.3.0 | Low | 7/22/2022 |
| v1.2.0 | Tag v1.2.0 | Low | 2/16/2022 |
| v1.1.0 | Tag v1.1.0 | Low | 4/14/2021 |
| v1.0.3 | Tag v1.0.3 | Low | 2/26/2021 |
| v1.0.2 | Tag v1.0.2 | Low | 2/25/2021 |
| v1.0.1 | Tag v1.0.1 | Low | 2/25/2021 |
| v1.0.0 | Tag v1.0.0 | Low | 2/25/2021 |
| v0.14.4 | Tag v0.14.4 | Low | 2/1/2021 |
| v0.14.3 | Tag v0.14.3 | Low | 8/27/2020 |
| v0.14.2 | Tag v0.14.2 | Low | 7/26/2020 |
| v0.14.1 | Tag v0.14.1 | Low | 7/13/2020 |
| v0.14.0 | Tag v0.14.0 | Low | 7/9/2020 |
| v0.13.1 | Tag v0.13.1 | Low | 3/26/2020 |
| v0.13.0 | Tag v0.13.0 | Low | 10/28/2019 |
| v0.12.7 | Tag v0.12.7 | Low | 9/24/2019 |
| v0.12.6 | Tag v0.12.6 | Low | 9/16/2019 |
| v0.12.5 | Tag v0.12.5 | Low | 7/24/2019 |
| v0.12.4 | Tag v0.12.4 | Low | 5/22/2019 |
| v0.12.3 | Tag v0.12.3 | Low | 5/13/2019 |
| v0.12.2 | Tag v0.12.2 | Low | 3/21/2019 |

