Detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a

However, unlike other similar packages that solely focus on finding secrets, this package is designed with the enterprise client in mind: providing a backwards compatible, systematic

(this is what we refer to as a baseline), but preventing this issue from getting any larger, without dealing with the potentially gargantuous effort of moving existing secrets away.

It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.

For a look at recent changes, please see CHANGELOG.md.

If you are looking to contribute, please see CONTRIBUTING.md.

For more detailed documentation, check out our other documentation.

## Examples

### Quickstart:

Create a baseline of potential secrets currently found in your git repository.

```python
from detect_secrets import SecretsCollection
from detect_secrets.settings import transient_settings

secrets = SecretsCollection()
with transient_settings({
    # Only run scans with only these plugins.
    # This format is the same as the one that is saved in the generated baseline.
    'plugins_used': [
        # Example of configuring a built-in plugin
        {'name': 'Base64HighEntropyString', 'limit': 5.0},
        # Example of loading a custom plugin from a local file
        {
            'name': 'HippoDetector',  # the detector class defined in that file
            'path': 'file:///Users/aaronloo/Documents/github/detect-secrets/testing/plugins.py',
        },
    ],
    # We can also specify whichever additional filters we want.
    # This is an example of using the function `is_identified_by_ML_model` within the
    # local file `./private-filters/example.py`.
    'filters_used': [
        {'path': 'file://private-filters/example.py::is_identified_by_ML_model'},
    ],
}) as settings:
    # If we want to make any further adjustments to the created settings object (e.g.
    # disabling default filters), we can do so as such.
    settings.disable_filters('detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign')

    secrets.scan_file('test_data/config.ini')
```

## Installation

## Usage

```
$ detect-secrets scan --help

positional arguments:
  path                  Scans the entire codebase and outputs a snapshot of

optional arguments:
  -h, --help            show this help message and exit
  --string [STRING]     Scans an individual string, and displays configured
  --only-allowlisted    Only scans the lines that are flagged with `allowlist
                        secret`. This helps verify that individual exceptions
  --all-files           Scan all files recursively (as compared to only
  --baseline FILENAME   If provided, will update existing baseline by
  --force-use-all-plugins
                        If a baseline is provided, detect-secrets will default
                        to loading the plugins specified by that baseline.
                        However, this may also mean it doesn't perform the
                        provided, it will always use the latest plugins
  --slim                Slim baselines are created with the intention of
                        However, they are not compatible with the `audit`
                        functionality, and slim baselines will need to be
                        remade to be audited.

plugin options:
  Configure settings for each secret scanning ruleset. Plugins are enabled
  unless explicitly disabled.

  --list-all-plugins    Lists all plugins that will be used for the scan.
  -p PLUGIN_FILENAME, --plugin PLUGIN_FILENAME
                        Specify path to custom secret detector plugin.
  --base64-limit [BASE64_LIMIT]
                        Sets the entropy limit for high entropy strings.
                        Must be between 0.0 and 8.0, defaults to 4.5.
  --hex-limit [HEX_LIMIT]
                        Sets the entropy limit for high entropy strings.
                        Must be between 0.0 and 8.0, defaults to 3.0.

filter options:
  Configure settings for filtering out secrets after they are flagged by the

  -n, --no-verify       Disables additional verification of secrets via
  --only-verified       Only flags secrets that can be verified.
  --exclude-lines EXCLUDE_LINES
                        If lines match this regex, it will be ignored.
  --exclude-files EXCLUDE_FILES
                        If filenames match this regex, it will be ignored.
  --exclude-secrets EXCLUDE_SECRETS
                        If secrets match this regex, it will be ignored.
  --word-list WORD_LIST_FILE
                        Text file with a list of words, if a secret contains a
  -f FILTER, --filter FILTER
                        May be a python module (detect_invalid_file) or a
```

```
$ detect-secrets-hook --help

We recommend setting this up as a pre-commit hook.

  --baseline FILENAME   Explicitly ignore secrets through a baseline generated
```

```
$ detect-secrets audit --help
usage: detect-secrets audit

Auditing a baseline allows analysts to label results, and optimize plugins for
the highest signal-to-noise ratio for their environment.

positional arguments:
  filename              Audit a given baseline file to distinguish the difference

optional arguments:
  --diff                Allows the comparison of two baseline files, in order to
                        effectively distinguish the difference between various plugin
  --stats               Displays the results of an interactive auditing session which
  --report              Displays a report with the secrets detected

reporting:
  Display a summary with all the findings and the made decisions. To be used
  with the report mode (--report).

  --only-real           Only includes real secrets in the report
  --only-false          Only includes false positives in the report

analytics:
  Quantify the success of your plugins based on the labelled results in your
  baseline.
```