Linux command

detect-secrets command

Files

After copying a command, replace the bracketed file names, directories, or arguments as needed.

Common examples

Scan a directory for secrets

detect-secrets scan [path/to/directory]

Scan and create baseline file

detect-secrets scan > [.secrets.baseline]

Audit baseline file

detect-secrets audit [.secrets.baseline]

Scan specific files

detect-secrets scan [file1] [file2]

Scan with all plugins

detect-secrets scan --force-use-all-plugins [path]

Update existing baseline

detect-secrets scan --baseline [.secrets.baseline]

Run as pre-commit hook

detect-secrets-hook --baseline [.secrets.baseline]

Description

detect-secrets is a tool for detecting secrets (passwords, API keys, tokens) accidentally committed to code repositories. It scans files for patterns matching known secret formats and flags potential exposures. The tool uses multiple detection plugins: high-entropy strings, keyword patterns (password, api_key), and format-specific detectors (AWS keys, private keys, etc.). A baseline file tracks known secrets to avoid repeated alerts on intentional entries. The audit workflow allows reviewing detected secrets interactively, marking them as true positives, false positives, or skipped. Pre-commit hook integration prevents new secrets from being committed.
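The "high-entropy strings" plugins mentioned above work by measuring Shannon entropy over a character set. The script below is an added example, not detect-secrets' own code: it re-implements that idea in miniature, with the base64/hex character sets, assumed default thresholds of 4.5 and 3.0 bits, a simplified quoted-string regex, and a constructed four-line sample. It also shows why a plain password slips past the entropy plugins (the keyword plugin is what catches it) and why a hex digest lands in the baseline as a false positive.

```python
from __future__ import annotations

import math
import re
import string

# Character sets used by the two entropy plugins. Thresholds are assumed
# defaults (detect-secrets exposes them as options); the quoted-string
# regexes are a simplification of what the real plugins match.
BASE64_CHARS = string.ascii_letters + string.digits + "+/="
HEX_CHARS = string.hexdigits

PLUGINS = [
    # (plugin name, regex for a quoted candidate, charset, entropy limit in bits)
    ("HexHighEntropyString", re.compile(r'([\'"])([0-9a-fA-F]+)\1'), HEX_CHARS, 3.0),
    ("Base64HighEntropyString", re.compile(r'([\'"])([A-Za-z0-9+/=]+)\1'), BASE64_CHARS, 4.5),
]


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy in bits per character; only characters in `charset` count."""
    if not data:
        return 0.0
    entropy = 0.0
    length = len(data)
    for ch in set(charset):
        p = data.count(ch) / length
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def scan_text(text: str) -> list[tuple[int, str, str, float]]:
    """Return (line_number, plugin, candidate, entropy) for each quoted string
    whose entropy exceeds the plugin's limit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, charset, limit in PLUGINS:
            for match in pattern.finditer(line):
                candidate = match.group(2)
                entropy = shannon_entropy(candidate, charset)
                if entropy > limit:
                    findings.append((line_no, name, candidate, entropy))
    return findings


# Constructed sample input. Line 1 is a weak password (low entropy, so only a
# keyword plugin would flag it), line 2 a short commit hash, line 3 a token-like
# string of 32 distinct characters (entropy exactly 5.0 bits), line 4 a hex digest
# that the hex plugin flags and an audit would mark as a false positive.
SAMPLE_SOURCE = """\
password = "hunter2"
git_sha = "deadbeef"
api_token = "abcdefghijklmnopqrstuvwxyz012345"
digest = "0123456789abcdef"
"""

if __name__ == "__main__":
    for line_no, plugin, candidate, entropy in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {plugin} entropy={entropy:.2f} {candidate}")
```

Running it reports line 3 under Base64HighEntropyString and line 4 under HexHighEntropyString, and nothing for lines 1 and 2. The two thresholds differ because a hex alphabet caps out at 4 bits per character, so a limit tuned for base64 would never fire on hex material.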

Parameters

scan
Scan files for potential secrets.
audit
Interactively audit detected secrets.
--baseline _file_
Use existing baseline for comparison.
--all-files
Scan all files, not just those tracked by git.
--exclude-files _regex_
Regex pattern for files to exclude.
--exclude-lines _regex_
Regex pattern for lines to exclude.
--exclude-secrets _regex_
Regex pattern for secret values to exclude.
--list-all-plugins
List available detection plugins.
--no-verify
Disable verification of detected secrets.
-f, --force-use-all-plugins
Enable all detection plugins.
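The `--baseline` option and the `audit` subcommand above produce and consume a JSON baseline file. As an added example that is not detect-secrets' own code, the script below reads such a baseline and applies a CI policy: fail if any finding is still unaudited or has been confirmed as a real secret. The baseline layout it assumes (a `results` map from path to entries with `type`, `hashed_secret`, `line_number`, and an `is_secret` flag set by the audit) follows the tool's v1 format; the embedded sample baseline and its placeholder values are constructed.

```python
from __future__ import annotations

import hashlib
import json

# Assumed baseline layout (detect-secrets v1): "results" maps a file path to a
# list of findings; "hashed_secret" is the sha1 of the value, so the baseline
# itself never contains the secret; "is_secret" is absent (or null) until the
# entry has been audited, then true or false.


def hashed_secret_for(secret: str) -> str:
    """Fingerprint stored in the baseline in place of the raw value."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def _entry(plugin: str, path: str, line: int, placeholder: str, is_secret=None) -> dict:
    """Build one baseline entry from a constructed placeholder value."""
    entry = {
        "type": plugin,
        "filename": path,
        "hashed_secret": hashed_secret_for(placeholder),
        "is_verified": False,
        "line_number": line,
    }
    if is_secret is not None:
        entry["is_secret"] = is_secret
    return entry


# Constructed sample baseline: one true positive, one false positive, one unaudited.
SAMPLE_BASELINE = {
    "version": "0.0.0-placeholder",
    "plugins_used": [{"name": "Base64HighEntropyString", "limit": 4.5}, {"name": "KeywordDetector"}],
    "results": {
        "app/config.py": [
            _entry("KeywordDetector", "app/config.py", 12, "placeholder-real-password", is_secret=True),
            _entry("Base64HighEntropyString", "app/config.py", 40, "0123456789abcdef0123456789abcdef", is_secret=False),
        ],
        "tests/fixtures.py": [
            _entry("Base64HighEntropyString", "tests/fixtures.py", 7, "placeholder-fixture-token"),
        ],
    },
}


def audit_state(entry: dict) -> str:
    verdict = entry.get("is_secret")
    if verdict is True:
        return "true_positive"
    if verdict is False:
        return "false_positive"
    return "unaudited"


def summarize(baseline: dict) -> dict:
    """Count entries per audit state across the whole baseline."""
    counts = {"true_positive": 0, "false_positive": 0, "unaudited": 0}
    for entries in baseline.get("results", {}).values():
        for entry in entries:
            counts[audit_state(entry)] += 1
    return counts


def ci_gate(baseline: dict) -> list[str]:
    """Return reasons to fail the build; an empty list means the gate passes.
    Policy: every finding must be audited and none may be a confirmed secret."""
    problems = []
    for path, entries in baseline.get("results", {}).items():
        for entry in entries:
            state = audit_state(entry)
            where = f"{path}:{entry['line_number']}"
            if state == "true_positive":
                problems.append(f"{where} confirmed secret ({entry['type']}); rotate it and remove it from the code")
            elif state == "unaudited":
                problems.append(f"{where} not yet audited; run detect-secrets audit on the baseline")
    return problems


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_BASELINE)))
    for problem in ci_gate(SAMPLE_BASELINE):
        print("FAIL:", problem)
```

In a pipeline you would call `load_baseline(".secrets.baseline")` in place of the sample and exit non-zero when `ci_gate` returns anything. Marking an entry as a false positive keeps the hash in the baseline so later scans stay quiet about it; a confirmed true positive should be rotated, not merely baselined.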

FAQ

How do I run a basic detect-secrets example?

Run `detect-secrets scan [path/to/directory]` in a terminal, then adjust the file names, paths, or flags for your system.

What does scan do in detect-secrets?

Scan files for potential secrets.