Add a pre-commit hook so developers cannot accidentally commit API keys or passwords to your repository
Generate a baseline of existing secrets in a legacy codebase and immediately block any new ones from being added
Review flagged items interactively to mark false positives and reduce noise over time
Scan files programmatically in CI test pipelines using the detect-secrets Python API
| yelp/detect-secrets | reverseclabs/drozer | locuslab/tcn | |
|---|---|---|---|
| Stars | 4,511 | 4,512 | 4,513 |
| Language | Python | Python | Python |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 3/5 | 3/5 |
| Audience | developer | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
Detect-secrets is a tool built by Yelp that scans code repositories for accidentally committed secrets, such as API keys, passwords, tokens, and other credentials that should not be stored in source code. Rather than trying to dig through an entire repository's history to find every secret ever committed, it takes a more practical approach: it creates a snapshot called a baseline that records all the secrets currently present in the codebase, then focuses its attention on preventing any new secrets from being added going forward. The core workflow has three parts. First, you run a scan to generate a baseline file listing all the secrets already found in the code. This is stored as a JSON file in your repository. Second, you configure the tool to run as a pre-commit check, so that any time a developer tries to commit new code, it scans only the changed files against the baseline. If something looks like a new secret that is not already in the baseline, the commit is blocked. Third, there is an audit command that lets you review the baseline interactively, marking items as real secrets or false positives, which helps reduce noise over time. The tool comes with a long list of built-in detection plugins, each targeting a specific type of credential: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, private keys, JWT tokens, Twilio keys, SendGrid keys, and many more. Plugins can be individually enabled or disabled. You can also write and load your own custom detection plugins if your organization uses credential formats not covered by the defaults. Filters, including custom ones, can be applied to reduce false positives. Installation is straightforward through pip or Homebrew. The tool also exposes a Python API, so developers can import it directly into scripts or testing pipelines and scan files programmatically with custom plugin and filter configurations. The design philosophy is explicitly enterprise-oriented: it acknowledges that large, existing codebases likely already contain some secrets and does not demand you fix everything before you can start using it. You accept the current state as the baseline, stop the bleeding immediately, and then work through the backlog on your own timeline.
A Python tool that scans your codebase for accidentally committed secrets like API keys and passwords, blocks new ones via pre-commit hooks, and lets you audit and triage existing findings using a baseline file.
Mainly Python. The stack also includes Python, pip.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.