whatisgithub

What is detect-secrets?

yelp/detect-secrets — explained in plain English

Analysis updated 2026-06-26

4,511PythonAudience · developerComplexity · 2/5Setup · easy

In one sentence

A Python tool that scans your codebase for accidentally committed secrets like API keys and passwords, blocks new ones via pre-commit hooks, and lets you audit and triage existing findings using a baseline file.

Mindmap

mindmap
  root((detect-secrets))
    What it does
      Scans for secrets
      Blocks new commits
      Baseline file
      Audit and triage
    Detection plugins
      AWS and GitHub keys
      JWT and Stripe tokens
      Custom plugins
    Workflow
      Generate baseline
      Pre-commit check
      Audit command
    Setup
      pip install
      Python API
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Add a pre-commit hook so developers cannot accidentally commit API keys or passwords to your repository

USE CASE 2

Generate a baseline of existing secrets in a legacy codebase and immediately block any new ones from being added

USE CASE 3

Review flagged items interactively to mark false positives and reduce noise over time

USE CASE 4

Scan files programmatically in CI test pipelines using the detect-secrets Python API

What is it built with?

Pythonpip

How does it compare?

yelp/detect-secretsreverseclabs/drozerlocuslab/tcn
Stars4,5114,5124,513
LanguagePythonPythonPython
Setup difficultyeasymoderatemoderate
Complexity2/53/53/5
Audiencedeveloperdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

So what is it?

Detect-secrets is a tool built by Yelp that scans code repositories for accidentally committed secrets, such as API keys, passwords, tokens, and other credentials that should not be stored in source code. Rather than trying to dig through an entire repository's history to find every secret ever committed, it takes a more practical approach: it creates a snapshot called a baseline that records all the secrets currently present in the codebase, then focuses its attention on preventing any new secrets from being added going forward. The core workflow has three parts. First, you run a scan to generate a baseline file listing all the secrets already found in the code. This is stored as a JSON file in your repository. Second, you configure the tool to run as a pre-commit check, so that any time a developer tries to commit new code, it scans only the changed files against the baseline. If something looks like a new secret that is not already in the baseline, the commit is blocked. Third, there is an audit command that lets you review the baseline interactively, marking items as real secrets or false positives, which helps reduce noise over time. The tool comes with a long list of built-in detection plugins, each targeting a specific type of credential: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, private keys, JWT tokens, Twilio keys, SendGrid keys, and many more. Plugins can be individually enabled or disabled. You can also write and load your own custom detection plugins if your organization uses credential formats not covered by the defaults. Filters, including custom ones, can be applied to reduce false positives. Installation is straightforward through pip or Homebrew. The tool also exposes a Python API, so developers can import it directly into scripts or testing pipelines and scan files programmatically with custom plugin and filter configurations. The design philosophy is explicitly enterprise-oriented: it acknowledges that large, existing codebases likely already contain some secrets and does not demand you fix everything before you can start using it. You accept the current state as the baseline, stop the bleeding immediately, and then work through the backlog on your own timeline.

Copy-paste prompts

Prompt 1
I ran detect-secrets scan on my repo and got a baseline JSON file with 47 entries. Walk me through using the audit command to review each entry and mark false positives.
Prompt 2
Set up detect-secrets as a pre-commit hook in my Python project so any new API keys or passwords are automatically blocked at commit time.
Prompt 3
Write a custom detect-secrets plugin that detects our internal credential format, which looks like MYAPP_KEY_ followed by 32 hex characters.
Prompt 4
Show me a minimal Python script that imports the detect-secrets API to scan a list of files and return any findings without using the command line.
Prompt 5
My detect-secrets baseline keeps flagging the same test fixture file. How do I configure a custom filter to exclude that file from all scans?

Frequently asked questions

What is detect-secrets?

A Python tool that scans your codebase for accidentally committed secrets like API keys and passwords, blocks new ones via pre-commit hooks, and lets you audit and triage existing findings using a baseline file.

What language is detect-secrets written in?

Mainly Python. The stack also includes Python, pip.

How hard is detect-secrets to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is detect-secrets for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.