{"id":1947,"library":"bc-detect-secrets","title":"detect-secrets (Bridgecrew Fork)","description":"detect-secrets (Bridgecrew fork) is a Python tool designed for detecting secrets within a codebase. It focuses on enterprise use cases by providing a systematic way to prevent new secrets, detect explicit bypasses, and offer a checklist for secret migration. Unlike tools that solely find secrets, it emphasizes baseline management to allow for gradual remediation of existing secrets while blocking new ones. The current version is 1.5.47, and it is actively maintained on GitHub.","status":"active","version":"1.5.47","language":"en","source_language":"en","source_url":"https://github.com/bridgecrewio/detect-secrets","tags":["security","secret-management","pre-commit","static-analysis","SAST","credential-scanning","devsecops"],"install":[{"cmd":"pip install bc-detect-secrets","lang":"bash","label":"Basic Installation"},{"cmd":"pip install bc-detect-secrets[word_list]","lang":"bash","label":"With Word List Support"}],"dependencies":[{"reason":"Required system utility for differential scanning on Linux/macOS. May need separate installation on Windows.","package":"diffutils","optional":false},{"reason":"Required system utility for JSON processing on Linux/macOS. May need separate installation on Windows.","package":"jq","optional":false},{"reason":"Optional dependency for enhanced secret detection using custom word lists.","package":"word_list","optional":true}],"imports":[{"note":"Used for programmatic collection and management of detected secrets.","symbol":"SecretsCollection","correct":"from detect_secrets import SecretsCollection"},{"note":"Context manager for temporarily modifying detect-secrets settings, such as plugin configurations.","symbol":"transient_settings","correct":"from detect_secrets.settings import transient_settings"},{"note":"Access point for initializing and interacting with detection plugins programmatically.","symbol":"plugins","correct":"from detect_secrets.core import plugins"}],"quickstart":{"code":"# 1. Navigate to your repository root.\n# 2. Run the scan command to create an initial baseline file.\n#    This file records all currently detected 'secrets' to be ignored in future scans.\ndetect-secrets scan > .secrets.baseline\n\n# 3. (Optional) Add to .pre-commit-config.yaml for Git hook integration:\n#    - repo: https://github.com/bridgecrewio/detect-secrets\n#      rev: 1.5.47 # Use the current version\n#      hooks:\n#        - id: detect-secrets\n#          args: ['--baseline', '.secrets.baseline']\n\n# 4. To update the baseline with new secrets or remove old ones:\ndetect-secrets scan --update .secrets.baseline","lang":"bash","description":"The primary quickstart involves using the command-line interface to create a baseline file. This file (`.secrets.baseline`) tracks existing 'secrets' in your repository, allowing the tool to focus on preventing *new* leaks. The baseline can then be used with pre-commit hooks or CI/CD pipelines."},"warnings":[{"fix":"Update CLI commands to use subcommands (e.g., `detect-secrets scan` instead of `detect-secrets --scan`) and the `--update` flag for baseline management. Consult the latest documentation for correct syntax.","message":"Older versions (primarily Yelp's original detect-secrets before version 1.0) changed CLI flag syntax. `--audit` and `--scan` became subcommands `audit` and `scan`. `scan --import <baseline>` became `scan --update <baseline>`. While the `bc-detect-secrets` fork aims for backwards compatibility, awareness of these changes is important if migrating from very old setups or consulting legacy documentation.","severity":"breaking","affected_versions":"<1.0 (Yelp/detect-secrets), review for bc-detect-secrets migrations"},{"fix":"When scanning repositories with untracked files or when the repository is not a Git repo, append `--all-files` to your `detect-secrets scan` command.","message":"By default, `detect-secrets scan` only operates on files tracked by Git. Untracked files or scanning outside a Git repository will require the `--all-files` flag to be included in the scan command.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Do not use the `--slim` flag when generating baselines that you intend to audit. If a slim baseline has already been created, it will need to be regenerated without the `--slim` flag to enable auditing.","message":"Creating 'slim' baselines using the `--slim` flag will make them incompatible with the `audit` functionality. If you intend to audit your baseline, avoid using the `--slim` option.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your editor saves `.secrets.baseline` files using UTF-8 with BOM encoding to prevent parsing issues.","message":"When working on Windows, the `.secrets.baseline` file might encounter encoding issues. It is recommended to save this file with UTF-8 with BOM (Byte Order Mark) encoding.","severity":"gotcha","affected_versions":"All versions on Windows"},{"fix":"Verify that you have installed `bc-detect-secrets` via pip and are consulting the GitHub repository at `github.com/bridgecrewio/detect-secrets` for documentation and issue tracking.","message":"This library (`bc-detect-secrets`) is a fork maintained by Bridgecrew of the original `detect-secrets` by Yelp. While aiming for compatibility, users should be aware of this distinction and ensure they are installing the correct package (`bc-detect-secrets`) and referring to the Bridgecrew repository and documentation for the most accurate information.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}