{"id":2469,"library":"detect-secrets","title":"Detect Secrets","description":"Detect-secrets is a tool designed to identify and prevent sensitive information, such as API keys, passwords, and other credentials, from being committed into source code repositories. It leverages various detectors, including regex, keyword, and optional machine learning-based algorithms. The current version is 1.5.0, with minor releases typically occurring every few months.","status":"active","version":"1.5.0","language":"en","source_language":"en","source_url":"https://github.com/Yelp/detect-secrets","tags":["security","static analysis","secrets detection","pre-commit","devsecops"],"install":[{"cmd":"pip install detect-secrets","lang":"bash","label":"Basic Installation"},{"cmd":"pip install 'detect-secrets[ml]'","lang":"bash","label":"Installation with ML-based Gibberish Detector"}],"dependencies":[{"reason":"Required for the optional ML-based gibberish-detector feature. Installed via the `[ml]` extra.","package":"scikit-learn","optional":true}],"imports":[{"note":"Primary class for programmatic scanning of files.","symbol":"SecretsCollection","correct":"from detect_secrets import SecretsCollection"},{"note":"Context manager used to configure scanning parameters programmatically.","symbol":"transient_settings","correct":"from detect_secrets.settings import transient_settings"},{"note":"For programmatic interaction with baseline files, e.g., creating or updating.","symbol":"baseline","correct":"from detect_secrets.core import baseline"}],"quickstart":{"code":"import tempfile\nfrom pathlib import Path\n\nfrom detect_secrets import SecretsCollection\nfrom detect_secrets.settings import default_settings\n\n\ndef run_detect_secrets_scan():\n    with tempfile.TemporaryDirectory() as tmpdir:\n        repo_path = Path(tmpdir)\n\n        # Create a dummy file with fake secrets\n        (repo_path / \"my_project\").mkdir()\n        (repo_path / \"my_project\" / \"config.py\").write_text(\n            \"API_KEY = 'AKIAIOSFODNN7EXAMPLE'  # This is a fake AWS key, DO NOT USE\\n\"\n            \"DB_PASSWORD = 'supersecretpassword123'\\n\"\n            \"SECRET_PHRASE = 'NotARealSecret'\\n\"\n        )\n\n        print(f\"Scanning directory: {repo_path}\")\n\n        # Run the scan with the default plugins and filters.\n        # scan_file() takes one path at a time, so walk the directory.\n        secrets = SecretsCollection()\n        with default_settings():\n            for path in sorted(repo_path.rglob(\"*\")):\n                if path.is_file():\n                    secrets.scan_file(str(path))\n\n        # Process results: json() maps each filename to its list of findings.\n        results = secrets.json()\n        if results:\n            print(\"\\n--- Detected Secrets ---\")\n            for filepath, findings in results.items():\n                print(f\"File: {filepath}\")\n                for finding in findings:\n                    print(f\"  - Type: {finding['type']}, Hashed Secret: {finding['hashed_secret']}\")\n        else:\n            print(\"\\nNo secrets detected.\")\n\n\nif __name__ == '__main__':\n    run_detect_secrets_scan()","lang":"python","description":"This quickstart demonstrates how to programmatically scan a temporary directory containing a file with simulated secrets using `detect-secrets`. It initializes a temporary directory, creates a file with some fake credentials, and then uses `SecretsCollection` with `default_settings` to perform the scan and print the detected secret types."},"warnings":[{"fix":"Upgrade your Python environment to 3.9 or higher to maintain compatibility and receive updates.","message":"Support for Python 3.6 and 3.7 was dropped in v1.5.0. Python 3.8 support will also be removed in a future release (likely after its EOL in October 2024).","severity":"breaking","affected_versions":">=1.5.0"},{"fix":"Install `detect-secrets` with the `[ml]` extra: `pip install 'detect-secrets[ml]'`.","message":"The ML-based `gibberish-detector` (introduced in v1.1.0) is not included in the default installation. It requires an 'extra' package.","severity":"gotcha","affected_versions":">=1.1.0"},{"fix":"Initialize your repository with `detect-secrets init` to create a default config, and generate a baseline with `detect-secrets scan --baseline .secrets.baseline` to ignore existing secrets.","message":"For effective use, especially with `pre-commit` hooks, `detect-secrets` heavily relies on configuration files (`.detect-secrets.yaml`) and a baseline file (`.secrets.baseline`). Skipping these can lead to excessive false positives or missed secrets.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}