An enterprise-friendly Python tool for detecting and preventing secrets from entering codebases with a baseline approach.
detect-secrets is a Python tool that scans codebases to find and prevent secrets like API keys, passwords, and tokens from being committed. It helps teams avoid security risks by detecting secrets in source code and providing a systematic way to block new ones while managing existing issues through a baseline.
Development and security teams in enterprises who need to prevent accidental commits of secrets to version control systems, especially those managing large codebases with legacy secrets.
Developers choose detect-secrets for its enterprise-friendly baseline approach, which avoids the overhead of fixing all historical secrets at once, and its extensive plugin system that supports custom detectors and filters for high precision.
An enterprise-friendly way of detecting and preventing secrets in code.
Creates and updates a baseline of known secrets, so teams can block any new secret immediately while remediating legacy findings on their own schedule; the project's README presents this baseline workflow as its core philosophy for enterprise adoption.
Uses a modular plugin architecture with over 25 built-in detectors (e.g., AWSKeyDetector, GitHubTokenDetector) and supports custom plugins for tailored secret detection.
Easily configurable as a Git pre-commit hook via frameworks like pre-commit, blocking new secrets before they are committed, with inline allowlisting (a `pragma: allowlist secret` comment on the offending line) for controlled, reviewable exceptions.
Offers configurable regex patterns, file exclusions, and word lists to reduce false positives, and supports advanced filters like gibberish detection with additional packages.
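The following is an added example, not code from the detect-secrets project, that models the baseline workflow described above in plain Python: a pair of hypothetical regex detectors (an AWS access-key pattern and a keyword-style password check, both simplifications of what the real plugins do), a baseline that stores only a SHA-1 of each secret keyed by file and detector rather than by line number, and an inline allowlist pragma that suppresses a line. The sample "commits" are constructed for the demonstration; the AWS key in them is the documented AWS example key, not a live credential.

```python
"""Simplified model of a baseline-driven secret scanner (added example,
not detect-secrets' own code). Detectors, file contents and helper names
are assumptions made for illustration."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Inline allowlist marker, modelled on detect-secrets' pragma comment.
ALLOWLIST_PRAGMA = re.compile(r"pragma:\s*allowlist\s+secret")

# Hypothetical minimal detectors standing in for the real plugin set.
DETECTORS = {
    "AWS Access Key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "Keyword": re.compile(
        r"""(?i)(?:password|secret|api_key)\s*[=:]\s*['"]([^'"\s]{8,})['"]"""
    ),
}


@dataclass(frozen=True)
class Finding:
    filename: str
    detector: str
    hashed_secret: str
    line_number: int


def hash_secret(secret: str) -> str:
    # The baseline records a digest, never the secret itself.
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def scan_file(filename: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_PRAGMA.search(line):  # developer-approved exception
            continue
        for name, pattern in DETECTORS.items():
            for match in pattern.finditer(line):
                findings.append(
                    Finding(filename, name, hash_secret(match.group(1)), lineno)
                )
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for name, text in files.items() for f in scan_file(name, text)]


def baseline_keys(findings: list[Finding]) -> set[tuple[str, str, str]]:
    # Keyed by (file, detector, hash): a known secret that moves to another
    # line is still "known", so only genuinely new secrets are reported.
    return {(f.filename, f.detector, f.hashed_secret) for f in findings}


def new_secrets(findings: list[Finding], baseline: set) -> list[Finding]:
    return [
        f for f in findings
        if (f.filename, f.detector, f.hashed_secret) not in baseline
    ]


# Constructed sample inputs. COMMIT_1 holds a legacy key that goes into the
# baseline. COMMIT_2 moves that key down a line, adds a new hard-coded
# password, and allowlists a placeholder key used in documentation.
COMMIT_1 = {"config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'}
COMMIT_2 = {
    "config.py": (
        "import os\n"
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "correct-horse-battery"\n'
        'EXAMPLE_KEY = "AKIAAAAAAAAAAAAAAAAA"  # pragma: allowlist secret\n'
    ),
}


def demo() -> list[Finding]:
    baseline = baseline_keys(scan_repo(COMMIT_1))
    return new_secrets(scan_repo(COMMIT_2), baseline)


if __name__ == "__main__":
    for f in demo():
        print(f"NEW {f.detector} in {f.filename}:{f.line_number} "
              f"(sha1 {f.hashed_secret[:8]}...)")
```

Running the block reports only the new password on line 3: the legacy AWS key is in the baseline even though its line number changed, and the allowlisted placeholder is skipped. With the real tool the equivalent steps are `detect-secrets scan > .secrets.baseline` to create the baseline, `detect-secrets audit .secrets.baseline` to label each entry as a true or false positive, and the `detect-secrets` hook from the project's own pre-commit configuration with `--baseline .secrets.baseline` to block new findings. One caveat worth knowing before committing a baseline to a shared repository: the stored digest is an unsalted SHA-1 of the secret, so a low-entropy secret such as a short default password can be recovered from the baseline by brute force; remediate such entries rather than relying on the hash to hide them.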
Its own caveats section states that it misses multi-line secrets and default passwords that do not trip the keyword heuristics; the detectors are a safety net, not a substitute for developer education.
Requires noticeable tuning of plugins and filters to balance precision against recall, and the separate subcommands (scan, hook, audit) with their many options can overwhelm new users.
Has known problems on Windows with baseline file encoding, depends on Git version >=1.8.5, and advanced features need extra packages like pyahocorasick for word lists.