[{"data":1,"prerenderedAt":419},["ShallowReactive",2],{"blog-how-to/secret-scanning":3},{"id":4,"title":5,"body":6,"category":400,"date":401,"dateModified":401,"description":402,"draft":403,"extension":404,"faq":405,"featured":403,"headerVariant":406,"image":405,"keywords":405,"meta":407,"navigation":408,"ogDescription":409,"ogTitle":405,"path":410,"readTime":405,"schemaOrg":411,"schemaType":412,"seo":413,"sitemap":414,"stem":415,"tags":416,"twitterCard":417,"__hash__":418},"blog/blog/how-to/secret-scanning.md","How to Enable Secret Scanning",{"type":7,"value":8,"toc":373},"minimark",[9,13,17,21,27,32,88,92,95,137,147,153,157,160,177,192,212,228,232,235,239,245,249,255,259,263,269,273,279,283,286,290,296,300,307,313,335,354],[10,11],"category-badge",{"category":12},"How-To Guide",[14,15,5],"h1",{"id":16},"how-to-enable-secret-scanning",[18,19,20],"p",{},"Automatic detection of exposed credentials",[22,23,24],"tldr",{},[18,25,26],{},"TL;DR:\nEnable GitHub secret scanning in your repository settings. Set up pre-commit hooks with detect-secrets or gitleaks to catch secrets before they're committed. Add secret scanning to your CI/CD pipeline as a final safety net. All three layers together provide defense in depth.",[28,29,31],"h2",{"id":30},"defense-in-depth-strategy","Defense in Depth Strategy",[33,34,35,51],"table",{},[36,37,38],"thead",{},[39,40,41,45,48],"tr",{},[42,43,44],"th",{},"Layer",[42,46,47],{},"When",[42,49,50],{},"Tool",[52,53,54,66,77],"tbody",{},[39,55,56,60,63],{},[57,58,59],"td",{},"Pre-commit hook",[57,61,62],{},"Before commit",[57,64,65],{},"detect-secrets, gitleaks",[39,67,68,71,74],{},[57,69,70],{},"CI/CD pipeline",[57,72,73],{},"On push/PR",[57,75,76],{},"GitHub Actions, GitLab CI",[39,78,79,82,85],{},[57,80,81],{},"Repository scanning",[57,83,84],{},"After push",[57,86,87],{},"GitHub Secret Scanning",[28,89,91],{"id":90},"option-1-github-secret-scanning","Option 1: GitHub Secret Scanning",[18,93,94],{},"GitHub automatically scans public repositories. For private repos on Team/Enterprise plans:",[96,97,99,104],"step",{"number":98},"1",[100,101,103],"h3",{"id":102},"enable-in-repository-settings","Enable in repository settings",[105,106,107,111,125,131],"ol",{},[108,109,110],"li",{},"Go to your repository on GitHub",[108,112,113,114,118,119,118,122],{},"Click ",[115,116,117],"strong",{},"Settings"," → ",[115,120,121],{},"Security",[115,123,124],{},"Code security and analysis",[108,126,127,128],{},"Enable ",[115,129,130],{},"Secret scanning",[108,132,127,133,136],{},[115,134,135],{},"Push protection"," to block pushes with secrets",[96,138,140,144],{"number":139},"2",[100,141,143],{"id":142},"review-alerts","Review alerts",[18,145,146],{},"When secrets are detected, GitHub creates alerts in Security → Secret scanning alerts. You'll also receive email notifications.",[148,149,150],"tip-box",{},[18,151,152],{},"Push Protection:\nWhen enabled, GitHub blocks pushes that contain detected secrets, giving you a chance to remove them before they enter the repository.",[28,154,156],{"id":155},"option-2-pre-commit-hooks-with-detect-secrets","Option 2: Pre-commit Hooks with detect-secrets",[18,158,159],{},"Catch secrets before they ever enter git history:",[96,161,162,166],{"number":98},[100,163,165],{"id":164},"install-detect-secrets","Install detect-secrets",[167,168,173],"pre",{"className":169,"code":171,"language":172},[170],"language-text","pip install detect-secrets pre-commit\n","text",[174,175,171],"code",{"__ignoreMap":176},"",[96,178,179,183,189],{"number":139},[100,180,182],{"id":181},"create-baseline-file","Create baseline file",[167,184,187],{"className":185,"code":186,"language":172},[170],"# Scan your codebase and create a baseline\ndetect-secrets scan > .secrets.baseline\n",[174,188,186],{"__ignoreMap":176},[18,190,191],{},"Review the baseline file and remove any false positives.",[96,193,195,199,206],{"number":194},"3",[100,196,198],{"id":197},"configure-pre-commit","Configure pre-commit",[18,200,201,202,205],{},"Create ",[174,203,204],{},".pre-commit-config.yaml",":",[167,207,210],{"className":208,"code":209,"language":172},[170],"repos:\n  - repo: https://github.com/Yelp/detect-secrets\n    rev: v1.4.0\n    hooks:\n      - id: detect-secrets\n        args: ['--baseline', '.secrets.baseline']\n        exclude: package-lock.json\n",[174,211,209],{"__ignoreMap":176},[96,213,215,219,225],{"number":214},"4",[100,216,218],{"id":217},"install-the-hook","Install the hook",[167,220,223],{"className":221,"code":222,"language":172},[170],"pre-commit install\n",[174,224,222],{"__ignoreMap":176},[18,226,227],{},"Now, every commit will be scanned for new secrets.",[28,229,231],{"id":230},"option-3-gitleaks","Option 3: Gitleaks",[18,233,234],{},"Another popular option, especially for CI/CD:",[100,236,238],{"id":237},"local-usage","Local Usage",[167,240,243],{"className":241,"code":242,"language":172},[170],"# Install (macOS)\nbrew install gitleaks\n\n# Install (go)\ngo install github.com/gitleaks/gitleaks/v8@latest\n\n# Scan current directory\ngitleaks detect --source . -v\n\n# Scan git history\ngitleaks detect --source . --log-opts=\"--all\"\n",[174,244,242],{"__ignoreMap":176},[100,246,248],{"id":247},"pre-commit-hook","Pre-commit Hook",[167,250,253],{"className":251,"code":252,"language":172},[170],"repos:\n  - repo: https://github.com/gitleaks/gitleaks\n    rev: v8.18.1\n    hooks:\n      - id: gitleaks\n",[174,254,252],{"__ignoreMap":176},[28,256,258],{"id":257},"option-4-cicd-pipeline-integration","Option 4: CI/CD Pipeline Integration",[100,260,262],{"id":261},"github-actions","GitHub Actions",[167,264,267],{"className":265,"code":266,"language":172},[170],"name: Security Scan\n\non: [push, pull_request]\n\njobs:\n  gitleaks:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - name: Gitleaks\n        uses: gitleaks/gitleaks-action@v2\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",[174,268,266],{"__ignoreMap":176},[100,270,272],{"id":271},"using-trufflehog","Using TruffleHog",[167,274,277],{"className":275,"code":276,"language":172},[170],"name: TruffleHog Scan\n\non: [push, pull_request]\n\njobs:\n  trufflehog:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - name: TruffleHog\n        uses: trufflesecurity/trufflehog@main\n        with:\n          path: ./\n          base: main\n          head: HEAD\n",[174,278,276],{"__ignoreMap":176},[28,280,282],{"id":281},"handling-false-positives","Handling False Positives",[18,284,285],{},"Sometimes scanners flag test data or example values. Here's how to handle them:",[100,287,289],{"id":288},"with-detect-secrets","With detect-secrets",[167,291,294],{"className":292,"code":293,"language":172},[170],"# Update baseline to include known false positives\ndetect-secrets scan --baseline .secrets.baseline\n\n# Audit the baseline interactively\ndetect-secrets audit .secrets.baseline\n",[174,295,293],{"__ignoreMap":176},[100,297,299],{"id":298},"with-gitleaks","With gitleaks",[18,301,302,303,306],{},"Create a ",[174,304,305],{},".gitleaks.toml"," configuration file:",[167,308,311],{"className":309,"code":310,"language":172},[170],"[allowlist]\ndescription = \"Allow example and test files\"\npaths = [\n  '''\\.env\\.example$''',\n  '''test/fixtures/''',\n]\nregexes = [\n  '''example_api_key''',\n  '''test_secret''',\n]\n",[174,312,310],{"__ignoreMap":176},[314,315,316,323,329],"faq-section",{},[317,318,320],"faq-item",{"question":319},"What types of secrets can these tools detect?",[18,321,322],{},"Most tools detect API keys (Stripe, AWS, OpenAI), access tokens (GitHub, GitLab), private keys, database connection strings, and more. They use pattern matching and entropy analysis to identify potential secrets.",[317,324,326],{"question":325},"Will secret scanning slow down my commits?",[18,327,328],{},"Pre-commit hooks typically add 1-3 seconds to each commit. CI/CD scanning runs in parallel with other checks. The small time cost is worth the protection against leaked credentials.",[317,330,332],{"question":331},"What should I do when a secret is detected?",[18,333,334],{},"If detected before commit: remove it and use environment variables instead. If already pushed: rotate the credential immediately, then clean git history if needed. Treat any pushed secret as compromised.",[18,336,337,340,345,346,345,350],{},[115,338,339],{},"Related guides:",[341,342,344],"a",{"href":343},"/blog/how-to/hide-api-keys","How to Hide API Keys"," ·\n",[341,347,349],{"href":348},"/blog/how-to/rotate-api-keys","How to Rotate API Keys",[341,351,353],{"href":352},"/blog/how-to/remove-secrets-git-history","Remove Secrets from Git History",[355,356,357,363,368],"related-articles",{},[358,359],"related-card",{"description":360,"href":361,"title":362},"Step-by-step guide to sanitizing user input. HTML sanitization, XSS prevention with DOMPurify, server-side sanitization,","/blog/how-to/sanitize-input","How to Sanitize User Input",[358,364],{"description":365,"href":366,"title":367},"Step-by-step guide to securing API keys in web applications. Environment variables, server-side handling, key rotation, ","/blog/how-to/secure-api-keys","How to Secure API Keys in Your Web App",[358,369],{"description":370,"href":371,"title":372},"Step-by-step guide to building a secure login form. Prevent brute force attacks, handle credentials safely, and implemen","/blog/how-to/secure-login-form","How to Build a Secure Login Form",{"title":176,"searchDepth":374,"depth":374,"links":375},2,[376,377,382,388,392,396],{"id":30,"depth":374,"text":31},{"id":90,"depth":374,"text":91,"children":378},[379,381],{"id":102,"depth":380,"text":103},3,{"id":142,"depth":380,"text":143},{"id":155,"depth":374,"text":156,"children":383},[384,385,386,387],{"id":164,"depth":380,"text":165},{"id":181,"depth":380,"text":182},{"id":197,"depth":380,"text":198},{"id":217,"depth":380,"text":218},{"id":230,"depth":374,"text":231,"children":389},[390,391],{"id":237,"depth":380,"text":238},{"id":247,"depth":380,"text":248},{"id":257,"depth":374,"text":258,"children":393},[394,395],{"id":261,"depth":380,"text":262},{"id":271,"depth":380,"text":272},{"id":281,"depth":374,"text":282,"children":397},[398,399],{"id":288,"depth":380,"text":289},{"id":298,"depth":380,"text":299},"how-to","2026-01-23","Set up automatic secret detection in your repositories. Enable GitHub secret scanning, configure pre-commit hooks, and catch exposed API keys before they cause damage.",false,"md",null,"yellow",{},true,"Set up automatic secret detection in your repositories.","/blog/how-to/secret-scanning","[object Object]","HowTo",{"title":5,"description":402},{"loc":410},"blog/how-to/secret-scanning",[],"summary_large_image","9Kade-ZQxXeO_liGLnBdyKl6sEnq3ZJ0MUXJfAvsVbM",1775843927681]