Scanner Configuration

Configuration File

The Secret Scanner is configured using a JSON file named bytehide.secrets.json in your project root. This file controls all aspects of the scanner's behavior.

{
  "Name": "My Project Scanner",
  "Environment": "production",
  "ProjectToken": "<Your project token>",
  "RunConfiguration": "*",
  "Enabled": true,
  "DisplayCode": true,
  "Actions": {
    "export": {
      "enabled": true,
      "encrypt": false,
      "prefix": "auto_"
    },
    "notifications": {
      "email": [
        "9e4fc46c-893a-4d73-9efa-6ee92e856580"
      ]
    }
  }
}

Required Settings

| Setting | Description |
| --- | --- |
| ProjectToken | Your ByteHide project token. Get this from your project settings. |
| Environment | The environment context (e.g., "development", "staging", "production"). |

Optional Settings

| Setting | Default | Description |
| --- | --- | --- |
| Name | (Project name) | A custom name for this scanner configuration. |
| RunConfiguration | "*" | When to run the scanner ("debug", "release", or "*" for all). |
| Enabled | true | Enable or disable the scanner. |
| DisplayCode | false | Store code snippets with detected secrets in the ByteHide panel. |

Actions Configuration

Actions determine what happens when secrets are detected. You can configure these actions in the Scanner Workflow panel of your ByteHide project.

Export Action

Secure Export

All secrets are automatically encrypted when exported to the Secrets Manager, ensuring your sensitive data remains protected.

The export action automatically extracts hardcoded secrets during compilation, imports them into the Secrets Manager, and replaces the original code with a secure call to the manager using the secret's key. This process removes hardcoded secrets from the compiled binary while maintaining the application's functionality.

"export": {
  "enabled": true,
  "encrypt": false,
  "prefix": "auto_"
}

| Setting | Default | Description |
| --- | --- | --- |
| enabled | true | Enable automatic export of detected secrets. |
| encrypt | false | Encrypt the key names of secrets in the compiled binary. |
| prefix | "auto_" | Prefix added to automatically exported secrets. |

Important

The encrypt setting determines whether the key names of secrets (like "stripe-token") should be encrypted in the binary output. The values of all secrets are always encrypted regardless of this setting.

Notifications

Configure which channels receive notifications when secrets are detected:

"notifications": {
  "email": [
    "9e4fc46c-893a-4d73-9efa-6ee92e856580"
  ]
}

You can configure notification channels in the Scanner Workflow panel.

Scanner Workflow

In the Scanner Workflow panel, you can set up your detection workflow:

  1. Environments: Specify which environment this configuration applies to
  2. Detect on: Choose build configurations to scan (Debug, Release, or Always)
  3. Actions: Configure what happens when secrets are detected (Export or Do nothing)
  4. Messages: Set up notification channels (Email, Webhook, Slack, etc.)

Environment Variables

You can also configure the scanner using environment variables:

BYTEHIDE_SECRETS_TOKEN=your-token
BYTEHIDE_SECRETS_ENVIRONMENT=production
BYTEHIDE_SECRETS_ENABLED=true
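
A pre-commit style check for the settings described on this page, as an added example that is not ByteHide's own code: it reads the text of a bytehide.secrets.json file and reports missing required settings, a RunConfiguration outside the documented values, a disabled scanner, DisplayCode being on, and unencrypted key names. The function names and the rule that the BYTEHIDE_SECRETS_* variables can supply a required setting are assumptions.

```python
import json

# Example configuration from this page (the token is the page's placeholder).
SAMPLE = """{
  "Name": "My Project Scanner", "Environment": "production",
  "ProjectToken": "<Your project token>", "RunConfiguration": "*",
  "Enabled": true, "DisplayCode": true,
  "Actions": {"export": {"enabled": true, "encrypt": false, "prefix": "auto_"}}
}"""

# Assumption: these variables can stand in for the matching file settings.
ENV_NAMES = {"ProjectToken": "BYTEHIDE_SECRETS_TOKEN",
             "Environment": "BYTEHIDE_SECRETS_ENVIRONMENT"}
RUN_CONFIGS = {"debug", "release", "*"}  # values documented on this page


def usable(value):
    """True for a non-empty string that is not a <placeholder>."""
    return isinstance(value, str) and value.strip() != "" and not value.startswith("<")


def lint_config(text, env=None):
    """Return review findings for the text of a bytehide.secrets.json file."""
    env = env or {}
    cfg = json.loads(text)
    findings = []
    for key, env_name in ENV_NAMES.items():
        if not (usable(cfg.get(key)) or usable(env.get(env_name))):
            findings.append(f"missing required setting: {key}")
    run = cfg.get("RunConfiguration", "*")
    if not isinstance(run, str) or run not in RUN_CONFIGS:
        findings.append(f"unknown RunConfiguration: {run!r}")
    if not cfg.get("Enabled", True):
        findings.append("scanner is disabled")
    if cfg.get("DisplayCode", False):
        findings.append("DisplayCode is true: code snippets with detected secrets are stored in the panel")
    export = cfg.get("Actions", {}).get("export", {})
    if export.get("enabled", True) and not export.get("encrypt", False):
        findings.append("export.encrypt is false: secret key names are not encrypted in the binary")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print("-", finding)
```

Run against the page's example, it reports the placeholder token, DisplayCode, and the unencrypted key names.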
