Scanner Configuration
Configuration File
The Secret Scanner is configured using a JSON file named bytehide.secrets.json in your project root. This file controls all aspects of the scanner's behavior.
{
"Name": "My Project Scanner",
"Environment": "production",
"ProjectToken": "<Your project token>",
"RunConfiguration": "*",
"Enabled": true,
"DisplayCode": true,
"Actions": {
"export": {
"enabled": true,
"encrypt": false,
"prefix": "auto_"
},
"notifications": {
"email": [
"9e4fc46c-893a-4d73-9efa-6ee92e856580"
]
}
}
}
Required Settings
| Setting | Description |
|---|---|
ProjectToken | Your ByteHide project token. Get this from your project settings. |
Environment | The environment context (e.g., "development", "staging", "production"). |
Optional Settings
| Setting | Default | Description |
|---|---|---|
Name | (Project name) | A custom name for this scanner configuration. |
RunConfiguration | "*" | When to run the scanner ("debug", "release", or "*" for all). |
Enabled | true | Enable or disable the scanner. |
DisplayCode | false | Store code snippets with detected secrets in the ByteHide panel. |
Actions Configuration
Actions determine what happens when secrets are detected. You can configure these actions in the Scanner Workflow panel of your ByteHide project.
Export Action
Secure Export
All secrets are automatically encrypted when exported to the Secrets Manager, ensuring your sensitive data remains protected.
The export action automatically extracts hardcoded secrets during compilation, imports them into the Secrets Manager, and replaces the original code with a secure call to the manager using the secret's key. This process removes hardcoded secrets from the compiled binary while maintaining the application's functionality.
"export": {
"enabled": true,
"encrypt": false,
"prefix": "auto_"
}
| Setting | Default | Description |
|---|---|---|
enabled | true | Enable automatic export of detected secrets. |
encrypt | false | Encrypt the secret key in the compiled binary. |
prefix | "auto_" | Prefix added to automatically exported secrets. |
Important
The encrypt setting determines whether the key names of secrets (like "stripe-token") should be encrypted in the binary output. The values of all secrets are always encrypted regardless of this setting.
Notifications
Configure which channels receive notifications when secrets are detected:
"notifications": {
"email": [
"9e4fc46c-893a-4d73-9efa-6ee92e856580"
]
}
You can configure notification channels in the Scanner Workflow panel:
Scanner Workflow
In the Scanner Workflow panel, you can set up your detection workflow:
- Environments: Specify which environment this configuration applies to
- Detect on: Choose build configurations to scan (
Debug,Release, orAlways) - Actions: Configure what happens when secrets are detected (
ExportorDo nothing) - Messages: Set up notification channels (
Email,Webhook,Slack, etc.)
Environment Variables
You can also configure the scanner using environment variables:
BYTEHIDE_SECRETS_TOKEN=your-token
BYTEHIDE_SECRETS_ENVIRONMENT=production
BYTEHIDE_SECRETS_ENABLED=true