How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

Multi-Environment Setup

Environment isolation

ByteHide Secrets allows you to store different values for the same secret key across multiple environments. This ensures proper isolation between development, staging, and production configurations.

Understanding Environments

Environments allow you to manage separate sets of secrets for different stages of your application lifecycle:

Development: Used during local development
Staging: For testing before production deployment
Production: For your live application
Custom environments: Create any custom environment you need

Creating Environments

Environments are created in the ByteHide cloud panel:

Navigate to your project
Go to the Settings tab
In the Environments section, click Add
Enter a name for your environment (e.g., "staging")
Optionally connect a repository to this environment
Click Save

Environment Management Click to expand

Setting Environment-Specific Secrets

Once you've created environments, you can set environment-specific values for each secret key:

Go to the Keys tab in your project
Click Create secret to add a new secret
Enter a key name (e.g., "database-connection")
Add values for each environment
Click Save

Multi-Environment Secret Click to expand

Accessing Environment-Specific Secrets

Set Environment at Initialization

The most common approach is to set the environment via environment variables:

package main

import (
    "fmt"
    "log"

    "github.com/bytehide/bytehide-secrets-go/secrets"
)

func main() {
    // Set environment via environment variable
    // BYTEHIDE_SECRETS_ENVIRONMENT=production

    // Auto-initializes from environment variables
    connStr, err := secrets.Get("database-connection") // Gets production value
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println("Connection:", connStr)
}

package main

import (
    "fmt"
    "log"

    "github.com/bytehide/bytehide-secrets-go/secrets"
)

func main() {
    // Set environment via environment variable
    // BYTEHIDE_SECRETS_ENVIRONMENT=production

    // Auto-initializes from environment variables
    connStr, err := secrets.Get("database-connection") // Gets production value
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println("Connection:", connStr)
}

Or directly for testing/development:

// Initialize with explicit credentials (not recommended for production)
err := secrets.UnsecureInitialize("your-token", "production")
if err != nil {
    log.Fatal(err)
}

// Now all secret requests will use "production" environment
connStr, err := secrets.Get("database-connection")

// Initialize with explicit credentials (not recommended for production)
err := secrets.UnsecureInitialize("your-token", "production")
if err != nil {
    log.Fatal(err)
}

// Now all secret requests will use "production" environment
connStr, err := secrets.Get("database-connection")

Environment Configuration in Different Scenarios

Local Development

Bash

# Linux/macOS
export BYTEHIDE_SECRETS_TOKEN=your-token
export BYTEHIDE_SECRETS_ENVIRONMENT=development

# Windows (Command Prompt)
set BYTEHIDE_SECRETS_TOKEN=your-token
set BYTEHIDE_SECRETS_ENVIRONMENT=development

# Linux/macOS
export BYTEHIDE_SECRETS_TOKEN=your-token
export BYTEHIDE_SECRETS_ENVIRONMENT=development

# Windows (Command Prompt)
set BYTEHIDE_SECRETS_TOKEN=your-token
set BYTEHIDE_SECRETS_ENVIRONMENT=development

Docker Deployment

DOCKERFILE

FROM golang:1.21-alpine

WORKDIR /app
COPY . .
RUN go build -o myapp .

ENV BYTEHIDE_SECRETS_TOKEN=your-token
ENV BYTEHIDE_SECRETS_ENVIRONMENT=production

CMD ["./myapp"]

FROM golang:1.21-alpine

WORKDIR /app
COPY . .
RUN go build -o myapp .

ENV BYTEHIDE_SECRETS_TOKEN=your-token
ENV BYTEHIDE_SECRETS_ENVIRONMENT=production

CMD ["./myapp"]

CI/CD Pipeline

In your CI/CD workflows, set the appropriate environment:

YAML

# GitHub Actions example
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # ...
      - name: Set ByteHide Environment
        run: |
          # For staging branch
          if [[ "${{ github.ref }}" == "refs/heads/develop" ]]; then
            echo "BYTEHIDE_SECRETS_ENVIRONMENT=staging" >> $GITHUB_ENV
          # For main branch
          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            echo "BYTEHIDE_SECRETS_ENVIRONMENT=production" >> $GITHUB_ENV
          else
            echo "BYTEHIDE_SECRETS_ENVIRONMENT=development" >> $GITHUB_ENV
          fi

# GitHub Actions example
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # ...
      - name: Set ByteHide Environment
        run: |
          # For staging branch
          if [[ "${{ github.ref }}" == "refs/heads/develop" ]]; then
            echo "BYTEHIDE_SECRETS_ENVIRONMENT=staging" >> $GITHUB_ENV
          # For main branch
          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            echo "BYTEHIDE_SECRETS_ENVIRONMENT=production" >> $GITHUB_ENV
          else
            echo "BYTEHIDE_SECRETS_ENVIRONMENT=development" >> $GITHUB_ENV
          fi

Best Practices

Environment Naming Convention

Use consistent environment names across your organization:

development (or dev)
testing (or test)
staging (or stg)
production (or prod)

Value Consistency

Maintain the same key structure across environments with different values:

CODE

api-key:
  - development: "sk_test_123"
  - staging: "sk_test_456"
  - production: "sk_live_789"

api-key:
  - development: "sk_test_123"
  - staging: "sk_test_456"
  - production: "sk_live_789"