How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

Secret Scanner Installation

Before you begin

You'll need:

A ByteHide account and project token
Go 1.19 or higher installed
Node.js 16+ installed (required by the scanner engine)

Installation Options

Choose your preferred installation method:

Install from Source

Bash

git clone https://github.com/bytehide/bytehide-secrets-scanner-wrappers.git
cd bytehide-secrets-scanner-wrappers/wrappers/go
go build -o bytehide-secrets .

git clone https://github.com/bytehide/bytehide-secrets-scanner-wrappers.git
cd bytehide-secrets-scanner-wrappers/wrappers/go
go build -o bytehide-secrets .

Install Globally

Bash

go install github.com/bytehide/bytehide-secrets-scanner-wrappers/wrappers/go@latest

go install github.com/bytehide/bytehide-secrets-scanner-wrappers/wrappers/go@latest

Basic Setup

After installation, initialize the scanner configuration:

Bash

./bytehide-secrets init

./bytehide-secrets init

This interactive command will create a bytehide.secrets.json file in your project root directory:

JSON

{
  "token": "<your-project-token>",
  "appName": "My Go Project",
  "environment": "development",
  "sync": true,
  "fix": false,
  "anonymize": false
}

{
  "token": "<your-project-token>",
  "appName": "My Go Project",
  "environment": "development",
  "sync": true,
  "fix": false,
  "anonymize": false
}

Security Warning

Never commit your bytehide.secrets.json file to source control. Add it to your .gitignore file.

Verify Installation

After installation, run a scan to verify everything is working:

Bash

./bytehide-secrets scan

./bytehide-secrets scan

The scanner will automatically:

Check if scanning is enabled for your configuration
Scan source code for secrets
Report any findings to your ByteHide dashboard
Export detected secrets to your ByteHide Secrets Manager (if configured)

Makefile Integration

You can integrate the scanner into your build process using a Makefile:

MAKEFILE

.PHONY: scan-secrets
scan-secrets:
	bytehide-secrets scan .

.PHONY: build
build: scan-secrets
	go build -o myapp .

.PHONY: scan-secrets
scan-secrets:
	bytehide-secrets scan .

.PHONY: build
build: scan-secrets
	go build -o myapp .

Then run:

Bash

make build

make build

go:generate Integration

Add to your Go file for scanning during code generation:

//go:generate bytehide-secrets scan .

//go:generate bytehide-secrets scan .

Then run:

Bash

go generate

go generate

Scanner Workflow

The Secret Scanner integrates into your development workflow:

Installation: Build from source or install globally
Configuration: Set up the scanner via the JSON file or init command
Scanning: Run manually or automatically during builds
Reporting: Detected secrets appear in your ByteHide dashboard
Action: Export, fix, or receive alerts about found secrets

Installation Options

Install from Source

Install Globally

Basic Setup

Verify Installation

Makefile Integration

go:generate Integration

Scanner Workflow

What's Next?