/

Scanner Configuration

Configuration File

The Secret Scanner is configured using a JSON file named bytehide.secrets.json in your project root. This file controls all aspects of the scanner's behavior.

JSON
{
  "token": "<your-project-token>",
  "appName": "My Java Project",
  "environment": "production",
  "sync": true,
  "report": "security/scan-results.json",
  "reportFormat": "json",
  "anonymize": false,
  "fix": false
}

Required Settings

Security Best Practice

It's recommended to use environment variables for sensitive settings rather than storing them in your configuration file. This helps prevent accidental secret exposure.

SettingDescription
tokenYour ByteHide project token. For better security, use the BYTEHIDE_SECRETS_TOKEN environment variable instead.
environmentThe environment context (e.g., "development", "staging", "production"). Can be set with BYTEHIDE_SECRETS_ENVIRONMENT (defaults to "production" if missing).

Optional Settings

SettingDefaultDescription
appName"MyApp"A custom name for this scanner configuration.
synctrueExport detected secrets to ByteHide Secrets Manager.
report""Path to export a local report file (empty for no report).
reportFormat"json"Format for local reports ("json" or "yaml").
anonymizefalseMask actual secret values in logs and reports.
fixfalseAutomatically replace detected secrets with secure calls.

CLI Commands

Configure the scanner behavior using command-line arguments that override the JSON configuration:

Initialization

Bash
java -jar bytehide-secrets-scanner.jar init

This interactive wizard helps you set up your scanner configuration.

Manual Scanning

Bash
java -jar bytehide-secrets-scanner.jar scan [PATH] [OPTIONS]
OptionDescription
--tokenByteHide project token
--app-nameApplication name for identification
--environmentEnvironment name
--syncExport to ByteHide Secrets Manager
--reportPath for local report file
--report-formatReport format (json/yaml)
--anonymizeMask secret values
--fixReplace secrets with secure calls

Example:

Bash
java -jar bytehide-secrets-scanner.jar scan ./src --report ./reports/secrets.json --fix

Using as a Library

You can also use the scanner programmatically in your Java code:

Java
import com.bytehide.secrets.scanner.core.SecretsScanner;
import com.bytehide.secrets.scanner.core.ScanOptions;

public class Example {
    public static void main(String[] args) {
        try {
            SecretsScanner scanner = new SecretsScanner();

            ScanOptions options = new ScanOptions.Builder()
                .path("./src")
                .token("your-bytehide-token")
                .appName("MyApp")
                .environment("production")
                .fix(true)
                .report("./scan-results.json")
                .reportFormat("json")
                .build();

            int exitCode = scanner.scan(options);

            if (exitCode == 0) {
                System.out.println("No secrets found!");
            } else {
                System.out.println("Secrets detected. Check the report.");
            }

        } catch (Exception e) {
            System.err.println("Error: " + e.getMessage());
        }
    }
}

Detection Capabilities

The ByteHide Secrets Scanner includes advanced detection methods:

  • Pattern Matching: Identifies known secret formats from over 6,000 detection rules
  • Entropy Analysis: Detects high-entropy strings that may be secrets
  • Contextual Analysis: Understands variable names and surrounding code
  • Provider-Specific Plugins: Specialized detectors for AWS, Azure, GitHub, Stripe, and many more

Environment Variables

You can configure key settings using environment variables:

Bash
BYTEHIDE_SECRETS_TOKEN=your-project-token
BYTEHIDE_SECRETS_ENVIRONMENT=production

Configuration Precedence

Settings are applied in the following order (later overrides earlier):

  1. Default values
  2. bytehide.secrets.json file
  3. Environment variables
  4. Command-line arguments

Next Steps

Previous
Installation
Next
GitHub Integration