How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

Secret Scanner Installation

Before you begin

You'll need:

A ByteHide account and project token
Node.js 14.x or higher installed
npm 6.x or higher or yarn 1.x or higher

Installation Options

Choose your preferred installation method:

npm

Bash

npm install @bytehide/secrets-scanner --save-dev

npm install @bytehide/secrets-scanner --save-dev

yarn

Bash

yarn add @bytehide/secrets-scanner --dev

yarn add @bytehide/secrets-scanner --dev

Basic Setup

After installation, create a bytehide.secrets.json file in your project root directory:

JSON

{
  "token": "<your-project-token>",
  "appName": "My JavaScript Project",
  "environment": "development",
  "sync": true,
  "reportFormat": "json",
  "anonymize": false,
  "fix": true
}

{
  "token": "<your-project-token>",
  "appName": "My JavaScript Project",
  "environment": "development",
  "sync": true,
  "reportFormat": "json",
  "anonymize": false,
  "fix": true
}

Alternatively, use the initialization command for an interactive setup:

Bash

npx bytehide-secrets init

npx bytehide-secrets init

Security Warning

Never commit your bytehide.secrets.json file or tokens to source control. Add it to your .gitignore file and consider using environment variables instead.

Verify Installation

After installation, run a scan to verify everything is working:

Bash

npx bytehide-secrets scan

npx bytehide-secrets scan

The scanner will automatically:

Check if scanning is enabled for your configuration
Scan both source code and compiled artifacts for secrets
Report any findings to your ByteHide dashboard
Export detected secrets to your ByteHide Secrets Manager (if configured)

Prebuild Integration

For automatic scanning before each build, add a prebuild script to your package.json:

JSON

{
  "scripts": {
    "prebuild": "bytehide-secrets scan",
    "build": "your-build-command"
  }
}

{
  "scripts": {
    "prebuild": "bytehide-secrets scan",
    "build": "your-build-command"
  }
}

This ensures the scanner runs automatically whenever you build your project:

Bash

npm run build

npm run build

Scanner Workflow

The Secret Scanner integrates into your development workflow:

Installation: Add the npm/yarn package to your project
Configuration: Set up the scanner via the JSON file or init command
Scanning: Run manually or automatically during builds
Reporting: Detected secrets appear in your ByteHide dashboard
Action: Export, fix, or receive alerts about found secrets

Installation Options

npm

yarn

Basic Setup

Verify Installation

Prebuild Integration

Scanner Workflow

What's Next?