How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

Scanner Configuration

Configuration File

The Secret Scanner is configured using a JSON file named bytehide.secrets.json in your project root. This file controls all aspects of the scanner's behavior.

JSON

{
  "token": "<your-project-token>",
  "appName": "My PHP Project",
  "environment": "production",
  "sync": true,
  "report": "security/scan-results.json",
  "reportFormat": "json",
  "anonymize": false,
  "fix": false
}

{
  "token": "<your-project-token>",
  "appName": "My PHP Project",
  "environment": "production",
  "sync": true,
  "report": "security/scan-results.json",
  "reportFormat": "json",
  "anonymize": false,
  "fix": false
}

Required Settings

Security Best Practice

It's recommended to use environment variables for sensitive settings rather than storing them in your configuration file. This helps prevent accidental secret exposure.

Setting	Description
`token`	Your ByteHide project token. For better security, use the `BYTEHIDE_SECRETS_TOKEN` environment variable instead.
`environment`	The environment context (e.g., `"development"`, `"staging"`, `"production"`). Can be set with `BYTEHIDE_SECRETS_ENVIRONMENT` (defaults to `"production"` if missing).

Optional Settings

Setting	Default	Description
`appName`	`"MyApp"`	A custom name for this scanner configuration.
`sync`	`true`	Export detected secrets to ByteHide Secrets Manager.
`report`	`""`	Path to export a local report file (empty for no report).
`reportFormat`	`"json"`	Format for local reports (`"json"` or `"yaml"`).
`anonymize`	`false`	Mask actual secret values in logs and reports.
`fix`	`false`	Automatically replace detected secrets with secure calls.

CLI Commands

Configure the scanner behavior using command-line arguments that override the JSON configuration:

Initialization

Bash

vendor/bin/bytehide-secrets init

vendor/bin/bytehide-secrets init

This interactive wizard helps you set up your scanner configuration.

Manual Scanning

Bash

vendor/bin/bytehide-secrets scan [PATH] [OPTIONS]

vendor/bin/bytehide-secrets scan [PATH] [OPTIONS]

Option	Description
`--token`	ByteHide project token
`--app-name`	Application name for identification
`--environment`	Environment name
`--sync`	Export to ByteHide Secrets Manager
`--report`	Path for local report file
`--report-format`	Report format (`json`/`yaml`)
`--anonymize`	Mask secret values
`--fix`	Replace secrets with secure calls

Example:

Bash

vendor/bin/bytehide-secrets scan ./src --report ./reports/secrets.json --fix

vendor/bin/bytehide-secrets scan ./src --report ./reports/secrets.json --fix

Using as a Library

You can also use the scanner programmatically in your PHP code:

PHP

<?php

require_once 'vendor/autoload.php';

use ByteHide\SecretsScanner\SecretsScanner;
use ByteHide\SecretsScanner\ScanOptions;

try {
    $scanner = new SecretsScanner();

    $options = new ScanOptions();
    $options
        ->setPath('./src')
        ->setToken('your-bytehide-token')
        ->setAppName('MyApp')
        ->setEnvironment('production')
        ->setFix(true)
        ->setReport('./scan-results.json')
        ->setReportFormat('json');

    $exitCode = $scanner->scan($options);

    if ($exitCode === 0) {
        echo "No secrets found!\n";
    } else {
        echo "Secrets detected. Check the report.\n";
    }

} catch (\Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
}

<?php

require_once 'vendor/autoload.php';

use ByteHide\SecretsScanner\SecretsScanner;
use ByteHide\SecretsScanner\ScanOptions;

try {
    $scanner = new SecretsScanner();

    $options = new ScanOptions();
    $options
        ->setPath('./src')
        ->setToken('your-bytehide-token')
        ->setAppName('MyApp')
        ->setEnvironment('production')
        ->setFix(true)
        ->setReport('./scan-results.json')
        ->setReportFormat('json');

    $exitCode = $scanner->scan($options);

    if ($exitCode === 0) {
        echo "No secrets found!\n";
    } else {
        echo "Secrets detected. Check the report.\n";
    }

} catch (\Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
}

Detection Capabilities

The ByteHide Secrets Scanner includes advanced detection methods:

Pattern Matching: Identifies known secret formats from over 6,000 detection rules
Entropy Analysis: Detects high-entropy strings that may be secrets
Contextual Analysis: Understands variable names and surrounding code
Provider-Specific Plugins: Specialized detectors for AWS, Azure, GitHub, Stripe, and many more

Environment Variables

You can configure key settings using environment variables:

Bash

BYTEHIDE_SECRETS_TOKEN=your-project-token
BYTEHIDE_SECRETS_ENVIRONMENT=production

BYTEHIDE_SECRETS_TOKEN=your-project-token
BYTEHIDE_SECRETS_ENVIRONMENT=production

Configuration Precedence

Settings are applied in the following order (later overrides earlier):

Default values
bytehide.secrets.json file
Environment variables
Command-line arguments

Configuration File

Required Settings

Optional Settings

CLI Commands

Initialization

Manual Scanning

Using as a Library

Detection Capabilities

Environment Variables

Configuration Precedence

Next Steps