How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

Secret Scanner Installation

Before you begin

You'll need:

A ByteHide account and project token
PHP 7.4 or higher installed
Composer package manager
Node.js 16+ installed (required by the scanner engine)

Installation Options

Choose your preferred installation method:

Using Composer

Bash

composer require bytehide/secrets-scanner --dev

composer require bytehide/secrets-scanner --dev

Or add to your composer.json:

JSON

{
    "require-dev": {
        "bytehide/secrets-scanner": "^0.1"
    }
}

{
    "require-dev": {
        "bytehide/secrets-scanner": "^0.1"
    }
}

Then run:

Bash

composer install

composer install

Basic Setup

After installation, initialize the scanner configuration:

Bash

vendor/bin/bytehide-secrets init

vendor/bin/bytehide-secrets init

This interactive command will create a bytehide.secrets.json file in your project root directory:

JSON

{
  "token": "<your-project-token>",
  "appName": "My PHP Project",
  "environment": "development",
  "sync": true,
  "fix": false,
  "anonymize": false
}

{
  "token": "<your-project-token>",
  "appName": "My PHP Project",
  "environment": "development",
  "sync": true,
  "fix": false,
  "anonymize": false
}

Security Warning

Never commit your bytehide.secrets.json file to source control. Add it to your .gitignore file.

Verify Installation

After installation, run a scan to verify everything is working:

Bash

vendor/bin/bytehide-secrets scan

vendor/bin/bytehide-secrets scan

The scanner will automatically:

Check if scanning is enabled for your configuration
Scan source code for secrets
Report any findings to your ByteHide dashboard
Export detected secrets to your ByteHide Secrets Manager (if configured)

Composer Scripts Integration

For automatic scanning, add the scanner to your Composer scripts:

JSON

{
    "scripts": {
        "scan-secrets": "bytehide-secrets scan",
        "pre-install-cmd": "bytehide-secrets scan",
        "pre-update-cmd": "bytehide-secrets scan"
    }
}

{
    "scripts": {
        "scan-secrets": "bytehide-secrets scan",
        "pre-install-cmd": "bytehide-secrets scan",
        "pre-update-cmd": "bytehide-secrets scan"
    }
}

Then run:

Bash

composer scan-secrets

composer scan-secrets

Or it will run automatically before composer install or composer update.

Scanner Workflow

The Secret Scanner integrates into your development workflow:

Installation: Add the Composer package to your project
Configuration: Set up the scanner via the JSON file or init command
Scanning: Run manually or automatically via Composer scripts
Reporting: Detected secrets appear in your ByteHide dashboard
Action: Export, fix, or receive alerts about found secrets

Installation Options

Using Composer

Basic Setup

Verify Installation

Composer Scripts Integration

Scanner Workflow

What's Next?