How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

CI/CD Integration

Automated project scanning

The ByteHide Secrets Scanner can be easily integrated into any CI/CD pipeline where Python and Node.js are available.

Build Integration

If you have the scanner integrated into your Makefile or build scripts (see Scanner Installation), it will run automatically in any CI/CD environment. This is the simplest approach.

Repository-Level Git Integration

If you prefer deeper integration at the Git repository level, you can use our:

GitHub Integration

This option provides additional features like pull request scanning and automatic comments.

DevOps-Only Integration

Important note

This DevOps-only configuration is only recommended for advanced users. For most cases, the build integration is sufficient and easier to maintain.

If you don't want the scanner in your project build, you can integrate it only in your DevOps pipeline:

GitHub Actions

YAML

name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Setup Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Setup Node.js
      uses: actions/setup-node@v3
      with:
        node-version: '18'

    - name: Install scanner
      run: pip install bytehide-secrets-scanner

    - name: Create scanner config
      run: |
        echo '{
          "token": "${{ secrets.BYTEHIDE_TOKEN }}",
          "appName": "CI Scanner",
          "environment": "ci",
          "sync": true,
          "anonymize": false
        }' > bytehide.secrets.json

    - name: Run scanner
      run: bytehide-secrets scan

name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Setup Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'

    - name: Setup Node.js
      uses: actions/setup-node@v3
      with:
        node-version: '18'

    - name: Install scanner
      run: pip install bytehide-secrets-scanner

    - name: Create scanner config
      run: |
        echo '{
          "token": "${{ secrets.BYTEHIDE_TOKEN }}",
          "appName": "CI Scanner",
          "environment": "ci",
          "sync": true,
          "anonymize": false
        }' > bytehide.secrets.json

    - name: Run scanner
      run: bytehide-secrets scan

GitLab CI/CD

YAML

image: python:3.11

stages:
  - scan

scan_secrets:
  stage: scan
  before_script:
    - apt-get update && apt-get install -y nodejs npm
    - pip install bytehide-secrets-scanner
  script:
    - |
      echo '{
        "token": "'$BYTEHIDE_TOKEN'",
        "appName": "GitLab CI Scanner",
        "environment": "gitlab-ci",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json
    - bytehide-secrets scan

image: python:3.11

stages:
  - scan

scan_secrets:
  stage: scan
  before_script:
    - apt-get update && apt-get install -y nodejs npm
    - pip install bytehide-secrets-scanner
  script:
    - |
      echo '{
        "token": "'$BYTEHIDE_TOKEN'",
        "appName": "GitLab CI Scanner",
        "environment": "gitlab-ci",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json
    - bytehide-secrets scan

Using tox

You can also integrate the scanner with tox:

INI

# tox.ini
[tox]
envlist = scan, py311

[testenv:scan]
deps = bytehide-secrets-scanner
commands = bytehide-secrets scan .

# tox.ini
[tox]
envlist = scan, py311

[testenv:scan]
deps = bytehide-secrets-scanner
commands = bytehide-secrets scan .

Then run:

Bash

tox -e scan

tox -e scan

Environment-Specific Configuration

You can use different scanner configurations for different environments:

YAML

# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "environment": "development",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "environment": "production",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "environment": "development",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "environment": "production",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

Viewing Results

After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:

Detected secrets by type and location
The commit and branch where the secret was found
Confidence level of the detection
Link to the specific code location

Build Integration

Repository-Level Git Integration

DevOps-Only Integration

GitHub Actions

GitLab CI/CD

Using tox

Environment-Specific Configuration

Viewing Results

Next Steps