How to integrate ByteHide Secrets scanner in CI/CD?

Install the Secrets CLI tool, configure authentication with project token, add scanning step to your pipeline YAML, and set up fail conditions for found secrets.

How to configure custom secret patterns?

Create a .bytehide-secrets.json config file with custom regex patterns, entropy thresholds, and file exclusions to detect organization-specific secret formats.

How to handle false positives in secret scanning?

Use ignore comments in code, configure exclusion rules in config file, adjust entropy thresholds, or whitelist specific patterns that are not actual secrets.

Secret Scanner Installation

Before you begin

You'll need:

A ByteHide account and project token
Python 3.7 or higher installed
Node.js 16+ installed (required by the scanner engine)

Installation

Install the ByteHide Secret Scanner using pip:

Bash

pip install bytehide-secrets-scanner

pip install bytehide-secrets-scanner

Basic Setup

After installation, initialize the scanner configuration:

Bash

bytehide-secrets init

bytehide-secrets init

This interactive command will create a bytehide.secrets.json file in your project root directory:

JSON

{
  "token": "<your-project-token>",
  "appName": "My Python Project",
  "environment": "development",
  "sync": true,
  "fix": false,
  "anonymize": false
}

{
  "token": "<your-project-token>",
  "appName": "My Python Project",
  "environment": "development",
  "sync": true,
  "fix": false,
  "anonymize": false
}

Security Warning

Never commit your bytehide.secrets.json file to source control. Add it to your .gitignore file.

Verify Installation

After installation, run a scan to verify everything is working:

Bash

bytehide-secrets scan

bytehide-secrets scan

The scanner will automatically:

Check if scanning is enabled for your configuration
Scan source code for secrets
Report any findings to your ByteHide dashboard
Export detected secrets to your ByteHide Secrets Manager (if configured)

Build Integration

For automatic scanning, you can add the scanner to your build or test pipeline:

Using a Makefile

MAKEFILE

.PHONY: scan-secrets
scan-secrets:
	bytehide-secrets scan .

.PHONY: test
test: scan-secrets
	pytest tests/

.PHONY: scan-secrets
scan-secrets:
	bytehide-secrets scan .

.PHONY: test
test: scan-secrets
	pytest tests/

Using setup.cfg or pyproject.toml

Add a custom script entry to run the scanner before tests:

TOML

# pyproject.toml
[tool.pytest.ini_options]
# Run scanner as part of your test suite

# pyproject.toml
[tool.pytest.ini_options]
# Run scanner as part of your test suite

Bash

bytehide-secrets scan && pytest tests/

bytehide-secrets scan && pytest tests/

Scanner Workflow

The Secret Scanner integrates into your development workflow:

Installation: Install the pip package
Configuration: Set up the scanner via the JSON file or init command
Scanning: Run manually or automatically during builds
Reporting: Detected secrets appear in your ByteHide dashboard
Action: Export, fix, or receive alerts about found secrets

Installation

Basic Setup

Verify Installation

Build Integration

Using a Makefile

Using setup.cfg or pyproject.toml

Scanner Workflow

What's Next?