yelp/detect-secrets

4,511 · Python

TLDR

Detect-secrets is a tool built by Yelp that scans code repositories for accidentally committed secrets, such as API keys, passwords, tokens, and other credentials that should not be stored in source code.


In plain English

Detect-secrets, built by Yelp, scans code repositories for accidentally committed secrets: API keys, passwords, tokens, and other credentials that should never live in source code. Rather than digging through an entire repository's history to find every secret ever committed, it takes a more practical approach: it records a snapshot, called a baseline, of all the secrets currently present in the codebase, and then concentrates on preventing any new secrets from being added from that point on.

The core workflow has three parts. First, you run a scan to generate a baseline file listing every secret already found in the code; it is stored as a JSON file in your repository. Second, you configure the tool as a pre-commit check, so that whenever a developer tries to commit, it scans only the changed files and compares the findings against the baseline. If something looks like a secret that is not already in the baseline, the commit is blocked. Third, an audit command lets you review the baseline interactively, marking each entry as a real secret or a false positive, which reduces noise over time.

The tool ships with a long list of built-in detection plugins, each targeting a specific type of credential: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, private keys, JWTs, Twilio keys, SendGrid keys, and many more. Plugins can be enabled or disabled individually, and you can write and load your own detection plugins if your organization uses credential formats the defaults do not cover. Filters, including custom ones, can be applied to cut false positives. Installation is straightforward through pip or Homebrew. The tool also exposes a Python API, so developers can import it into scripts or test pipelines and scan files programmatically with custom plugin and filter configurations.

The design philosophy is explicitly enterprise-oriented: it acknowledges that large, existing codebases probably already contain some secrets and does not demand that you fix everything before you can start using it. You accept the current state as the baseline, stop the bleeding immediately, and then work through the backlog on your own timeline.
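To make the three-step workflow concrete, here is an added example of my own, not code from the detect-secrets project: two regex "plugins" stand in for the real plugin set, a baseline is built that records a hash of each finding per file, and a pre-commit style check scans only the changed files and reports just the findings missing from that baseline. The plugin patterns, file contents and key values are constructed (the AKIA-prefixed strings are fakes in the documented AWS shape); the baseline layout with `hashed_secret` and `line_number` entries and the `# pragma: allowlist secret` inline comment mirror what the real tool does.

```python
"""Added illustration of the baseline / pre-commit workflow (not detect-secrets
code).  All files, keys and plugin patterns below are constructed."""
from __future__ import annotations

import hashlib
import json
import re

# Illustrative patterns standing in for detection plugins (not the project's
# own regexes).  The keyword pattern captures the assigned value in group 2.
PLUGINS = {
    "AWSKeyDetector": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "KeywordDetector": re.compile(
        r"(?i)\b(password|secret|api_key)\s*=\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Inline allowlist marker; detect-secrets honours the same comment so that a
# line a reviewer has already judged harmless (fixtures, placeholders) is skipped.
ALLOWLIST_MARKER = "pragma: allowlist secret"


def hash_secret(value: str) -> str:
    """Baselines store a SHA-1 of the secret value, never the plaintext."""
    return hashlib.sha1(value.encode()).hexdigest()


def scan_text(filename: str, text: str) -> list[dict]:
    """Run every plugin over each line and return baseline-style findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:   # filter: explicitly allowlisted line
            continue
        for name, pattern in PLUGINS.items():
            for m in pattern.finditer(line):
                raw = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({
                    "type": name,
                    "filename": filename,
                    "line_number": lineno,
                    "hashed_secret": hash_secret(raw),
                })
    return findings


def build_baseline(files: dict[str, str]) -> dict:
    """Step 1: snapshot every secret currently in the tree."""
    results = {}
    for filename, text in files.items():
        found = scan_text(filename, text)
        if found:
            results[filename] = found
    return {"plugins_used": [{"name": n} for n in PLUGINS], "results": results}


def new_secrets(baseline: dict, changed_files: dict[str, str]) -> list[dict]:
    """Step 2: scan only the changed files; keep findings not already known."""
    known = {
        (f["filename"], f["type"], f["hashed_secret"])
        for findings in baseline["results"].values()
        for f in findings
    }
    return [
        f
        for filename, text in changed_files.items()
        for f in scan_text(filename, text)
        if (f["filename"], f["type"], f["hashed_secret"]) not in known
    ]


def precommit_check(baseline: dict, changed_files: dict[str, str]) -> int:
    """Hook exit status: 0 lets the commit through, 1 blocks it."""
    found = new_secrets(baseline, changed_files)
    for f in found:
        print(f"{f['filename']}:{f['line_number']}: potential {f['type']} "
              "not in baseline")
    return 1 if found else 0


# --- constructed sample repository and a proposed commit ---------------------
REPO = {
    "config/settings.py": 'api_key = "legacy-example-value-0001"\n',
    "docs/README.md": "Nothing sensitive here.\n",
}
BASELINE = build_baseline(REPO)   # accepted as-is: stop the bleeding first

CHANGED = {
    # legacy secret unchanged: already in the baseline, so not reported again
    "config/settings.py": REPO["config/settings.py"] + "DEBUG = False\n",
    # new fake AWS-style key: absent from the baseline, so the commit is blocked;
    # the second line is allowlisted and therefore ignored
    "src/client.py": 'AWS_KEY = "AKIAEXAMPLEKEY000000"\n'
                     'TEST_KEY = "AKIAZZZZZZZZZZZZZZZZ"  # pragma: allowlist secret\n',
}

if __name__ == "__main__":
    print(json.dumps(BASELINE, indent=2))
    raise SystemExit(precommit_check(BASELINE, CHANGED))
```

Running the script prints the baseline and exits non-zero because `src/client.py` introduces a key the baseline does not know, while the pre-existing `api_key` in `config/settings.py` passes silently. With the real tool the same three steps are `detect-secrets scan > .secrets.baseline`, the `detect-secrets` pre-commit hook configured against that file, and `detect-secrets audit .secrets.baseline` to label entries as true or false positives.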
