detect-secrets scans only staged files and misses history in CI
By default the detect-secrets pre-commit hook only inspects staged changes, and in CI a shallow clone means earlier commits are not on the runner. A secret added before the scan was adopted is missed.
What this error means
CI is green even though a known secret exists in an older commit, because the hook only scanned the current diff and the clone was shallow.
pre-commit run detect-secrets --files src/new.py
detect-secrets...........................................Passed
# secret in an earlier commit (config/old.py) was never scannedCommon causes
The hook scans staged files only
The pre-commit integration inspects the current diff, so secrets already committed before adoption are not re-examined.
A shallow clone hides earlier commits
With fetch-depth: 1, older commits are not present, so even a full scan cannot see history-resident secrets.
How to fix it
Scan the whole tree with full history
- Check out with
fetch-depth: 0so all files and history are present. - Run detect-secrets across all files, not only the staged diff.
- Compare the result against the committed baseline.
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: pre-commit run detect-secrets --all-filesDo a one-time full-repo scan when adopting the tool
Generate the initial baseline from a complete scan so pre-existing secrets are captured and audited.
detect-secrets scan > .secrets.baseline
detect-secrets audit .secrets.baselineHow to prevent it
- Use
--all-filesandfetch-depth: 0for the CI backstop scan. - Generate the initial baseline from a full repository scan.
- Do not rely on the staged-diff hook alone to catch old secrets.