Skip to content
Latchkey

detect-secrets scans only staged files and misses history in CI

By default the detect-secrets pre-commit hook only inspects staged changes, and in CI a shallow clone means earlier commits are not on the runner. A secret added before the scan was adopted is missed.

What this error means

CI is green even though a known secret exists in an older commit, because the hook only scanned the current diff and the clone was shallow.

detect-secrets
pre-commit run detect-secrets --files src/new.py
detect-secrets...........................................Passed
# secret in an earlier commit (config/old.py) was never scanned

Common causes

The hook scans staged files only

The pre-commit integration inspects the current diff, so secrets already committed before adoption are not re-examined.

A shallow clone hides earlier commits

With fetch-depth: 1, older commits are not present, so even a full scan cannot see history-resident secrets.

How to fix it

Scan the whole tree with full history

  1. Check out with fetch-depth: 0 so all files and history are present.
  2. Run detect-secrets across all files, not only the staged diff.
  3. Compare the result against the committed baseline.
.github/workflows/ci.yml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
- run: pre-commit run detect-secrets --all-files

Do a one-time full-repo scan when adopting the tool

Generate the initial baseline from a complete scan so pre-existing secrets are captured and audited.

Terminal
detect-secrets scan > .secrets.baseline
detect-secrets audit .secrets.baseline

How to prevent it

  • Use --all-files and fetch-depth: 0 for the CI backstop scan.
  • Generate the initial baseline from a full repository scan.
  • Do not rely on the staged-diff hook alone to catch old secrets.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →