Talisman "Potential secrets detected" blocks the push in CI
Talisman scans staged changes for secret-like filenames, content patterns, and high entropy. When it finds a match it prints "Potential secrets detected" and exits non-zero, blocking the commit or push.
What this error means
Talisman prints a table of "Potential secrets" with the filename and reason (for example "The file name ... failed checks against the pattern") and fails the step.
Talisman Report:
+-----------------+-------------------------------------------------------+
| FILE | ERRORS |
+-----------------+-------------------------------------------------------+
| deploy/id_rsa | The file name "id_rsa" failed checks against |
| | the pattern ^.+_rsa$ |
+-----------------+-------------------------------------------------------+Common causes
A secret-like file or content was staged
Talisman matched a filename pattern (such as *_rsa), a content pattern, or a high-entropy string in the staged changes.
A false positive on a fixture or key-shaped value
A test key file or long random token trips a pattern even though it is not a real secret.
How to fix it
Remove a real secret or add a checksum ignore
- Inspect each flagged file and reason in the report.
- If it is a real secret, remove it, rotate it, and load it from a secret store.
- For a verified false positive, add a checksum-pinned entry to
.talismanrc.
fileignoreconfig:
- filename: tests/fixtures/id_rsa
checksum: 4f1b...pinned-sha256Generate the ignore entry from Talisman
Let Talisman compute the checksum so the ignore stays valid only for the exact file content you approved.
talisman --checksum='tests/fixtures/id_rsa'How to prevent it
- Pin ignores by checksum so edited files are re-flagged.
- Rotate any real secret Talisman catches.
- Run Talisman as a pre-push hook so pushes are checked before CI.