Skip to content
Latchkey

detect-secrets audit: Triage the Baseline

detect-secrets audit steps through every candidate in the baseline so you can label each as a real secret or a false positive.

A raw baseline is just candidates. The audit pass is where a human marks which ones are real, so the baseline becomes a trustworthy allowlist of known-safe matches.

What it does

detect-secrets audit <baseline> opens an interactive review: for each candidate it shows the file/line and you mark it real, false, or skip. Decisions are recorded as is_secret flags in the baseline. --report prints a non-interactive summary suitable for CI logs.

Common usage

Terminal
# interactively triage candidates
detect-secrets audit .secrets.baseline
# non-interactive report of unaudited / real secrets
detect-secrets audit --report .secrets.baseline
# show only what is still unaudited
detect-secrets audit --report --only-real .secrets.baseline

Options

FlagWhat it does
<baseline>The .secrets.baseline to audit
--reportNon-interactive summary instead of the prompt
--only-realIn a report, show only confirmed real secrets
--only-falseShow only confirmed false positives
--jsonMachine-readable report output

In CI

Audit is interactive, so do it locally and commit the labeled baseline; in CI use --report to assert there are no unaudited or real entries left. A clean pipeline means every candidate has been triaged and none is a confirmed live secret.

Common errors in CI

"No baseline found" means the path is wrong or the file was not committed. An interactive audit hanging in CI means you forgot --report; the prompt waits on stdin forever. If --report --only-real lists entries, a real secret slipped into the baseline and must be removed and rotated.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →