detect-secrets audit: Triage the Baseline
detect-secrets audit steps through every candidate in the baseline so you can label each as a real secret or a false positive.
A raw baseline is just candidates. The audit pass is where a human marks which ones are real, so the baseline becomes a trustworthy allowlist of known-safe matches.
What it does
detect-secrets audit <baseline> opens an interactive review: for each candidate it shows the file/line and you mark it real, false, or skip. Decisions are recorded as is_secret flags in the baseline. --report prints a non-interactive summary suitable for CI logs.
Common usage
# interactively triage candidates
detect-secrets audit .secrets.baseline
# non-interactive report of unaudited / real secrets
detect-secrets audit --report .secrets.baseline
# show only what is still unaudited
detect-secrets audit --report --only-real .secrets.baselineOptions
| Flag | What it does |
|---|---|
| <baseline> | The .secrets.baseline to audit |
| --report | Non-interactive summary instead of the prompt |
| --only-real | In a report, show only confirmed real secrets |
| --only-false | Show only confirmed false positives |
| --json | Machine-readable report output |
In CI
Audit is interactive, so do it locally and commit the labeled baseline; in CI use --report to assert there are no unaudited or real entries left. A clean pipeline means every candidate has been triaged and none is a confirmed live secret.
Common errors in CI
"No baseline found" means the path is wrong or the file was not committed. An interactive audit hanging in CI means you forgot --report; the prompt waits on stdin forever. If --report --only-real lists entries, a real secret slipped into the baseline and must be removed and rotated.