Integrate detect-secrets with Vulnetix. Scan code for secrets using heuristics and rules, with a baseline system for tracking known secrets and false positives.
Install & scan
$ uv run --with detect-secrets detect-secrets --version $ uv run --with detect-secrets detect-secrets scan > .secrets.baseline
Run detect-secrets in CI
Scan on every push and upload the results to Vulnetix:
- name: Run detect-secrets
run: |
pip install detect-secrets
detect-secrets scan --baseline .secrets.baseline
detect-secrets audit --report .secrets.baseline
- name: Upload to Vulnetix
run: vulnetix upload --file .secrets.baseline
How Vulnetix compares — better together
Vulnetix does not replace detect-secrets. Keep running it. Vulnetix sits on top of detect-secrets — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
| Capability | Vulnetix | detect-secrets |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✓ Core: regex + entropy + keyword detection with 27 plugins and baseline management |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What detect-secrets does well
- Baseline workflow is best-in-class for legacy codebases: snapshots existing secrets so CI only fails on net-new ones, letting teams adopt scanning without rotating everything first
- 27 pluggable detectors combining regex, keyword and Shannon-entropy heuristics, extensible with custom plugins and filters
- Optional gibberish/ML detector and audit tooling to label true vs false positives and cut noise
- Lightweight pre-commit hook integration and pure-CLI operation with no server dependency
Where Vulnetix adds to it: detect-secrets is a focused secrets engine; Vulnetix runs its own secret scanning but, more importantly, ingests detect-secrets output and dedups it into one prioritised queue alongside SAST/SCA/IaC/container findings, adds exploit-intel, VEX and SSVC that detect-secrets has no concept of. Better together: keep detect-secrets' baseline gate in pre-commit, let Vulnetix consolidate and prioritise across scanners.
No migration, no rip-and-replace. detect-secrets keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise detect-secrets results in Vulnetix
Upload detect-secrets SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.