Tool integration

detect-secrets Integration Guide

Enterprise secret detection with baseline management

Get a Free API Key

Integrate detect-secrets with Vulnetix. Scan code for secrets using heuristics and rules, with a baseline system for tracking known secrets and false positives.

CLI toolSARIF

Install & scan

$ uv run --with detect-secrets detect-secrets --version
$ uv run --with detect-secrets detect-secrets scan > .secrets.baseline

Run detect-secrets in CI

Scan on every push and upload the results to Vulnetix:

- name: Run detect-secrets
  run: |
    pip install detect-secrets
    detect-secrets scan --baseline .secrets.baseline
    detect-secrets audit --report .secrets.baseline
- name: Upload to Vulnetix
  run: vulnetix upload --file .secrets.baseline

How Vulnetix compares — better together

Vulnetix does not replace detect-secrets. Keep running it. Vulnetix sits on top of detect-secrets — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixdetect-secrets
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git historyCore: regex + entropy + keyword detection with 27 plugins and baseline management
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What detect-secrets does well

Where Vulnetix adds to it: detect-secrets is a focused secrets engine; Vulnetix runs its own secret scanning but, more importantly, ingests detect-secrets output and dedups it into one prioritised queue alongside SAST/SCA/IaC/container findings, adds exploit-intel, VEX and SSVC that detect-secrets has no concept of. Better together: keep detect-secrets' baseline gate in pre-commit, let Vulnetix consolidate and prioritise across scanners.

No migration, no rip-and-replace. detect-secrets keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise detect-secrets results in Vulnetix

Upload detect-secrets SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

detect-secrets documentation ↗  ·  Source repository ↗

Wire detect-secrets into your CI/CD pipeline →