Wondering what’s next for npm?Check out our public roadmap! »


    1.0.6 • Public • Published


    A developer-friendly secrets detection tool for CI and pre-commit hooks

    npm version license downloads build codecov Known Vulnerabilities Security Responsible Disclosure


    The detect-secrets npm package is a Node.js-based wrapper for Yelp's detect-secrets tool that aims to provide an accessible and developer-friendly method of introducing secrets detection in pre-commit hooks.

    Yelp's detect-secrets is based on Python and requires explicit installation from developers. Moreover, its installation may be challenging in different operating systems. detect-secrets aims to alleviate this challenge by:

    1. Attempt to locate Yelp's detect-secrets tool, and if it exists in the path to execute it.

    If it fails it continues to:

    1. Attempt to locate the docker binary and if it exists it will download and execute the docker container for lirantal/detect-secrets which has Yelp's detect-secrets inside the image.

    If this fails as well:

    1. Exit with a warning message


    The above described fallback strategy is used to find an available method of executing the detect-secrets tool to protect the developer from leaking secrets into source code control.


    npm install --save detect-secrets

    This will expose detect-secrets-launcher Node.js executable file.

    Another way to invoke it is with npx which will download and execute the detect-secrets wrapper on the fly:

    npx detect-secrets [arguments]


    If you're using husky to manage pre-commit hooks configuration, then enabling secrets detection is as simple as adding another hook entry.

    "husky": {
        "hooks": {
          "pre-commit": "detect-secrets-launcher src/*"

    If you're using husky and lint-staged to manage pre-commit hooks configuration and running static code analysis on staged files, then enabling secrets detection is as simple as adding another lint-staged entry.

    A typical setup will look like this as an example:

    "husky": {
      "hooks": {
        "pre-commit": "lint-staged"
    "lint-staged": {
      "linters": {
        "**/*.js": [
          "detect-secrets-launcher --baseline .secrets-baseline"

    If you're not using a baseline file (it is created using Yelp's server-side detect-secrets tool) then you can simply omit this out and keep it as simple as detect-secrets-launcher.


    To scan the index.js file within a repository for the potential of leaked secrets inside it run the following:

    detect-secrets-launcher index.js

    Note that index.js has to be staged and versioned control. Any other plain file that is not known to git will not be scanned.


    Please consult CONTIRBUTING for guidelines on contributing to this project.


    detect-secrets © Liran Tal, Released under the Apache-2.0 License.


    npm i detect-secrets

    DownloadsWeekly Downloads






    Unpacked Size

    36.6 kB

    Total Files


    Last publish


    • avatar