# Install detect-secrets with Homebrew, Nix

Enterprise friendly way of detecting and preventing secrets in code. Version 1.5.0 via Homebrew; verified 2026-05-20.

## Install

```sh
sudo av install brew:detect-secrets
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install detect-secrets
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#detect-secrets
```

  Evidence: nixpkgs package indexes: detect-secrets from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

## Package facts

- **Package key:** brew:detect-secrets
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/detect-secrets>
- **Version:** 1.5.0
- **Source summary:** Enterprise friendly way of detecting and preventing secrets in code
- **Homepage:** <https://github.com/Yelp/detect-secrets>
- **Repository:** <https://github.com/Yelp/detect-secrets>
- **Upstream docs:** <https://github.com/Yelp/detect-secrets#readme>
- **License:** Apache-2.0
- **Source archive:** <https://files.pythonhosted.org/packages/69/67/382a863fff94eae5a0cf05542179169a1c49a4c8784a9480621e2066ca7d/detect_secrets-1.5.0.tar.gz>
- **Last updated:** 2026-05-20T12:50:03Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- detect-secrets (cli)
- detect-secrets-hook (cli)
- detect-secrets (alias)
- detect-secrets-hook (alias)

## Dependencies

- certifi
- libyaml
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.5.0
- Package-manager updated: 2026-05-20
- Local data: ok
- Upstream repository: https://github.com/Yelp/detect-secrets
- info: No cached GitHub release or tag data was available.
## Project history and usage

detect-secrets is Yelp's open-source command-line scanner for finding secrets in code and, more importantly, preventing newly introduced secrets from entering a repository. Its README describes the baseline workflow as a way to accept existing findings while blocking new ones.

### Project history

The GitHub repository was created in December 2017, and the README presents the tool as enterprise-friendly secret detection. Its changelog shows continued 1.x releases through 2024, including new detectors for GitLab, Telegram, PyPI, OpenAI, and IP addresses, plus support for newer Python versions.

### Adoption history

detect-secrets was designed for large repositories where immediately removing every old secret-like value may be impractical. The baseline model helped it fit pre-commit hooks and CI workflows: teams generate .secrets.baseline, audit it, and then use detect-secrets-hook or scans to catch new findings.

### How it is used

The standard package-manager workflow is to install the CLI, run detect-secrets scan into .secrets.baseline, and wire detect-secrets-hook into staged-file or tracked-file checks. The README also documents auditing the baseline and tuning detectors and filters for local policy.

### Why package nerds care

Package nerds care about detect-secrets because it is a practical DevSecOps CLI with a persistent config artifact rather than a one-shot grep-like scanner. It sits alongside pre-commit, GitHub secret scanning, trufflehog-style tools, and policy-driven CI checks.

### Timeline

- 2017: GitHub repository created for Yelp/detect-secrets.
- 2020: 0.14.x releases continued the pre-1.0 series.
- 2022: 1.2.0 added CI and release-pipeline work plus new token detectors.
- 2024: 1.5.0 added OS-agnostic baseline support and more modern token detectors.

### Related projects

- The project is commonly used with pre-commit-style hooks, CI pipelines, and other secret-scanning tools that enforce repository hygiene.

### Sources

- <https://github.com/Yelp/detect-secrets>
- <https://github.com/Yelp/detect-secrets/blob/master/README.md>
- <https://github.com/Yelp/detect-secrets/blob/master/CHANGELOG.md>
- <https://api.github.com/repos/Yelp/detect-secrets>


## Security Notes

No matching local secret-handling manifest was found for detect-secrets. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: .secrets.baseline
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** detect-secrets
- **Version Scheme:** 0
- **Revision:** 9
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - detect-secrets: normalized package name match | nixpkgs package indexes: detect-secrets from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [git-hound](https://www.automicvault.com/pkg/brew/git-hound/) - Shares av.db curated category or tags: cli, pre-commit, secret-scanning, security.
- [gitleaks](https://www.automicvault.com/pkg/brew/gitleaks/) - Shares av.db curated category or tags: cli, devsecops, secret-scanning, security.
- [git-secrets](https://www.automicvault.com/pkg/brew/git-secrets/) - Shares av.db curated category or tags: cli, secret-scanning, security.
- [kingfisher](https://www.automicvault.com/pkg/brew/kingfisher/) - Shares av.db curated category or tags: cli, secret-scanning, security.
- [mantra](https://www.automicvault.com/pkg/brew/mantra/) - Shares av.db curated category or tags: cli, secret-scanning, security.
- [squealer](https://www.automicvault.com/pkg/brew/squealer/) - Shares av.db curated category or tags: cli, secret-scanning, security.
- [tartufo](https://www.automicvault.com/pkg/brew/tartufo/) - Shares av.db curated category or tags: cli, secret-scanning, security.
- [bomber](https://www.automicvault.com/pkg/brew/bomber/) - Shares av.db curated category or tags: cli, devsecops, security.
- [cycode](https://www.automicvault.com/pkg/brew/cycode/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, devsecops, libyaml, python.

## Combined YAML source

View the package source record on GitHub. [combined/detect-secrets.yml](https://github.com/automic-vault/db/blob/main/combined/detect-secrets.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
