The right place for secret scanning is in a pre-commit hook or a CI pipeline — caught at the door, never written to history. The next-best place is retroactively, against the repos you already have, before someone else finds them for you.
This guide walks through running our secret scanner against an existing repository on disk.
Prerequisites
- The Blue Lantern on-prem toolkit installed.
- Credits allocated (or auto-refresh enabled).
- git available locally if you need to clone the repo.
- A scan caps out at 500 credits (~$0.50) regardless of repo size, so cost is bounded.
Running the scan
Clone the repo first, if you don't already have it:
git clone some-git-repository.git
Then run the scanner against the directory:
bluelantern --target ./some-git-repository run secret-scanner
Results land in /results in your configured data directory. Run bluelantern ui to browse them at http://localhost:9090/results.
Pipeline-friendly version
If you're running this manually you'll want to wire it into CI before long. Our GitHub Actions guide walks through the workflow, including how to surface findings as PR warnings instead of breaking builds.
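The "caught at the door" option from the top of this page, as an added example that is not part of this page or the Blue Lantern toolkit: a git pre-commit hook that exports only the staged tree to a temporary directory, runs the scanner over it with the same command shown above, and blocks the commit if the scanner fails. It assumes the scanner exits non-zero when it reports findings; the page does not state the CLI's exit-code contract, so confirm that against your installed version. The SCANNER override variable is this example's own, not a toolkit feature.

```shell
#!/bin/sh
# Added example (not Blue Lantern's own code): a git pre-commit hook that runs the
# secret scanner over the staged tree only, so a finding blocks the commit before
# anything reaches history. Install as .git/hooks/pre-commit and make it executable.
# Assumption: the scanner exits non-zero when it finds a secret; the page does not
# state its exit-code contract, so verify this for your installed version.
set -u

# SCANNER is this example's own override (handy for testing); defaults to the real CLI.
SCANNER="${SCANNER:-bluelantern}"

# scan_staged_tree REPO_DIR
# Exports exactly what is staged (not the working tree, which may hold unstaged
# edits) into a temp directory and scans that. Returns the scanner's exit status
# so the caller can block the commit on findings; returns 2 on setup failure.
scan_staged_tree() {
  repo="$1"
  tmp="$(mktemp -d)" || return 2
  # checkout-index writes the index contents under --prefix; the trailing slash matters.
  if ! git -C "$repo" checkout-index -a -f --prefix="$tmp/"; then
    rm -rf "$tmp"
    return 2
  fi
  # Same invocation as the manual run on this page, pointed at the staged snapshot.
  "$SCANNER" --target "$tmp" run secret-scanner
  status=$?
  rm -rf "$tmp"
  return "$status"
}

# Only act as a hook when git invokes this file as "pre-commit"; sourcing it
# elsewhere defines the function without triggering a scan.
case "$(basename -- "$0")" in
  pre-commit)
    if ! scan_staged_tree "$(git rev-parse --show-toplevel)"; then
      echo "pre-commit: secret scanner reported findings; commit blocked" >&2
      exit 1
    fi
    ;;
esac
```

Scanning the exported index rather than the working directory matters: a developer can have a credential sitting in an untracked or unstaged file without it ever entering the commit, and conversely a staged hunk is what will actually be written to history. Whatever the hook blocks is still worth a retroactive scan of the repository later, since hooks are bypassable with --no-verify.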