Stashbase

Scan

Command to scan your codebase for hard-coded secrets

The scan command uses AI to detect secrets within your codebase, helping to catch exposed credentials or sensitive data before they are committed or deployed.

stashbase scan <COMMAND> [OPTIONS]

Commands

  • staged (alias: pre-commit) scans staged files.
  • changes (alias: diff) scans working directory changes (staged + unstaged).
  • unpushed (alias: pre-push) scans commits not yet pushed to remote.
  • install installs a git hook block for automatic scan checks.
  • uninstall uninstalls a git hook block for scan checks.
  • config manages scan config files.

Config auto-discovery

stashbase automatically loads stashbase-scan.yaml from the Git repository root for these commands:

  • stashbase scan staged
  • stashbase scan changes
  • stashbase scan unpushed

You can still override this with an explicit config path:

stashbase scan staged -c ./path/to/custom-scan.yaml

Staged

Scan staged changes in your local git repository for secrets. The alias for this command is scan pre-commit.

stashbase scan staged [OPTIONS]

Options

Prop | Type

Examples

# Output as json
stashbase scan staged --json

# Using baseline file
stashbase scan staged --baseline baseline.json

# Using config file
stashbase scan staged --config config.yaml

# Exclude files
stashbase scan staged --exclude-files "*.js" "*.ts"

Changes

Scan staged and unstaged changes in your local git repository for secrets. The alias for this command is scan diff.

stashbase scan changes [OPTIONS]

Options

Prop | Type

Examples

# Output as json
stashbase scan changes --json

# Using baseline file
stashbase scan changes --baseline baseline.json

# Using config file
stashbase scan changes --config config.yaml

# Exclude files
stashbase scan changes --exclude-files "*.js" "*.ts"

Unpushed

Use this command to scan unpushed commits in your local git repository for secrets. The alias for this command is scan pre-push.

stashbase scan unpushed [OPTIONS]

Options

Prop | Type

Examples

# Output as json
stashbase scan unpushed --json

# Scan all unpushed commits
stashbase scan unpushed

# Using baseline file
stashbase scan unpushed --baseline baseline.json

# Using config file
stashbase scan unpushed --config config.yaml

# Exclude files
stashbase scan unpushed --exclude-files "*.js" "*.ts"

# Scan only the last 5 unpushed commits
stashbase scan unpushed --last 5

Install

Install a scan hook block into a git hook file.

stashbase scan install <hook>

Options

Prop | Type

Examples

# Install into default pre-commit hook
stashbase scan install pre-commit

# Install into default pre-push hook
stashbase scan install pre-push

# Install into a custom Husky hook file
stashbase scan install pre-commit --file .husky/pre-commit
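The following is an added example, not the page's or Stashbase's own hook code: a hand-written POSIX sh git hook that ties the config auto-discovery described above to the pre-commit and pre-push hooks that scan install targets. It maps the hook name to the scan subcommand (pre-commit to staged, pre-push to unpushed), looks for stashbase-scan.yaml at the repository root exactly as the auto-discovery section documents, and otherwise falls back to an explicit -c path. It assumes stashbase exits non-zero when a secret is found so that git aborts the commit or push; the STASHBASE and STASHBASE_SCAN_CONFIG environment variables are this script's own conventions, not Stashbase options.

```shell
#!/bin/sh
# Added example hook (not Stashbase's generated hook block).
# Assumption: "stashbase scan ..." exits non-zero when it finds a secret,
# which makes git abort the commit or push when this hook fails.

# Binary to run; overridable so the functions can be exercised without
# a real installation (this variable is our own, not a Stashbase option).
STASHBASE="${STASHBASE:-stashbase}"

# Map a git hook name to the scan subcommand documented for it.
scan_command_for_hook() {
  case "$1" in
    pre-commit) echo "staged" ;;
    pre-push)   echo "unpushed" ;;
    *)          return 1 ;;
  esac
}

# Resolve the config file the same way the documented auto-discovery does:
# an explicit override wins, otherwise stashbase-scan.yaml at the repo root.
# Prints nothing and returns 1 when neither exists (stashbase then runs
# with its defaults).
resolve_scan_config() {
  repo_root="$1"
  override="$2"
  if [ -n "$override" ]; then
    echo "$override"
    return 0
  fi
  if [ -f "$repo_root/stashbase-scan.yaml" ]; then
    echo "$repo_root/stashbase-scan.yaml"
    return 0
  fi
  return 1
}

# Run the scan for the given hook; the exit status of stashbase becomes
# the exit status of the hook, so findings block the git operation.
run_scan_hook() {
  hook="$1"
  repo_root="$2"
  override="$3"
  cmd=$(scan_command_for_hook "$hook") || {
    echo "run_scan_hook: unsupported hook '$hook'" >&2
    return 2
  }
  if cfg=$(resolve_scan_config "$repo_root" "$override"); then
    "$STASHBASE" scan "$cmd" -c "$cfg"
  else
    "$STASHBASE" scan "$cmd"
  fi
}

# Entry point: git invokes the file as .git/hooks/pre-commit or pre-push.
# When the file is loaded under any other name, only the functions above
# are defined, so nothing runs.
case "$(basename "$0")" in
  pre-commit|pre-push)
    run_scan_hook "$(basename "$0")" \
      "$(git rev-parse --show-toplevel)" \
      "${STASHBASE_SCAN_CONFIG:-}"
    ;;
esac
```

Copy the script to .git/hooks/pre-commit and .git/hooks/pre-push (or reference it from a Husky hook file) and make it executable; set STASHBASE_SCAN_CONFIG to point at a config outside the repository root when the auto-discovered location does not suit the project.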

Uninstall

Uninstall a scan hook block from a git hook file.

stashbase scan uninstall <hook>

Options

Prop | Type

Examples

# Uninstall from default pre-commit hook
stashbase scan uninstall pre-commit

# Uninstall from default pre-push hook
stashbase scan uninstall pre-push

# Uninstall from a custom Husky hook file
stashbase scan uninstall pre-push --file .husky/pre-push

Config

Manage scan config files.

stashbase scan config <COMMAND>

Commands

  • init creates a starter scan config file.
  • validate validates a scan config file.

Init

Create a starter scan config file.

stashbase scan config init [OPTIONS]

Options

Prop | Type

Examples

# Create config in default location
stashbase scan config init

# Create config at a custom path
stashbase scan config init --file .stashbase/scan.yaml

# Overwrite existing config
stashbase scan config init --force

Validate

Validate a scan config file.

stashbase scan config validate [OPTIONS]

Options

Prop | Type

Examples

# Validate default config
stashbase scan config validate

# Validate a specific config file
stashbase scan config validate --config .stashbase/scan.yaml

Learn more about scans in the Scans docs.