Scan
Command to scan your codebase for hard-coded secrets
The scan command uses AI to detect secrets within your codebase, helping to catch exposed credentials or sensitive data before they are committed or deployed.
stashbase scan <COMMAND> [OPTIONS]

Commands

staged (alias: pre-commit) scans staged files.
changes (alias: diff) scans working directory changes (staged + unstaged).
unpushed (alias: pre-push) scans commits not yet pushed to remote.
install installs a git hook block for automatic scan checks.
uninstall uninstalls a git hook block for scan checks.
config manages scan config files.
Config auto-discovery
stashbase automatically loads stashbase-scan.yaml from the Git repository root for these commands:
stashbase scan staged
stashbase scan changes
stashbase scan unpushed
You can still override this with an explicit config path:
stashbase scan staged -c ./path/to/custom-scan.yaml
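As an added illustration of the precedence described above (example code, not stashbase's own implementation), the POSIX shell functions below choose a config the same way: an explicit path wins; otherwise stashbase-scan.yaml at the Git repository root is used, with the root found by walking up from the starting directory until a .git entry appears. The function names and the scratch directory layout are assumptions of this example.

```shell
#!/bin/sh
# Example (not stashbase's code): resolve which scan config applies.
# Precedence: explicit path > stashbase-scan.yaml at the repo root > none.

# repo_root DIR
# Prints the nearest directory at or above DIR that contains a .git entry
# (a directory for a normal checkout, a file for worktrees/submodules).
repo_root() {
  dir=$(cd "$1" && pwd) || return 1
  while [ "$dir" != "/" ]; do
    if [ -e "$dir/.git" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    dir=$(dirname "$dir")
  done
  return 1
}

# resolve_scan_config EXPLICIT_PATH START_DIR
# Prints the config path to use, or returns 1 if none applies.
resolve_scan_config() {
  explicit=$1
  start=$2
  if [ -n "$explicit" ]; then
    # An explicit -c/--config path always overrides auto-discovery.
    printf '%s\n' "$explicit"
    return 0
  fi
  root=$(repo_root "$start") || return 1
  if [ -f "$root/stashbase-scan.yaml" ]; then
    printf '%s\n' "$root/stashbase-scan.yaml"
    return 0
  fi
  return 1
}

# Demo on a scratch layout constructed for this example (not a real repository).
demo=$(mktemp -d)
mkdir -p "$demo/repo/.git" "$demo/repo/src"
touch "$demo/repo/stashbase-scan.yaml"
resolve_scan_config "" "$demo/repo/src"                  # prints the repo-root config path
resolve_scan_config ./custom-scan.yaml "$demo/repo/src"  # prints ./custom-scan.yaml
rm -rf "$demo"
```

Running the script prints the auto-discovered path first and the explicit override second; in a directory that is not inside a repository, or whose repository root has no stashbase-scan.yaml, the function returns a non-zero status and prints nothing.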
Staged

Scan staged changes in your local git repository for secrets.
Alias for this command is scan pre-commit.
stashbase scan staged [OPTIONS]

Options

Prop    Type

Examples
# Output as json
stashbase scan staged --json
# Using baseline file
stashbase scan staged --baseline baseline.json
# Using config file
stashbase scan staged --config config.yaml
# Exclude files
stashbase scan staged --exclude-files "*.js" "*.ts"

Changes
Scan staged and unstaged changes in your local git repository for secrets.
Alias for this command is scan diff.
stashbase scan changes [OPTIONS]

Options

Prop    Type

Examples
# Output as json
stashbase scan changes --json
# Using baseline file
stashbase scan changes --baseline baseline.json
# Using config file
stashbase scan changes --config config.yaml
# Exclude files
stashbase scan changes --exclude-files "*.js" "*.ts"

Unpushed
Use this command to scan unpushed commits in your local git repository for secrets.
Alias for this command is scan pre-push.
stashbase scan unpushed [OPTIONS]

Options

Prop    Type

Examples
# Output as json
stashbase scan unpushed --json
# Scan all unpushed commits
stashbase scan unpushed
# Using baseline file
stashbase scan unpushed --baseline baseline.json
# Using config file
stashbase scan unpushed --config config.yaml
# Exclude files
stashbase scan unpushed --exclude-files "*.js" "*.ts"
# Scan only the last 5 unpushed commits
stashbase scan unpushed --last 5

Install
Install a scan hook block into a git hook file.
stashbase scan install <hook>

Options

Prop    Type

Examples
# Install into default pre-commit hook
stashbase scan install pre-commit
# Install into default pre-push hook
stashbase scan install pre-push
# Install into a custom Husky hook file
stashbase scan install pre-commit --file .husky/pre-commit

Uninstall
Uninstall a scan hook block from a git hook file.
stashbase scan uninstall <hook>

Options

Prop    Type

Examples
# Uninstall from default pre-commit hook
stashbase scan uninstall pre-commit
# Uninstall from default pre-push hook
stashbase scan uninstall pre-push
# Uninstall from a custom Husky hook file
stashbase scan uninstall pre-push --file .husky/pre-push
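The install and uninstall commands above add and remove a scan "hook block" inside a git hook file that may also carry other content, such as Husky's lines. As an added illustration (example code, not stashbase's own implementation), the POSIX shell script below shows how such a marker-delimited block can be inserted idempotently and removed without touching the rest of the hook. The marker text, the function names and the scratch hook file are assumptions of this example.

```shell
#!/bin/sh
# Example (not stashbase's code): manage a marker-delimited block in a hook file.
BLOCK_BEGIN="# >>> stashbase scan block >>>"   # assumed marker text
BLOCK_END="# <<< stashbase scan block <<<"     # assumed marker text

# install_hook_block FILE COMMAND
# Appends a block that runs COMMAND and fails the hook if it fails.
# Creates FILE with a shebang if it does not exist; a second call is a no-op.
install_hook_block() {
  file=$1
  cmd=$2
  if [ ! -f "$file" ]; then
    printf '#!/bin/sh\n' > "$file"
  fi
  if grep -qF "$BLOCK_BEGIN" "$file"; then
    return 0   # already installed; keep the file unchanged
  fi
  printf '%s\n%s || exit 1\n%s\n' "$BLOCK_BEGIN" "$cmd" "$BLOCK_END" >> "$file"
  chmod +x "$file"
}

# uninstall_hook_block FILE
# Removes only the lines from BLOCK_BEGIN to BLOCK_END (inclusive);
# everything else in the hook file is preserved.
uninstall_hook_block() {
  file=$1
  tmp=$(mktemp)
  awk -v b="$BLOCK_BEGIN" -v e="$BLOCK_END" '
    $0 == b { skip = 1; next }
    $0 == e { skip = 0; next }
    !skip   { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write in place so the file's mode is kept
  rm -f "$tmp"
}

# hook_block_present FILE -> exit status 0 if the block is installed
hook_block_present() {
  grep -qF "$BLOCK_BEGIN" "$1"
}

# Demo on a scratch hook file constructed for this example (not a real repository).
demo_dir=$(mktemp -d)
hook="$demo_dir/pre-commit"
printf '#!/bin/sh\n. "$(dirname "$0")/_/husky.sh"\nnpm test\n' > "$hook"
install_hook_block "$hook" "stashbase scan staged"
install_hook_block "$hook" "stashbase scan staged"   # idempotent: no duplicate block
cat "$hook"
uninstall_hook_block "$hook"
cat "$hook"                                          # original Husky content only
rm -rf "$demo_dir"
```

The `|| exit 1` inside the block is what makes a finding block the commit or push: a hook that merely runs the scanner and ignores its exit status provides no enforcement.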
Config

Manage scan config files.
stashbase scan config <COMMAND>

Commands

init creates a starter scan config file.
validate validates a scan config file.
Init
Create a starter scan config file.
stashbase scan config init [OPTIONS]

Options

Prop    Type

Examples
# Create config in default location
stashbase scan config init
# Create config at a custom path
stashbase scan config init --file .stashbase/scan.yaml
# Overwrite existing config
stashbase scan config init --force

Validate
Validate a scan config file.
stashbase scan config validate [OPTIONS]

Options

Prop    Type

Examples
# Validate default config
stashbase scan config validate
# Validate a specific config file
stashbase scan config validate --config .stashbase/scan.yaml