Secret detection exclusions

Secret detection may detect something that’s not actually a secret. For example, if you use a fake value as a placeholder in your code, it might be detected and possibly blocked.

To avoid false positives, define a secret detection exclusion. A secret detection exclusion defines a path, a raw value or a rule from the default ruleset to exclude from secret detection. You can define multiples of each type of exclusion for a project.

In the first iteration of this feature:

• Exclusions can only be defined for each project.
• Exclusions apply only to secret push protection.

For an overview, see Secret Detection Exclusions - Demonstration.

Add an exclusion

Define an exclusion to avoid false positives from secret detection.

Note the following before defining an exclusion:

• The maximum number of path-based exclusions per project is 10.
• The maximum depth for path-based exclusions is 20.
• Glob patterns are interpreted with Ruby’s File.fnmatch with the flags File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB.

Prerequisites:

• You must have the Maintainer role for the project.

To define an exclusion:

1. In the left sidebar, select Search or go to and navigate to your project or group.
2. Select Secure > Security configuration.
3. Scroll down to Secret push protection.
4. Turn on the Secret push protection toggle.
5. Select Configure Secret Detection ( ).
6. Select Add exclusion to open the exclusion form.
7. Enter the details of the exclusion, then select Add Exclusion.