Client-side secret detection
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
When you create an issue, propose a merge request, or write a comment, you might accidentally post a secret. For example, you might paste in the details of an API request or an environment variable that contains an authentication token. If a secret is leaked it could be used to do harm.
Client-side secret detection helps to minimize the risk of that happening. When you edit the description or comment in an issue or merge request, GitLab checks if it contains a secret. If a secret is found, a warning message is displayed. You can then edit the description or comment to remove the secret before posting your message, or add the description or comment as it is. This check occurs in your browser, so the secret is not revealed to anyone else unless you add it to GitLab. The check is always on; you don’t have to set it up.
Client-side secret detection checks only the following for secrets:
- Comments in issues or merge requests.
- Descriptions of issues or merge requests.
For details of which types of secrets are covered by client-side secret detection, see Detected secrets.
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support