Secret detection exclusions
- Introduced as an experiment in GitLab 17.5 with a flag named secret_detection_project_level_exclusions. Enabled by default.
Secret detection may detect something that’s not actually a secret. For example, if you use a fake value as a placeholder in your code, it might be detected and possibly blocked.
To avoid false positives, define a secret detection exclusion. A secret detection exclusion defines a path, a raw value, or a rule from the default ruleset to exclude from secret detection. You can define more than one exclusion of each type for a project.
In the first iteration of this feature:
- Exclusions can only be defined for each project.
- Exclusions apply only to secret push protection.
For an overview, see Secret Detection Exclusions - Demonstration.
Add an exclusion
Define an exclusion to avoid false positives from secret detection.
Note the following before defining an exclusion:
- The maximum number of path-based exclusions per project is 10.
- The maximum depth for path-based exclusions is 20.
- Glob patterns are interpreted with Ruby’s File.fnmatch with the flags File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB.
Prerequisites:
- You must have the Maintainer role for the project.
To define an exclusion:
- In the left sidebar, select Search or go to and navigate to your project or group.
- Select Secure > Security configuration.
- Scroll down to Secret push protection.
- Turn on the Secret push protection toggle.
- Select Configure Secret Detection.
- Select Add exclusion to open the exclusion form.
- Enter the details of the exclusion, then select Add Exclusion.
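To preview which files a path exclusion would take out of secret push protection before you add it, the following added example (not GitLab's own code) evaluates candidate patterns with the same File.fnmatch flags listed in the notes above. The helper names, sample paths and sample patterns are constructed for illustration.

```ruby
# Flags and per-project limit as stated in the documentation above.
FNM_FLAGS = File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB
MAX_PATH_EXCLUSIONS = 10

# True when `pattern` matches `path` under the documented flags.
def excluded?(pattern, path)
  File.fnmatch(pattern, path, FNM_FLAGS)
end

# Maps each pattern to the paths it matches, so over-broad patterns stand out.
def preview_exclusions(patterns, paths)
  if patterns.size > MAX_PATH_EXCLUSIONS
    raise ArgumentError, "more than #{MAX_PATH_EXCLUSIONS} path exclusions"
  end
  patterns.to_h { |pat| [pat, paths.select { |p| excluded?(pat, p) }] }
end

# Paths that no pattern matches, that is, paths still checked on push.
def still_scanned(patterns, paths)
  paths.reject { |p| patterns.any? { |pat| excluded?(pat, p) } }
end

# Constructed sample repository paths (not from a real project).
SAMPLE_PATHS = %w[
  .env
  config/prod.env
  test/fixtures/fake_key.pem
  test/data/fake_key.pem
  test/data/nested/fake_key.pem
  .ci/fixtures/fake_key.pem
  src/app.rb
].freeze

SAMPLE_PATTERNS = [
  '*.env',                      # FNM_PATHNAME: "*" does not cross "/"
  '**/*.env',                   # "**/" matches zero or more directories
  'test/{fixtures,data}/*.pem', # FNM_EXTGLOB: brace alternatives
  '**/fixtures/*.pem'           # FNM_DOTMATCH: also descends into ".ci"
].freeze

if __FILE__ == $PROGRAM_NAME
  preview_exclusions(SAMPLE_PATTERNS, SAMPLE_PATHS).each do |pat, hits|
    puts "#{pat.ljust(30)} -> #{hits.join(', ')}"
  end
  puts "still scanned: #{still_scanned(SAMPLE_PATTERNS, SAMPLE_PATHS).join(', ')}"
end
```

Every path listed under a pattern would no longer be checked by push protection, so choose the narrowest pattern that still covers the placeholder files.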