Secret detection exclusions
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
- Status: Experiment
Secret detection can flag values that are not actually secrets. For example, a fake placeholder value in your code might be detected and the push blocked.
To avoid such false positives, you can exclude from secret detection:
- A path.
- A raw value.
- A rule from the default ruleset.
You can define multiple exclusions for a project.
Restrictions
The following restrictions apply:
- Exclusions can only be defined per project.
- Exclusions apply only to secret push protection; they do not affect pipeline secret detection.
- The maximum number of path-based exclusions per project is 10.
- The maximum path depth (nested directory levels in the pattern) for a path-based exclusion is 20.
For an overview, see Secret Detection Exclusions - Demo.
Add an exclusion
Define an exclusion to avoid false positives from secret detection.
Prerequisites:
- You must have at least the Maintainer role for the project.
To define an exclusion:
- In the left sidebar, select Search or go to and find your project.
- Select Secure > Security configuration.
- Scroll down to Secret push protection.
- Turn on the Secret push protection toggle.
- Select Configure Secret Detection.
- Select Add exclusion to open the exclusion form.
- Enter the details of the exclusion, then select Add exclusion.
Path exclusions support glob patterns, which are interpreted with the Ruby method `File.fnmatch` with the flags `File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB`. In practice this means `*` does not match `/` (use `**/` to cover nested directories), `*` does match files whose names start with a dot, and brace alternatives such as `{yml,yaml}` are expanded.
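Because a path exclusion silently removes matching files from push protection, it is worth dry-running a pattern before adding it. The following Ruby script is an added example, not GitLab's own code: it evaluates candidate patterns with the same `File.fnmatch` flags named above against a constructed list of repository paths, and checks a proposed set against the documented limits of 10 exclusions and depth 20. It assumes that GitLab matches patterns against paths relative to the repository root and that depth is counted as slash-separated pattern components; both are assumptions, not documented behaviour.

```ruby
# Added example, not GitLab code: dry-run candidate path exclusions locally
# with the File.fnmatch flags the documentation cites, so you can see which
# files a pattern would exclude before adding it in the UI.

# Flags named in the documentation.
EXCLUSION_FLAGS = File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB

# Documented per-project limits.
MAX_PATH_EXCLUSIONS = 10
MAX_PATH_DEPTH = 20

# Constructed sample of repository-relative paths (assumption: GitLab matches
# patterns against paths relative to the repository root).
SAMPLE_PATHS = [
  "spec/fixtures/fake_token.txt",
  "spec/fixtures/nested/credentials.json",
  "spec/.env.example",
  "docs/examples/keys.yml",
  "src/app.rb",
  ".gitlab-ci.yml",
].freeze

# True if +path+ would be excluded by +pattern+ under the documented flags.
def excluded?(pattern, path)
  File.fnmatch(pattern, path, EXCLUSION_FLAGS)
end

# Split +paths+ into [excluded, still_scanned] for one pattern.
def partition_paths(pattern, paths = SAMPLE_PATHS)
  paths.partition { |path| excluded?(pattern, path) }
end

# Depth of a pattern, counted as its non-empty slash-separated components
# (assumption: this is how the documented depth limit is measured).
def pattern_depth(pattern)
  pattern.split("/").reject(&:empty?).length
end

# Validate a proposed set of path exclusions against the documented limits and
# flag patterns that match nothing. Returns a list of problems; empty is good.
def validate_path_exclusions(patterns, paths = SAMPLE_PATHS)
  problems = []
  if patterns.length > MAX_PATH_EXCLUSIONS
    problems << "too many path exclusions: #{patterns.length} > #{MAX_PATH_EXCLUSIONS}"
  end
  patterns.each do |pattern|
    depth = pattern_depth(pattern)
    if depth > MAX_PATH_DEPTH
      problems << "pattern #{pattern.inspect} is #{depth} levels deep (max #{MAX_PATH_DEPTH})"
    end
    # A pattern that matches nothing usually means a typo, or forgetting that
    # FNM_PATHNAME stops "*" at "/" so "spec/*" does not reach "spec/a/b".
    if partition_paths(pattern, paths).first.empty?
      problems << "pattern #{pattern.inspect} matches no path in the repository"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  ["spec/*", "spec/**/*", "**/*.{yml,yaml}"].each do |pattern|
    excluded, _scanned = partition_paths(pattern)
    puts "#{pattern.ljust(18)} excludes: #{excluded.inspect}"
  end
  puts validate_path_exclusions(["spec/*", "spec/fixtures/*.sql"]).inspect
end
```

Run it against a real file list (for example the output of `git ls-files`) in place of `SAMPLE_PATHS` to see exactly which files a pattern would remove from push protection. Note that `spec/*` excludes only `spec/.env.example`, not the fixtures under `spec/fixtures/`, while `spec/**/*` covers the whole tree; choose the narrowest pattern that covers the known false positive.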
Rule exclusions support any of the IDs listed in the default ruleset. For example, `gitlab_personal_access_token` is the rule ID for GitLab personal access tokens. Excluding a rule disables that detector for every push to the project, so prefer a path or raw-value exclusion when the false positive is confined to a known file or placeholder value.