Secret detection exclusions

Tier: Ultimate. Offering: GitLab.com, Self-managed, GitLab Dedicated. Status: Experiment.
The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.

Secret detection may detect something that’s not actually a secret. For example, if you use a fake value as a placeholder in your code, it might be detected and possibly blocked.

To avoid false positives, define a secret detection exclusion. A secret detection exclusion defines a path, a raw value, or a rule from the default ruleset to exclude from secret detection. You can define multiple exclusions of each type for a project.

In the first iteration of this feature:

For an overview, see Secret Detection Exclusions - Demonstration.

Add an exclusion

Define an exclusion to avoid false positives from secret detection.

Note the following before defining an exclusion:

  • The maximum number of path-based exclusions per project is 10.
  • The maximum depth for path-based exclusions is 20.
  • Glob patterns are interpreted with Ruby’s File.fnmatch with the flags File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB.
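Because a path exclusion removes files from secret detection, check what a glob matches before you add it. The following Ruby script is an added example, not GitLab's implementation: it applies File.fnmatch with the flags listed above to a constructed file list and checks the two limits. The helper names, the sample paths, and the definition of depth as the number of "/"-separated pattern segments are assumptions.

```ruby
# Added example: preview what a set of path exclusions would cover.
# Flags are the ones this page lists for File.fnmatch.
FLAGS = File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB
MAX_PATH_EXCLUSIONS = 10 # per-project limit stated on this page
MAX_DEPTH = 20           # depth limit stated on this page

# Assumption: "depth" means the number of "/"-separated pattern segments.
def pattern_depth(pattern)
  pattern.split('/').reject(&:empty?).size
end

# Returns a list of human-readable limit violations (empty when none).
def limit_errors(patterns)
  errors = []
  if patterns.size > MAX_PATH_EXCLUSIONS
    errors << "#{patterns.size} path exclusions exceed the limit of #{MAX_PATH_EXCLUSIONS}"
  end
  patterns.each do |pattern|
    depth = pattern_depth(pattern)
    errors << "#{pattern}: depth #{depth} exceeds #{MAX_DEPTH}" if depth > MAX_DEPTH
  end
  errors
end

# Maps each path that would be skipped to the patterns that match it.
def excluded_paths(patterns, paths)
  paths.each_with_object({}) do |path, hits|
    matched = patterns.select { |pattern| File.fnmatch(pattern, path, FLAGS) }
    hits[path] = matched unless matched.empty?
  end
end

# Constructed sample file list (not from a real project).
SAMPLE_PATHS = %w[
  spec/fixtures/fake_token.txt
  spec/fixtures/.env
  spec/fixtures/keys/id_rsa
  config/dev.yml
  config/test.yml
  config/prod.yml
].freeze

# FNM_DOTMATCH: "*" also covers .env. FNM_PATHNAME: "*" stops at "/",
# so keys/id_rsa stays scanned. FNM_EXTGLOB: braces pick dev and test only.
candidates = ['spec/fixtures/*', 'config/{dev,test}.yml']
puts limit_errors(candidates)
excluded_paths(candidates, SAMPLE_PATHS).each do |path, patterns|
  puts "#{path} <- #{patterns.join(', ')}"
end
```

To cover nested directories as well, a pattern needs `**/`, for example `spec/fixtures/**/*`.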

Prerequisites:

  • You must have the Maintainer role for the project.

To define an exclusion:

  1. In the left sidebar, select Search or go to and navigate to your project or group.
  2. Select Secure > Security configuration.
  3. Scroll down to Secret push protection.
  4. Turn on the Secret push protection toggle.
  5. Select Configure Secret Detection.
  6. Select Add exclusion to open the exclusion form.
  7. Enter the details of the exclusion, then select Add Exclusion.