The official documentation is the English version; this Japanese translation was produced with AI-assisted translation and is provided for reference only. Parts of the Japanese translation have not yet been reviewed by a human, so differences from the English version may arise depending on when the translation was made. For the latest and most accurate information, refer to the English version.

Secret false positive detection

  • Tier: Ultimate
  • Add-on: GitLab Duo Core, Pro, or Enterprise
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
  • Status: Beta

Secret false positive detection automatically analyzes secret detection findings to identify potential false positives. Dismissing findings that are likely not actual security risks reduces noise in your vulnerability report.

When a secret detection scan runs, GitLab Duo automatically analyzes each finding to determine the likelihood that it’s a false positive. Detection is available for all secret types detected by GitLab secret detection.

For each finding it analyzes, the GitLab Duo assessment includes:

  • Confidence score: A numerical score indicating the likelihood that the finding is a false positive.
  • Explanation: Reasons why the finding may or may not be a true positive.
  • Visual indicator: A badge in the vulnerability report that shows the assessment result.

Results are based on AI analysis and should be reviewed by security professionals. This feature requires GitLab Duo with an active subscription.

Running secret false positive detection

The flow runs automatically when all of the following conditions are met:

  • A secret detection scan completes successfully on the default branch.
  • The scan detects secrets.
  • GitLab Duo features are enabled for the project or group.

You can also manually trigger analysis for existing vulnerabilities:

  1. In the top bar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select the vulnerability you want to analyze.
  4. In the upper-right corner, select Check for false positive.