
Secret detection exclusions

DETAILS:

  • Tier: Ultimate
  • Offering: GitLab.com, Self-managed, GitLab Dedicated
  • Status: Experiment

FLAG: The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.

Secret detection may detect something that's not actually a secret. For example, if you use a fake value as a placeholder in your code, it might be detected and possibly blocked.

To avoid false positives, define a secret detection exclusion. A secret detection exclusion defines a path, a raw value, or a rule from the default ruleset to exclude from secret detection. You can define multiple exclusions of each type for a project.

In the first iteration of this feature:

For an overview, see Secret Detection Exclusions - Demonstration.

Add an exclusion

Define an exclusion to avoid false positives from secret detection.

Note the following before defining an exclusion:

  • The maximum number of path-based exclusions per project is 10.
  • The maximum depth for path-based exclusions is 20.
  • Glob patterns are interpreted with Ruby's File.fnmatch with the flags File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB.
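
How the three File.fnmatch flags above decide which paths an exclusion covers, as an added example (not GitLab's own code): it previews which paths each pattern would exclude from scanning. The paths, patterns and helper names are constructed for illustration, and only the documented limit of 10 path-based exclusions is checked, not the depth limit.

```ruby
# Added example, not GitLab code: preview which paths a set of path-based
# exclusions would hide from secret detection.

# Flags this page documents for interpreting path-based exclusions.
FNM_FLAGS = File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB
MAX_PATH_EXCLUSIONS = 10 # per-project limit stated on this page

# Returns { pattern => [paths that pattern matches] }.
def preview_exclusions(patterns, paths)
  if patterns.size > MAX_PATH_EXCLUSIONS
    raise ArgumentError, "#{patterns.size} path exclusions, limit is #{MAX_PATH_EXCLUSIONS}"
  end
  patterns.to_h do |pattern|
    [pattern, paths.select { |path| File.fnmatch(pattern, path, FNM_FLAGS) }]
  end
end

# Paths that no pattern matches, i.e. paths that are still scanned.
def still_scanned(patterns, paths)
  excluded = preview_exclusions(patterns, paths).values.flatten
  paths - excluded
end

# Constructed sample input (hypothetical repository paths).
SAMPLE_PATHS = %w[
  .env
  config/.env
  config/.secrets/prod.pem
  spec/keys.txt
  spec/fixtures/keys.txt
  test/fixtures/tokens.yml
  app/models/user.rb
].freeze

# Constructed patterns, one per flag behaviour worth checking.
SAMPLE_PATTERNS = [
  'spec/*',               # FNM_PATHNAME: "*" stops at "/", direct children only
  'spec/**/*',            # "**/" recurses into subdirectories
  '*',                    # FNM_DOTMATCH: top-level dotfiles such as .env match
  '**/*.pem',             # FNM_DOTMATCH: "**/" also descends into hidden directories
  '{test,spec}/**/*.yml'  # FNM_EXTGLOB: brace alternatives are expanded
].freeze

if __FILE__ == $PROGRAM_NAME
  preview_exclusions(SAMPLE_PATTERNS, SAMPLE_PATHS).each do |pattern, hits|
    puts "#{pattern.ljust(24)} -> #{hits.empty? ? '(nothing)' : hits.join(', ')}"
  end
end
```

Running the same preview over the output of git ls-files for the real project shows whether a pattern excludes more than the placeholder files it was written for.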

Prerequisites:

  • You must have the Maintainer role for the project.

To define an exclusion:

  1. In the left sidebar, select Search or go to and navigate to your project or group.
  2. Select Secure > Security configuration.
  3. Scroll down to Secret push protection.
  4. Turn on the Secret push protection toggle.
  5. Select Configure Secret Detection (settings icon).
  6. Select Add exclusion to open the exclusion form.
  7. Enter the details of the exclusion, then select Add Exclusion.