Secret detection exclusions - Gitlabhq

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Status: Experiment

Introduced as an experiment in GitLab 17.5 with a flag named secret_detection_project_level_exclusions. Enabled by default.
Feature flag secret_detection_project_level_exclusions removed in GitLab 17.7.

Secret detection may detect something that's not actually a secret. For example, if you use a fake value as a placeholder in your code, it might be detected and possibly blocked.

To avoid false positives and optimize performance, you can exclude from secret detection:

A path.
A raw value.
A rule from the default ruleset.

You can define multiple exclusions for a project.

Restrictions

The following restrictions apply:

Exclusions can only be defined for each project.
Exclusions apply only to secret push protection.
The maximum number of path-based exclusions per project is 10.
The maximum depth for path-based exclusions is 20.

<i class="fa-youtube-play" aria-hidden="true"></i> For an overview, see secret detection exclusions - demo.

Add an exclusion

Define an exclusion to avoid false positives from secret detection.

Prerequisites:

You must have the Security Manager, Maintainer or Owner role for the project.

To define an exclusion:

In the top bar, select Search or go to and find your project or group.
Select Secure > Security configuration.
Scroll down to Secret push protection.
Turn on the Secret push protection toggle.
Select Configure Secret Detection ({{< icon name="settings" >}}).
Select Add exclusion to open the exclusion form.
Enter the details of the exclusion, then select Add exclusion.

Path exclusions support glob patterns which are supported and interpreted with the Ruby method File.fnmatch with the flags File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB.

Rule exclusions support any of the IDs listed in the default ruleset. For example, gitlab_personal_access_token is the rule ID for GitLab personal access tokens.