Secret detection exclusions

DETAILS: Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated Status: Experiment

• Introduced as an experiment in GitLab 17.5 with a flag named secret_detection_project_level_exclusions. Enabled by default.

FLAG: The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.

Secret detection may detect something that's not actually a secret. For example, if you use a fake value as a placeholder in your code, it might be detected and possibly blocked.

To avoid false positives, define a secret detection exclusion. A secret detection exclusion defines a path, a raw value or a rule from the default ruleset to exclude from secret detection. You can define multiples of each type of exclusion for a project.

In the first iteration of this feature:

• Exclusions can only be defined for each project.
• Exclusions apply only to secret push protection.

Add an exclusion

Define an exclusion to avoid false positives from secret detection.

Note the following before defining an exclusion:

• The maximum number of path-based exclusions per project is 10.
• The maximum depth for path-based exclusions is 20.
• Glob patterns are interpreted with Ruby's File.fnmatch with the flags File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB.

Prerequisites:

• You must have the Maintainer role for the project.

To define an exclusion:

1. In the left sidebar, select Search or go to and navigate to your project or group.
2. Select Secure > Security configuration.
3. Scroll down to Secret push protection.
4. Turn on the Secret push protection toggle.
5. Select Configure Secret Detection ({settings}).
6. Select Add exclusion to open the exclusion form.
7. Enter the details of the exclusion, then select Add Exclusion.