Secrets Configuration

Overview

Ignore Secrets

Allow-list specific secrets when you have rotated them or verified that they are safe to retain:

secrets:
  ignore:
    - value: my-aws-key
      reason: Rotated and stored in the secure vault
      expiry: "2024-09-30"

Supported fields:

  • value — Plain-text value to ignore (use sparingly).

  • sha256 — Hash of the secret value (preferred).

  • pattern — Regex or substring pattern to match.

  • reason — Human-readable justification.

  • expiry — ISO UTC timestamp when the exception should lapse.

  • repositories — Optional list of repositories (owner/name) that the rule applies to.
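The following script is an added illustration of how the ignore fields above can be evaluated against scanner findings; it is not the scanner's own code, and the matching semantics it implements are assumptions drawn from the field list (`value` is an exact match, `sha256` is the hex SHA-256 of the exact secret, `pattern` is a regex searched against the secret, `expiry` lapses the rule at that UTC instant with a bare date meaning midnight UTC, and `repositories` limits the rule to the listed owner/name repositories). The rules, findings and repository names are constructed sample data.

```python
"""Evaluate `secrets.ignore` rules against scanner findings (added example)."""
import hashlib
import re
from datetime import date, datetime, timezone

# Constructed rules mirroring the YAML `secrets.ignore` list.
IGNORE_RULES = [
    {"value": "my-aws-key",
     "reason": "Rotated and stored in the secure vault",
     "expiry": "2024-09-30"},
    # Preferred form: the config carries a hash, not the secret itself.
    {"sha256": hashlib.sha256(b"test-fixture-token-000").hexdigest(),
     "reason": "Constructed test fixture, never a live credential",
     "expiry": "2030-01-01T00:00:00Z"},
    {"pattern": r"^PLACEHOLDER_[A-Z0-9_]+$",
     "reason": "Template placeholders in the legacy app",
     "repositories": ["acme/legacy-app"]},
]

# Constructed findings as a scanner might report them.
FINDINGS = [
    {"repository": "acme/api", "path": "config/prod.yaml", "secret": "my-aws-key"},
    {"repository": "acme/api", "path": "tests/fixtures.py", "secret": "test-fixture-token-000"},
    {"repository": "acme/legacy-app", "path": "templates/db.conf", "secret": "PLACEHOLDER_DB_PASS"},
    {"repository": "acme/payments", "path": "templates/db.conf", "secret": "PLACEHOLDER_DB_PASS"},
    {"repository": "acme/api", "path": "src/client.py", "secret": "sk_live_constructed_value_42"},
]


def parse_expiry(text):
    """Parse a date ("YYYY-MM-DD") or ISO timestamp; the result is always UTC-aware."""
    if len(text) == 10:
        return datetime.combine(date.fromisoformat(text), datetime.min.time(), tzinfo=timezone.utc)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def rule_matches(rule, finding, now):
    """True if an active, in-scope rule matches the finding's secret (assumed semantics)."""
    repos = rule.get("repositories")
    if repos and finding["repository"] not in repos:
        return False
    expiry = rule.get("expiry")
    if expiry and now >= parse_expiry(expiry):
        return False  # lapsed: the exception no longer suppresses anything
    secret = finding["secret"]
    if "value" in rule:
        return secret == rule["value"]
    if "sha256" in rule:
        return hashlib.sha256(secret.encode()).hexdigest() == rule["sha256"].lower()
    if "pattern" in rule:
        return re.search(rule["pattern"], secret) is not None
    return False  # a rule without a matcher suppresses nothing


def filter_findings(findings, rules, now=None):
    """Split findings into (kept, ignored); ignored entries carry the rule's reason."""
    now = now or datetime.now(timezone.utc)
    kept, ignored = [], []
    for finding in findings:
        rule = next((r for r in rules if rule_matches(r, finding, now)), None)
        if rule is None:
            kept.append(finding)
        else:
            ignored.append((finding, rule.get("reason", "")))
    return kept, ignored


if __name__ == "__main__":
    for when in ("2024-06-01", "2024-10-01"):
        kept, ignored = filter_findings(FINDINGS, IGNORE_RULES, parse_expiry(when))
        print(f"{when}: {len(kept)} to triage, {len(ignored)} suppressed")
        for finding, reason in ignored:
            print(f"  suppressed {finding['path']} ({reason})")
```

Running it with the two sample dates shows the `expiry` field doing its job: before 30 September 2024 the `my-aws-key` finding is suppressed, afterwards it surfaces again for triage. The `sha256` form is preferred because the configuration file then never contains the secret itself, which matters when the file is committed to the same repository the scanner is watching.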

Custom Rules

Define bespoke detectors:

secrets:
  custom_patterns:
    my-custom-rule-1:
      secret_regex: "mycustomregex"
    my-custom-rule-2:
      description: Detects tokens issued by internal auth service
      secret_regex: "mysecret[0-9]+"
      secret_regex_group: 0
      entropy: 4.0
      path_regex: ".*"
      keywords: ["package", "func"]

Set custom_patterns_override_global: true in a repository configuration to replace the organisation defaults instead of merging with them.
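The script below is an added example of how custom rules of the documented shape can be applied to file contents; it is not the product's scanner, and the field semantics it uses are assumptions made for illustration: `secret_regex` is searched on every line, `secret_regex_group` selects the capture group holding the secret (0 is the whole match), `entropy` is a minimum Shannon entropy in bits per character, `path_regex` gates which paths the rule runs on, and `keywords` acts as a file-level pre-filter so the regex only runs on files containing at least one of the words. The first two rules mirror the YAML above; the third rule (`internal-token-env`), the sample files and the token values are constructed.

```python
"""Run `custom_patterns` detectors over file contents (added example)."""
import math
import re
from collections import Counter

# Constructed rules; the first two mirror the YAML above, the third is an
# assumed rule that uses a capture group.
CUSTOM_PATTERNS = {
    "my-custom-rule-1": {"secret_regex": "mycustomregex"},
    "my-custom-rule-2": {
        "description": "Detects tokens issued by internal auth service",
        "secret_regex": "mysecret[0-9]+",
        "secret_regex_group": 0,
        "entropy": 4.0,
        "path_regex": ".*",
        "keywords": ["package", "func"],
    },
    "internal-token-env": {
        "secret_regex": r"INTERNAL_TOKEN=([A-Za-z0-9]{24,})",
        "secret_regex_group": 1,
        "entropy": 3.5,
        "path_regex": r"\.(env|go)$",
    },
}

# Constructed file contents keyed by path.
SAMPLE_FILES = {
    "cmd/server/main.go": (
        "package main\n"
        "\n"
        'const apiKey = "mysecret0123456789" // varied suffix clears the 4.0-bit bar\n'
        'const weak = "mysecret111"           // repetitive suffix falls below it\n'
        "func main() {}\n"
    ),
    "deploy/.env": "INTERNAL_TOKEN=q7Zp3kL9mN2bV8xR4tY6wE1u\nTOOL=mycustomregex\n",
    "README.md": "Run mycustomregex to reproduce.\n",
}


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((n / length) * math.log2(n / length) for n in Counter(text).values())


def run_rule(name, rule, path, text):
    """Apply one custom rule to one file; returns a list of finding dicts."""
    if not re.search(rule.get("path_regex", ".*"), path):
        return []
    keywords = rule.get("keywords")
    if keywords and not any(word in text for word in keywords):
        return []  # cheap pre-filter: skip files that cannot contain this token type
    regex = re.compile(rule["secret_regex"])
    group = rule.get("secret_regex_group", 0)
    min_entropy = rule.get("entropy", 0.0)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in regex.finditer(line):
            candidate = match.group(group)
            if candidate is None or shannon_entropy(candidate) < min_entropy:
                continue  # below the entropy floor: too repetitive to be a real token
            hits.append({"rule": name, "path": path, "line": lineno, "secret": candidate})
    return hits


def scan(files, patterns):
    """Run every rule over every file and collect findings."""
    findings = []
    for path, text in files.items():
        for name, rule in patterns.items():
            findings.extend(run_rule(name, rule, path, text))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES, CUSTOM_PATTERNS):
        print(f"{hit['rule']:<20} {hit['path']}:{hit['line']}  {hit['secret']}")
```

Worth noting when tuning `entropy`: the threshold is measured on the captured group only, so a rule like `mysecret[0-9]+` with `entropy: 4.0` only fires when the digit suffix is long and varied (`mysecret0123456789` scores about 4.06 bits, `mysecret111` about 2.85) and the literal prefix drags the score down. Pointing `secret_regex_group` at the variable part, as the third rule does, keeps the entropy check focused on the token itself.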
