Configuration - Secrets

Ignore Secrets

You can stop specific secrets from being reported as findings by adding them to the ignore list under secrets.ignore.

secrets:
  ignore:
    - value: my-aws-key
      reason: this aws key has been rotated by john smith

Ignore fields:

  • value - The secret value to ignore

  • reason - The reason for ignoring the secret

  • expiry - The expiry date of the ignore rule. The format is YYYY-MM-DD.

  • pattern - The pattern to match against the secret. The pattern can be a regex pattern or a substring pattern.

  • sha256 - The SHA256 hash of the secret value. The hash of each finding's secret is compared against it, so the secret itself does not have to be written into the config.

  • repositories - A list of repositories to apply the ignore rule to. The format is owner/repo.
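The following is an added example, not part of this documentation page or the scanner's own code, showing how the ignore fields above can be evaluated against a finding. Where the page leaves semantics open, the code assumes: a rule with an expiry no longer suppresses findings after that date, a repositories list restricts the rule to those owner/repo names, and pattern is tried as a regex first and as a plain substring if it is not a valid regex. The config dict, the Finding class and the sample secrets are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Constructed config mirroring the YAML on this page, with expiry, sha256
# and repositories entries added to exercise every ignore field.
IGNORE_CONFIG = {
    "secrets": {
        "ignore": [
            {"value": "my-aws-key",
             "reason": "this aws key has been rotated by john smith"},
            {"pattern": r"^test-token-[0-9]+$",
             "reason": "test fixtures, not real credentials",
             "expiry": "2099-01-01"},
            # Hash-only entry: the plaintext never appears in the config.
            {"sha256": hashlib.sha256(b"hunter2").hexdigest(),
             "reason": "known dummy password in acme/website only",
             "repositories": ["acme/website"]},
        ]
    }
}


@dataclass
class Finding:
    """One reported secret (hypothetical shape, not the scanner's own)."""
    secret: str
    repository: str  # owner/repo


def rule_matches(rule, finding, today):
    # expiry: assumed to switch the rule off once the date has passed
    if "expiry" in rule and today > date.fromisoformat(rule["expiry"]):
        return False
    # repositories: assumed to scope the rule to the listed owner/repo names
    repos = rule.get("repositories")
    if repos and finding.repository not in repos:
        return False
    # selectors: at least one of value / sha256 / pattern must match
    if rule.get("value") == finding.secret:
        return True
    if "sha256" in rule:
        digest = hashlib.sha256(finding.secret.encode()).hexdigest()
        if digest == rule["sha256"].lower():
            return True
    pat = rule.get("pattern")
    if pat:
        try:
            if re.search(pat, finding.secret):
                return True
        except re.error:
            pass  # not a valid regex: fall back to substring matching
        if pat in finding.secret:
            return True
    return False


def is_ignored(config, finding, today=None):
    """Return the first matching ignore rule, or None if the finding stands."""
    today = today or date.today()
    for rule in config.get("secrets", {}).get("ignore", []):
        if rule_matches(rule, finding, today):
            return rule
    return None


def expired_rules(config, today=None):
    """Ignore rules whose expiry has passed; candidates for clean-up."""
    today = today or date.today()
    return [r for r in config.get("secrets", {}).get("ignore", [])
            if "expiry" in r and today > date.fromisoformat(r["expiry"])]


if __name__ == "__main__":
    for f in (Finding("my-aws-key", "acme/api"),
              Finding("hunter2", "acme/website"),
              Finding("hunter2", "acme/api")):
        hit = is_ignored(IGNORE_CONFIG, f, date(2024, 1, 1))
        print(f, "->", hit["reason"] if hit else "REPORTED")
```

Keeping the matching logic in a function that returns the rule (rather than a bare boolean) lets a report state why a finding was suppressed, and expired_rules gives a periodic check that ignore entries do not quietly outlive the rotation they were written for.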

Custom Rules

You can define custom rules that detect additional secrets. custom_patterns is a map from custom rule ID to rule definition. The only required field is secret_regex.

secrets:
  custom_patterns:
    my-custom-rule-1:
      secret_regex: "mycustomregex"
    my-custom-rule-2:
      description: This is a custom rule for finding secrets in go files
      secret_regex: "mysecret[0-9]+"
      secret_regex_group: 0
      entropy: 4.0
      path_regex: ".*"
      keywords: [ "package", "func" ] # only go files

Custom rule fields:

  • description - A description of the custom rule

  • secret_regex - A regex pattern to match against the secret

  • secret_regex_group - The group in the regex pattern that contains the secret. Defaults to 0.

  • entropy - The minimum entropy of the secret. Defaults to 0.

  • path_regex - A regex pattern to match against the file path. Defaults to .*.

  • keywords - A list of keywords to match against the file content. Defaults to [].

You can replace the entire global set of custom rules in a repository config file by setting custom_patterns_override_global to true. Otherwise the repository config is merged with the global configuration; if the repository config has a custom rule with the same ID as a global custom rule, the repository config takes precedence.

secrets:
  custom_patterns_override_global: true
  custom_patterns:
    my-custom-rule-1:
      secret_regex: "mycustomregex"
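The following is an added example, not code from this documentation page or from the scanner itself, covering both the custom rule fields listed above and the merge/override behaviour just described. It expresses the YAML examples as Python dicts, applies each rule field to a file (path_regex via a regex search on the path, keywords as "at least one keyword must appear in the content", entropy as Shannon entropy in bits per character; all three are assumed semantics), and merges a repository config into the global one. The sample file content and the repo-level rules are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed configs mirroring the two YAML blocks on this page.
GLOBAL_CONFIG = {
    "secrets": {
        "custom_patterns": {
            "my-custom-rule-1": {"secret_regex": "mycustomregex"},
            "my-custom-rule-2": {
                "description": "This is a custom rule for finding secrets in go files",
                "secret_regex": "mysecret[0-9]+",
                "secret_regex_group": 0,
                "entropy": 4.0,
                "path_regex": ".*",
                "keywords": ["package", "func"],  # only go files
            },
        }
    }
}

# Hypothetical repository config: overrides rule-1 and adds a repo-only rule.
REPO_CONFIG = {
    "secrets": {
        "custom_patterns_override_global": False,
        "custom_patterns": {
            "my-custom-rule-1": {"secret_regex": "repo-override-[a-z]+"},
            "repo-only-rule": {"secret_regex": "token_[0-9a-f]{8}"},
        },
    }
}


def shannon_entropy(s):
    """Shannon entropy in bits per character (assumed to be the 'entropy' metric)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def merge_custom_patterns(global_cfg, repo_cfg):
    """Apply the override/merge rule from the page to the custom_patterns maps."""
    global_rules = global_cfg.get("secrets", {}).get("custom_patterns", {})
    repo_secrets = repo_cfg.get("secrets", {})
    repo_rules = repo_secrets.get("custom_patterns", {})
    if repo_secrets.get("custom_patterns_override_global", False):
        return dict(repo_rules)           # global rules discarded entirely
    merged = dict(global_rules)
    merged.update(repo_rules)             # same ID: repository rule wins
    return merged


def scan_file(rules, path, content):
    """Return (rule_id, secret) pairs for every rule that fires on this file."""
    findings = []
    for rule_id, rule in rules.items():
        if not re.search(rule.get("path_regex", ".*"), path):
            continue
        keywords = rule.get("keywords", [])
        if keywords and not any(k in content for k in keywords):
            continue  # keyword gate: skip files that cannot be of the target kind
        group = rule.get("secret_regex_group", 0)
        min_entropy = rule.get("entropy", 0)
        for m in re.finditer(rule["secret_regex"], content):
            secret = m.group(group)
            if shannon_entropy(secret) < min_entropy:
                continue  # too low-entropy to be a real credential under this rule
            findings.append((rule_id, secret))
    return findings


# Constructed sample: a Go file with one high-entropy and one low-entropy match.
GO_SAMPLE = ('package main\n'
             'func main() {\n'
             '    k := "mysecret1234567890"\n'
             '    j := "mysecret1"\n'
             '}\n')

if __name__ == "__main__":
    rules = merge_custom_patterns(GLOBAL_CONFIG, REPO_CONFIG)
    print(sorted(rules))
    print(scan_file(rules, "cmd/main.go", GO_SAMPLE))
    print(scan_file(rules, "README.md", "mysecret1234567890"))
```

The README case shows the effect of the keywords field: the same string is not reported there because neither "package" nor "func" appears in the file, while in the Go file only the longer match clears the 4.0 entropy threshold.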
