Configuration - Secrets
Ignore Secrets
You can stop specific secrets from being reported as findings by adding them to the ignore list under secrets.ignore.
secrets:
  ignore:
    - value: my-aws-key
      reason: this aws key has been rotated by john smith

Ignore fields:

value - The secret value to ignore.
reason - The reason for ignoring the secret.
expiry - The date on which the ignore rule stops applying. The format is YYYY-MM-DD.
pattern - A pattern to match against the secret. It can be a regex pattern or a plain substring.
sha256 - The SHA256 hash of the secret value, matched against the hash of each detected secret. Use this instead of value when you do not want the plaintext secret stored in the configuration file.
repositories - A list of repositories the ignore rule applies to. The format is owner/repo.
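The matcher below is an added Python example, not code from this page or from the scanner itself. It models the documented ignore fields so you can check what a given ignore list would suppress before committing it. Because the page does not state how the fields combine, the following are assumptions: every matching field present in a rule (value, pattern, sha256) must match and a rule with none of them matches nothing; pattern is tried as a regex and falls back to a plain substring if it does not compile; an expired rule is skipped; a rule without repositories applies everywhere. The sample config, repository names and the check() helper are constructed for illustration.

```python
"""Reference matcher for the secrets.ignore rules described above.

Added example, not the scanner's own code. Assumptions (not documented):
  * every matching field present in a rule (value, pattern, sha256) must
    match; a rule with none of them matches nothing;
  * pattern is tried as a regex first and used as a plain substring if it
    does not compile;
  * an expired rule is skipped entirely; a rule without repositories
    applies to every repository.
"""
import hashlib
import re
from datetime import date


def pattern_matches(pattern: str, secret: str) -> bool:
    """pattern may be a regex or a plain substring (see assumptions)."""
    try:
        return re.search(pattern, secret) is not None
    except re.error:
        return pattern in secret


def rule_matches(rule: dict, secret: str, repo: str, today: date) -> bool:
    """True if this single ignore rule suppresses `secret` found in `repo`."""
    expiry = rule.get("expiry")
    if expiry and today > date.fromisoformat(expiry):
        return False                      # rule has expired
    repos = rule.get("repositories")
    if repos and repo not in repos:
        return False                      # rule scoped to other owner/repo
    checks = []
    if "value" in rule:
        checks.append(rule["value"] == secret)
    if "sha256" in rule:
        digest = hashlib.sha256(secret.encode()).hexdigest()
        checks.append(digest == rule["sha256"].lower())
    if "pattern" in rule:
        checks.append(pattern_matches(rule["pattern"], secret))
    return bool(checks) and all(checks)


def is_ignored(secrets_cfg: dict, secret: str, repo: str, today: date) -> bool:
    """True if any rule under secrets.ignore suppresses the finding."""
    return any(rule_matches(r, secret, repo, today)
               for r in secrets_cfg.get("ignore", []))


# Constructed sample config (hypothetical values, not real credentials).
ROTATED_TOKEN = "example-rotated-token-0001"
SAMPLE_SECRETS_CFG = {
    "ignore": [
        {"value": "my-aws-key",
         "reason": "this aws key has been rotated by john smith"},
        # sha256 keeps the plaintext out of the config file.
        {"sha256": hashlib.sha256(ROTATED_TOKEN.encode()).hexdigest(),
         "reason": "rotated; hash only so the value is not stored here",
         "expiry": "2024-12-31"},
        {"pattern": r"^sk_test_[0-9a-z]+$",
         "reason": "test-mode keys in the payments repo are not live",
         "repositories": ["acme/payments"]},
        {"reason": "a rule with no value/pattern/sha256 ignores nothing"},
    ]
}


def check(secret: str, repo: str, today_iso: str) -> bool:
    """Convenience wrapper over the sample config; today_iso is YYYY-MM-DD."""
    return is_ignored(SAMPLE_SECRETS_CFG, secret, repo, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for secret, repo, day in [("my-aws-key", "acme/web", "2024-06-01"),
                              (ROTATED_TOKEN, "acme/web", "2024-06-01"),
                              (ROTATED_TOKEN, "acme/web", "2025-01-01"),
                              ("sk_test_abc123", "acme/payments", "2024-06-01"),
                              ("sk_test_abc123", "acme/web", "2024-06-01")]:
        print(f"{secret!r} in {repo} on {day}: ignored={check(secret, repo, day)}")
```

Running it shows the rotated token being ignored up to and including its expiry date and reported again afterwards, and the sk_test_ pattern suppressing findings only in acme/payments. Whatever the real scanner does with a pattern that is both a valid regex and a literal substring, confirm the behaviour on a throwaway finding before relying on it.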
Custom Rules
You can define custom rules to match secrets. custom_patterns is a map from custom rule ID to rule definition. The only required field is secret_regex.
secrets:
  custom_patterns:
    my-custom-rule-1:
      secret_regex: "mycustomregex"
    my-custom-rule-2:
      description: This is a custom rule for finding secrets in go files
      secret_regex: "mysecret[0-9]+"
      secret_regex_group: 0
      entropy: 4.0
      path_regex: ".*"
      keywords: [ "package", "func" ] # only go files

Custom rule fields:

description - A description of the custom rule.
secret_regex - A regex pattern that matches the secret.
secret_regex_group - The capture group in secret_regex that contains the secret. Defaults to 0 (the whole match).
entropy - The minimum entropy a matched secret must have to be reported. Defaults to 0 (no entropy filtering).
path_regex - A regex pattern the file path must match. Defaults to .*.
keywords - A list of keywords to match against the file content, used to limit which files the rule is applied to (the example above restricts the rule to Go files). Defaults to [].
A repository config can replace the global custom rules entirely by setting custom_patterns_override_global to true. Otherwise the repository config is merged with the global configuration, and where both define a custom rule with the same ID the repository's rule takes precedence.
secrets:
  custom_patterns_override_global: true
  custom_patterns:
    my-custom-rule-1:
      secret_regex: "mycustomregex"
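The following is an added Python example, not the scanner's own code, covering both the custom rule fields listed above and the merge/override behaviour of a repository config. It shows how each field gates a match and what the merged rule set looks like with and without custom_patterns_override_global. Since the page does not define them, these are assumptions: entropy is Shannon entropy in bits per character of the captured secret; keywords act as a pre-filter, so a file containing none of them is skipped; path_regex is applied with a search against the path; and a repository rule with the same ID replaces the global rule wholesale. The configs, file paths and file contents are constructed for illustration.

```python
"""Added example (not the scanner's own code) of how the custom rule fields
gate a match and how a repository config combines with the global one.

Assumptions, because the page does not spell them out:
  * entropy is Shannon entropy (bits per character) of the captured secret;
  * keywords are a pre-filter: a file containing none of them is skipped;
  * path_regex is applied with re.search to the file path;
  * a repository rule with the same ID replaces the global rule wholesale.
"""
import math
import re

RULE_DEFAULTS = {"secret_regex_group": 0, "entropy": 0.0,
                 "path_regex": ".*", "keywords": []}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the characters of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def merge_custom_patterns(global_cfg: dict, repo_cfg: dict) -> dict:
    """Combine secrets.custom_patterns from the global and repository configs."""
    repo_rules = repo_cfg.get("custom_patterns", {})
    if repo_cfg.get("custom_patterns_override_global", False):
        return dict(repo_rules)                 # global rules discarded
    merged = dict(global_cfg.get("custom_patterns", {}))
    merged.update(repo_rules)                   # same ID: repo rule wins
    return merged


def scan_file(rules: dict, path: str, content: str) -> list:
    """Return (rule_id, secret) for every match that passes all gates."""
    findings = []
    for rule_id, rule in rules.items():
        rule = {**RULE_DEFAULTS, **rule}
        if "secret_regex" not in rule:
            continue                            # required field missing
        if not re.search(rule["path_regex"], path):
            continue
        if rule["keywords"] and not any(k in content for k in rule["keywords"]):
            continue
        for m in re.finditer(rule["secret_regex"], content):
            secret = m.group(rule["secret_regex_group"])
            if shannon_entropy(secret) < rule["entropy"]:
                continue                        # too uniform to be a secret
            findings.append((rule_id, secret))
    return findings


# Constructed configs mirroring the page's examples.
GLOBAL_CONFIG = {
    "custom_patterns": {
        "my-custom-rule-1": {"secret_regex": "mycustomregex"},
        "my-custom-rule-2": {
            "description": "This is a custom rule for finding secrets in go files",
            "secret_regex": "mysecret[0-9]+",
            "secret_regex_group": 0,
            "entropy": 4.0,
            "path_regex": ".*",
            "keywords": ["package", "func"],   # only go files
        },
    }
}
REPO_CONFIG = {
    "custom_patterns": {
        # Same ID as the global rule: narrows it to .env files in this repo.
        "my-custom-rule-1": {"secret_regex": "mycustomregex", "path_regex": r"\.env$"},
    }
}

# Constructed sample file (hypothetical values, not real secrets).
GO_FILE = """package main

func main() {
    token := "mysecret1234567890"  // high entropy: reported
    weak := "mysecret1"            // low entropy: dropped by entropy: 4.0
}
"""

if __name__ == "__main__":
    rules = merge_custom_patterns(GLOBAL_CONFIG, REPO_CONFIG)
    print(scan_file(rules, "cmd/main.go", GO_FILE))
```

With the merged rule set, the Go file yields a single finding from my-custom-rule-2 (the short "mysecret1" falls below the 4.0 entropy floor), and my-custom-rule-1 now fires only on .env paths because the repository's definition replaced the global one. Setting custom_patterns_override_global to true drops my-custom-rule-2 altogether, which is easy to do by accident when a repository config was only meant to add a rule.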