The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

How to Enable GitLab Secret Detection

Enable GitLab Secret Detection on your project to identify secrets committed to your repository.
For more information, see Secret Detection practice

.

Configure your pipeline

Add the following to your .gitlab-ci.yml and push to your repository:

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml
Tip

To avoid cloning the repository locally, GitLab can generate this change for you. Requires Maintainer role. Go to Secure > Security configuration , find the Pipeline secret detection row, and select Configure with a merge request .

Extend the detection ruleset

This feature requires GitLab Ultimate — the version delivered on this platform.

To add custom secret patterns to the detection ruleset:

  1. Create a .gitlab/ directory at the root of your repository if it does not already exist.
  2. Create a file named secret-detection-ruleset.toml in this directory.
  3. Add your custom rules:
[extend]
path = "/gitleaks.toml"

[[rules]]
description = "My custom API Key"
id = "my-custom-api-key"
keywords = ["apikey", "api_key"]
regex = "(some-regex-for-this-rule)(?i)[a-z0-9]{32}"

Enable Secret Push Protection

Secret Push Protection blocks commits containing secrets before they reach the repository.

Requires GitLab Ultimate. Secret Detection must be enabled on your project first.
  1. Navigate to your project’s repository:

    • In the left sidebar, go to Secure > Security configuration .
  2. Enable Secret Push Protection:

    • Find the Secret Push Protection toggle and switch it on.
  3. (Optional) Add exclusions:

    • Select the configuration icon to add exclusions based on paths, raw values, or specific rules.

To verify, try pushing a file containing a dummy secret — GitLab should block the push if the feature is configured correctly.

spp-enable