How to add custom secret detection rules
This guide covers how to add custom secret detection rules which will be used by all projects.
Warning
Be careful about adding rules which may result in a large number of false positives. Make any matching rules as specific as possible.
Use the gitleaks playground to experiment with rules. Ideally, set the entropy field in the rule so that low-entropy matches (placeholders, example values and the like) are dropped.
For example:
[[rules]]
id = "example-secret"
# gitleaks rules have no "title" field; the human-readable text goes in description.
description = "Example high-entropy Django SECRET_KEY in settings"
# keywords is a pre-filter: the regex only runs on content that contains one of
# them (case-insensitive), so a keyword must be something the regex itself requires.
keywords = ["secret_key"]
# Drop matches whose Shannon entropy is at or below 4 bits per character.
entropy = 4
regex = '''SECRET_KEY="[a-zA-Z0-9+/_-]{1,50}"'''
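To see what the keyword pre-filter and the entropy threshold actually do to this rule, the following added example (not code from this guide or from gitleaks) re-implements the two checks in simplified form and runs the rule over a constructed Django settings fragment containing one placeholder key and one random-looking key. The sample values are made up; the rule dict uses gitleaks' field names, and entropy is measured over the whole match because the rule sets no secretGroup, which is gitleaks' default behaviour.

```python
import math
import re

# Constructed sample of a Django settings file: a placeholder key and a
# random-looking key. Both values are invented for this example.
SAMPLE_SETTINGS = '''
DEBUG = False
SECRET_KEY="changeme"
SECRET_KEY="q7Wz2Kp9Xm4Rt1Yv6Lb3Nc8Hd5Jf0Gs_Ua-Ei+Ok"
'''

# The rule from this guide, written as a dict with gitleaks' field names.
RULE = {
    "id": "example-secret",
    "keywords": ["secret_key"],
    "entropy": 4.0,
    "regex": r'SECRET_KEY="[a-zA-Z0-9+/_-]{1,50}"',
    # 0 means "score the whole match"; gitleaks does the same when no
    # secretGroup is set on the rule.
    "secretGroup": 0,
}


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character, the measure gitleaks applies."""
    if not data:
        return 0.0
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def run_rule(rule: dict, fragment: str) -> list:
    """Apply one rule to a text fragment the way gitleaks does, simplified:
    keyword pre-filter, then regex, then the entropy cut-off on the secret.

    Returns a list of findings, each a dict with rule id, secret and entropy.
    """
    # Keyword pre-filter: when keywords are set, the regex is only evaluated
    # if at least one keyword occurs anywhere in the fragment (case-insensitive).
    if rule.get("keywords"):
        lowered = fragment.lower()
        if not any(k.lower() in lowered for k in rule["keywords"]):
            return []

    findings = []
    for match in re.finditer(rule["regex"], fragment):
        secret = match.group(rule.get("secretGroup", 0))
        entropy = shannon_entropy(secret)
        # gitleaks discards a match whose entropy is <= the configured threshold.
        if rule.get("entropy") and entropy <= rule["entropy"]:
            continue
        findings.append({"rule": rule["id"], "secret": secret, "entropy": round(entropy, 3)})
    return findings


if __name__ == "__main__":
    for finding in run_rule(RULE, SAMPLE_SETTINGS):
        print(finding)
```

Only the random-looking key survives: the placeholder's whole match scores just under 4 bits per character, and the placeholder value on its own scores 2.75. Running the same rule with keywords = ["password"] yields nothing on this sample, which is why a keyword must be a string the regex itself requires. Note also that the regex only matches the form SECRET_KEY="..." with no spaces around = and double quotes; Django's generated settings use SECRET_KEY = '...', so widen the pattern if that is the form you need to catch.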
You can test the rule before opening an MR by:
- Including the rules above in an inline ruleset.
- Temporarily adding the following to your .gitlab-ci.yml file:
include:
- template: Jobs/Secret-Detection.gitlab-ci.yml
When you push the branch, an additional secret detection job will run using your configuration.
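The guide does not show what the inline ruleset file looks like, so here is an added example (not a file from the ci-templates repo) of a .gitlab/secret-detection-ruleset.toml that carries the rule above as a raw passthrough. The file path, the [secrets] table and the passthrough keys (type, target, value) follow GitLab's custom ruleset mechanism; the description text is made up.

```toml
# .gitlab/secret-detection-ruleset.toml (constructed example, not a repo file)
[secrets]
  description = "Trial of the example-secret rule before opening an MR"

  # A "raw" passthrough targeting gitleaks.toml replaces the bundled
  # configuration (the default mode is overwrite), so only the rule under
  # test runs in the trial job.
  [[secrets.passthrough]]
    type   = "raw"
    target = "gitleaks.toml"
    value  = """
title = "trial gitleaks config"

[[rules]]
id = "example-secret"
description = "Example high-entropy Django SECRET_KEY in settings"
keywords = ["secret_key"]
entropy = 4
regex = '''SECRET_KEY="[a-zA-Z0-9+/_-]{1,50}"'''
"""
```

Commit this file together with the temporary include in .gitlab-ci.yml; the extra secret detection job then runs against the branch with only this rule, so any findings it reports are attributable to the rule you are evaluating. Remove the file and the include once you have what you need.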
Once you are happy with the rule, open an MR adding the custom rule configuration to configuration/secret-detection/gitleaks.toml in the ci-templates repo.
Summary
In this guide you learned how to add custom secret detection rules to the common set used by all DevOps projects.