Feature Request: GitLab-maintained SECRET_DETECTION_EXCLUDED_PATHS
Proposal
GitLab could maintain a default exclusion list for secret detection that automatically excludes third-party dependency directories, rather than requiring users to manually configure SECRET_DETECTION_EXCLUDED_PATHS.
Benefits
- Focus secret detection on user code where secrets are actually problematic
- Better user experience
- Performance improvement: Skip scanning large dependency directories
- Reduced false positives
Problem Statement
Currently, GitLab's secret detection scanner also runs on third-party dependencies (for example, node_modules/@aws-sdk), which creates unnecessary noise and false positives. Secret detection should focus only on user-authored source code.
This results in vulnerabilities like:
Current Workaround
Users must manually configure exclusions:
variables:
  SECRET_DETECTION_EXCLUDED_PATHS: "node_modules/@aws-sdk,vendor/,site-packages/"
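To show what that exclusion list does to a set of findings, here is an added example (not GitLab's analyzer code and not part of this issue) that models the documented behaviour of SECRET_DETECTION_EXCLUDED_PATHS: a comma-separated list of patterns, each a glob or a file/folder path, where a pattern that matches a directory also covers everything beneath it. It assumes paths are relative to the repository root and uses constructed sample findings.

```python
"""Filter secret-detection findings by an excluded-paths list.

Constructed example, not GitLab's analyzer code: it models the documented
semantics of SECRET_DETECTION_EXCLUDED_PATHS (comma-separated patterns, each a
glob or a file/folder path; a pattern matching a directory also covers every
file under it). Paths are assumed to be relative to the repository root.
"""
from fnmatch import fnmatch
from pathlib import PurePosixPath


def parse_excluded_paths(value: str) -> list[str]:
    """Split the CI variable value into normalised patterns (no trailing '/')."""
    return [p.strip().strip("/") for p in value.split(",") if p.strip()]


def is_excluded(file_path: str, patterns: list[str]) -> bool:
    """True if the finding's file, or any of its parent directories, matches a pattern."""
    path = PurePosixPath(file_path)
    candidates = {str(path)} | {str(p) for p in path.parents if str(p) != "."}
    for pat in patterns:
        # Plain folder/file path, or a glob: test the file and every parent directory.
        if pat in candidates or any(fnmatch(c, pat) for c in candidates):
            return True
    return False


def filter_findings(findings: list[dict], excluded: str) -> list[dict]:
    """Drop findings whose file is covered by the exclusion list; keep the rest."""
    patterns = parse_excluded_paths(excluded)
    return [f for f in findings if not is_excluded(f["file"], patterns)]


# Constructed sample findings: two inside vendored dependencies, one in user code.
SAMPLE_FINDINGS = [
    {"file": "node_modules/@aws-sdk/client-s3/dist/index.js", "rule": "AWS access key"},
    {"file": "vendor/lib/example.rb", "rule": "Generic secret"},
    {"file": "src/config/settings.py", "rule": "AWS access key"},
]

# The exclusion list from the workaround above.
EXCLUDED = "node_modules/@aws-sdk,vendor/,site-packages/"

if __name__ == "__main__":
    # Only the finding in user code (src/) survives the filter.
    for f in filter_findings(SAMPLE_FINDINGS, EXCLUDED):
        print(f"{f['file']}: {f['rule']}")
```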
