Cartoon rock climber using proper security techniques while climbing a rock wall

Customizing the scope of secret scanning

Nicholas Liffen
Nicholas Liffen // Director, GitHub Advanced Security // GitHub

Sometimes, you might have a reason to commit a secret to a repository, such as when you want to provide a fake secret in documentation or in an example application. In these scenarios, you can quickly dismiss the alert and document the reasons. But there may be cases where you want to ignore a directory entirely to avoid creating false positive alerts at scale. For example, you might have a monolithic application with several integrations containing a file of dummy keys that could set off numerous false alerts to triage.

To do this, you just need to add a simple custom YAML configuration file to your repository and add a few lines to it. LinkedIn will provide some insights along the way.

In this guide, you will learn:

  • How to create a secret scanning configuration file

  • How to exclude files and folders from secret scanning

  • Best practices for deciding what to exclude and what not to

1. Create a secret scanning configuration file.

Enable secret scanning if you haven't already.

In the /.github/ directory of your Web Goat repository, select Add file and then Create new file.

Name the file secret_scanning.yml.

2. Edit the configuration file.

Paste the following into the file:

paths-ignore:
  - "docs/**"

This tells secret scanning to ignore everything in the docs directory. You can use this example file as a template to add the files and folders you’d like to exclude from your own repositories.

We use secret scanning on thousands ofrepositories across LinkedIn, but we don't have any exemptions set at the organization level. Instead, we enable developers to handle their own exemptions at the repository level. This empowers them to avoid unnecessary alerts in, for example, unit testing folders or third-party packages that wouldn't include any LinkedIn secrets, without the need to wait for security to implement changes. 

We do, however, encourage developers to communicate with our security team about what they exclude.

The best practices we recommend include:

- Minimize the number of directories excluded.

- Be as precise as possible when defining exclusions.

- Explain why a particular file or folder is excluded in a comment in the YAML file.

- Inform the security team what files and folders you've excluded, and why.

- Review the YAML file on a regular basis.

Aashna Sethi
Aashna Sethi // Information Security Engineer // LinkedIn

3. Verify that the folder is excluded from secret scanning.

Open the repository's readme.md file from the docs directory.

Paste the following pre-invalidated Azure DevOps PAT anywhere in the file:

pfnm5xd56muu7srpsme5jxeiwo23vuyavuyo2msziwy34ca7oaha

You should be able to commit the change with no warning from push protection.

On the repository's Security tab, select Secret scanning from the sidebar.

There should be no new alerts for the secret we just introduced into the readme.md file.

Up next: Customize your dependency review configuration

We’ve now covered the most common CodeQL and secret scanning customizations. In the next guide we’ll take a look at some common configuration tweaks for dependency review.