Denoise via Secret Keyword Filter

The Secret Keyword Filter reduces noise in secrets scanning. It lets workspace admins skip lines that contain known safe keywords before gitleaks evaluates them.


Use Cases

Use the Secret Keyword Filter when:

  • The same false positive appears across many files or repositories

  • The trigger is a stable string, such as a config key or variable name

  • You want a workspace-wide setting instead of per-line comments

Do not use it as a general allowlist replacement. It complements gitleaks allowlists. It does not replace them.

How to add Secret Keyword Filter

Step 1. Go to Settings > Advanced > Secret Keyword filter and click Manage.

Step 2. Add a keyword in the input field. You can add multiple keywords.

Step 3. Click Save and run a scan for the changes to apply.

Important notes

  • Minimum 5 characters: shorter keywords are rejected

  • Case-sensitive: MySecret and mysecret are different keywords

  • Next scan only: saved changes apply to future scans only

How matching works

This filter uses plain string matching. It is not a regex filter.

If a configured keyword appears anywhere on a line, that full line is excluded from secrets detection.

Example:

If EXAMPLE_TOKEN is in the keyword list, the first line is skipped. The second line is still scanned.

If the first line contained a real secret as well, that secret would also be skipped. The filter works at line level, not token level.
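The following simulation, added here as an illustration and not Aikido's or gitleaks' own code, shows the three properties described above on constructed sample lines: plain substring matching, case sensitivity, and line-level (not token-level) exclusion, including the 5-character minimum on keywords.

```python
"""Simulation of the Secret Keyword Filter's matching rules.
Constructed example; not the product's implementation."""

MIN_KEYWORD_LEN = 5  # keywords shorter than this are rejected


def validate_keywords(keywords):
    """Enforce the minimum keyword length before any matching happens."""
    too_short = [k for k in keywords if len(k) < MIN_KEYWORD_LEN]
    if too_short:
        raise ValueError(f"keywords shorter than {MIN_KEYWORD_LEN} chars: {too_short}")
    return list(keywords)


def split_by_keyword_filter(lines, keywords):
    """Return (skipped, scanned).

    A line containing any keyword as a plain, case-sensitive substring
    is skipped in full; every other line is passed on to secrets detection.
    No regex is involved.
    """
    keywords = validate_keywords(keywords)
    skipped, scanned = [], []
    for line in lines:
        if any(k in line for k in keywords):
            skipped.append(line)
        else:
            scanned.append(line)
    return skipped, scanned


# Constructed sample lines (values are placeholders, not real credentials).
# Line 2 shows case sensitivity: "example_token" does not match "EXAMPLE_TOKEN".
# Line 3 shows the line-level caveat: the keyword and a real-looking value share
# one line, so the value is never inspected.
SAMPLE_LINES = [
    'EXAMPLE_TOKEN = "placeholder-value"',
    'example_token = "placeholder-value"',
    'EXAMPLE_TOKEN = "placeholder"  # fallback: REAL_LOOKING_VALUE_HERE',
    'STRIPE_KEY = "real-looking-value"',
]

if __name__ == "__main__":
    skipped, scanned = split_by_keyword_filter(SAMPLE_LINES, ["EXAMPLE_TOKEN"])
    print("skipped (never scanned):", skipped)
    print("scanned by gitleaks:", scanned)
```

Run it with a keyword such as "auth" to see the length check reject it before any line is filtered.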

Best practices

  • Use specific keywords, not generic terms

  • Prefer stable identifiers like config keys or variable names

  • Add multiple casing variants when needed

  • Review matches carefully before saving

  • Re-scan after changes to confirm noise dropped without hiding real issues

Good candidates:

  • EXAMPLE_SENDGRID_KEY

  • dummyStripeSecret

  • integration_test_token

Poor candidates:

  • token

  • secret

  • auth

Alternative Suppression Methods

Use the Secret Keyword Filter for repeated, workspace-wide false positives.

Use code comments when you want to suppress a single known-safe line in code.

Use .aikido file exclusions when you want to exclude specific files or paths from scanning.
