Description:
We are using GitLab’s Secret Detection feature with the SECRET_DETECTION_EXCLUDED_PATHS CI/CD variable to exclude specific files and paths from being flagged as vulnerabilities. However, the exclusions are not being applied, and flagged vulnerabilities for excluded files continue to appear in the Secret Detection report.
Steps to Reproduce:
1. Added the following exclusions to the SECRET_DETECTION_EXCLUDED_PATHS CI/CD variable via Settings > CI/CD > Variables:
   Path/to/my/**, code/folders
2. Re-ran the pipeline to apply the updated configuration.
3. Despite the changes, the Secret Detection report still includes vulnerabilities from excluded files, such as:
   • File: Path/to/my/** (flagged as PKCS8 private key on line 1)
Expected Behavior:
Files and paths specified in the SECRET_DETECTION_EXCLUDED_PATHS variable should be excluded from the Secret Detection report.
Actual Behavior:
Exclusions are not applied, and vulnerabilities for excluded files are still reported.
Request:
Please investigate why the SECRET_DETECTION_EXCLUDED_PATHS variable and .gitleaksignore file are not excluding paths as expected. Guidance on resolving this issue or confirmation of a bug would be appreciated.
Let me know if you’d like to add any more specific details!