How to Tune Entropy vs Regex Detection in a Secret Scanner
Regex catches known token shapes precisely; entropy catches unknown random strings but is noisier, so combine them.
Use regex rules for tokens with a fixed format, and add an entropy threshold on a rule to flag random-looking values regex would miss, tuning the threshold to control noise.
Steps
- Write regex rules for tokens with a known prefix or shape.
- Add an
entropyfloor to a generic rule for unknown secrets. - Raise the threshold if hashes and UUIDs cause false positives.
Config
.gitleaks.toml
[[rules]]
id = "generic-high-entropy"
description = "Generic high-entropy string"
regex = '''(?i)(secret|token|key)\s*[:=]\s*['"]?([a-z0-9/+]{32,})'''
entropy = 4.3
keywords = ["secret", "token", "key"]Gotchas
- A low entropy threshold flags git SHAs, base64 assets, and UUIDs as secrets.
- Entropy alone cannot verify liveness; confirm a flagged value before assuming it is a live credential.
Related guides
How to Add Custom Regex Rules to a Secret ScannerDetect organization-specific tokens by adding custom regex rules to a secret scanner such as Gitleaks, matchi…
How to Measure a Secret Scanner False Positive RateTrack a secret scanner false positive rate by labeling triaged findings as real or noise, then computing the…