Skip to content
Latchkey

How to Tune Entropy vs Regex Detection in a Secret Scanner

Regex catches known token shapes precisely; entropy catches unknown random strings but is noisier, so combine them.

Use regex rules for tokens with a fixed format, and add an entropy threshold on a rule to flag random-looking values regex would miss, tuning the threshold to control noise.

Steps

  • Write regex rules for tokens with a known prefix or shape.
  • Add an entropy floor to a generic rule for unknown secrets.
  • Raise the threshold if hashes and UUIDs cause false positives.

Config

.gitleaks.toml
[[rules]]
id = "generic-high-entropy"
description = "Generic high-entropy string"
regex = '''(?i)(secret|token|key)\s*[:=]\s*['"]?([a-z0-9/+]{32,})'''
entropy = 4.3
keywords = ["secret", "token", "key"]

Gotchas

  • A low entropy threshold flags git SHAs, base64 assets, and UUIDs as secrets.
  • Entropy alone cannot verify liveness; confirm a flagged value before assuming it is a live credential.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →