Skip to content
Latchkey

How to Exclude Test Fixtures From Secret Scanning

Fixtures full of fake keys generate noise; a narrow path exclusion quiets them without blinding the scanner elsewhere.

Add a scoped paths allowlist for fixture directories only. Keep the exclusion as specific as possible so a real secret committed outside those paths is still caught.

Steps

  • Confirm the directory holds only intentionally fake values.
  • Add a narrow paths allowlist for exactly that directory.
  • Re-run the scan to confirm real paths are still covered.

Config

.gitleaks.toml
[allowlist]
description = "Fake keys used only in test fixtures"
paths = [
  '''(^|/)tests/fixtures/.*''',
  '''(^|/)__fixtures__/.*''',
]

Gotchas

  • A broad pattern like tests/.* can hide a real key a developer drops into a test by mistake.
  • Fake keys should still be structurally invalid; a real-looking test key can itself be a live secret.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →