How to Exclude Test Fixtures From Secret Scanning
Fixtures full of fake keys generate noise; a narrow path exclusion quiets them without blinding the scanner elsewhere.
Add a scoped paths allowlist for fixture directories only. Keep the exclusion as specific as possible so a real secret committed outside those paths is still caught.
Steps
- Confirm the directory holds only intentionally fake values.
- Add a narrow
pathsallowlist for exactly that directory. - Re-run the scan to confirm real paths are still covered.
Config
.gitleaks.toml
[allowlist]
description = "Fake keys used only in test fixtures"
paths = [
'''(^|/)tests/fixtures/.*''',
'''(^|/)__fixtures__/.*''',
]Gotchas
- A broad pattern like
tests/.*can hide a real key a developer drops into a test by mistake. - Fake keys should still be structurally invalid; a real-looking test key can itself be a live secret.
Related guides
How to Allowlist Secret Scan False Positives SafelySuppress confirmed false positives in a secret scanner with a scoped allowlist that requires a justification…
How to Measure a Secret Scanner False Positive RateTrack a secret scanner false positive rate by labeling triaged findings as real or noise, then computing the…