Skip to main content

Customize detection

Configure detectors#

Activate or deactivate detectors#

In your workspace settings, under the Secrets detection section, you can choose to deactivate detectors if you wish to.

When you deactivate a detector:

  • you will not receive a notification for incidents that this detector raises,
  • incidents for deactivated detectors will not be displayed in your dashboard. However, the detector will still detect and store such incidents shall you reactivate the detector later.

Secrets detectors list

Custom detectors#

It is not possible to customize the detectors provided with the GitGuardian library. However, you can create your own custom detectors using regular expressions. Please note that this feature is currently in beta and is only available for workspaces under our Business plan (or in Business trial).

  1. Navigate to Settings > Secrets Detection
  2. In the navigation bar, click Table of Detectors (or scroll down until you get there)
  3. Click Add a custom detector, a modal will open

Add a custom detector

  1. Enter the details for your new custom detector:
    • You must at least provide the name for your detector, and a set of examples for the format of your internal secret pattern.
    • If you have the regular expression for the desired pattern, please provide it.
    • You can provide additional information on the pattern, surrounding content or additional match requirements for the secret format you're after.

Add a custom detector - form

Once submitted, you will be able to track your custom secret detector request. Our engineering team will acknowledge the request and get in touch with you to validate the regular expression. Due to the nature of regular expressions and the potential for high volumes of alerts, it is important we review the results returned by your custom pattern to ensure precise and high fidelity alerts before deploying it to your workspace.

This feature is designed to help you detect secrets specific to your organization (e.g internal API tokens), all requests for detecting patterns like Personal Identifiable Information (PII) or Protected Health Information (PHI) will be rejected.

Requests in the submitted state can be edited or deleted. Requests in acknowledged or under implementation state however cannot be deleted.

Add a custom detector - ticket

Only Managers can create custom detector requests.

Please note that every workspace is only allowed to have 5 custom detector requests at a time. To place a new request, you will have to wait until one of your requests is accepted or rejected, or you can simply delete one of your submitted requests.

Exclude filepaths#

By scanning your entire git history, or simply due to your software development activity, you could have many incidents on your GitGuardian dashboard. Decreasing the number of incidents and focusing only on those that matter most is therefore key. This feature only applies to secrets incidents.


In your workspace settings, under the Secrets detection section, you can configure the filepaths you want to exclude from secrets detection. These excluded filepaths will be applied to all repositories monitored by GitGuardian.

When a secret is leaked on an excluded filepath:

  • you will not receive any notification,
  • no incident will be created in your dashboard.

Note that newly created filepath exclusions will also apply to existing secret incidents and these would therefore be removed from your secret incidents table.

Filepath exclusion

You have the ability to test a filepath against your exclusion list to verify your configuration.

Filepath format#

The filepath format is a subset of the glob-style pattern. It uses the “/” character to separate each element of the path (POSIX norm), and allows the special “*” character as a wildcard. Additionally, the “**” sequence can be used to recursively match any number of directories.


If you misuse the glob-style pattern, GitGuardian will automatically correct your input. For instance:

  • src/**/**/**/tests/ will be corrected to src/**/test
  • **/src/** will be corrected to src/