Skip to main content
Skip table of contents

Allow-listing Detected Secrets

Allow-listing vulnerabilities in your code

If you have a particular secret that you would like to allow, you can do so using the following inline comment:

Python allow-listing Example

PY 
 API_KEY = "my-secret-that-is-not-a-secret"  # pragma: allowlist secret

Java allow-listing Example

All language comments are supported, so for example, allow-listing in Java would look like the following:

JAVA 
String myApprovedSecret = "ThisIsAnExampleSecret" // pragma: allowlist-secret not actually a secret";


Just make sure that the allow-listing is inline! Multi-line allow-listing is not supported.

Full list of supported comment containers for the pragma

  • # comment

  • //comment

  • /* comment */

  • ' comment

  • <!-- comment -->

The allowlist pragma must be introduced in the same commit as the false positive

One thing to keep in mind is that if you’re pushing multiple commits, they will all be scanned individually, and one of the older commits you’re adding may be missing the allowlist pragma. For example,

  1. git add proxy-password-file

  2. git commit proxy-password-file -m “Update proxy settings”

  3. git push => rejected due to embedded password

  4. Update proxy-password-file to add # pragma: allowlist secret

  5. git commit proxy-password-file -m “Allowlist proxy settings

  6. git push

When step 6 executes, both the commits from step 2 and step 5 will be scanned. In the #2 commit there is a failure detected, but no allowlist pragma is present, so the commit is considered in violation. The #5 commit passes all checks, but since there is one failing commit in the push, the whole push is rejected.

The per-commit scanning ensures that if a secret was added in one commit and subsequently removed in another commit, it will still be found. It’s important to catch this situation, because the secret has not been properly cleaned from history.

Allow-listing specific files / paths (since version 1.10.0)

You can also specify list of files / folders for which all found vulnerabilities should be marked as allow-listed for a specific repository.

Per-repository allowlist configuration

Allow-listed files can be also configured on a repository level in soteri-security.yml file. Just add allow_list section and add list of paths you want to allow, like in example below:

YAML 
custom_rules:
  # comment
rules:
  # comment
allowlist_paths:
  - file1
  - file2.*

To make pre-repository configuration files work, you need to enable it in global plugin settings. See additional details here:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close