Secrets scanner

Last updated: Apr 20, 2026

Quick scan vs. configuration file

The secrets scanner supports two modes of operation.

Quick scan — scan a file or directory directly from the command line, without a configuration file. Only verified rules are applied:

ss scan /path/to/repository

This outputs findings to the console by default. Use --strict to exit with a non-zero status code when secrets are found, which is useful for CI/CD pipelines:

ss scan /path/to/repository --strict

Configuration file — use a YAML configuration file for more advanced scenarios: including or excluding specific paths, adjusting the entropy threshold, enabling preview rules, or writing results to a file:

ss scan --config config.yaml

The rest of this page describes the configuration file options in detail.

General configuration file keys

Here is an overview of the general configuration file keys. Remember that this applies to all of Fluid Attacks' scanners.

working_dir: .
language: EN
strict: false
output:
  file_path: ./Fluid-Attacks-Results.sarif

Specific configuration file keys

The following key is available for the secrets scanner, and it can be used to configure secret detection over a repository.

ss

This key configures which files are scanned and how detection is tuned. All options are optional:

  • include: Paths to files or directories to scan, relative to working_dir. If omitted, the entire working_dir is scanned.
  • exclude: Gitignore-style patterns for files or directories to exclude. The .git/ directory is always excluded automatically.
  • min_entropy: Minimum Shannon entropy threshold for a match to be reported. Accepts a value between 0.0 and 8.0. Defaults to 3.0. Lower values report more findings; higher values reduce false positives.
  • feature_preview: When set to true, enables detection rules that are still in beta and pending approval. Defaults to false.

For example:

ss:
  include:
    - src/
    - config/
  exclude:
    - vendor/
    - "**/*.lock"
  min_entropy: 3.5
  feature_preview: false
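To make the min_entropy option concrete, the following is an added illustration (not the scanner's own code) of how a Shannon-entropy threshold separates high-randomness values from ordinary words. The scan function, the assignment regex and the sample config text are all constructed for this example; the real scanner's tokenization and rule set are not described on this page and are assumed to differ.

```python
import math
import re
from collections import Counter


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character.

    0.0 for a constant string; the theoretical maximum for arbitrary
    bytes is 8.0, which is why the threshold is bounded to 0.0..8.0.
    """
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


# Hypothetical, simplified candidate extractor: `key = value` or `key: value`
# lines, optionally quoted. A real scanner uses many more rules than this.
ASSIGNMENT = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["\']?(?P<value>[^"\'\s#]+)'
)


def scan(text: str, min_entropy: float = 3.0):
    """Return (line_no, key, entropy) for every assigned value whose
    entropy meets the threshold. Lower thresholds report more findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        h = shannon_entropy(m.group("value"))
        if h >= min_entropy:
            findings.append((line_no, m.group("key"), round(h, 3)))
    return findings


# Constructed sample input; none of these values is a real credential.
SAMPLE = """\
# constructed sample config
db_host = localhost
db_password = password
admin_token = admin2024xyz
api_key = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"
padding = aaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for threshold in (3.0, 3.5, 5.5):
        print(f"min_entropy={threshold}: {scan(SAMPLE, threshold)}")
```

Running it shows the trade-off the page describes: at the default 3.0 both admin_token (about 3.42 bits) and the 32-character api_key (5.0 bits) are reported, raising the threshold to 3.5 drops the weaker candidate, and at 5.5 nothing is reported, including the genuinely random-looking key. Tune the value against your own repository's findings rather than guessing.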

Output configuration

Use the top-level output key to write results to a file:

  • file_path (optional): Path where the report will be written. The format is inferred from the file extension: use .sarif for a SARIF 2.1.0 report, or .csv for a CSV report. If omitted, findings are printed to the console only.

For example:

output:
  file_path: /results/fluid-attacks-results.sarif

Configuration file examples

Scanning a repository

language: EN
working_dir: /path/to/repository
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  include:
    - src/

Excluding paths

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  include:
    - src/
    - config/
  exclude:
    - vendor/
    - "**/*.lock"
    - "**/node_modules/"

Tuning entropy to reduce false positives

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  min_entropy: 4.0

Enabling preview rules

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  feature_preview: true

Failing the pipeline on findings

language: EN
strict: true
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  include:
    - src/

Exporting results as CSV

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.csv
ss:
  include:
    - src/
