Secrets scanner

Last updated: Jun 25, 2026


Quick scan vs. configuration file

The secrets scanner supports two modes of operation.

Quick scan — scan a file or directory directly from the command line, without a configuration file. Only verified rules are applied; rules that are still in beta need a configuration file with feature_preview enabled (see below):

ss scan /path/to/repository

By default this prints findings to the console and the exit status does not signal them. Use --strict to exit with a non-zero status code when secrets are found, so that a CI/CD job fails on findings instead of passing silently:

ss scan /path/to/repository --strict

Configuration file — use a YAML configuration file for more advanced scenarios: including or excluding specific paths, adjusting the entropy threshold, enabling preview rules, or writing results to a file:

ss scan --config config.yaml

The rest of this page describes the configuration file options in detail.

For common configuration file keys that apply to all scanners, see Use a configuration file.

Specific configuration file keys

The secrets scanner adds a single key, ss, which configures secret detection over the repository.

ss

This key configures which files are scanned and how detection is tuned. Every option under it is optional:

  • include: Paths to files or directories to scan, relative to working_dir. If omitted, the entire working_dir is scanned.
  • exclude: Gitignore-style patterns for files or directories to exclude. The .git/ directory is always excluded automatically.
  • min_entropy: Minimum Shannon entropy, in bits per character, that a match must reach to be reported. Accepts a value between 0.0 and 8.0 (8.0 is the maximum for a byte alphabet). Defaults to 3.0. Lower values report more findings; higher values reduce false positives, but they also drop real secrets with a low-entropy shape, such as short structured identifiers or dictionary-based passwords, so review what disappears before settling on a higher value.
  • feature_preview: When set to true, enables detection rules that are still in beta and pending approval. Defaults to false.

For example:

ss:
  include:
    - src/
    - config/
  exclude:
    - vendor/
    - "**/*.lock"
  min_entropy: 3.5
  feature_preview: false
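To make the min_entropy values on this page concrete, here is an added example (not part of the page or of the scanner's own code) that computes Shannon entropy the way the threshold is expressed, in bits per character, and applies the three thresholds that appear on this page (the 3.0 default, the 3.5 in the example above and the 4.0 from the tuning example further down) to a handful of constructed strings. The strings, their names and the inclusive comparison are assumptions; the AKIA... value is the placeholder access key ID from AWS documentation, not a live credential.

```python
from __future__ import annotations

import math
from collections import Counter

# Constructed sample "matches" as a rule might hand them to the entropy gate (assumed, not the
# scanner's data). None is a live credential: the AKIA... value is the placeholder access key
# ID used throughout AWS documentation.
SAMPLE_MATCHES = {
    "padding":     "aaaaaaaaaaaaaaaa",                   # one repeated symbol
    "weak_pw":     "password123",                        # dictionary word plus digits
    "aws_doc_key": "AKIAIOSFODNN7EXAMPLE",               # 20 chars, fixed prefix, small alphabet
    "hex_32":      "0123456789abcdef0123456789abcdef",   # hex only: 16 symbols, each twice
    "base62_32":   "zX9kQ2mP7vL4nR8sT1wY6bJ3hF5gD0cE",   # 32 distinct symbols
}


def shannon_entropy(value: str) -> float:
    """Shannon entropy of value in bits per character, the unit min_entropy uses.

    H = -sum(p * log2(p)) over the distinct characters. It is bounded by log2(len(value))
    and by 8.0 for any byte alphabet, which is why the option accepts 0.0 to 8.0.
    """
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def reported(matches: dict[str, str], min_entropy: float) -> list[str]:
    """Names of the matches that survive an entropy gate of min_entropy.

    Assumption: the comparison is inclusive (entropy >= min_entropy). The page does not
    say whether the scanner uses >= or >, so a value sitting exactly on the threshold
    may behave differently in the real tool.
    """
    return [name for name, value in matches.items() if shannon_entropy(value) >= min_entropy]


def threshold_table(matches: dict[str, str] = SAMPLE_MATCHES,
                    thresholds: tuple[float, ...] = (3.0, 3.5, 4.0)) -> dict[float, list[str]]:
    """Which sample matches each threshold used on this page would keep."""
    return {t: reported(matches, t) for t in thresholds}


if __name__ == "__main__":
    for name, value in SAMPLE_MATCHES.items():
        print(f"{name:<12} {shannon_entropy(value):.2f} bits/char  {value}")
    for t, kept in threshold_table().items():
        print(f"min_entropy: {t:<4} -> {', '.join(kept) or '(nothing)'}")
```

The middle rows are the ones to look at: password123 clears the 3.0 default at about 3.28 bits per character, while the 20-character AWS-style key ID sits at about 3.68, so it survives 3.5 but not 4.0. If the gate works as the option description says (a match is reported only when its entropy reaches the threshold), raising min_entropy to silence noisy matches can also hide a short, structured secret that a rule matched correctly. Treat the threshold as a filter on top of the rules, tune it per repository, and diff the findings before and after a change.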

Output configuration

Use the top-level output key to write results to a file:

  • file_path (optional): Path where the report will be written. The format is inferred from the file extension: use .sarif for a SARIF 2.1.0 report, or .csv for a CSV report. If omitted, findings are printed to the console only.

For example:

output:
  file_path: /results/fluid-attacks-results.sarif
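A consumer for the .sarif report described above, as an added example that is not part of the page or of the scanner's own code. It flattens a SARIF 2.1.0 log to one record per result location, counts findings per rule (the first thing to look at when tuning exclude or min_entropy), and derives a pipeline exit status from the result levels, which gives a finer-grained gate than the --strict behaviour described earlier, where any finding fails the job. The SARIF document is constructed inline; its rule IDs, paths, levels and messages are illustrative and not identifiers the scanner actually emits.

```python
from __future__ import annotations

import json
import sys
from collections import Counter
from typing import Any

# Constructed SARIF 2.1.0 log in the shape a secrets scanner's .sarif report takes.
# Rule IDs, paths, levels and messages are made up for this example, not real tool output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "secrets scanner (sample)"}},
        "results": [
            {"ruleId": "sample-cloud-access-key", "level": "error",
             "message": {"text": "cloud access key ID"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/settings.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "sample-high-entropy-string", "level": "warning",
             "message": {"text": "high-entropy string"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app/tokens.py"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "sample-high-entropy-string",   # no level: SARIF treats it as "warning"
             "message": {"text": "high-entropy string"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app/fixtures.js"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text: str) -> list[dict[str, Any]]:
    """Flatten a SARIF 2.1.0 log to one record per result location.

    A result without locations is kept (file and line None) so it still counts as a
    finding; a missing level becomes "warning", the default the SARIF 2.1.0 spec assigns.
    """
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"expected SARIF 2.1.0, got {doc.get('version')!r}")
    findings: list[dict[str, Any]] = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations") or [{}]:
                physical = loc.get("physicalLocation", {})
                findings.append({
                    "rule": result.get("ruleId"),
                    "level": result.get("level", "warning"),
                    "file": physical.get("artifactLocation", {}).get("uri"),
                    "line": physical.get("region", {}).get("startLine"),
                    "message": result.get("message", {}).get("text", ""),
                })
    return findings


def count_by_rule(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Number of findings per rule ID."""
    return dict(Counter(f["rule"] for f in findings))


def gate(findings: list[dict[str, Any]], fail_on: tuple[str, ...] = ("error",)) -> int:
    """Exit status for a pipeline step: 1 if any finding's level is in fail_on, else 0.

    Unlike --strict, which fails on any finding, this lets warning-level results through
    while error-level ones still block the build.
    """
    return 1 if any(f["level"] in fail_on for f in findings) else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py /results/fluid-attacks-results.sarif (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    for f in found:
        print(f"{f['level']:<8} {str(f['rule']):<28} {f['file']}:{f['line']}  {f['message']}")
    print("per rule:", count_by_rule(found))
    sys.exit(gate(found))
```

Run it against the file named in output.file_path after a scan; the exit status is what a pipeline step should propagate. Whether the scanner's results carry a level at all, and which values, is for the real report to tell you, so check a report before relying on the fail_on default.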

Configuration file examples

Scanning a repository

language: EN
working_dir: /path/to/repository
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  include:
    - src/

Excluding paths

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  include:
    - src/
    - config/
  exclude:
    - vendor/
    - "**/*.lock"
    - "**/node_modules/"

Tuning entropy to reduce false positives

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  min_entropy: 4.0

Enabling preview rules

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  feature_preview: true

Failing the pipeline on findings

language: EN
strict: true
working_dir: .
output:
  file_path: /results/fluid-attacks-results.sarif
ss:
  include:
    - src/

Exporting results as CSV

language: EN
working_dir: .
output:
  file_path: /results/fluid-attacks-results.csv
ss:
  include:
    - src/
