Filters documentation

PatrykX1 · Feb 1, 2021 · cbb42d5 · cbb42d5
1 parent fb16538
commit cbb42d5
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -266,6 +266,8 @@ filter options:
                         If lines match this regex, it will be ignored.
   --exclude-files EXCLUDE_FILES
                         If filenames match this regex, it will be ignored.
+  --exclude-secrets EXCLUDE_SECRETS
+                        If secrets match this regex, it will be ignored.
   --word-list WORD_LIST_FILE
                         Text file with a list of words, if a secret contains a
                         word in the list we ignore it.
@@ -318,6 +320,8 @@ filter options:
                         If lines match this regex, it will be ignored.
   --exclude-files EXCLUDE_FILES
                         If filenames match this regex, it will be ignored.
+  --exclude-secrets EXCLUDE_SECRETS
+                        If secrets match this regex, it will be ignored.
   --word-list WORD_LIST_FILE
                         Text file with a list of words, if a secret contains a
                         word in the list we ignore it.
@@ -430,6 +434,12 @@ specific pattern. You can specify a regex rule as such:
 $ detect-secrets scan --exclude-lines 'password = (blah|fake)'
 ```
 
+Or you can specify multiple regex rules as such:
+
+```bash
+$ detect-secrets scan --exclude-lines 'password = blah' --exclude-lines 'password = fake'
+```
+
 #### --exclude-files
 
 Sometimes, you want to be able to ignore certain files in your scan. You can specify a regex
@@ -439,6 +449,27 @@ pattern to do so, and if the filename meets this regex pattern, it will not be s
 $ detect-secrets scan --exclude-files '.*\.signature$'
 ```
 
+Or you can specify multiple regex patterns as such:
+
+```bash
+$ detect-secrets scan --exclude-files '.*\.signature$' --exclude-files '.*/i18n/.*'
+```
+
+#### --exclude-secrets
+
+Sometimes, you want to be able to ignore certain secret values in your scan. You can specify
+a regex rule as such:
+
+```bash
+$ detect-secrets scan --exclude-secrets '(fakesecret|\${.*})'
+```
+
+Or you can specify multiple regex rules as such:
+
+```bash
+$ detect-secrets scan --exclude-secrets 'fakesecret' --exclude-secrets '\${.*})'
+```
+
 #### --word-list
 
 If you know there are certain fake password values that you want to ignore, you can also use

diff --git a/docs/filters.md b/docs/filters.md
@@ -52,6 +52,7 @@ the `detect_secrets.filters` namespace.
 | `heuristic.is_non_text_file`                     | Ignores non-text files (e.g. archives, images).                                     |
 | `regex.should_exclude_line`                      | Powers the [`--exclude-lines` functionality](../README.md#--exclude-lines).         |
 | `regex.should_exclude_file`                      | Powers the [`--exclude-files` functionality](../README.md#--exclude-files).         |
+| `regex.should_exclude_secret`                    | Powers the [`--exclude-secrets` functionality](../README.md#--exclude-secrets).     |
 | `wordlist.should_exclude_secret`                 | Powers the [`--word-list` functionality](../README.md#--word-list).                 |
 
 ## Configuring Filters