
Secret scanning

Secure your project with Netlify’s Secrets Controller, which includes secret scanning for marked environment variables, the environment variable secrets policy, and enhanced secret scanning that uses smart detection to automatically find secrets without any manual configuration.

Netlify’s Secrets Controller helps you secure your project with the following:

  • Secret scanning for environment variables you mark as secret
  • The environment variable secrets policy
  • Enhanced secret scanning with smart detection, which finds secrets without any manual configuration

Learn more about how the Secrets Controller works in our Secrets Controller documentation.

Smart detection

This feature is available on Pro and Enterprise plans.

Smart detection automatically scans your repository code and build output for potential secrets.

Unlike Netlify’s standard secret scanning, smart detection doesn’t require any manual configuration or environment variables.

When Netlify detects a potential secret, the following happens:

  • The build fails automatically, so the value is not deployed
  • The deploy log identifies the location of the detected secret for you to review

Resolve a secret detection

If smart detection flags a secret value, remove the value from your project at the location shown in your deploy log, then redeploy. Treat a value that was committed to the repository or written into the build output as exposed: rotate it with the issuing service rather than only deleting it.

To find the location of the exposed secret, check your deploy log at Site dashboard > Deploys.

After you remove the secret value, it should no longer be detected in subsequent deploys.

Manage false positives

If smart detection flags a string that is not a secret, you can add this string to a safelist to prevent smart detection from flagging the string as a secret value for your project again.

To add a false positive to a safelist:

  1. For your project, go to Project configuration > Environment variables and choose Add a variable and then Add a single variable.

  2. Give this variable the key name SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES.

  3. Enter the strings you want to safelist as the value of this variable, separated by commas, and then select Create variable.

  4. To re-deploy your project, go to Deploys and choose Trigger deploy > Deploy project.
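The script below is an added example and not Netlify’s scanner; its detection rules are hypothetical stand-ins for smart detection. It reproduces, locally, the behaviour described earlier on this page and the safelist procedure above: it scans a build output tree, reports each hit as path:line the way the deploy log does, reads the safelist from SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES in the comma-separated format of step 3, and exits non-zero if anything remains. The sample site it scans is constructed inline (one made-up GitHub-style token, one private key block, and the AWS documentation example key AKIAIOSFODNN7EXAMPLE as the false positive that gets safelisted).

```python
"""Local pre-deploy secret scan honouring a comma-separated safelist.

Added example, not Netlify's code: the rules below are hypothetical stand-ins for
smart detection. Scan the build output, report path:line, honour the safelist, fail.
"""
import math
import os
import re
import sys
import tempfile
from collections import Counter
from pathlib import Path

OMIT_VALUES_VAR = "SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES"
ENTROPY_THRESHOLD = 4.0  # bits per character, applied to the generic rule only

# Hypothetical detectors. Specific prefixes first, the generic rule last, so a
# token already caught by a specific rule is not reported a second time.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_high_entropy", re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")),
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def parse_omit_values(raw: str) -> set[str]:
    """Split the safelist exactly as the page defines it: comma-separated values."""
    return {v.strip() for v in raw.split(",") if v.strip()}

def scan_text(text: str, rel_path: str, omit_values: set[str]) -> list[dict]:
    """Return one finding per flagged, non-safelisted token, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        taken = []  # spans already matched on this line (reported or safelisted)
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                start, end = m.span()
                if any(start < e and s < end for s, e in taken):
                    continue
                token = m.group(0)
                if rule == "generic_high_entropy" and shannon_entropy(token) < ENTROPY_THRESHOLD:
                    continue  # long but predictable (padding, repeated characters)
                taken.append((start, end))
                if token in omit_values:
                    continue  # safelisted false positive
                findings.append({"path": rel_path, "line": lineno, "rule": rule, "value": token})
    return findings

def scan_tree(root: Path, omit_values: set[str]) -> list[dict]:
    """Scan every text file under root; binary assets (fonts, images) are skipped."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if b"\x00" in data[:1024]:
            continue
        rel = path.relative_to(root).as_posix()
        findings.extend(scan_text(data.decode("utf-8", errors="replace"), rel, omit_values))
    return findings

# Constructed sample site: a made-up token, a private key block, and the AWS
# documentation example key (a classic false positive) in the docs folder.
SAMPLE_FILES = {
    "dist/main.js": (
        'const apiBase = "https://api.example.com";\n'
        'const ghToken = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";\n'
        'const padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";\n'
    ),
    "dist/server.js": "const devKey = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAexample\n-----END RSA PRIVATE KEY-----`;\n",
    "docs/aws.md": "Set `AWS_ACCESS_KEY_ID` to your key, e.g. AKIAIOSFODNN7EXAMPLE.\n",
}

def run_demo() -> dict[str, list[dict]]:
    """Scan the sample twice: unfiltered, then with the example key safelisted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        return {
            "unfiltered": scan_tree(root, set()),
            "safelisted": scan_tree(root, parse_omit_values("AKIAIOSFODNN7EXAMPLE, ")),
        }

def main(argv: list[str]) -> int:
    """Scan the given directory with the real safelist variable, or the sample; exit 1 on findings."""
    if len(argv) > 1:
        findings = scan_tree(Path(argv[1]), parse_omit_values(os.environ.get(OMIT_VALUES_VAR, "")))
    else:
        findings = run_demo()["safelisted"]
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} (starts with {f['value'][:6]!r})")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan.py dist` in CI after the build step so a stray value is caught before the Netlify build fails on it. The entropy gate is why the 40-character padding constant is not reported while the constructed token is; the safelist is compared against the exact flagged string, so copy the value from the deploy log verbatim. The same variable can be set from the Netlify CLI with `netlify env:set SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES "AKIAIOSFODNN7EXAMPLE"` instead of the UI. Keep the safelist short: every entry is a string the scanner will never question again.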

Turn off smart detection

To turn off smart detection:

  1. For your project, go to Project configuration > Environment variables.

  2. Under Environment variables, expand SECRETS_SCAN_SMART_DETECTION_ENABLED and use the Options menu to select Edit. Set the environment variable to false across all available scopes and confirm your changes.

Secret scanning for marked environment variables

You can mark environment variables as secret values in the Netlify UI, CLI, or API.

This is ideal when you’re working with known sensitive values, such as API keys, tokens, or credentials, and also want a centralized place to store the value as you collaborate on different deployments of your project.

To learn more about how to do this, check out these docs: