
Secret scanning

Secure your project with Netlify’s Secrets Controller, which includes secret scanning for marked environment variables, the environment variable secrets policy, and enhanced secret scanning that uses smart detection to automatically find secrets without any manual configuration.

Netlify’s Secrets Controller helps you secure your project with the following:

  • Secret scanning for environment variables you mark as secret
  • The environment variable secrets policy
  • Enhanced secret scanning with smart detection, which finds secrets without any manual configuration

Learn more about how the Secrets Controller works in our Secrets Controller documentation.

# Secret scanning with smart detection

This feature is available on Pro and Enterprise plans.

Smart detection automatically scans for potential secrets in your repository code and build output.

Unlike Netlify’s standard secret scanning, smart detection doesn't require any manual configuration or environment variables.

When Netlify detects a potential secret, the following will happen:

  • The build fails automatically, so the secret is not deployed
  • The deploy log identifies the location of the detected secret for you to review

# Resolve a secret detection

If smart detection flags a secret value, we recommend you remove the value from your project at the location shared in your deploy log and then redeploy your project. If the value was committed to your repository or printed in a build log, treat it as exposed and rotate the credential as well; removing it from the build only stops further exposure.

To find the location of the exposed secret, check your deploy log at

.

After removing the secret value you should no longer see it detected in subsequent deploys.

# Manage false positives

If smart detection flags a string that is not a secret, you can add this string to a safelist to prevent smart detection from flagging the string as a secret value for your project again.

To add a false positive to a safelist:

  1. For your project, go to

    and choose Add a variable and then Add a single variable.

  2. Give this variable the key name SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES.

  3. Enter the strings you want to safelist as the value of this variable, separated by commas (one entry per false positive), and then select Create variable.

    Screenshot: adding the SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES environment variable to a project, with a false-positive string added to the safelist

  4. To re-deploy your project, go to Deploys and choose Trigger deploy > Deploy project.

    UI drop-down menu options that show up after you select the Trigger deploy button

# Turn off smart detection

Consider adding false positives to a safelist instead of turning off smart detection, to make sure your project continues to benefit from the enhanced protections.

To turn off smart detection:

  1. For your project, go to

    .

  2. Under Environment variables, expand SECRETS_SCAN_SMART_DETECTION_ENABLED and use the Options menu to select Edit. Set the environment variable to false across all available scopes and confirm your changes.
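
As an added example (not Netlify’s code or part of its documentation), the following Python script models the behaviour described in the sections above: it fails when the value of a marked secret variable appears in the build output, runs a configuration-free smart detection pass, and honours SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES and SECRETS_SCAN_SMART_DETECTION_ENABLED. Netlify’s actual detection rules are not published on this page, so the token patterns, the entropy cutoff, the assumed default of “enabled”, and the constructed sample build output are illustrative assumptions.

```python
"""Local pre-deploy check modelled on the behaviour this page describes.

Added, illustrative code: NOT Netlify's scanner. Its real rules are not
documented here, so the token patterns, the entropy cutoff and the default
of "enabled" are assumptions. Two checks run over the build output:

  1. Values of environment variables the project marked as secret must not
     appear anywhere in the output.
  2. Smart detection flags likely credentials with no configuration, but
     honours SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES (comma-separated
     safelist) and SECRETS_SCAN_SMART_DETECTION_ENABLED=false.
"""
import math
import re
import sys
import tempfile
from pathlib import Path

# Assumed example signatures for well-known credential formats.
TOKEN_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Generic candidate: a run of 32+ base64/URL-safe characters, judged by entropy.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # assumed; hex digests top out at 4.0 bits/char, so content hashes pass


def shannon_entropy(s):
    """Bits per character of s; random base64 material sits well above 4.5."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_omit_values(raw):
    """The safelist variable holds exact strings separated by commas."""
    return {v.strip() for v in (raw or "").split(",") if v.strip()}


def smart_detect(line, omit):
    """Return [(kind, token)] for one line, skipping safelisted tokens."""
    found = []
    for kind, pat in TOKEN_PATTERNS:
        for m in pat.finditer(line):
            if m.group(0) not in omit:
                found.append((kind, m.group(0)))
    for m in CANDIDATE.finditer(line):
        tok = m.group(0)
        # skip safelisted strings and runs already reported by a signature
        if tok in omit or any(t in tok for _, t in found):
            continue
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            found.append(("high-entropy string", tok))
    return found


def scan_build_output(root, secret_values, env):
    """Return findings as (relative path, line number, kind, token).

    An empty list means the deploy may proceed; anything else should fail
    the build, which is what the page says Netlify does.
    """
    root = Path(root)
    enabled = env.get("SECRETS_SCAN_SMART_DETECTION_ENABLED", "true").strip().lower() != "false"
    omit = parse_omit_values(env.get("SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES"))
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for value in secret_values:
                if value and value in line:
                    findings.append((rel, lineno, "marked secret value", value))
            if enabled:
                for kind, tok in smart_detect(line, omit):
                    findings.append((rel, lineno, kind, tok))
    return findings


def demo(env=None):
    """Scan a constructed build output directory (not a real project)."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp)
        (dist / "index.html").write_text(
            '<script src="main.3f2a9c1b8d.js"></script>\n'
            # AWS's published documentation example key: a typical false positive on a docs site
            "<code>aws_access_key_id = AKIAIOSFODNN7EXAMPLE</code>\n"
        )
        (dist / "main.3f2a9c1b8d.js").write_text(
            'const endpoint = "https://api.example.com";\n'
            # constructed: value of an env var marked secret, leaked into the bundle
            'const token = "constructed-secret-value-123";\n'
            # constructed: 39 distinct characters, so entropy is log2(39) = 5.3 bits/char
            'const signingKey = "q7Rz2Lm9Xc4Vb8Nw1Kp3Jh6Gf5Dt0SyaZeUoiTM";\n'
        )
        return scan_build_output(dist, ["constructed-secret-value-123"], env or {})


if __name__ == "__main__":
    hits = demo()
    for rel, lineno, kind, tok in hits:
        print(f"{rel}:{lineno}: {kind}: {tok[:8]}...")  # never echo the full value into logs
    sys.exit(1 if hits else 0)
```

Run it as a local pre-push check against your build directory: it exits non-zero on any finding, prints only a prefix of each token so the check itself does not copy the value into CI logs, and reproduces the two knobs from this page, the safelist drops an exact string such as AWS’s documentation example key, and setting SECRETS_SCAN_SMART_DETECTION_ENABLED to false leaves only the marked-secret check active.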

# Mark environment variable as secret

You can mark environment variables as secret values in the Netlify UI, CLI, or API.

This is ideal when you’re working with known sensitive values, such as API keys, tokens, or credentials, and also want a centralized place to store the value as you collaborate on different deployments of your project.

To learn more about how to do this, check out these docs: