
🚫 Ignoring Secrets

How to exclude files and suppress false positives

Ignoring Files & Secrets

Four ways to exclude files or suppress false positives:

1. .guardyignore File

For files not already covered by .gitignore. Uses the same syntax as .gitignore.

# .guardyignore
docs/examples/        # Documentation with example secrets
test/fixtures/        # Test data
.claude/              # Development notes

Note: Files in .gitignore are already ignored by Guardy.

2. Scanner Exclude

Same as .guardyignore but in config:

# .guardy.yaml
scanner:
  exclude:
    - "docs/examples/**"
    - "**/*.sample"

3. Comment Directives

Ignore specific lines in code:

// guardy:ignore
const key = "sk_test_1234";

// guardy:ignore-next
const token = "example_token";

Works with //, #, /*, <!-- comments.

4. Allowlists

Specific Strings

scanner:
  allowlist:
    strings:
      - "sk_test_4eC39HqLyjWDarjtT1zdp7dc"  # Stripe test key

Specific Files

scanner:
  allowlist:
    files:
      - "README.md"

Pattern-Based

scanner:
  allowlist:
    patterns:
      - regex: 'FAKE_[A-Z_]+'
        reason: "Test constants"

Priority Order

  1. .guardyignore / scanner.exclude → File never scanned
  2. Comment directives → Line ignored during scan
  3. allowlist.files → File results discarded
  4. allowlist.patterns → Pattern matches discarded
  5. allowlist.strings → Exact matches discarded
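
The priority order above, as an added illustration that is not Guardy's own code: a small Python model that applies exclude globs, comment directives and the three allowlist kinds to a constructed source file. It assumes the config keys shown on this page, a toy secret detector in place of Guardy's real rules, simplified glob matching, and that guardy:ignore suppresses the line carrying the directive while ignore-next suppresses the following line.

```python
import re
from fnmatch import fnmatchcase
# Constructed config mirroring this page's settings (assumed keys, not Guardy's own parser)
CONFIG = {
    "exclude": ["docs/examples/**", "**/*.sample"],
    "allowlist": {
        "strings": ["sk_test_4eC39HqLyjWDarjtT1zdp7dc"],
        "files": ["README.md"],
        "patterns": [{"regex": r"FAKE_[A-Z_]+", "reason": "Test constants"}],
    },
}
# Toy detector standing in for Guardy's real rules: Stripe-style keys and FAKE_ constants
SECRET_RE = re.compile(r"sk_(?:test|live)_[A-Za-z0-9]+|FAKE_[A-Z_]+")
# Directive in any comment style the page lists; ignore-next is tried before ignore
DIRECTIVE_RE = re.compile(r"(?://|#|/\*|<!--)\s*guardy:(ignore-next|ignore)\b")

def matches_any(path, globs):
    # Simplified glob matching: fnmatch's * already crosses '/', so ** behaves like *
    return any(fnmatchcase(path, g) for g in globs)

def scan(path, text, config):
    """Return surviving (line_no, secret) findings, applying the page's priority order."""
    if matches_any(path, config["exclude"]):            # 1. excluded file: never scanned
        return []
    findings, skip_next = [], False
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.search(line)
        if m and m.group(1) == "ignore-next":           # 2. directive: skip the next line...
            skip_next = True
            continue
        if skip_next or m:                              #    ...or this line
            skip_next = False
            continue
        findings += [(line_no, s) for s in SECRET_RE.findall(line)]
    if matches_any(path, config["allowlist"]["files"]):  # 3. whole file's results discarded
        return []
    pats = [re.compile(p["regex"]) for p in config["allowlist"]["patterns"]]
    findings = [f for f in findings if not any(p.fullmatch(f[1]) for p in pats)]  # 4.
    return [f for f in findings if f[1] not in config["allowlist"]["strings"]]     # 5.

# Constructed source file; assumes guardy:ignore sits on the line it suppresses
SAMPLE_SRC = """\
const key = "sk_test_1234";  // guardy:ignore
// guardy:ignore-next
const token = "sk_live_abcdef";
const stripe = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";
const fake = "FAKE_API_KEY";
const real = "sk_live_zzz999";
"""
```

Only the last line of SAMPLE_SRC survives when scanned as src/app.js; the same content under docs/examples/ or README.md yields nothing.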

When to Use What

  • .guardyignore → Directories and file patterns not in .gitignore
  • scanner.exclude → Same as .guardyignore, just in config
  • Comment directives → Specific lines of code
  • allowlist.strings → Known false positives (test keys, examples)
  • allowlist.patterns → Systematic false positive patterns