
Why didn't Semgrep Secrets find these example secrets?

A common pattern in code is to include a placeholder value or format indicator for a secret rather than a real secret value. Where possible, Semgrep Secrets rules are intentionally written to minimize matches on this type of placeholder and so avoid false positives, because the primary concern is finding real secrets that were committed by accident, especially ones that are still valid.

As a result, if you have a line such as:

AWS_SECRET_ACCESS_KEY = "AKIA000EXAMPLE83A0I4"

Semgrep does not flag this line: the value contains the string EXAMPLE, which the rule treats as a placeholder marker rather than part of a valid AWS access key.

If you want this type of usage flagged, consider writing a custom Secrets rule, or contact support to discuss your requirements with the team.
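The following rules file is an added illustration written for this page; it is not part of Semgrep's own Secrets rule set. It shows the two policies side by side as plain Semgrep rules (Secrets-specific fields such as validators are not shown): the first mirrors the behaviour described above by dropping any AKIA-style access key ID that carries the placeholder marker EXAMPLE, the second deliberately reports those placeholders at INFO severity. The rule IDs and messages are made up for the example; the `AKIA` + 16 uppercase alphanumerics pattern is the documented public format of an AWS access key ID, which is the format the sample value above follows.

```yaml
rules:
  # Policy 1: behave like the documented default. Report an AWS access key ID
  # unless the placeholder marker EXAMPLE appears inside the 16-character
  # body (it is 7 characters long, so it can only start at offsets 0-9).
  - id: aws-access-key-id-no-placeholders   # hypothetical rule id
    languages: [generic]
    severity: ERROR
    message: Possible live AWS access key ID committed to source
    patterns:
      - pattern-regex: 'AKIA[0-9A-Z]{16}'
      - pattern-not-regex: 'AKIA[0-9A-Z]{0,9}EXAMPLE'

  # Policy 2: the opposite choice, for teams that want placeholder or
  # format-indicator keys surfaced as well. The lookahead requires EXAMPLE
  # within the body so that only placeholder values match this rule.
  - id: aws-access-key-id-placeholder        # hypothetical rule id
    languages: [generic]
    severity: INFO
    message: AWS access key ID placeholder (contains EXAMPLE) found in source
    patterns:
      - pattern-regex: 'AKIA(?=[0-9A-Z]{0,9}EXAMPLE)[0-9A-Z]{16}'
```

Save the file as, for instance, `aws-placeholder.yaml` and run `semgrep --config aws-placeholder.yaml .` against a file containing the `AWS_SECRET_ACCESS_KEY = "AKIA000EXAMPLE83A0I4"` line from above: only the second rule fires on it, while a key whose body does not contain EXAMPLE is reported by the first rule alone. Keeping the two as separate rules with different severities lets the placeholder finding be triaged or silenced independently of a real leaked key.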

