# Secret Scanning in Quality Gates

> **Intro:** Secret scanning should not be a side report that nobody reads. It should participate in the same release decision logic as SAST, SCA, DAST, and policy checks.
>
> **What this page includes**
>
> * how to turn secret scanning into a gate
> * example gate thresholds
> * sample GitLab aggregation pattern
> * director-level metrics to track

## Gate design principles

A useful secret gate is:

* **strict on verified or obviously real findings**;
* **tunable on low-confidence findings**;
* **fast enough** to run on every merge request;
* **paired with a response process** so developers know what to do next.

## Recommended threshold model

| Signal                                       | Suggested policy                   |
| -------------------------------------------- | ---------------------------------- |
| Verified secret                              | fail immediately                   |
| High-confidence cloud credential             | fail immediately                   |
| New secret in modified line                  | fail merge request                 |
| Historic secret during onboarding            | warn and create remediation ticket |
| Known false positive with approved allowlist | pass but keep logged               |
| Old finding reopened                         | fail after grace window            |

## Example GitLab gate aggregation stage

```yaml
security_gate:
  stage: verify
  image: python:3.12-alpine
  needs:
    - job: gitleaks_scan
      artifacts: true
    - job: trufflehog_scan
      artifacts: true
  script:
    - python snippets/secrets/secret-gate-aggregate.py
  allow_failure: false
```

## Example aggregation logic

The aggregation script should:

1. load JSON artifacts from Gitleaks and TruffleHog;
2. count verified findings and untriaged findings;
3. optionally map detector types to business severity;
4. exit non-zero when blocking thresholds are exceeded.

See [secret-gate-aggregate.py](https://github.com/D3One/Product-Security-Gitbook/blob/main/snippets/secrets/secret-gate-aggregate.py).
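One way to implement those four steps, written here as an added example rather than the repository's own `secret-gate-aggregate.py`; it assumes the Gitleaks field names `RuleID`/`Fingerprint`, the TruffleHog field names `DetectorName`/`Verified`/`Raw`, and an illustrative `HIGH_CONFIDENCE` detector set, all of which should be checked against your scanner versions and rule sets:

```python
import hashlib
import json
from dataclasses import dataclass

# Detectors treated as "high-confidence cloud credential" (assumed names; map to your own rules).
HIGH_CONFIDENCE = {"aws-access-token", "AWS", "gcp-api-key", "GCP"}

@dataclass
class GateResult:
    verified: int = 0         # fail immediately
    high_confidence: int = 0  # fail immediately
    untriaged: int = 0        # unverified and not allowlisted; fails only above a threshold
    allowlisted: int = 0      # approved false positives: pass but keep logged

    def exit_code(self, max_untriaged=0):
        # A non-zero exit is what makes the security_gate job fail the pipeline.
        return 1 if self.verified or self.high_confidence or self.untriaged > max_untriaged else 0

def parse_gitleaks(text):
    # Gitleaks JSON report is a list of findings; RuleID/Fingerprint are assumed field names.
    for f in json.loads(text or "[]"):
        yield f["RuleID"], f.get("Fingerprint", ""), False  # Gitleaks does not verify secrets

def parse_trufflehog(text):
    # TruffleHog emits one JSON object per line; DetectorName/Verified/Raw are assumed names.
    for f in map(json.loads, filter(str.strip, text.splitlines())):
        fp = f["DetectorName"] + ":" + hashlib.sha256(f.get("Raw", "").encode()).hexdigest()[:16]
        yield f["DetectorName"], fp, bool(f.get("Verified"))  # hashed: allowlist never stores raw value

def evaluate(findings, allowlist=frozenset()):
    r = GateResult()
    for detector, fp, verified in findings:  # classify under the threshold model above
        if fp in allowlist:
            r.allowlisted += 1
        elif verified:
            r.verified += 1
        elif detector in HIGH_CONFIDENCE:
            r.high_confidence += 1
        else:
            r.untriaged += 1
    return r

# Constructed sample artifacts (not real scanner output): one Gitleaks hit, two TruffleHog hits.
GITLEAKS_SAMPLE = json.dumps([{"RuleID": "generic-api-key", "Fingerprint": "abc123:config.py:7"}])
TRUFFLEHOG_SAMPLE = "\n".join(json.dumps(x) for x in [
    {"DetectorName": "AWS", "Verified": True, "Raw": "AKIA-EXAMPLE-PLACEHOLDER"},
    {"DetectorName": "Slack", "Verified": False, "Raw": "xoxb-example-placeholder"}])

def run_sample(allowlist=frozenset()):
    return evaluate([*parse_gitleaks(GITLEAKS_SAMPLE), *parse_trufflehog(TRUFFLEHOG_SAMPLE)], allowlist)
```

In the CI job, replace the constructed samples with the artifact files from the `needs:` jobs and call `sys.exit(result.exit_code())` so the threshold decision reaches GitLab.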

## Metrics that belong on the dashboard

* repositories with secret scanning enabled;
* median time to revocation;
* number of verified secret leaks per quarter;
* repeat leaks by team or service;
* mean time from finding to merge-fix;
* ratio of false positives to real findings.

## Cross-links

* [🔐 Repository Secret Scanning](/application-security-and-secure-sdlc/index-1/repository-secret-scanning.md)
* [GitLab CI YAML Deep Dive](/devsecops-cicd-and-supply-chain/index-1/gitlab-ci-yaml-deep-dive.md)
* [Gate Aggregation Scripts](/devsecops-cicd-and-supply-chain/index-1/gate-aggregation-scripts.md)
* [📈 Product Security Director Metrics](/metrics-audit-risk-evidence-and-compliance/index/product-security-director-metrics.md)
