This release adds a more precise way to handle secrets scan results when you have a known, acceptable match that you do not want to keep seeing.
New Capabilities
You can now allowlist an individual secrets finding instead of ignoring the entire secrets check. This helps you keep the scan active while suppressing just the specific match you have reviewed.
The preflight ignore command now supports an optional path for secrets: use preflight ignore secrets [path] to add a one-off exception for a project-relative file path.
Allowlist entries support ** style globs, and can optionally include a fingerprint. When you pin a fingerprint, you will be alerted again if the matched value changes, and allowlisting one match will not hide other matches in the same file.
Documentation
Added guidance on allowlisting a single secrets finding, including why pinning a fingerprint is recommended and how path matching works.