# Secret and PII Scanning

OX scans your environment for exposed secrets and sensitive information across source code, Git history, containers, runtime assets, and CI/CD systems.

Different organizations often require different detection behavior depending on their environment, development practices, and security requirements.

For example:

* Development teams may intentionally use mock credentials or placeholder values that should not generate findings
* Organizations may use proprietary token structures or internal credentials that are not recognized by OX by default
* Security teams may want to focus remediation efforts only on active and exploitable credentials

OX allows you to adapt secret and PII detection behavior to your organization's needs.

Custom detection and exclusion patterns apply across supported OX scanning engines.

| Area               | Supported detections                           |
| ------------------ | ---------------------------------------------- |
| Secrets scan       | Secrets and PII in code and Git history        |
| CI/CD posture      | Secrets echoed in workflow logs                |
| Container security | Secrets and PII in containers                  |
| Cloud context      | Secrets and PII in runtime and cloud functions |

## Common security goals

| Goal                                                      | Recommended capability              |
| --------------------------------------------------------- | ----------------------------------- |
| Ignore development-only credentials or placeholder values | Exclude Secret/PII Patterns         |
| Reduce repeated false positives                           | Exclude Secret/PII Patterns         |
| Detect proprietary API tokens or internal credentials     | Custom Secret/PII Pattern Detection |
| Detect organization-specific PII formats                  | Custom Secret/PII Pattern Detection |
| Prioritize active credentials over inactive secrets       | Secret Validation                   |

> Note: Use exclusions to suppress known false positives. Use custom detection to identify additional secrets or PII that OX does not currently recognize.

## Configuring secret and PII detection

1. Go to **Settings** > **Scan settings** > **Secrets**.

2. Enable the required option.

| Option                              | What it does                                                     |
| ----------------------------------- | ---------------------------------------------------------------- |
| Secret Validation                   | Checks whether supported detected secrets are active             |
| Exclude Secret/PII Patterns         | Prevents matching patterns from being reported as findings       |
| Custom Secret/PII Pattern Detection | Allows OX to detect organization-specific secret or PII patterns |

3. Configure the required exclusion or custom detection patterns in the relevant section.

Changes are applied automatically after they are updated.
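
One way to check a custom detection pattern and its exclusions against sample lines before entering them in OX. This is an added example, not OX code: it assumes patterns are written as regular expressions (this page does not specify the syntax), and the `acme_` token format, file paths and sample values are constructed for illustration.

```python
import re

# Assumptions: patterns are regular expressions, and "acme_<env>_<24 chars>"
# is a hypothetical internal token format (not an OX default).
DETECT = re.compile(r"\bacme_(?:live|test)_[A-Za-z0-9]{24}\b")
EXCLUDE = [
    re.compile(r"^acme_test_"),              # test-environment tokens
    re.compile(r"^acme_live_(?:EXAMPLE)+"),  # documentation placeholders
]
TOO_WIDE = re.compile(r"^acme_")             # exclusion that hides everything

# Constructed sample input: (path, line)
REAL = "acme_live_9fK2mQ7xT4bV8nR1cY6zL3pW"
SAMPLES = [
    ("app/config.py", f'API_TOKEN = "{REAL}"'),
    ("tests/fixtures.py", 'TOKEN = "acme_test_' + "0" * 24 + '"'),
    ("README.md", "export ACME_TOKEN=acme_live_" + "EXAMPLE" * 3 + "000"),
    ("app/util.py", 'prefix = "acme_live_short"'),  # too short to match
]

def triage(samples, detect=DETECT, exclude=EXCLUDE):
    """Return (path, token, status) for every custom-pattern match."""
    results = []
    for path, line in samples:
        for m in detect.finditer(line):
            token = m.group(0)
            hit = any(p.search(token) for p in exclude)
            results.append((path, token, "excluded" if hit else "report"))
    return results

def overbroad(exclude, must_report):
    """Exclusion patterns that would hide a token known to be real."""
    return [p.pattern for p in exclude
            if any(p.search(t) for t in must_report)]

if __name__ == "__main__":
    for path, token, status in triage(SAMPLES):
        print(f"{status:9} {path}: {token[:14]}...")
    # A too-wide exclusion silently drops the real credential:
    print(overbroad(EXCLUDE + [TOO_WIDE], [REAL]))
```

Running `overbroad` against a short list of tokens that must always be reported catches an exclusion that would suppress real findings along with the placeholders.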


