When credentials like API keys and passwords are committed to repositories, they become targets for unauthorized access. Secret scanning automatically detects these exposed secrets so you can secure them before they're exploited.
Tip
At any time, you can run a free assessment of your organization's code for leaked secrets.
To generate a report, open the Security tab for your organization, display the Assessments page, then click Scan your organization.
How secret scanning protects your code
Secret scanning scans your entire Git history on all branches of your repository for API keys, passwords, tokens, and other known secret types. GitHub also periodically rescans repositories when new secret types are added.
GitHub also automatically scans:
- Descriptions and comments in issues
- Titles, descriptions, and comments in open and closed historical issues
- Titles, descriptions, and comments in pull requests
- Titles, descriptions, and comments in GitHub Discussions
- Wikis
- Secret gists
Secret scanning alerts and remediation
When secret scanning finds a potential secret, GitHub generates an alert on your repository's Security tab with details about the exposed credential.
Review the alert and rotate the affected credential immediately to ensure it can no longer be used. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.
Partner integration
GitHub partners with a large variety of service providers to validate detected secrets. When a partner secret is detected, we notify the provider so they can take action, such as revoking the credential. Partner secrets are reported directly to the provider and aren't displayed in your repository alerts. For more information, see Secret scanning partner program.
Customizability
Beyond the default detection of partner and provider secrets, you can expand and customize secret scanning to fit your needs.
- Non-provider patterns. Expand detection to secrets that aren't tied to a specific service provider, such as private keys, connection strings, and generic API keys.
- Custom patterns. Define your own regular expressions to detect organization-specific secrets that aren't covered by default patterns.
- Validity checks. Prioritize remediation by checking whether detected secrets are still active.
- Copilot secret scanning. Use AI to detect unstructured secrets like passwords, or to generate regular expressions for custom patterns.
How can I access this feature?
Secret scanning is available for the following repository types:
- Public repositories: Secret scanning runs automatically for free.
- Organization-owned private and internal repositories: Available with GitHub Secret Protection enabled on GitHub Team or GitHub Enterprise Cloud.
- User-owned repositories: Available on GitHub Enterprise Cloud with Enterprise Managed Users. Available on GitHub Enterprise Server when the enterprise has GitHub Secret Protection enabled.
Next steps
- If you've received an alert, see Manage secret scanning alerts to learn how to review, resolve, and remediate exposed secrets.
- If you're securing an organization, see Running the secret risk assessment for your organization to determine your organization's exposure to leaked secrets.
Further reading
- For a complete list of supported secrets and service providers, see Supported secret scanning patterns.