GitHub provides a secret risk assessment report that organization owners and security managers can generate to evaluate the exposure of an organization to leaked secrets. The secret risk assessment is an on-demand, point-in-time scan of the code within an organization that:
- Shows any leaked secrets within the organization
- Shows the kinds of secrets that are leaked outside the organization
- Provides actionable insights for remediation

For more information about the report, see About the secret risk assessment.
You can generate the secret risk assessment report for your organization, review it, and export the results to CSV.
Note
The secret risk assessment report is currently in public preview and subject to change. If you have feedback or questions, please join the discussion in GitHub Community – we’re listening.
Generating an initial secret risk assessment
- On GitHub, navigate to the main page of the organization.
- Under your organization name, click Security.
- In the sidebar, under "Security", click Assessments.
- To generate the secret risk assessment, click Scan your organization.
If you're an organization owner and you've opted in to email notifications, GitHub will send you an email to let you know when the report is ready to view.
Rerunning the secret risk assessment
Tip
You can only generate the report once every 90 days. We recommend that you implement GitHub Secret Protection for continuous secret monitoring and prevention. See Choosing GitHub Secret Protection.
- On GitHub, navigate to the main page of the organization.
- Under your organization name, click Security.
- In the sidebar, under "Security", click Assessments.
- Towards the top right side of the existing report, click .
- Select Rerun scan.
If you're an organization owner and you've opted in to email notifications, GitHub will send you an email to let you know when the report is ready to view.
Viewing the secret risk assessment
- On GitHub, navigate to the main page of the organization.
- Under your organization name, click Security.
- In the sidebar, under "Security", click Assessments. You can see the most recent report on this page.
Exporting the secret risk assessment to CSV
- On GitHub, navigate to the main page of the organization.
- Under your organization name, click Security.
- In the sidebar, under "Security", click Assessments.
- Towards the top right side of the report, click .
- Select Download CSV.
The secret risk assessment CSV file includes the following information.
| CSV column | Name | Description |
|---|---|---|
| A | Organization Name | The name of the organization the secret was detected in |
| B | Name | The token name for the type of secret |
| C | Slug | The normalized string for the token. This corresponds to Token in the table of supported secrets. See Supported secret scanning patterns. |
| D | Push Protected | A boolean to indicate whether the secret would be detected and blocked by push protection if it were enabled |
| E | Non-Provider Pattern | A boolean to indicate whether the secret matched a non-provider pattern and would generate an alert if secret scanning with non-provider patterns were enabled |
| F | Secret Count | An aggregate count of the active and inactive secrets found for the token type |
| G | Repository Count | An aggregate count of distinct repositories in which the secret type was found, including public, private, internal, and archived repositories |
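The column layout above is enough to triage an export with a short script. The following is an added example, not GitHub's own code: it parses a CSV with the documented columns, totals the secrets that push protection would and would not have blocked, and orders token types for remediation. The sample rows, organization name and slugs are constructed for illustration, and the literal spelling of the boolean columns ("true"/"false") is an assumption, so the parser accepts a few common variants. Note that Repository Count is a distinct count per token type, so the script reports it per type rather than summing it across types.

```python
"""Triage helper for a secret risk assessment CSV export (added example)."""
import csv
import io

# Constructed sample export; the header follows the documented column names.
# Organization name, slugs and counts are illustrative, not real data.
SAMPLE_CSV = """Organization Name,Name,Slug,Push Protected,Non-Provider Pattern,Secret Count,Repository Count
example-org,GitHub Personal Access Token,github_personal_access_token,true,false,4,3
example-org,AWS Access Key ID,aws_access_key_id,true,false,2,2
example-org,Generic Password,generic_password,false,true,9,5
example-org,HTTP Basic Authentication Header,http_basic_authentication_header,false,true,1,1
"""

# Assumption: booleans are exported as true/false; accept common variants.
TRUE_VALUES = {"true", "1", "yes", "y"}


def parse_bool(value):
    """Case-insensitive boolean parse for the Push Protected / Non-Provider columns."""
    return value.strip().lower() in TRUE_VALUES


def parse_report(text):
    """Parse the CSV text into a list of typed row dicts, one per token type."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "org": raw["Organization Name"],
            "name": raw["Name"],
            "slug": raw["Slug"],
            "push_protected": parse_bool(raw["Push Protected"]),
            "non_provider": parse_bool(raw["Non-Provider Pattern"]),
            "secret_count": int(raw["Secret Count"]),
            "repository_count": int(raw["Repository Count"]),
        })
    return rows


def summarize(rows):
    """Totals split by whether push protection would have blocked the type.

    Repository Count is distinct per token type, so summing it across types
    would double count; the widest spread of any single type is reported instead.
    """
    blocked = sum(r["secret_count"] for r in rows if r["push_protected"])
    not_blocked = sum(r["secret_count"] for r in rows if not r["push_protected"])
    non_provider = sum(r["secret_count"] for r in rows if r["non_provider"])
    return {
        "total_secrets": blocked + not_blocked,
        "blocked_by_push_protection": blocked,
        "not_blocked_by_push_protection": not_blocked,
        "non_provider_pattern_secrets": non_provider,
        "max_repositories_for_one_type": max(
            (r["repository_count"] for r in rows), default=0
        ),
    }


def remediation_priority(rows):
    """Token type slugs in remediation order: types push protection would not
    block come first, then higher secret counts, then wider repository spread."""
    ordered = sorted(
        rows,
        key=lambda r: (r["push_protected"], -r["secret_count"], -r["repository_count"]),
    )
    return [r["slug"] for r in ordered]


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)
    for key, value in summarize(report).items():
        print(f"{key}: {value}")
    print("remediation order:", ", ".join(remediation_priority(report)))
```

To run it against a real export, replace SAMPLE_CSV with the contents of the downloaded file; the types listed first by remediation_priority are the ones that enabling push protection alone would not stop, which is where rotation and non-provider pattern scanning matter most.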
Next steps
Now that you've generated the secret risk assessment for your organization, learn how to interpret the results. See Interpreting secret risk assessment results.