Defining custom patterns for secret scanning

Defining a custom pattern for a repository

Before defining a custom pattern, you must ensure that Secret Protection is enabled on your repository. For more information, see Enabling secret scanning for your repository.

1. On GitHub, navigate to the main page of the repository.

2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

   

3. In the "Security" section of the sidebar, click Advanced Security.

4. Under "Secret Protection", to the right of "Custom patterns", click New pattern.

5. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.

   1. In the "Pattern name" field, type a name for your pattern.
   2. In the "Secret format" field, type a regular expression for the format of your secret pattern.
   3. You can click More options to provide other surrounding content or additional match requirements for the secret format. See Custom patterns reference.
   4. Provide a sample test string to make sure your configuration is matching the patterns you expect.
   

6. When you're ready to test your new custom pattern, to identify matches in the repository without creating alerts, click Save and dry run.

7. When the dry run finishes, you'll see a sample of results (up to 1000). Review the results and identify any false positive results.

   

8. Edit the new custom pattern to fix any problems with the results, then, to test your changes, click Save and dry run.

9. When you're satisfied with your new custom pattern, click Publish pattern.

10. Optionally, to enable push protection for your custom pattern, click Enable. For more information, see About push protection.

    Note

    The "Enable" button isn't available until after the dry run succeeds and you publish the pattern.

After your pattern is created, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository. For more information on viewing secret scanning alerts, see Manage secret scanning alerts.

Defining a custom pattern for an organization

Before defining a custom pattern, you must ensure that you enable secret scanning for the repositories that you want to scan in your organization. You can use security configurations to enable secret scanning on all repositories in your organization. For more information, see About enabling security features at scale.

1. In the upper-right corner of GitHub, click your profile picture, then click Organizations.

2. Next to the organization, click Settings.

3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Global settings.

4. Under "Custom patterns", click New pattern.

5. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.

   1. In the "Pattern name" field, type a name for your pattern.
   2. In the "Secret format" field, type a regular expression for the format of your secret pattern.
   3. You can click More options to provide other surrounding content or additional match requirements for the secret format. See Custom patterns reference.
   4. Provide a sample test string to make sure your configuration is matching the patterns you expect.
   

6. When you're ready to test your new custom pattern, to identify matches in select repositories without creating alerts, click Save and dry run.

7. Select the repositories where you want to perform the dry run.

   • To perform the dry run across the entire organization, select All repositories in the organization.
   • To specify the repositories where you want to perform the dry run, select Selected repositories, then search for and select up to 10 repositories.

8. When you're ready to test your new custom pattern, click Run.

9. When the dry run finishes, you'll see a sample of results (up to 1000). Review the results and identify any false positive results.

   

10. Edit the new custom pattern to fix any problems with the results, then, to test your changes, click Save and dry run.

11. When you're satisfied with your new custom pattern, click Publish pattern.

12. Optionally, to enable push protection for your custom pattern, click Enable. For more information, see About push protection.

    Note

    • The option to enable push protection is visible for published patterns only.
    • Push protection for custom patterns will only apply to repositories in your organization that have secret scanning as push protection enabled.
    • Enabling push protection for commonly found custom patterns can be disruptive to contributors.

After your pattern is created, secret scanning scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. For more information on viewing secret scanning alerts, see Manage secret scanning alerts.

Defining a custom pattern for an enterprise account

Before defining a custom pattern, you must ensure that you enable secret scanning for your enterprise account. For more information, see Enabling GitHub Advanced Security products for your enterprise.

1. In the top-right corner of GitHub Enterprise Server, click your profile picture, then click Enterprise settings.

2. At the top of the page, click Policies.

3. Under "Policies", click Advanced Security.

4. Under "Advanced Security", click Security features.

5. Under "Secret scanning custom patterns", click New pattern.

6. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.

   1. In the "Pattern name" field, type a name for your pattern.
   2. In the "Secret format" field, type a regular expression for the format of your secret pattern.
   3. You can click More options to provide other surrounding content or additional match requirements for the secret format. See Custom patterns reference.
   4. Provide a sample test string to make sure your configuration is matching the patterns you expect.
   

7. When you're ready to test your new custom pattern, to identify matches in the enterprise without creating alerts, click Save and dry run.

8. Search for and select up to 10 repositories where you want to perform the dry run.

9. When you're ready to test your new custom pattern, click Run.

10. When the dry run finishes, you'll see a sample of results (up to 1000). Review the results and identify any false positive results.

    

11. Edit the new custom pattern to fix any problems with the results, then, to test your changes, click Save and dry run.

12. When you're satisfied with your new custom pattern, click Publish pattern.

13. Optionally, to enable push protection for your custom pattern, click Enable. For more information, see About push protection.

    Note

    • To enable push protection for custom patterns, secret scanning as push protection needs to be enabled at the enterprise level.
    • Enabling push protection for commonly found custom patterns can be disruptive to contributors.

After your pattern is created, secret scanning scans for any secrets in repositories within your organizations with GitHub Secret Protection enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing secret scanning alerts, see Manage secret scanning alerts.

Further reading

• Managing custom patterns
• Metrics for custom patterns