О оценке секретного риска

About exposure to leaked secrets

Assessing your exposure to leaked secrets is crucial if you want to prevent:

• Exploitation by bad actors. Malicious actors can use leaked secrets such as API keys, passwords, and tokens to gain unauthorized access to systems, databases, and sensitive information. Leaked secrets can lead to data breaches, compromising user data and potentially causing significant financial and reputational damage. See industry examples and in-depth discussion in Understanding your organization's exposure to secret leaks in GitHub Executive Insights.

• Regulatory problems. Many industries have strict regulatory requirements for data protection, and leaked secrets can result in non-compliance with regulations, leading to legal penalties and fines.

• Service disruptions. Unauthorized access to systems can lead to service disruptions, impacting the availability and reliability of services provided to users.

• Loss of trust. Customers expect robust security measures to protect their data, and exposure to leaked secrets can erode trust and confidence in your organization's ability to safeguard information.

• Costly fallout. Addressing the fallout from leaked secrets can be costly, involving incident response efforts, security audits, and potential compensation for affected parties.

Regularly assessing your exposure to leaked secrets is good practice to help identify vulnerabilities, implement necessary security measures, and ensure that any compromised secrets are promptly rotated and invalidated.

About secret risk assessment

GitHub provides a secret risk assessment report that organization owners and security managers can generate to evaluate the exposure of an organization to leaked secrets. The secret risk assessment is an on-demand, point-in-time scan of the code within an organization that:

• Shows any leaked secrets within the organization
• Shows the kinds of secrets that are leaked outside the organization
• Provides actionable insights for remediation

The secret risk assessment report provides the following insights:

• Total secrets—Aggregate count of exposed secrets detected within the organization.
• Public leaks—Distinct secrets found in your organization's public repositories.
• Preventable leaks—Secrets that could have been protected, using GitHub Secret Protection features such as secret scanning and push protection.
• Secret locations—Locations that are scanned for the report. The free secret risk assessment scans only the code in your organization, including the code in archived repositories. You can extend the surface being scanned to cover content in pull requests, issues, wikis, and GitHub Discussions with GitHub Secret Protection.
• Secret categories—Distribution of the types of secrets that are leaked. Secrets can be partner secrets, which are strings that match secrets issued by service providers in our partner program, or generic secrets, which are non-provider patterns such as SSH keys, database connection strings, and JSON web tokens.
• Repositories with leaks—Repositories where leaked secrets were detected, out of all the repositories scanned.

Because the secret risk assessment report is based on your repositories, regardless of the enablement status of GitHub Secret Protection features, you can see your current exposure to leaked secrets, and understand better how GitHub can help you prevent future secret leaks.

Next steps

Now that you know about the secret risk assessment report, you may want to learn how to:

• Generate the report to see your organization risk. See Viewing the secret risk assessment report for your organization.
• Interpret the results of the report. See Interpreting secret risk assessment results.
• Enable GitHub Secret Protection to improve your secret leak footprint. See Choosing GitHub Secret Protection.