Organizing remediation efforts for leaked secrets

Systematically organize and manage the remediation of leaked secrets using security campaigns and alert assignments.

Кто может использовать эту функцию?

Organization owners, security managers, and users with the admin role

В этой статье

Introduction

In this tutorial, you'll organize remediation efforts for leaked secrets. You'll learn how to:

  • Create security campaigns to track remediation work
  • Assign alerts based on ownership
  • Monitor remediation progress
  • Communicate with stakeholders

Prerequisites

Step 1: Review your secret scanning alerts

Before taking action, you need to understand the current state of your organization's security alerts.

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the left sidebar, under "Alerts", click the symbol to the right of Secret scanning.

  4. In the dropdown list, select Default. Default relates to supported patterns and specified custom patterns.

  5. Alternatively, you can select Generic to review unstructured secrets like passwords. However, generic patterns typically produce more false positives than default patterns, so consider reviewing these alerts after addressing higher-priority leaks.

  6. Review the total number of open alerts and repositories affected.

  7. Use filters to identify the most urgent alerts and prioritize your remediation efforts.

    • To show leaks in public repositories, use publicly-leaked.
    • To show secret leaks found in more than one repository within the same organization or enterprise, use is:multi-repository.
    • To show secrets that are still valid, use validity:active.
    • To filter by specific service credentials (AWS, Azure, GitHub), use provider:.
    • To filter by specific token types, use secret-type:.

  8. Optionally, in the sidebar under "Metrics," click Secret scanning to see:

    • Secret types that have been blocked or bypassed most frequently
    • Repositories with the most blocked pushes or bypasses

Step 2: Create a security campaign

You can set up a security campaign to organize and track your remediation work across repositories.

  1. Navigate to your organization and click Security.
  2. On the left panel, select Campaigns.
  3. Click Create campaign , then either:
    • Select a pre-defined Secrets campaign template.
    • Use custom filters to target specific alerts (for example, is:open provider:azure or is:open validity:active).
  4. Review the alerts (maximum 1000) and adjust filters if needed.
  5. Click Save as and choose Publish campaign.
  6. Fill out your campaign information, then click Publish campaign.

Step 3: Assign alerts to team members

After creating your campaign, you'll want to assign individual alerts to the developers responsible for fixing them.

  1. On your campaign page, click to expand a repository and view its alerts.
  2. Click an alert to open its details page.
  3. In the right sidebar, click Assignees.
  4. Select a developer you want to fix the alert. Typically, this is the person who committed the secret or the repository administrator where the leak is detected. They must have write access.

Step 4: Monitor remediation progress

Once alerts are assigned, you need to regularly track your campaign's progress to ensure timely completion.

  1. On your campaign page, review the campaign summary. You'll see:
    • Campaign progress: How many alerts are closed (fixed or dismissed) or still left to review
    • Status: How many days until the campaign's due date
  2. You can explore campaign details:
    • Expand any repository to see its progress in alert remediation.
    • Set Group by to None to show a list of all alerts.
    • Use filters to focus on specific repositories or alerts.
  3. Identify areas needing attention based on repositories with the most open alerts or no recent progress, then reach out to support those repository maintainers or assignees.

Step 5: Communicate with stakeholders

Throughout the remediation process, you should keep stakeholders informed with regular progress updates. You can use information from your campaign dashboard to help you generate these updates.

  1. Navigate to the campaign dashboard.
  2. Identify the information you want to include in your reports. Consider these key metrics:
    • Alerts resolved this week
    • Remaining open alerts
    • On-track vs. at-risk items
    • Notable achievements or blockers
  3. Incorporate the metrics into your update, then distribute via email, Slack, Teams, or security meetings.

Step 6: Document remediation procedures

Finally, you should create standardized procedures to make future remediation efforts more efficient.

  1. Develop secret-type-specific guides. For example:
    • AWS credentials: How to rotate access keys and update services
    • GitHub tokens: How to revoke and regenerate Personal Access Tokens
    • API keys: Service-specific rotation procedures
    • Database credentials: Safe rotation without service disruption
  2. Create a remediation checklist.
    1. Verify the secret is actually leaked.
    2. Determine if the secret is still active.
    3. Revoke or rotate the compromised secret.
    4. Update all systems using the old secret.
    5. Test that systems function with new credentials.
    6. Document the incident and remediation steps.
    7. Mark the alert as resolved.
  3. Establish escalation paths.
    • Define when to escalate to security leadership.
    • Identify subject matter experts for different secret types.
    • Create incident response procedures for critical leaks.