
About secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

Who can use this feature?

Secret scanning is available for the following repository types:

  • Organization-owned repositories with GitHub Advanced Security enabled
  • User-owned repositories for enterprises with GitHub Advanced Security enabled

About secret scanning

Secret scanning is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, secret scanning scans commits in repositories for known types of secrets and alerts repository administrators upon detection.

Secret scanning scans your entire Git history on all branches present in your GitHub repository for secrets, even if the repository is archived. When new supported secret types are added, GitHub also periodically runs a full Git history scan of existing content in repositories that have both GitHub Advanced Security and secret scanning enabled.

Additionally, secret scanning scans:

  • Descriptions and comments in issues
  • Titles, descriptions, and comments in open and closed historical issues
  • Titles, descriptions, and comments in pull requests
  • Titles, descriptions, and comments in GitHub Discussions
  • Secret gists. A notification is sent to the relevant partner when a partner pattern is detected in a secret gist.

When a supported secret is leaked, GitHub generates a secret scanning alert. Alerts are reported on the Security tab of repositories on GitHub, where you can view, evaluate, and resolve them. For more information, see Managing alerts from secret scanning.

For information about the secrets and service providers supported by secret scanning, see Supported secret scanning patterns.

You can use the REST API to monitor results from secret scanning across your repositories or organization. For more information about API endpoints, see REST API endpoints for secret scanning.

You can also use security overview to see an organization-level view of which repositories have enabled secret scanning and the alerts found. For more information, see About security overview.

You can audit the actions taken in response to secret scanning alerts using GitHub tools. For more information, see Auditing security alerts.

How secret scanning works

Below is a typical workflow that explains how secret scanning works:

  • Detection: Secret scanning automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.

  • Alerts: When a potential secret is detected, GitHub generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see About secret scanning alerts.

  • Review: When a secret is detected, you'll need to review the alert details provided.

  • Remediation: You then need to take appropriate action to remediate the exposure. This should always include rotating the affected credential to ensure it is no longer usable. It may also include removing the secret from the repository's history (using tools like git-filter-repo; see Removing sensitive data from a repository for more details), though this usually involves a heavy cost in time and effort and is typically unnecessary once the credentials have been revoked.

  • Monitoring: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
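The Detection and Alerts steps above describe pattern matching over repository contents and reporting where each match was found. The following added example, which is not GitHub's own scanner code, illustrates that idea in miniature: a small regex-based scanner runs a set of patterns over constructed sample file contents and reports the secret type and location of each hit while redacting the matched value. The provider pattern (prefix `exmpl_`) is a hypothetical token format, not a real provider's; the non-provider patterns (private key header, HTTP authorization header, connection string with an embedded password) are generic heuristics; and `CUSTOM_PATTERNS` stands in for the organization-defined patterns the page calls custom patterns.

```python
import re
from dataclasses import dataclass

# Default pattern set. "example_provider_token" is a CONSTRUCTED, hypothetical
# provider format (prefix "exmpl_" + 32 alphanumerics), not any real provider's.
# The remaining three are generic non-provider heuristics.
PATTERNS = {
    "example_provider_token": re.compile(r"\bexmpl_[A-Za-z0-9]{32}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "http_authorization_header": re.compile(
        r"(?i)authorization:\s*(?:bearer|basic)\s+[A-Za-z0-9._\-+/=]{16,}"
    ),
    "connection_string_password": re.compile(
        r"(?i)\b(?:postgres|postgresql|mysql|mongodb)://[^\s:/]+:[^\s@/]+@"
    ),
}

# A constructed organization-specific format, standing in for a custom pattern
# an organization would define for its own internal secrets.
CUSTOM_PATTERNS = {
    "acme_internal_key": re.compile(r"\bacme_sk_[0-9a-f]{24}\b"),
}


@dataclass(frozen=True)
class Finding:
    secret_type: str
    path: str
    line: int
    redacted: str  # only a short prefix of the match, so the report does not re-leak the secret


def redact(match: str) -> str:
    """Keep a 6-character prefix so an alert is recognizable without exposing the value."""
    return match[:6] + "..." if len(match) > 6 else "..."


def scan_blob(path: str, content: str, patterns=PATTERNS) -> list[Finding]:
    """Run every pattern over every line of one file; record type and line number per hit."""
    findings = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        for name, regex in patterns.items():
            for m in regex.finditer(text):
                findings.append(Finding(name, path, lineno, redact(m.group(0))))
    return findings


def scan_tree(files: dict[str, str], patterns=PATTERNS) -> list[Finding]:
    """Scan a mapping of path -> contents, as a scanner would walk a commit's tree."""
    out = []
    for path, content in files.items():
        out.extend(scan_blob(path, content, patterns))
    return out


# Constructed sample commit contents (not real files or credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "API_TOKEN = 'exmpl_" + "a" * 32 + "'\n"  # hypothetical provider token
        "DATABASE_URL = 'postgres://app:hunter2@db.internal:5432/app'\n"
        "INTERNAL_KEY = 'acme_sk_" + "0" * 24 + "'\n"  # only the custom pattern sees this
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES, {**PATTERNS, **CUSTOM_PATTERNS}):
        print(f"{f.path}:{f.line}: {f.secret_type} ({f.redacted})")
```

With only the default patterns the scan reports three findings; merging in `CUSTOM_PATTERNS` adds a fourth for the internal key format, which is the gap custom patterns are meant to close. Reporting a redacted prefix rather than the full match mirrors the point that an alert should identify the secret's type and location without copying the credential into yet another place.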

About the benefits of secret scanning

  • Enhanced security: Secret scanning scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.

  • Automated detection: The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves.

  • Real-time alerts: When a secret is detected, secret scanning provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.

  • Custom pattern support: Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.

  • Ability to detect non-provider patterns: You can expand the detection to include non-provider patterns such as connection strings, authentication headers, and private keys, for your repository or organization.

Customizing secret scanning

Once secret scanning is enabled, you can customize it further:

Detection of non-provider patterns

Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see Enabling secret scanning for non-provider patterns.

Performing validity checks

Validity checks help you prioritize alerts by telling you which secrets are active or inactive. For more information, see Evaluating alerts from secret scanning.
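The page mentions monitoring secret scanning results through the REST API and prioritizing alerts by their validity. The added example below, which is not GitHub's own tooling, puts the two together: `fetch_org_alerts` requests an organization's alerts from the `GET /orgs/{org}/secret-scanning/alerts` endpoint, and `prioritize` orders alerts so open, still-active credentials come first. The alert records in `SAMPLE_ALERTS` are constructed; their field names (`state`, `validity`, `secret_type`, `created_at`, `repository`) follow the secret scanning alert response as the REST API documents it, which is an assumption of this example rather than something the page itself lists. The network call is not made in the offline demo.

```python
import json
import urllib.request

API_ROOT = "https://api.github.com"


def fetch_org_alerts(org: str, token: str, state: str = "open") -> list[dict]:
    """Fetch secret scanning alerts for an organization.

    Uses GET /orgs/{org}/secret-scanning/alerts with the standard GitHub REST
    headers. The token must carry permission to read the organization's
    secret scanning alerts. Not invoked in the offline demo below.
    """
    url = f"{API_ROOT}/orgs/{org}/secret-scanning/alerts?state={state}&per_page=100"
    req = urllib.request.Request(
        url,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Lower rank = handle sooner. A credential known to be live is the most urgent;
# one whose validity could not be checked still needs rotation; an inactive one is lowest.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}


def validity_of(alert: dict) -> str:
    """Treat a missing or null validity field as 'unknown'."""
    return alert.get("validity") or "unknown"


def prioritize(alerts: list[dict]) -> list[dict]:
    """Open alerts before resolved ones; active before unknown before inactive;
    ties broken by oldest first, since the older alert has been exposed longest."""
    def key(a: dict):
        return (
            0 if a.get("state") == "open" else 1,
            VALIDITY_RANK.get(validity_of(a), 1),
            a.get("created_at", ""),
        )
    return sorted(alerts, key=key)


def summarize_open(alerts: list[dict]) -> dict[str, int]:
    """Count open alerts per validity value, for a quick organization-level view."""
    counts: dict[str, int] = {}
    for a in alerts:
        if a.get("state") != "open":
            continue
        v = validity_of(a)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample alert records (not real alerts, repositories, or secrets).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "validity": "inactive", "secret_type": "example_provider_token",
     "created_at": "2024-03-01T10:00:00Z", "repository": {"full_name": "acme/web"}},
    {"number": 2, "state": "open", "validity": "active", "secret_type": "example_provider_token",
     "created_at": "2024-02-10T10:00:00Z", "repository": {"full_name": "acme/api"}},
    {"number": 3, "state": "open", "validity": "active", "secret_type": "private_key",
     "created_at": "2024-01-05T10:00:00Z", "repository": {"full_name": "acme/infra"}},
    {"number": 4, "state": "resolved", "validity": "inactive", "resolution": "revoked",
     "secret_type": "example_provider_token", "created_at": "2023-12-01T10:00:00Z",
     "repository": {"full_name": "acme/web"}},
    {"number": 5, "state": "open", "validity": None, "secret_type": "connection_string",
     "created_at": "2024-02-20T10:00:00Z", "repository": {"full_name": "acme/batch"}},
]

if __name__ == "__main__":
    print("open alerts by validity:", summarize_open(SAMPLE_ALERTS))
    for a in prioritize(SAMPLE_ALERTS):
        print(f"#{a['number']:<3} {a['state']:<9} {validity_of(a):<9} "
              f"{a['secret_type']:<24} {a['repository']['full_name']}")
```

To run it against a real organization, replace `SAMPLE_ALERTS` with `fetch_org_alerts("your-org", token)` and add pagination if the organization has more than one page of alerts. Sorting open and active alerts to the top reflects the Remediation step earlier on the page: rotation of a live credential is the action that removes the exposure, so those alerts are the ones to work first.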

Defining custom patterns

Define your own patterns for secrets used by your organization that secret scanning can scan for and detect. For more information, see Defining custom patterns for secret scanning.

Further reading