About types of alerts
There are three types of secret scanning alerts:
- Secret scanning alerts: reported to users in the Security tab of the repository when a supported secret is detected in the repository.
- Push protection alerts: reported to users in the Security tab of the repository when a contributor bypasses push protection.
- Partner alerts: reported directly to the secret provider, when that provider belongs to the secret scanning partner program. These alerts are not reported in the Security tab of the repository.
About user alerts
When GitHub detects a supported secret in a repository that has secret scanning enabled, a user alert is generated and displayed in the Security tab of the repository.
User alerts can be of the following types:
- Default alerts, which relate to supported patterns and specified custom patterns.
- Generic alerts, which can have a higher ratio of false positives or secrets used in tests.
GitHub displays generic alerts in a separate list from default alerts, which makes triaging easier for users. For more information, see Viewing and filtering alerts from secret scanning.
If access to a resource requires paired credentials, secret scanning creates an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives, because both elements of the pair must be used together to access the provider's resource.
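As an added illustration of the pair-matching rule described above (this is example code written for this page, not GitHub's scanner, and the "example_token" and "example_cloud" patterns are hypothetical, not real provider formats), the scanner below reports a single-token secret wherever it appears but reports a paired credential only when both halves sit in the same file:

```python
import re
from dataclasses import dataclass

# Hypothetical patterns constructed for this example; not GitHub's real provider patterns.
SINGLE_PATTERNS = {
    "example_token": re.compile(r"\bextok_[A-Za-z0-9]{16}\b"),
}
PAIR_PATTERNS = {
    "example_cloud": (
        re.compile(r"\bEXC[A-Z0-9]{8}\b"),        # access key id half (hypothetical)
        re.compile(r"\bexcs_[A-Za-z0-9]{20}\b"),  # secret half (hypothetical)
    ),
}

@dataclass(frozen=True)
class Alert:
    path: str
    secret_type: str
    line: int

def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1

def scan_file(path: str, text: str) -> list[Alert]:
    alerts = []
    for name, pat in SINGLE_PATTERNS.items():
        for m in pat.finditer(text):
            alerts.append(Alert(path, name, _line_of(text, m.start())))
    for name, (id_pat, secret_pat) in PAIR_PATTERNS.items():
        id_hit, secret_hit = id_pat.search(text), secret_pat.search(text)
        # A partial leak (only one half present in this file) is deliberately not reported.
        if id_hit and secret_hit:
            first = min(id_hit.start(), secret_hit.start())
            alerts.append(Alert(path, name, _line_of(text, first)))
    return alerts

def scan_repo(files: dict[str, str]) -> list[Alert]:
    # Each file is evaluated on its own: pair halves in different files never combine.
    return [a for path, text in files.items() for a in scan_file(path, text)]

# Constructed sample repository contents (not real secrets).
SAMPLE_REPO = {
    "config.py": "TOKEN = 'extok_abcdefghijklmnop'\nID = 'EXCABCD1234'\n",
    "secrets.env": "EXC_ID=EXCABCD1234\nEXC_SECRET=excs_abcdefghijklmnopqrst\n",
    "other.env": "EXC_SECRET=excs_zzzzzzzzzzzzzzzzzzzz\n",
}

if __name__ == "__main__":
    for alert in scan_repo(SAMPLE_REPO):
        print(alert)
```

Running it reports the token in config.py and the complete pair in secrets.env; the lone key id in config.py and the lone secret in other.env produce no alert.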
About push protection alerts
Push protection scans pushes for supported secrets. If push protection detects a supported secret, it blocks the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the Security tab of the repository. To see all push protection alerts for a repository, you must filter by bypassed: true on the alerts page. For more information, see Viewing and filtering alerts from secret scanning.
Note
You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to any public repository. Alerts are not created if you bypass only your user-based push protection. Alerts are created only if the repository itself has push protection enabled. For more information, see Push protection for users.
Push protection may not support some legacy tokens, because these tokens can generate a higher number of false positives than their latest versions. Push protection may also not apply to older tokens. For tokens such as Azure Storage keys, GitHub supports only recently created tokens, not tokens that match legacy patterns. For more information about push protection limitations, see Troubleshooting secret scanning.
About partner alerts
When GitHub detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of GitHub's secret scanning partner program. For more information about secret scanning alerts for partners, see Secret scanning partner program and Supported secret scanning patterns.
Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert.