When credentials like API keys and passwords are committed to repositories, they become targets for unauthorized access. Secret scanning automatically detects these exposed secrets so you can secure them before they're exploited.
How secret scanning protects your code
Secret scanning scans your entire Git history on all branches of your repository for API keys, passwords, tokens, and other known secret types. GitHub also periodically rescans repositories when new secret types are added.
GitHub also automatically scans:
- Descriptions and comments in issues
- Titles, descriptions, and comments, in open and closed historical issues
- Titles, descriptions, and comments in pull requests
- Titles, descriptions, and comments in GitHub Discussions
- Secret gists
注意
The scanning of content in pull requests and GitHub Discussions is currently in beta and subject to change.
Secret scanning alerts and remediation
When secret scanning finds a potential secret, GitHub generates an alert on your repository's Security tab with details about the exposed credential.
Review the alert and rotate the affected credential immediately to ensure it can no longer be used. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.
Customizability
Beyond the default detection of partner and provider secrets, you can expand and customize secret scanning to fit your needs.
- Non-provider patterns. Expand detection to secrets that aren't tied to a specific service provider, such as private keys, connection strings, and generic API keys.
- Custom patterns. Define your own regular expressions to detect organization-specific secrets that aren't covered by default patterns.
- Validity checks. Prioritize remediation by checking whether detected secrets are still active.
How can I access this feature?
Secret scanning is available for the following repository types:
- Public repositories: Secret scanning runs automatically for free.
- Organization-owned private and internal repositories: Available with GitHub Advanced Security enabled on GitHub Team or GitHub Enterprise Cloud.
- User-owned repositories: Available on GitHub Enterprise Cloud with Enterprise Managed Users. Available on GitHub Enterprise Server when the enterprise has GitHub Advanced Security enabled.
Next steps
- If you've received an alert, see Manage secret scanning alerts to learn how to review, resolve, and remediate exposed secrets.
Further reading
- For a complete list of supported secrets and service providers, see Supported secret scanning patterns.