Secret scanning for non-provider patterns [Public Beta] (#44908)

Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Courtney Claessens <courtneycl@github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
2025-12-19 18:10:59 -05:00 · 2023-11-03 21:39:36 +00:00
parent 91a64f0edc
commit 79fb607375
7 changed files with 123 additions and 11 deletions
--- a/assets/images/help/repository/secret-scanning-click-other-button.png
+++ b/assets/images/help/repository/secret-scanning-click-other-button.png
--- a/content/code-security/secret-scanning/about-secret-scanning.md
+++ b/content/code-security/secret-scanning/about-secret-scanning.md
@@ -38,10 +38,11 @@ Additionally, {% data variables.product.prodname_secret_scanning %} scans the ti

 1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below.

-1. **{% data variables.secret-scanning.user_alerts_caps %}.** {% ifversion fpt %}The following users can enable and configure additional scanning:
-   - Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own.
-   - Organizations owning _public_ repositories, on any of these repositories.
-   - Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositorites when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %}
+1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}.
+   {% ifversion fpt %}The following users can enable and configure additional scanning:
+      - Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own.
+      - Organizations owning _public_ repositories, on any of these repositories.
+      - Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositorites when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %}

  Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %}

@@ -79,7 +80,7 @@ You cannot change the configuration of {% data variables.product.prodname_secret

 {% ifversion ghes or ghae %}{% data variables.secret-scanning.user_alerts_caps %} is available on all organization-owned repositories as part of {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories.{% endif %}{% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts_caps %} are available for free on all public repositories{% endif %}{% ifversion fpt %}.{% endif %}{%ifversion ghec %}, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %}

-{% ifversion secret-scanning-issue-body-comments %}{% data reusables.secret-scanning.scan-issue-description-and-comments %}{% endif %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings. {% endif %}For more information, see "{% ifversion fpt or ghec %}[Supported secrets for user alerts](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-user-alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns){% endif %}."
+{% ifversion secret-scanning-issue-body-comments %}{% data reusables.secret-scanning.scan-issue-description-and-comments %}{% endif %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}."

 If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes or ghae %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."

--- a/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
+++ b/content/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories.md
@@ -51,17 +51,33 @@ You can also enable {% data variables.product.prodname_secret_scanning %} for mu

   ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}

+{% ifversion secret-scanning-non-provider-patterns %}
+
+1. Optionally, if you want to enable the detection of non-provider patterns, click **Scan for non-provider patterns**. For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning %} alerts](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}."
+
+   {% data reusables.secret-scanning.non-provider-patterns-beta %}
+
+{% endif %}
+
 {% ifversion secret-scanning-push-protection %}
+
 1. Optionally, if you want to enable push protection, click **Enable** to the right of "Push protection." {% data reusables.secret-scanning.push-protection-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
-   ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section. Next to an indented item marked "Push protection," the "Enable" button is highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-enable-push-protection.png)
+
+   ![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section. The "Enable" button is highlighted in a dark orange outline in the "Push protection" section.](/assets/images/help/repository/secret-scanning-enable-push-protection.png)
+
 {% endif %}
 {% ifversion ghae %}
 1. Before you can enable {% data variables.product.prodname_secret_scanning %}, you need to enable {% data variables.product.prodname_GH_advanced_security %} first. To the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**.
+
   ![Enable {% data variables.product.prodname_GH_advanced_security %} for your repository.](/assets/images/enterprise/github-ae/repository/enable-ghas-ghae.png)
+
 1. Click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository** to confirm the action.
+
   ![Confirm enabling {% data variables.product.prodname_GH_advanced_security %} for your repository.](/assets/images/enterprise/github-ae/repository/enable-ghas-confirmation-ghae.png)
+
 1. To the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Enable**.
   ![Enable {% data variables.product.prodname_secret_scanning %} for your repository.](/assets/images/enterprise/github-ae/repository/enable-secret-scanning-ghae.png)
+
 {% endif %}

 {% ifversion fpt %}
@@ -105,7 +121,7 @@ You can configure a _secret_scanning.yml_ file to exclude directories from {% da

    {% endnote %}

-You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#managing-secret-scanning-alerts)."
+You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."

 {% ifversion not fpt %}

--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
@@ -22,8 +22,15 @@ shortTitle: Manage secret alerts

 {% data reusables.secret-scanning.beta %}

+{% ifversion secret-scanning-non-provider-patterns %}
+
+## Managing alerts from high confidence patterns
+
+{% else %}
+
 ## Managing {% data variables.secret-scanning.alerts %}

+{% endif %}
 {% ifversion fpt or ghec %}
 {% note %}

@@ -41,8 +48,14 @@ shortTitle: Manage secret alerts

   {% data reusables.secret-scanning.validity-check-partner-patterns-enabled %}
 {% endif %}
-1. Under "{% data variables.product.prodname_secret_scanning_caps %}" click the alert you want to view. {% ifversion secret-scanning-validity-check-partner-patterns %}
-1. Optionally, to perform a validity check on the token, on the top right-hand side of the alert, click {% octicon "sync" aria-hidden="true" %} **Verify secret**. For more information, see "[Validating partner patterns](#validating-partner-patterns)." <br><br>
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.{% ifversion secret-scanning-non-provider-patterns %}
+   {% note %}
+
+   **Note:** The **High confidence** view is the default view for the list of {% data variables.product.prodname_secret_scanning %} alerts. If the detection of non-provider patterns is enabled for your repository or organization, you'll need to use a different view to be able to see non-provider alerts. For more information, see "[Managing alerts from non-provider patterns](#managing-alerts-from-non-provider-patterns)" below.
+
+   {% endnote %}
+   {% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}
+1. Optionally, to perform a validity check on the token, on the top right-hand side of the alert, click {% octicon "sync" aria-hidden="true" %} **Verify secret**. For more information, see "[Validating partner patterns](#validating-partner-patterns)."
   {% note %}

   **Note:** You can only perform on-demand validity checks for patterns detected in the repository if automatic validity checks have been enabled for the repository. For more information, see "[Allowing validity checks for partner patterns in a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository)."
@@ -72,6 +85,37 @@ shortTitle: Manage secret alerts
 1. Click **Close alert**.
 {% endif %}

+{% ifversion secret-scanning-non-provider-patterns %}
+
+## Managing alerts from non-provider patterns
+
+{% data reusables.secret-scanning.non-provider-patterns-beta %}
+
+Non-provider patterns are patterns such as private keys, and have a higher rate of false positive than high confidence patterns.
+
+As an organization owner, or repository administrator, you need to enable the detection of non-provider patterns in your organization or repository for {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
+
+Non-provider alerts are different from high confidence alerts. Non-provider alerts:
+
+- Are not shown in security overview.
+- Are listed in a different view from high confidence alerts. That view is called "Other".
+- Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %}.
+- Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts).
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-security %}
+1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
+1. On the top right corner of the list of {% data variables.product.prodname_secret_scanning %} alerts, click **Other**.
+
+   ![Screenshot of the list of {% data variables.product.prodname_secret_scanning %} alerts. A button, titled "Other", is highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-click-other-button.png)
+
+1. Click the alert you want to view.
+1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.
+1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline.
+1. Click **Close alert**.
+
+{% endif %}
+
 {% ifversion secret-scanning-validity-check-partner-patterns %}

 ## Validating partner patterns
--- a/content/code-security/secret-scanning/secret-scanning-patterns.md
+++ b/content/code-security/secret-scanning/secret-scanning-patterns.md
@@ -49,6 +49,17 @@ Partner alerts are alerts that are sent to the secret providers whenever a secre

 {% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}.

+{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types:
+
+- High confidence alerts, which relate to supported patterns and specified custom patterns.
+- Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
+
+{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[Managing alerts from non-provider patterns](/code-security/secret-scanning/managing-alerts-from-secret-scanning#managing-alerts-from-non-provider-patterns)."
+
+{% data reusables.secret-scanning.non-provider-patterns-beta %}
+
+{% endif %}
+
 You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %}

 {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
@@ -82,11 +93,41 @@ Push protection alerts are user alerts that are reported by push protection. {%
 This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token{% ifversion secret-scanning-validity-check %}, as well as whether a validity check is performed on the token{% endif %}.
 - **Provider**—name of the token provider.{% ifversion fpt or ghec %}
 - **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
- **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}{% ifversion ghes or ghae %}
- **{% data variables.product.prodname_secret_scanning_caps %} alert**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% ifversion secret-scanning-push-protection %}
+- **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}
+  - Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %}, {% data variables.product.prodname_secret_scanning %}.
+  - Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
+  - For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
+  {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes or ghae %}
+- **{% data variables.product.prodname_secret_scanning_caps %} alert**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}
+  - Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
+  - Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% else %} Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% endif %}
+{% ifversion secret-scanning-push-protection %}
 - **Push protection**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.{% endif %}{% ifversion secret-scanning-validity-check %}
 - **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes > 3.8 %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}{% endif %}

+{% ifversion secret-scanning-non-provider-patterns %}
+
+### Non-provider patterns
+
+{% data reusables.secret-scanning.non-provider-patterns-beta %}
+
+| Provider | Token |
+|----------|:--------------------|
+|  Generic | http_basic_authentication_header |
+|  Generic | http_bearer_authentication_header |
+|  Generic | mongodb_connection_string |
+|  Generic | mysql_connection_string |
+|  Generic | openssh_private_key |
+|  Generic | pgp_private_key |
+|  Generic | postgres_connection_string |
+|  Generic | rsa_private_key |
+
+Push protection and validity checks are not supported for non-provider patterns.
+
+### High confidence patterns
+
+{% endif %}
+
 <!-- FPT version of table -->
 {% ifversion fpt %}

--- a/data/features/secret-scanning-non-provider-patterns.yml
+++ b/data/features/secret-scanning-non-provider-patterns.yml
@@ -0,0 +1,5 @@
+# Reference: #10154.
+# Secret scanning for non-provider patterns [Public Beta]
+versions:
+  ghec: '*'
+  ghes: '>3.12'
--- a/data/reusables/secret-scanning/non-provider-patterns-beta.md
+++ b/data/reusables/secret-scanning/non-provider-patterns-beta.md
@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** The detection of non-provider patterns is currently in beta and subject to change.
+
+{% endnote %}