mirror of synced 2025-12-23 21:07:12 -05:00

more edits

This commit is contained in:
Anne-Marie
2024-09-24 10:36:48 +00:00
parent e8b9cebfdf
commit 9bb8835411
3 changed files with 33 additions and 22 deletions

View File

@@ -21,25 +21,10 @@ allowTitleToDifferFromFilename: true
Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:
* For a compromised {% data variables.product.github %} {% data variables.product.pat_generic %}:
{% ifversion secret-scanning-report-secret-github-pat %}
* Report the leaked token to {% data variables.product.github %}. {% data variables.product.github %} will then automatically revoke the token. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."
* Update any services that use the old token.{% else %}
* Delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."{% endif %}
{%- ifversion token-audit-log %}
* {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
{%- endif %}
* For all other secrets:
* First verify that the secret committed to {% data variables.product.product_name %} is valid. {% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check).{% endif %}
* If the secret is valid, create a new secret, update any services that use the old secret, and then delete the old secret.
{% ifversion fpt or ghec %}
> [!NOTE]
> If a secret is detected in a public repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% endif %}
* First verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**. For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}For more information, see "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
* Report the leaked token to {% data variables.product.github %}. For more information, see "[Reporting a leaked secret](#reporting-a-leaked-secret)."{% endif %}
* Review and update any services that use the old token. If required, delete the compromised token and create a new token.
* Check your security logs for any unauthorized activity. [TODO - LINK?]
{% ifversion secret-scanning-report-secret-github-pat %}
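Review bot: The step "Check your security logs for any unauthorized activity. [TODO - LINK?]" still carries an unresolved placeholder that would render to readers. The token-audit-log bullet in this same hunk already has an AUTOTITLE link to identifying-audit-log-events-performed-by-an-access-token, which could be reused here inside its `ifversion token-audit-log` guard. Separately, "If required, delete the compromised token and create a new token" reads oddly next to the opening sentence that a committed secret should be considered compromised; either state when rotation is not required or drop the qualifier. In the "First verify that the secret committed to ..." line, the `fpt or ghes` block and the `secret-scanning-validity-check-partner-patterns` block each end in a "For more information" sentence with no space between them, so if both conditions hold for a version the two sentences run together; the closing punctuation also differs between them (`)."` and `)".`).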
@@ -48,7 +33,33 @@ Once a secret has been committed to a repository, you should consider the secret
> [!NOTE]
> {% data reusables.secret-scanning.report-secret-pat-beta-note %} The feature is currently only available for {% data variables.product.github %} {% data variables.product.pat_generic %}s (v1 and v2).
TODO
{% endif %}
{% ifversion fpt or ghec %}
If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a partner pattern, an alert is generated and the potential secret is **automatically reported** to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% endif %}
{% ifversion secret-scanning-report-secret-github-pat %}
For secrets detected in **private** repositories, anyone who can view {% data variables.secret-scanning.alerts %} for a repository can choose to report the privately exposed secret directly to {% data variables.product.github %}.
By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked. This means the token provider may revoke the secret, so you should first consider reviewing and updating any services that use the secret. If possible, you should also consider notifying the token owner before reporting the token, so that the token owner is aware that the secret may get revoked.
You will only see the option to report the privately exposed secret to {% data variables.product.github %} if the following conditions are met:
* The secret's validity has not been confirmed.
* The secret's validity has been confirmed as "active".
* The secret is a {% data variables.product.github %} {% data variables.product.pat_generic %}.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
1. From the alert list, click the alert you want to view.
1. In the alert view for the leaked secret, click **Report leak**.
1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.
1. Once you've reported the secret, you can close the alert.
{% endif %}
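Review bot: The list under "if the following conditions are met" cannot be satisfied as written, because "The secret's validity has not been confirmed" and "The secret's validity has been confirmed as "active"" exclude each other. If the intent is that the secret is a personal access token and its validity is either unconfirmed or active, say so explicitly, for example by making the token-type bullet the condition and the two validity states an either/or sub-list. The bare "TODO" line after the beta note would also render as content and should be resolved or removed before merge. The numbered steps beginning with the `navigate-to-repo` reusable have no lead-in sentence or heading, so they follow straight on from the conditions list; a short introduction would separate them.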

View File

@@ -2,4 +2,4 @@
# Secret scanning one-click report and revocation (for GitHub PATs only)
versions:
ghec: '*'
ghes: '> 3.15'
ghes: '> 3.13'
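Review bot: The `ghes` bound moves between '> 3.15' and '> 3.13', which changes which GitHub Enterprise Server releases render every block gated on this flag, and the commit message ("more edits") gives no reason for it. Please confirm the release the report feature actually ships in and note it in the commit or PR description. Also note that a strict `>` excludes the named version itself, so check that the intended first release is the one after it. The header comment still says "one-click report and revocation", while the article text in this commit says the token provider "may revoke" the secret; align the comment with whichever behaviour is correct.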

View File

@@ -1 +1 @@
Reporting a leaked secret to {% data variables.product.github %} is in beta and subject to change.
Reporting a privately exposed secret to {% data variables.product.github %} is in beta and subject to change.
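Review bot: The reusable switches between "leaked secret" and "privately exposed secret", but the article in this commit still links to "[Reporting a leaked secret](#reporting-a-leaked-secret)" and the UI step says "Report leak". Pick one term and use it in the reusable, the section heading and anchor, and the link text, so the beta note clearly refers to the same feature readers are sent to.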