
Merge pull request #51503 from github/secret-scanning-reorg-megabranch

[MEGABRANCH - DO NOT MERGE] - Re-organize the secret scanning docs
This commit is contained in:
Sarita Iyer
2024-08-08 11:41:59 -04:00
committed by GitHub
93 changed files with 1803 additions and 1294 deletions

View File

@@ -234,7 +234,7 @@ For more information about the notification delivery methods available to you, a
{% data reusables.secret-scanning.secret-scanning-configure-notifications %}
For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)."
{% ifversion update-notification-settings-22 or ghes %}
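Review bot: the replacement link on the `+` line drops the `#configuring-notifications-for-secret-scanning-alerts` anchor that the removed line carried, so readers land at the top of `managing-alerts-from-secret-scanning/monitoring-alerts` instead of at the notification-configuration section; if that page keeps a matching heading, append its anchor (`.../monitoring-alerts#configuring-notifications-for-secret-scanning-alerts`), otherwise confirm that the section was intentionally folded into the page intro.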

View File

@@ -19,7 +19,7 @@ topics:
## About {% data variables.product.prodname_secret_scanning %}
If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the **Security** tab for the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the **Security** tab for the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
## Checking whether your license includes {% data variables.product.prodname_GH_advanced_security %}

View File

@@ -214,10 +214,10 @@ There are a few simple tricks to avoid committing things you don't want committe
* Avoid the catch-all commands `git add .` and `git commit -a` on the command line—use `git add filename` and `git rm filename` to individually stage files, instead.
* Use `git add --interactive` to individually review and stage changes within each file.
* Use `git diff --cached` to review the changes that you have staged for commit. This is the exact diff that `git commit` will produce as long as you don't use the `-a` flag.
* Enable push protection for your repository to detect and prevent pushes which contain hardcoded secrets from being committed to your codebase. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#about-push-protection-for-repositories-and-organizations)."
* Enable push protection for your repository to detect and prevent pushes which contain hardcoded secrets from being committed to your codebase. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
## Further reading
* [`git filter-repo` man page](https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html)
* [Pro Git: Git Tools - Rewriting History](https://git-scm.com/book/en/Git-Tools-Rewriting-History)
* "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)"
* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"

View File

@@ -132,11 +132,11 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro
**Note:** When a secret is detected in a repository that has enabled {% data variables.product.prodname_secret_scanning %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %}
Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."{% endif %}
Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."{% endif %}
{% endnote %}
If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
If a project communicates with an external service, it might use a token or private key for authentication. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. {% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repositories for secrets and alert you or block the push containing the secret. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
{% ifversion ghec %}{% data variables.secret-scanning.partner_alerts_caps %} runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on {% data variables.product.prodname_dotcom_the_website %}.
@@ -154,17 +154,17 @@ Enabling {% data variables.product.prodname_secret_scanning %} for all repositor
If you are enabling {% data variables.product.prodname_secret_scanning %} on a large organization, be prepared to see a high number of secrets found. Sometimes this comes as a shock to organizations and the alarm is raised. If you would like to turn on {% data variables.product.prodname_secret_scanning %} across all repositories at once, plan for how you will respond to multiple alerts across the organization.
{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% data variables.product.prodname_secret_scanning_caps %} can be enabled for individual repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)." {% data variables.product.prodname_secret_scanning_caps %} can also be enabled for all repositories in your organization, as described above. For more information on enabling for all repositories, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
### Custom patterns for {% data variables.product.prodname_secret_scanning %}
{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
{% data variables.product.prodname_secret_scanning_caps %} detects a large number of default patterns but can also be configured to detect custom patterns, such as secret formats unique to your infrastructure or used by integrators that {% data variables.product.product_name %}'s {% data variables.product.prodname_secret_scanning %} does not currently detect. For more information about supported secrets for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
As you audit your repositories and speak to security and developer teams, build a list of the secret types that you will later use to configure custom patterns for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
### Push protection for {% data variables.product.prodname_secret_scanning %}
Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
Push protection for organizations and repositories instructs {% data variables.product.prodname_secret_scanning %} to check pushes for supported secrets _before_ secrets are committed to the codebase. For information on which secrets are supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
If a secret is detected in a push, that push is blocked. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. {% data reusables.secret-scanning.push-protection-custom-pattern %}
@@ -176,7 +176,7 @@ Before enabling push protection, consider whether you need to create guidance fo
Next, familiarize yourself with the different options for managing and monitoring alerts that are the result of a contributor bypassing push protection.
For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."
For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
{% note %}

View File

@@ -102,7 +102,7 @@ Start to review activity using the push protection metrics page in security over
{%- endif %}
If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
If you have collated any custom patterns specific to your enterprise, especially any related to the projects piloting {% data variables.product.prodname_secret_scanning %}, you can configure those. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
To learn how to view and close alerts for secrets checked into your repository, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
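Review bot: the trailing context line still links to `/code-security/secret-scanning/managing-alerts-from-secret-scanning`, but the first hunk in this PR moves notification content under `managing-alerts-from-secret-scanning/monitoring-alerts` and a later hunk links `managing-alerts-from-secret-scanning/about-alerts`, which turns that path into a directory; either point this sentence at the specific new page (`.../about-alerts` or `.../monitoring-alerts`) or confirm an index page or redirect exists at the old path.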

View File

@@ -53,11 +53,11 @@ Repeat the last two steps for any new secrets leaked. This process encourages de
## 2. Enable push protection
Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection)."
Once you have enabled {% data variables.product.prodname_secret_scanning %}, you should also enable push protection. With push protection, {% data variables.product.prodname_secret_scanning %} checks pushes for supported secrets and blocks pushes to {% data variables.product.prodname_dotcom %} _before_ the secrets are exposed to other users. For information on how to enable push protection, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)."
Once enabled, you can do the following:
1. **Provide guidance**: Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection)."
1. **Provide guidance**: Configure a custom link in the message that contributors will see if their push is blocked by {% data variables.product.prodname_secret_scanning %}. The linked resource can provide guidance for contributors on how to resolve the blocked push. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)."
1. **Notify**: Define a webhook that specifically tracks {% data variables.secret-scanning.alerts %} created when someone bypasses push protection by using the alert property `"push_protection_bypassed": true`. Or, use the API to get updates on which {% data variables.secret-scanning.alerts %} were the result of a push protection bypass by filtering the list of results for `"push_protection_bypassed": true`. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
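Review bot: both `+` lines now point at the same page, `enabling-secret-scanning-features/enabling-push-protection-for-your-repository`, with no anchor, where the removed lines at least targeted `#enabling-secret-scanning-as-a-push-protection`; the second link belongs to the `**Provide guidance**` step about configuring the custom link in the block message, so if the new page has a dedicated section for that, link to its anchor rather than sending readers to the generic enable instructions.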
@@ -107,7 +107,7 @@ Once you have decided on the secret types, you can do the following:
You can now expand beyond the five most critical secret types into a more comprehensive list, with an additional focus on education. You can repeat the previous step, remediating previously committed secrets, for the different secret types you have targeted.
You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
You can also include more of the custom patterns collated in the earlier phases and invite security teams and developer teams to submit more patterns, establishing a process for submitting new patterns as new secret types are created. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
As you continue to build your remediation processes for other secret types, start to create proactive training material that can be shared with all developers of GitHub in your organization. Until this point, a lot of the focus has been reactive. It is an excellent idea to shift focus to being proactive and encourage developers not to push credentials to GitHub in the first place. This can be achieved in multiple ways but creating a short document explaining the risks and reasons would be a great place to start.

View File

@@ -36,7 +36,7 @@ Protect your organization's repositories and settings by implementing security b
* Encouraging your users to create strong passwords and secure them appropriately, by following {% data variables.product.prodname_dotcom %}s recommended password guidelines. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password)."{% ifversion secret-scanning-push-protection-for-users %}
* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %}
* Encouraging your users to keep push protection for users enabled in their personal account settings, so that no matter which public repository they push to, they are protected. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %}
* Establishing an internal security policy in {% data variables.product.prodname_dotcom %}, so users know the appropriate steps to take and who to contact if an incident is suspected. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)."
@@ -82,9 +82,9 @@ There are two forms of {% data variables.product.prodname_secret_scanning %} ava
{% ifversion ghes %}Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for {% data variables.location.product_location %} before you can use this feature. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)."{% endif %}
For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
{% data reusables.secret-scanning.push-protection-high-level %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% ifversion ghec or ghes %} Finally, you can also extend the detection to include custom secret string structures. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."{% endif %}
### Review the audit log for your organization
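Review bot: the `+` line updates only the custom-patterns link and leaves `/code-security/secret-scanning/protecting-pushes-with-secret-scanning` unchanged, while other hunks in this PR move push protection content to `/code-security/secret-scanning/introduction/about-push-protection` and `.../enabling-secret-scanning-features/enabling-push-protection-for-your-repository`; confirm the old path still resolves after the reorganization or update it here as well.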

View File

@@ -77,19 +77,19 @@ Privately discuss and fix security vulnerabilities in your repository's code. Yo
### {% data variables.secret-scanning.user_alerts_caps %}
Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."
Automatically detect tokens or credentials that have been checked into a {% ifversion ghec %}user-owned {% endif %}public repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)."
{% ifversion secret-scanning-push-protection-for-users %}
### Push protection for users
Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."
Push protection for users automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
### {% data variables.secret-scanning.partner_alerts_caps %}
Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
Automatically detect leaked secrets across all public repositories, as well as public npm packages. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% endif %}
@@ -114,7 +114,7 @@ Automatically detect security vulnerabilities and coding errors in new or modifi
### {% data variables.secret-scanning.user_alerts_caps %}
Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-on-github-enterprise-server){% endif %}."
Automatically detect tokens or credentials that have been checked into a repository. You can view alerts for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised. {% data reusables.secret-scanning.alert-type-links %}
{% ifversion dependabot-auto-triage-rules %}
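Review bot: the `+` line replaces two version-specific links (`#about-secret-scanning-alerts-for-users` for fpt/ghec and `#about-secret-scanning-on-github-enterprise-server` for ghes) with the reusable `secret-scanning.alert-type-links`; confirm that reusable is added in this PR, that it still branches on `{% ifversion ghes %}` so GHES readers are not sent to the fpt/ghec anchor, and that it supplies the closing quotation mark and period that the removed line ended with (`{% endif %}."`), since the `+` line no longer does.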

View File

@@ -1,117 +0,0 @@
---
title: About secret scanning
intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
- /github/administering-a-repository/about-token-scanning
- /articles/about-token-scanning
- /articles/about-token-scanning-for-private-repositories
- /github/administering-a-repository/about-secret-scanning
- /code-security/secret-security/about-secret-scanning
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: overview
topics:
- Secret scanning
- Advanced Security
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
<a name="about-secret-scanning"></a>
If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}
{% data reusables.secret-scanning.what-is-scanned %}
{% ifversion fpt or ghec %}
{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms:
1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below.
1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}.
{% ifversion fpt %}The following users can enable and configure additional scanning:
* Owners of repositories on {% data variables.product.prodname_dotcom_the_website %}, on any _public_ repositories they own.
* Organizations owning _public_ repositories, on any of these repositories.
* Organizations using {% data variables.product.prodname_ghe_cloud %}, on any public repositories (for free), and on any private and internal repositories, when you have a license for {% data variables.product.prodname_GH_advanced_security %}.{% elsif ghec %}You can enable and configure additional scanning for repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} for any public repositories (for free), and for private and internal repositories when you have a license for {% data variables.product.prodname_GH_advanced_security %}. Enterprise owners can manage the automatic enablement of {% data variables.product.prodname_GH_advanced_security %} for new repositories owned by {% data variables.product.prodname_emus %} with an enterprise level setting.{% endif %}
Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the **Security** tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the "[About {% data variables.secret-scanning.user_alerts %}](#about-secret-scanning-alerts-for-users)" section below.{% endif %}
{% data reusables.secret-scanning.audit-secret-scanning-events %}
{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
{% ifversion secret-scanning-push-protection-for-users %}
{% data reusables.secret-scanning.push-protection-for-users %}
{% endif %}
{% note %}
**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository.
{% endnote %}
{% ifversion fpt or ghec %}
## About {% data variables.secret-scanning.partner_alerts %}
When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
{% endif %}
## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %}
{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning).
When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}."
If you're a repository administrator, you can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion fpt %}public{% endif %} repository{% ifversion ghec or ghes %}, including archived repositories{% endif %}. Organization owners can also enable {% data variables.secret-scanning.user_alerts %} for all {% ifversion fpt %}public {% endif %}repositories or for all new {% ifversion fpt %}public {% endif %}repositories within an organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% data reusables.secret-scanning.secret-scanning-user-owned-enablement %}
You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for a repository, organization, or enterprise. For more information, see "[AUTOTITLE]({% ifversion fpt %}/enterprise-cloud@latest{% endif %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %}
{% ifversion secret-scanning-store-tokens %}
{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %}
### Accessing {% data variables.secret-scanning.alerts %}
{% data reusables.secret-scanning.secret-scanning-about-alerts %}
* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %}
* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert.
* {% data reusables.secret-scanning.repository-alert-location %}
For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% ifversion secret-scanning-notification-settings %}
For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
{% endif %}
Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
{% ifversion ghec or ghes %}
You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)."
{% endif %}
You can also use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)."
## Further reading
* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"
* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)"
* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)"
{%- ifversion fpt or ghec %}
* "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %}
* "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)"
* "[AUTOTITLE](/actions/security-guides/encrypted-secrets)"
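Review bot: the anchored link in the notifications sentence, `/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts`, points at a page this PR turns into a directory (the new articles elsewhere in this diff link to `.../managing-alerts-from-secret-scanning/viewing-alerts`, `.../about-alerts` and `.../evaluating-alerts`), so the fragment will no longer resolve; repoint it at whichever of the new articles holds the notification settings. The same check applies to `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning` in the custom patterns paragraph, which the index hunk further down removes from `children`, and to the two `/code-security/secret-scanning/secret-scanning-patterns#...` links if that page moves as well; a fragment does not survive a redirect. One wording nit: "stores detected secrets using symmetric encryption, both in transit and at rest" names a primitive the reader cannot verify and reads oddly for the transit case; "encrypts detected secrets in transit and at rest" says what matters.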

@@ -1,151 +0,0 @@
---
title: Configuring secret scanning for your repositories
intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.'
product: '{% data reusables.gated-features.secret-scanning %}'
permissions: 'People with admin permissions to a {% ifversion fpt %}public {% endif %}repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.'
redirect_from:
- /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
- /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
- /code-security/secret-security/configuring-secret-scanning-for-your-repositories
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Repositories
shortTitle: Configure secret scans
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
## Enabling {% data variables.secret-scanning.user_alerts %}
You can enable {% data variables.secret-scanning.user_alerts %} for any {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}repository{% else %} repository that is owned by an organization, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}{% elsif fpt %}free public repository that you own{% else %}repository that is owned by an organization{% endif %}. Once enabled, {% data reusables.secret-scanning.secret-scanning-process %}{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %} {% data reusables.secret-scanning.what-is-scanned %}
You can also enable {% data variables.product.prodname_secret_scanning %} for multiple repositories in an organization at the same time. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %}
{% ifversion secret-scanning-enterprise-level %}
{% note %}
**Note:** If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
{% endnote %}
{% endif %}
A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %}
1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**.
1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**.
1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled.
![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %}
1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository.
![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}
## Enabling additional features for {% data variables.secret-scanning.user_alerts %}
You can enable the following additional {% data variables.product.prodname_secret_scanning %} feature{% ifversion ghec or ghes %}s{% endif %} through your repository's "Code security and analysis" settings:
* **Push protection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository)."{% ifversion secret-scanning-validity-check-partner-patterns %}
* **Validity checks for partner patterns**. For more information, see "[Enabling validity checks for partner patterns](#enabling-validity-checks-for-partner-patterns)."{% endif %}{% ifversion secret-scanning-non-provider-patterns %}
* **Scanning for non-provider patterns**. For more information, see "[Enabling scanning for non-provider patterns](#enabling-scanning-for-non-provider-patterns)."{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection%}
* **AI-powered generic secret detection**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)."{% endif %}{% ifversion secret-scanning-push-protection-custom-patterns %}
* **Scanning for custom patterns**. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."{% endif %}
{% ifversion secret-scanning-validity-check-partner-patterns %}
### Enabling validity checks for partner patterns
{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
You can allow {% data variables.product.prodname_secret_scanning %} to automatically check the validity of a secret found in your repository by sending it to the relevant partner. For more information on validity checks, see "Checking a secret's validity" in "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)."
{% note %}
**Note:** When you enable automatic validity checks for a repository, you also allow on-demand validity checks to be performed for patterns detected in that repository.
{% endnote %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.secret-scanning.validity-check-auto-enable %}
You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)." Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)."
{% endif %}
{% ifversion secret-scanning-non-provider-patterns %}
### Enabling scanning for non-provider patterns
{% data reusables.secret-scanning.non-provider-patterns-beta %}
You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns".
For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-secret-scanning-alerts){% endif %}."
{% endif %}
{% ifversion secret-scanning-enable-by-default-for-public-repos %}
## Enabling {% data variables.secret-scanning.user_alerts %} for all your {% ifversion ghec %}user-owned {% endif %}public repositories
You can enable {% data variables.product.prodname_secret_scanning %} for all of your existing {% ifversion ghec %}user-owned {% endif %}public repositories through your personal account settings.
{% note %}
**Note**: As of March 11, 2024, {% data variables.product.prodname_secret_scanning %} and push protection will be enabled by default for all new {% ifversion ghec %}user-owned {% endif %}public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-public-repositories)".
{% endnote %}
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.security-analysis %}
1. Under "Code security and analysis", to the right of "{% data variables.product.prodname_secret_scanning_caps %}", click **Disable all** or **Enable all**.
{% data reusables.secret-scanning.push-protection-optional-enable %}
{% endif %}
## Excluding directories from {% data variables.secret-scanning.user_alerts %}
You can configure a _secret_scanning.yml_ file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.files.add-file %}
1. In the file name field, type _.github/secret_scanning.yml_.
1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}.
``` yaml
paths-ignore:
- "foo/bar/*.js"
```
You can use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
{% note %}
**Notes:**
* If there are more than 1,000 entries in `paths-ignore`, {% data variables.product.prodname_secret_scanning %} will only exclude the first 1,000 directories from scans.
* If `secret_scanning.yml` is larger than 1 MB, {% data variables.product.prodname_secret_scanning %} will ignore the entire file.
{% endnote %}
You can also ignore individual alerts from {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% ifversion not fpt %}
## Further reading
* "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)"
* "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)"
{% endif %}
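Review bot: deleting this article drops three sections that none of the new files in this PR pick up: "Excluding directories from secret scanning alerts" with its `paths-ignore` example and the 1,000-entry and 1 MB limits on `secret_scanning.yml`, "Enabling scanning for non-provider patterns" (including the warning that these patterns have a higher ratio of false positives), and "Enabling secret scanning alerts for all your public repositories" with the note that scanning and push protection are enabled by default for new public repositories as of March 11, 2024. The push protection article's further reading does link to `.../using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning`, so the exclusions content presumably lands there, but that file is not in this diff; please confirm all three sections have a home before the megabranch merges. The "Enabling additional features" list also links to `/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection` and `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning`, both of which the index hunk removes from `children`, so wherever that list is recreated the targets need updating. The three `redirect_from` paths are carried over by the new `enabling-secret-scanning-features` index, so old deep links will at least resolve to that index.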

@@ -0,0 +1,50 @@
---
title: Enabling push protection for your repository
shortTitle: Enable push protection
intro: 'With push protection, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
---
## About enabling push protection
To enable push protection for a repository, you must first enable {% data variables.product.prodname_secret_scanning %}. You can then enable push protection in the repository's "Code security and analysis" settings page following the steps outlined in this article.
{% ifversion secret-scanning-push-protection-for-users %}
You can additionally enable push protection for your own personal account, which prevents you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
If you're an organization owner, you can enable push protection for multiple repositories at a time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization){% endif %}."
Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section.
{% ifversion secret-scanning-enterprise-level %}
If your organization is owned by an enterprise account, an enterprise owner can also enable push protection at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
{% endif %}
## Enabling push protection for a repository
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-push-protection-repo %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/excluding-folders-and-files-from-secret-scanning)"
* "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)"
* "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)"
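Review bot: the "Enabling push protection for a repository" steps include `{% data reusables.repositories.navigate-to-ghas-settings %}` unconditionally, but the article is versioned for `fpt` as well as `ghes` and `ghec`, and the sibling "Enabling secret scanning for your repository" article in this PR wraps its GitHub Advanced Security steps in `{% ifversion ghec or ghes %}` because there is no such setting on fpt; unless the reusable is versioned internally, the same guard is needed here. Two smaller points: the deleted configuration article noted that push protection is enabled by default for new public repositories, and that belongs in "About enabling push protection" so fpt readers are not sent looking for an **Enable** button that already reads **Disable**; and the intro says an alert is generated "whenever a contributor bypasses the block", but the article never says where those alerts appear, so a sentence pointing at the repository's **Security** tab, as the "About push protection" article does, would help.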

@@ -0,0 +1,56 @@
---
title: Enabling secret scanning for your repository
shortTitle: Enable secret scanning
intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans your repositories for leaked secrets and generates alerts.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
---
## About enabling {% data variables.secret-scanning.user_alerts %}
{% ifversion fpt %}
{% data variables.secret-scanning.user_alerts_caps %} can be enabled on any free public repository that you own.
{% endif %}{% ifversion ghec or ghes %}
{% data variables.secret-scanning.user_alerts_caps %} can be enabled for any repository that is owned by an organization{% ifversion secret-scanning-user-owned-repos %}, and for repositories owned by user accounts when using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}{% endif %}.
{% endif %}
If you're an organization owner, you can enable {% data variables.product.prodname_secret_scanning %} for multiple repositories at the same time{% ifversion security-configurations-ga %} using a security configuration{% endif %}. For more information, see {% ifversion security-configurations-ga %}"[AUTOTITLE](/code-security/securing-your-organization){% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}."
{% ifversion secret-scanning-enterprise-level %}
If your organization is owned by an enterprise account, an enterprise owner can also enable {% data variables.product.prodname_secret_scanning %} at the enterprise level. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
{% endif %}
## Enabling {% data variables.secret-scanning.user_alerts %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghec or ghes %}
1. If {% data variables.product.prodname_advanced_security %} is not already enabled for the repository, to the right of "{% data variables.product.prodname_GH_advanced_security %}", click **Enable**.
1. Review the impact of enabling {% data variables.product.prodname_advanced_security %}, then click **Enable {% data variables.product.prodname_GH_advanced_security %} for this repository**.
1. When you enable {% data variables.product.prodname_advanced_security %}, {% data variables.product.prodname_secret_scanning %} may automatically be enabled for the repository due to the organization's settings. If "{% data variables.product.prodname_secret_scanning_caps %}" is shown with an **Enable** button, you still need to enable {% data variables.product.prodname_secret_scanning %} by clicking **Enable**. If you see a **Disable** button, {% data variables.product.prodname_secret_scanning %} is already enabled.
![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}{% ifversion fpt %}
1. Scroll down to the bottom of the page, and click **Enable** for {% data variables.product.prodname_secret_scanning %}. If you see a **Disable** button, it means that {% data variables.product.prodname_secret_scanning %} is already enabled for the repository.
![Screenshot of the "{% data variables.product.prodname_secret_scanning_caps %}" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.](/assets/images/help/repository/enable-secret-scanning-alerts.png){% endif %}
A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)."
## Next steps
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)"
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)"
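Review bot: the "security configuration" sentence has a mismatched quote in its `else` branch: `{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization#enabling-security-features-in-your-organization)"{% endif %}."` closes the quotation inside the branch and then again after `{% endif %}`, so pre-GA versions render a stray `"` before the final period; the push protection article's equivalent line shows the intended form, `{% else %}"[AUTOTITLE](...){% endif %}."`. Separately, the `{% ifversion ghec or ghes %}` paragraph says user-owned repositories are supported "when using GitHub Enterprise Cloud with Enterprise Managed Users" whenever `secret-scanning-user-owned-repos` is set, which on GHES would produce a GHEC sentence; the deleted configuration article guarded this with a nested `{% ifversion ghes %}repository{% else %}...{% endif %}`, and that guard should be restored. Finally, the deleted article's note says scanning is enabled by default for new public repositories, so the fpt step "Scroll down to the bottom of the page, and click **Enable**" should tell readers they will usually find **Disable** there already.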

@@ -0,0 +1,49 @@
---
title: Enabling validity checks for your repository
shortTitle: Enable validity checks
intro: 'Enabling validity checks on your repository helps you prioritize the remediation of alerts as it tells you if a secret is active or inactive.'
product: '{% data reusables.gated-features.partner-pattern-validity-check-ghas %}'
versions:
feature: secret-scanning-validity-check-partner-patterns
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
---
## About validity checks
You can enable validity checks for secrets identified as service provider tokens for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %}
{% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view.
{% ifversion secret-scanning-validity-check-partner-patterns %}
You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
{% data variables.product.company_short %} displays the validation status of the secret in the alert view.
{% endif %}
You can filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on.
> [!NOTE]
> {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
For more information on using validity checks, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
## Enabling validity checks
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.secret-scanning.validity-check-auto-enable %}
You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)."
Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)." For more information on enabling at the enterprise-level, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)" and "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis#update-code-security-and-analysis-features-for-an-enterprise)."
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)"
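Review bot: "About validity checks" says the same thing twice: the `{% ifversion secret-scanning-validity-check-partner-patterns %}` block repeats the "periodically check the validity of a detected credential by sending the secret directly to the provider" sentence from the opening paragraph, and since the whole article is versioned on that very feature (`feature: secret-scanning-validity-check-partner-patterns` in the front matter) the condition is always true; drop the block and keep the GET-request sentence only in the `[!NOTE]`, where it already appears. Also, the deleted configuration article carried the caveat that enabling automatic validity checks for a repository also allows on-demand validity checks for patterns detected in that repository; that is a data-flow consequence an administrator should see before switching on a setting that sends secrets to a third party, so please restore it next to the "on-demand" sentence in the second paragraph.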

@@ -0,0 +1,23 @@
---
title: Enabling secret scanning features
shortTitle: Enable secret scanning features
allowTitleToDifferFromFilename: true
intro: 'Learn how to enable {% data variables.product.prodname_secret_scanning %} to detect secrets that are already visible in a repository, as well as push protection to proactively secure you against leaking additional secrets by blocking pushes containing secrets.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /enabling-secret-scanning-for-your-repository
- /enabling-push-protection-for-your-repository
- /enabling-validity-checks-for-your-repository
redirect_from:
- /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
- /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
---
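Review bot: the three `redirect_from` paths now resolve to this index rather than to `enabling-secret-scanning-for-your-repository`, which is the direct successor of the deleted "Configuring secret scanning for your repositories" article, so an inbound link carrying a fragment such as `#excluding-directories-from-secret-scanning-alerts` lands on a page with no such section; if the docs tooling allows it, redirecting to the successor article keeps more of those links useful. Style nit in the intro: "push protection to proactively secure you against leaking additional secrets by blocking pushes containing secrets" reads awkwardly; "push protection, which blocks pushes that contain secrets so that new ones are not leaked" is plainer.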

@@ -15,19 +15,11 @@ topics:
- Advanced Security
- Repositories
children:
- /about-secret-scanning
- /secret-scanning-partner-program
- /configuring-secret-scanning-for-your-repositories
- /defining-custom-patterns-for-secret-scanning
- /about-generating-regular-expressions-with-ai
- /generating-regular-expressions-for-custom-patterns-with-ai
- /introduction
- /enabling-secret-scanning-features
- /managing-alerts-from-secret-scanning
- /secret-scanning-patterns
- /about-the-detection-of-generic-secrets-with-secret-scanning
- /enabling-ai-powered-generic-secret-detection
- /push-protection-for-repositories-and-organizations
- /push-protection-for-users
- /working-with-push-protection
- /pushing-a-branch-blocked-by-push-protection
- /troubleshooting-secret-scanning
- /working-with-secret-scanning-and-push-protection
- /using-advanced-secret-scanning-and-push-protection-features
- /troubleshooting-secret-scanning-and-push-protection
- /secret-scanning-partnership-program
---
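Review bot: every child removed from this list (`/about-secret-scanning`, `/secret-scanning-partner-program`, `/configuring-secret-scanning-for-your-repositories`, `/defining-custom-patterns-for-secret-scanning`, `/about-generating-regular-expressions-with-ai`, `/generating-regular-expressions-for-custom-patterns-with-ai`, `/secret-scanning-patterns`, `/about-the-detection-of-generic-secrets-with-secret-scanning`, `/enabling-ai-powered-generic-secret-detection`, `/push-protection-for-repositories-and-organizations`, `/push-protection-for-users`, `/working-with-push-protection`, `/pushing-a-branch-blocked-by-push-protection`, `/troubleshooting-secret-scanning`) needs a `redirect_from` entry at its new home. The new files shown in this commit carry redirects for `/configuring-secret-scanning-for-your-repositories`, `/push-protection-for-repositories-and-organizations`, `/about-secret-scanning` and `/secret-scanning-patterns`, but none of the other old paths is covered by any file visible here, so please confirm they redirect rather than 404.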

View File

@@ -0,0 +1,101 @@
---
title: About push protection
intro: 'Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
redirect_from:
- /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/push-protection-for-repositories-and-organizations
type: overview
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Push protection
---
## About push protection
Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
{% ifversion secret-scanning-push-protection-for-users %}
You can enable push protection:
* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated.
{% endif %}
For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
## How push protection works
Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push.
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. {% data reusables.secret-scanning.push-protection-bypass %}
{% data reusables.secret-scanning.bypass-reasons-and-alerts %}
{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."{% endif %}
## About the benefits of push protection
* **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
* **Immediate feedback**: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
* **Reduced risk of data leaks**: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
* **Efficient secret management**: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
* **Integration with CI/CD pipelines**: Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %}
{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %}
{% ifversion secret-scanning-push-protection-for-users %}
Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
## Customizing push protection
Once push protection is enabled, you can customize it further:
### Integrate with CI/CD pipelines
Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}.
{% ifversion secret-scanning-push-protection-custom-patterns %}
### Define custom patterns
Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
{% endif %}
{% ifversion push-protection-delegated-bypass %}
### Configure delegated bypass
Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
{% endif %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)"{% ifversion secret-scanning-push-protection-custom-patterns %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %}
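Review bot: the two CI/CD passages ("Integration with CI/CD pipelines" in the benefits list and the "Integrate with CI/CD pipelines" subsection) describe push protection as something you wire into a pipeline by "adding steps in your pipeline configuration file to call GitHub's APIs", but name no endpoint, workflow or action, and the page's own "How push protection works" section defines the feature as a server-side check that blocks the push itself. Either cite the concrete mechanism (a specific REST endpoint or Actions workflow) or remove the claim, because as written a reader cannot act on it. Two style points in the same lines: "GitHub's APIs" hardcodes the product name where the rest of the file uses `{% data variables.product.prodname_dotcom %}`, and the feature is capitalized three ways ("Push Protection", "push Protection", "push protection") across the benefits list; use lowercase "push protection" throughout.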

View File

@@ -0,0 +1,32 @@
---
title: About secret scanning for partners
intro: 'When {% data variables.product.prodname_secret_scanning %} detects authentication details for a service provider in a public repository on {% data variables.product.prodname_dotcom %}, an alert is sent directly to the provider. This allows service providers who are {% data variables.product.prodname_dotcom %} partners to promptly take action to secure their systems.'
versions:
fpt: '*'
ghec: '*'
type: overview
topics:
- Secret scanning
- Advanced Security
shortTitle: Secret scanning for partners
---
## About {% data variables.secret-scanning.partner_alerts %}
{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. {% data reusables.secret-scanning.partner-program-link %}
> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
The reason partner alerts are directly sent to the secret providers whenever a leak is detected for one of their secrets is that this enables the provider to take immediate action to protect you and protect their resources. The notification process for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %} for you to resolve.
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
## What are the supported secrets
For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"
* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)"
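Review bot: the "What are the supported secrets" section says "secrets and service providers supported by push protection", which is the sentence from about-push-protection pasted unchanged; on this page it should read "supported by secret scanning partner patterns" (or simply "by secret scanning"), since push protection is not what this page describes. Two smaller points: the alert `> [!NOTE]You cannot change the configuration...` runs the marker and the body together on one line, whereas the body belongs on its own `>` line beneath the marker; and the heading reads better as "Supported secrets", matching the section it links to.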

View File

@@ -0,0 +1,140 @@
---
title: About secret scanning
intro: '{% data variables.product.product_name %} scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
- /github/administering-a-repository/about-token-scanning
- /articles/about-token-scanning
- /articles/about-token-scanning-for-private-repositories
- /github/administering-a-repository/about-secret-scanning
- /code-security/secret-security/about-secret-scanning
- /code-security/secret-scanning/about-secret-scanning
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: overview
topics:
- Secret scanning
- Advanced Security
shortTitle: Secret scanning
---
## About {% data variables.product.prodname_secret_scanning %}
{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in repositories for known types of secrets and alerts repository administrators upon detection.
{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}{% ifversion secret-scanning-backfills %} {% data variables.product.prodname_dotcom %} will also periodically run a full Git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled.{% endif %}
{% data reusables.secret-scanning.what-is-scanned %}
When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. Alerts are reported on the **Security** tab of repositories on {% data variables.product.product_name %}, where you can view, evaluate, and resolve them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% ifversion fpt or ghec %}Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning. We automatically run {% data variables.product.prodname_secret_scanning %} for partner patterns on all public repositories and public npm packages.{% data reusables.secret-scanning.partner-program-link %}
Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on {% data variables.product.prodname_dotcom_the_website %}. For more information about partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."{% endif %}
For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
You can use the REST API to monitor results from {% data variables.product.prodname_secret_scanning %} across your repositories{% ifversion ghes %} or your organization{% endif %}. For more information about API endpoints, see "[AUTOTITLE](/rest/secret-scanning)."
{% ifversion ghec or ghes %}
You can also use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)."
{% endif %}
{% data reusables.secret-scanning.audit-secret-scanning-events %}
## How {% data variables.product.prodname_secret_scanning %} works
Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works:
* **Detection**: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
* **Alerts**: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."
* **Review**: When a secret is detected, you'll need to review the alert details provided.
* **Remediation**: You then need take appropriate actions to remediate the exposure. This might include:
* Rotating the affected credential to ensure it is no longer usable.
* Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features).
* **Monitoring**: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
{% ifversion fpt or ghec %}
* **Integration with partners**: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% endif %}
## About the benefits of {% data variables.product.prodname_secret_scanning %}
* **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
* **Automated detection**—The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves.
* **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.
{% ifversion fpt or ghec %}
* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% endif %}
{% ifversion ghec or ghes %}
* **Custom pattern support**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
{% endif %}
{% ifversion secret-scanning-non-provider-patterns %}
* **Ability to detect non-provider patterns**—You can expand the detection to include non-provider patterns such as connection strings, authentication headers, and private keys, for your repository or organization.
{% endif %}
## Customizing {% data variables.product.prodname_secret_scanning %}
Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further:
{% ifversion secret-scanning-non-provider-patterns %}
### Detection of non-provider patterns
Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)."
{% endif %}
{% ifversion secret-scanning-ai-generic-secret-detection %}
### Generic secret detection
Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)."
{% endif %}
### Performing validity checks
Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)" and{% endif %} "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
{% ifversion ghec or ghes %}
### Defining custom patterns
Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
{% ifversion secret-scanning-custom-pattern-ai-generated %}
You can also leverage AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)."
{% endif %}
{% endif %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)"
* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
* "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)"
* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"
* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)"
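Review bot: the "Automated detection" bullet states unconditionally that scanning covers "commits, issues, and pull requests", but the opening section of the same file keeps `{% ifversion ghes < 3.11 %} ... does not scan issues.{% endif %}`, so the benefits list contradicts the versioned statement for those releases; gate the word "issues" the same way or drop it. Also: "You then need take appropriate actions" in the Remediation bullet is missing "to"; "public npm packages.{% data reusables.secret-scanning.partner-program-link %}" needs a space before the reusable; the sentence about partner patterns links to `managing-alerts-from-secret-scanning/about-alerts` although this commit adds a dedicated `/code-security/secret-scanning/introduction/about-secret-scanning-for-partners` page, which is the better target and is also absent from "Further reading"; and the benefits bullets here join label and text with a dash while the equivalent list in about-push-protection uses a colon, so pick one form for the two new overview pages.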

View File

@@ -0,0 +1,20 @@
---
title: Introduction to secret scanning
shortTitle: Introduction
allowTitleToDifferFromFilename: true
intro: 'Learn how {% data variables.product.prodname_secret_scanning %} detects secrets in existing content and new commits, helping you to avoid exposing sensitive data that could be exploited.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: overview
topics:
- Secret scanning
- Advanced Security
children:
- /about-secret-scanning
- /about-push-protection
- /about-secret-scanning-for-partners
- /supported-secret-scanning-patterns
---
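Review bot: this index sets `type: overview` while the sibling index added in this commit, "Enabling secret scanning features", sets no `type`; pick one convention for the new category indexes. Note also that the child `/about-secret-scanning-for-partners` is versioned `fpt`/`ghec` only while this index lists `ghes: '*'`; that is fine if the build filters unavailable children, but worth checking on the rendered GHES table of contents.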

View File

@@ -1,5 +1,5 @@
---
title: Secret scanning patterns
title: Supported secret scanning patterns
intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
@@ -12,85 +12,33 @@ topics:
- Advanced Security
redirect_from:
- /code-security/secret-scanning/secret-scanning-partners
- /code-security/secret-scanning/secret-scanning-patterns
layout: inline
shortTitle: Supported patterns
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
{% ifversion fpt or ghec %}
## About {% data variables.product.prodname_secret_scanning %} patterns
{% data variables.product.product_name %} maintains these different sets of default {% data variables.product.prodname_secret_scanning %} patterns:
{% data reusables.secret-scanning.alert-types %}
1. **Partner patterns.** Used to detect potential secrets in all public repositories as well as public npm packages.{% data reusables.secret-scanning.partner-program-link %}
1. **User alert patterns.** Used to detect potential secrets in {% ifversion fpt %}public{% endif %} repositories with {% data variables.secret-scanning.user_alerts %} enabled.
1. **Push protection patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled.
{% ifversion fpt %}
Owners of public repositories, as well as organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %}, can enable {% data variables.secret-scanning.user_alerts %} on their repositories.
{% endif %}
For in-depth information about each alert type, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."
For details about all the supported patterns, see the "[Supported secrets](#supported-secrets)" section below.
If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)."
If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)."
## About partner alerts
Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
{% endif %}
## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts
{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}.
{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types:
* High confidence alerts, which relate to supported patterns and specified custom patterns.
* Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list)."
{% data reusables.secret-scanning.non-provider-patterns-beta %}
{% endif %}
You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %}
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning)."
{% ifversion ghes or ghec %}
{% note %}
**Note:** You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
{% endnote %}
{% endif %}
## About push protection alerts
Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers.
{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."{% endif %}
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning)."
## Supported secrets
This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.
* **Provider**—name of the token provider.{% ifversion fpt or ghec %}
* **Partner**—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
* **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}
* Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %}, {% data variables.product.prodname_secret_scanning %}.
* Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
* Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
* For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
* For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)."
{% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %}
* **{% data variables.product.prodname_secret_scanning_caps %} alert**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}
* Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
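Review bot: several links in this page still use pre-reorganization paths that the rest of the commit has moved: `/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list`, `/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users`, `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning`, `/code-security/secret-scanning/push-protection-for-users` and, in "About push protection alerts", `/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions`. Wherever these lines survive in the new version they need the same treatment as the relocated "If you believe that secret scanning should have detected a secret" sentence, which now correctly points at `/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning`. The `#about-secret-scanning-alerts-for-users` anchor in particular has no matching heading in the new about-secret-scanning page (its sections are "About", "How ... works", "About the benefits", "Customizing" and "Further reading"), so the path redirect alone will drop readers at the top of that page. The rewrite of the User bullet to "where GitHub Advanced Security and secret scanning are enabled" fixes a sentence that previously had no verb and looks right.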
@@ -98,10 +46,10 @@ This table lists the secrets supported by {% data variables.product.prodname_sec
* **Push protection**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.
{% note %}
**Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
**Note:** {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
{% endnote %}
* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}
* **Validity check**—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "[{% data variables.product.prodname_advanced_security %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security)" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}
{% ifversion secret-scanning-non-provider-patterns %}
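Review bot: consistency nit in the note block at the top of this hunk: it keeps the legacy `{% note %}` / `{% endnote %}` Liquid tags, while the next hunk in the same file converts the non-provider sentence to the `>[!NOTE]` alert syntax; convert this block too so the file uses a single callout style. Also, in the last bullet, "For more information about validity check support see" is missing the comma before "see" that every other cross-reference in the file uses ("For more information, see").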
@@ -120,7 +68,7 @@ This table lists the secrets supported by {% data variables.product.prodname_sec
| Generic | postgres_connection_string |
| Generic | rsa_private_key |
Push protection and validity checks are not supported for non-provider patterns.
>[!NOTE] Push protection and validity checks are not supported for non-provider patterns.
### High confidence patterns
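Review bot: the converted callout `>[!NOTE] Push protection and validity checks are not supported for non-provider patterns.` puts the body on the same line as the `[!NOTE]` marker and omits the space after `>`. The other alerts added in this PR use the two-line form (`> [!NOTE]` on its own line, followed by a `> ...` line with the text, as in the evaluating-alerts file); match that form here so the callout renders the same way across pages.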
@@ -161,10 +109,9 @@ Push protection and validity checks are not supported for non-provider patterns.
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)"
{%- ifversion fpt or ghec %}
* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)"
{%- endif %}
* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"
* "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure)"
{%- ifversion fpt or ghec %}
* "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)"
{%- else %}
* "[AUTOTITLE](/free-pro-team@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation
{% endif %}
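Review bot: GHES readers lose the partner-program pointer in this Further reading list. The removed block had an `{% else %}` branch linking `/free-pro-team@latest/code-security/secret-scanning/secret-scanning-partner-program` "in the GitHub Enterprise Cloud documentation" for versions other than fpt/ghec; the replacement only keeps the `{% ifversion fpt or ghec %}` branch. Either restore the else branch with the new `secret-scanning-partnership-program/secret-scanning-partner-program` path, or note in the PR that dropping it for GHES is intentional. The new about-alerts entry at the top of the list looks fine.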

@@ -1,230 +0,0 @@
---
title: Managing alerts from secret scanning
intro: 'You can view, evaluate and resolve alerts for secrets checked in to your repository.'
permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view and dismiss secret scanning alerts for the repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
- /github/administering-a-repository/managing-alerts-from-secret-scanning
- /code-security/secret-security/managing-alerts-from-secret-scanning
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Manage secret alerts
---
## About the {% data variables.product.prodname_secret_scanning %} alerts page
{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %}
{% ifversion secret-scanning-non-provider-patterns %}
To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists:
* **High confidence** alerts.
* **Other** alerts.
![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png)
### High confidence alerts list
The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page.
### Other alerts list
The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives.
In addition, alerts that fall into this category:
* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts).
* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view.
* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}.
For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}."
{% endif %}
## Viewing alerts
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %}
1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
{% ifversion secret-scanning-user-owned-repos %}
> [!NOTE]
> {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}
{% endif %}
## Filtering alerts
You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar.
|Qualifier|Description|
|---------|-----------|
|`is:open`|Displays open alerts.|
|`is:closed`|Displays closed alerts.|
| {% ifversion secret-scanning-bypass-filter %} |
|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."|
| {% endif %} |
|`validity:active`| Displays alerts for secrets that are still active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[Checking a secret's validity](#checking-a-secrets-validity)."|
|`validity:inactive`| Displays alerts for secrets that are no longer active.|
|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secret)." |
|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."|
| {% ifversion secret-scanning-non-provider-patterns %} |
|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)." |
|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}|
| {% endif %} |
## Evaluating alerts
There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %}
* Perform an "on-demand" validity check, to get the most up to date validiation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %}
* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %}
### Checking a secret's validity
Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view.
{% ifversion fpt %}
Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
{% endif %}
{% ifversion secret-scanning-validity-check-partner-patterns %}
You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
{% data variables.product.company_short %} displays the validation status of the secret in the alert view.
{% endif %}
{% data reusables.secret-scanning.validity-check-table %}
{% ifversion secret-scanning-validity-check-partner-patterns %}
{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#high-confidence-patterns)."
{% endif %}
You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)."
{% ifversion secret-scanning-validity-check-partner-patterns %}
### Performing an on-demand validity check
Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view.
![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png)
{% endif %}
{% ifversion secret-scanning-github-token-metadata %}
### Reviewing {% data variables.product.company_short %} token metadata
> [!NOTE]
> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change.
In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies).
![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png)
Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. The following metadata is available for active {% data variables.product.company_short %} tokens:
|Metadata|Description|
|-------------------------|--------------------------------------------------------------------------------|
|Secret name| The name given to the {% data variables.product.company_short %} token by its creator|
|Secret owner| The {% data variables.product.company_short %} handle of the token's owner|
|Created on| Date the token was created|
|Expired on| Date the token expired|
|Last used on| Date the token was last used|
|Access| Whether the token has organization access|
{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %}
{% endif %}
## Fixing alerts
Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
{%- ifversion token-audit-log %}
* {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
{%- endif %}
* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
{% ifversion fpt or ghec %}
> [!NOTE]
> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
{% endif %}
## Closing alerts
> [!NOTE]
>{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.
![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png)
1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
1. Click **Close alert**.
## Configuring notifications for {% data variables.secret-scanning.alerts %}
Notifications are different for incremental scans and historical scans.
### Incremental scans
{% data reusables.secret-scanning.secret-scanning-configure-notifications %}
{% data reusables.repositories.navigate-to-repo %}
1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**.
![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png)
1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**.
1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications).
1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown.
1. Select "Email" as a notification option, then click **Save**.
![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png)
{% data reusables.notifications.watch-settings %}
### Historical scans
For historical scans, {% data variables.product.product_name %} notifies the following users:
* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found.
* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences.
We do _not_ notify commit authors.
{% data reusables.notifications.watch-settings %}
## Auditing responses to secret scanning alerts
{% data reusables.secret-scanning.audit-secret-scanning-events %}
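Review bot: deleting this file drops its two `redirect_from` entries (`/github/administering-a-repository/managing-alerts-from-secret-scanning` and `/code-security/secret-security/managing-alerts-from-secret-scanning`) and retires the page's own URL, `/code-security/secret-scanning/managing-alerts-from-secret-scanning`, which is still the target of inbound links. Neither of the two new files added later in this diff (about-alerts, evaluating-alerts) carries a `redirect_from` list, so confirm that one of the new pages under `managing-alerts-from-secret-scanning/` picks up all three paths, otherwise the old URLs will 404. Also confirm that the "Closing alerts", "Configuring notifications", and "Auditing responses" sections have a home in the new tree; they do not appear in either of the new files shown here.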

@@ -0,0 +1,71 @@
---
title: About secret scanning alerts
intro: 'Learn about the different types of {% data variables.secret-scanning.alerts %}.'
permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can manage {% data variables.secret-scanning.alerts %} for the repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: About alerts
allowTitleToDifferFromFilename: true
---
## About types of alerts
{% data reusables.secret-scanning.alert-types %}
## About {% ifversion fpt or ghec %}user alerts {% else %}{% data variables.secret-scanning.alerts %}{% endif %}
When {% data variables.product.company_short %} detects a supported secret in a repository that has {% data variables.product.prodname_secret_scanning %} enabled, a {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alert is generated and displayed in the **Security** tab of the repository.
{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types:
* High confidence alerts, which relate to supported patterns and specified custom patterns.
* Other alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %} or AI-detected generic secrets{% endif %}.
{% data variables.product.prodname_dotcom %} displays these "other" alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
{% data reusables.secret-scanning.non-provider-patterns-beta %}
{% endif %}
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
## About push protection alerts
Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the **Security** tab of the repository. To see all push protection alerts for a repository, you must filter by `bypassed: true` on the alerts page. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#filtering-alerts)."
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
>[!NOTE]
> {% ifversion secret-scanning-push-protection-for-users %}You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to _any_ public repository. Alerts are _not_ created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."{% endif %}
>
> {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning#push-protection-and-pattern-versions)."
{% ifversion fpt or ghec %}
## About partner alerts
When {% data variables.product.company_short %} detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of {% data variables.product.company_short %}'s secret scanning partner program. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert.
{% endif %}
## Next steps
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)"
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)"{% endif %}
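Review bot: the first Further reading entry is missing its closing quotation mark: `* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %}` opens with `"` but never closes it, unlike the entries that follow (`...)"{% endif %}`), so the rendered list will show a stray quote. Two smaller points: `{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}` is included twice, once at the end of the user alerts section and again at the end of "About push protection alerts", which reads as an accidental duplicate unless both placements are intended; and the `>[!NOTE]` in the push protection section lacks the space after `>` that the evaluating-alerts file in this same diff uses (`> [!NOTE]`).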

@@ -0,0 +1,92 @@
---
title: Evaluating alerts from secret scanning
intro: 'Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret''s validity.'
permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.alerts %} for the repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Evaluate alerts
allowTitleToDifferFromFilename: true
---
## About evaluating alerts
There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %}
* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}{% ifversion secret-scanning-github-token-metadata %}
* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %}
## Checking a secret's validity
Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validation status of the token in the alert view.
{% ifversion fpt %}
Organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also enable validity checks for partner patterns. For more information, see "[Checking a secret's validity](/enterprise-cloud@latest/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
{% endif %}
{% data reusables.secret-scanning.validity-check-table %}
{% ifversion secret-scanning-validity-check-partner-patterns %}
{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
For information on how to enable validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," and for information on which partner patterns are currently supported, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)."
{% endif %}
You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "[AUTOTITLE](/rest/secret-scanning)" in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the `secret_scanning_alert` event in "[AUTOTITLE](/webhooks/webhook-events-and-payloads?actionType=created#secret_scanning_alert)."
{% ifversion secret-scanning-validity-check-partner-patterns %}
## Performing an on-demand validity check
Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" %} **Verify secret** in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view.
![Screenshot of the UI showing a {% data variables.product.prodname_secret_scanning %} alert. A button, labeled "Verify secret" is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-verify-secret.png)
{% endif %}
{% ifversion secret-scanning-github-token-metadata %}
## Reviewing {% data variables.product.company_short %} token metadata
> [!NOTE]
> Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change.
In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies).
![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png)
Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. The following metadata is available for active {% data variables.product.company_short %} tokens:
|Metadata|Description|
|-------------------------|--------------------------------------------------------------------------------|
|Secret name| The name given to the {% data variables.product.company_short %} token by its creator|
|Secret owner| The {% data variables.product.company_short %} handle of the token's owner|
|Created on| Date the token was created|
|Expired on| Date the token expired|
|Last used on| Date the token was last used|
|Access| Whether the token has organization access|
{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %}{% endif %}
{% endif %}
## Next steps
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts)"
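Review bot: in the "Performing an on-demand validity check" paragraph, "{% data variables.product.company_short %} will send the pattern to the relevant partner" should say the secret is sent, not the pattern; what the provider needs in order to report a validity status is the detected token value, and a reader deciding whether to click "Verify secret" needs to know that the credential itself leaves the alert view. Separately, the metadata table row "Expired on | Date the token expired" sits under a paragraph stating that metadata is only available for active tokens, so the row presumably shows the token's expiration date; unless "Expired on" is the literal UI label, "Expires on | Date the token expires" is the accurate description.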

@@ -0,0 +1,26 @@
---
title: Managing alerts from secret scanning
intro: 'Learn how to find, evaluate, and resolve alerts for secrets stored in your repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
- /github/administering-a-repository/managing-alerts-from-secret-scanning
- /code-security/secret-security/managing-alerts-from-secret-scanning
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Managing alerts
children:
- /about-alerts
- /viewing-alerts
- /evaluating-alerts
- /resolving-alerts
- /monitoring-alerts
---

@@ -0,0 +1,54 @@
---
title: Monitoring alerts from secret scanning
intro: 'Learn how and when {% data variables.product.product_name %} will notify you about a secret scanning alert.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Monitor alerts
allowTitleToDifferFromFilename: true
---
## Configuring notifications for {% data variables.secret-scanning.alerts %}
In addition to displaying an alert in the **Security** tab of the repository, {% data variables.product.product_name %} can also send email notifications for alerts. These notifications are different for incremental scans and historical scans.
### Incremental scans
{% data reusables.secret-scanning.secret-scanning-configure-notifications %}
{% data reusables.repositories.navigate-to-repo %}
1. To start watching the repository, select **{% octicon "eye" aria-hidden="true" %} Watch**.
![Screenshot of the repository's main page. A dropdown menu, titled "Watch", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png)
1. In the dropdown menu, click **All Activity**. Alternatively, to only subscribe to security alerts, click **Custom**, then click **Security alerts**.
1. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications).
1. On your notification settings page, under "Subscriptions", then under "Watching", select the **Notify me** dropdown.
1. Select "Email" as a notification option, then click **Save**.
![Screenshot of the notification settings for a user account. An element header, titled "Subscriptions", and a sub-header, titled "Watching", are shown. A checkbox, titled "Email", is highlighted with an orange outline.](/assets/images/help/notifications/repository-watching-notification-options.png)
{% data reusables.notifications.watch-settings %}
### Historical scans
For historical scans, {% data variables.product.product_name %} notifies the following users:
* Organization owners, enterprise owners, and security managers—whenever a historical scan is complete, even if no secrets are found.
* Repository administrators, security managers, and users with custom roles with read/write access—whenever a historical scan detects a secret, and according to their notification preferences.
We do _not_ notify commit authors.
{% data reusables.notifications.watch-settings %}
## Auditing responses to secret scanning alerts
{% data reusables.secret-scanning.audit-secret-scanning-events %}
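Review bot: `{% data reusables.notifications.watch-settings %}` is included twice on this page, once after the email notification steps under "Incremental scans" and again at the end of "Historical scans", so the same paragraph renders twice a few lines apart; keep the second include (it closes the notification section) and drop the first, or move the single include to just before "Auditing responses to secret scanning alerts" so it applies to both scan types.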

@@ -0,0 +1,55 @@
---
title: Resolving alerts from secret scanning
intro: 'After reviewing the details of a secret scanning alert, you should fix and then close the alert.'
permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can dismiss secret scanning alerts for the repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Resolve alerts
allowTitleToDifferFromFilename: true
---
## Fixing alerts
Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
{%- ifversion token-audit-log %}
* {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
{%- endif %}
* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
{% ifversion fpt or ghec %}
> [!NOTE]
> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% endif %}
## Closing alerts
> [!NOTE]
>{% data variables.product.prodname_secret_scanning_caps %} doesn't automatically close alerts when the corresponding token has been removed from the repository. You must manually close these alerts in the alert list on {% data variables.product.prodname_dotcom %}.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
1. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.
![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png)
1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation.
1. Click **Close alert**.
## Next steps
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/monitoring-alerts)"
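Review bot: the two remediation bullets under "Fixing alerts" prescribe opposite orderings and should be reconciled. The {% data variables.product.pat_generic %} bullet says "delete the compromised token, create a new token, and update any services that use the old token", while the general bullet says "create a new secret, update any services that use the old secret, and then delete the old secret". Since the section opens by stating the secret should be considered compromised, revoke-first is the defensible default (a leaked credential remains usable by an attacker for as long as it stays valid while services are being updated); either apply that order to both bullets, or keep rotate-then-revoke for the general case and say explicitly that it trades a longer exposure window for avoiding downtime. Also, the note at the end of the section links "supported-secret-scanning-patterns#supported-secrets" while the evaluating-alerts page links the same list as "#high-confidence-patterns"; pick one anchor so both resolve to the intended section.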

@@ -0,0 +1,87 @@
---
title: Viewing and filtering alerts from secret scanning
intro: 'Learn how to find and filter {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}{% data variables.secret-scanning.user_alerts %} alerts{% endif %} for your repository.'
permissions: 'People with admin access to a {% ifversion fpt %}public {% endif %}repository can view {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} alerts{% endif %} for the repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: View alerts
allowTitleToDifferFromFilename: true
---
## About the {% data variables.product.prodname_secret_scanning %} alerts page
{% data reusables.secret-scanning.secret-scanning-about-alerts %} {% data reusables.secret-scanning.repository-alert-location %}
{% ifversion secret-scanning-non-provider-patterns %}
To help you triage alerts more effectively, {% data variables.product.company_short %} separates alerts into two lists:
* **High confidence** alerts.
* **Other** alerts.
![Screenshot of the {% data variables.product.prodname_secret_scanning %} alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.](/assets/images/help/security/secret-scanning-high-confidence-alert-view.png)
### High confidence alerts list
The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page.
### Other alerts list
The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys){% ifversion secret-scanning-ai-generic-secret-detection %}, or generic secrets detected using AI (such as passwords){% endif %}. These types of alerts have a higher rate of false positives.
In addition, alerts that fall into this category:
* Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts).
* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view.
* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}.
For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection){% endif %}."
{% endif %}
## Viewing alerts
Alerts for {% data variables.product.prodname_secret_scanning %} are displayed under the **Security** tab of the repository.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. {% ifversion secret-scanning-non-provider-patterns %}
1. Optionally, toggle to "Other" to see alerts for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} or generic secrets detected using AI{% endif %}.{% endif %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the alert you want to view.
{% ifversion secret-scanning-user-owned-repos %}
> [!NOTE]
> {% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %}
{% endif %}
## Filtering alerts
You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar.
|Qualifier|Description|
|---------|-----------|
|`is:open`|Displays open alerts.|
|`is:closed`|Displays closed alerts.|
| {% ifversion secret-scanning-bypass-filter %} |
|`bypassed: true`|Displays alerts for secrets where push protection has been bypassed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."|
| {% endif %} |
|`validity:active`| Displays alerts for secrets that are known to be active. {% ifversion fpt %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} For more information about validity statuses, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."|
|`validity:inactive`| Displays alerts for secrets that are no longer active.|
|`validity:unknown`| Displays alerts for secrets where the validity status of the secret is unknown.|
|`secret-type:SECRET-NAME`| Displays alerts for a specific secret type, for example, `secret-type:github_personal_access_token`. For a list of supported secret types, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secret)." |
|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."|
| {% ifversion secret-scanning-non-provider-patterns %} |
|`confidence:high`| Displays alerts for high-confidence secrets, which relate to supported secrets and custom patterns. For a list of supported high-confidence patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#high-confidence-patterns)." |
|`confidence:other`| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)."{% endif %}|
| {% endif %} |
## Next steps
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts)"
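Review bot: the `secret-type:SECRET-NAME` row in the "Filtering alerts" table links to "supported-secret-scanning-patterns#supported-secret", which drops the trailing "s" used by the `provider:` row on the next line (`#supported-secrets`), so that anchor will not resolve; change it to `#supported-secrets`. In the same table the bypass row is written `bypassed: true` with a space, whereas every other qualifier in the table is written without one and the removed push-protection page refers to "the `bypassed:true` filter"; remove the space so the qualifier is copy-pasteable into the search bar as documented.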

@@ -1,292 +0,0 @@
---
title: Push protection for repositories and organizations
intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
redirect_from:
- /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Push protection for repositories
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
## About push protection for repositories and organizations
{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
{% data reusables.secret-scanning.push-protection-bypass %}
{% data reusables.secret-scanning.bypass-reasons-and-alerts %}
{% ifversion push-protection-delegated-bypass %}
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](#enabling-delegated-bypass-for-push-protection)."
{% endif %}
{% ifversion secret-scanning-bypass-filter %}
On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% endif %}
You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
{% ifversion security-overview-push-protection-metrics-page %}
If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)."
{% endif %}
{% ifversion ghec or fpt %}
{% note %}
**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)."
{% endnote %}
{% endif %}
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection
For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section.
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret.
{% ifversion secret-scanning-enable-by-default-for-public-repos %}
You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)."
{% endif %}
{% ifversion secret-scanning-enterprise-level-api %}
Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %}
{% note %}
**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. You can enable it on the fork the same way you enable it on a standalone repository.
{% endnote %}
{% ifversion secret-scanning-enterprise-level %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
1. In the left sidebar, click **Code security and analysis**.
{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %}
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization
{% ifversion security-configurations-ga %}
You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% elsif security-configurations-beta-and-pre-beta %}
You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization.
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-push-protection-org %}
{% data reusables.security.note-securing-your-org %}
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-push-protection-repo %}
{% ifversion secret-scanning-push-protection-custom-patterns %}
## Enabling push protection for a custom pattern
You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else%} the organization or repository level{% endif %}.
{% ifversion ghec or ghes %}
### Enabling push protection for a custom pattern stored in an enterprise
{% data reusables.secret-scanning.push-protection-enterprise-note %}
Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %}
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
1. Under "Code security and analysis", click **Security features**.{% else %}
{% data reusables.enterprise-accounts.advanced-security-policies %}
{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
{% ifversion custom-pattern-dry-run-ga %}
>[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created.
{%- endif %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern
Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps.
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% else %}
1. Find "{% data variables.product.prodname_GH_advanced_security %}."
{% endif %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}
![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern
Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
{% endif %}
{% ifversion push-protection-delegated-bypass %}
## Enabling delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed.
When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)."
Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)."
Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
### Configuring delegated bypass for an organization
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %}
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% else %}
1. Find "{% data variables.product.prodname_GH_advanced_security %}."
{% endif %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
### Configuring delegated bypass for a repository
>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
## Managing requests to bypass push protection
You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository.
You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
|Status|Description|
|---------|-----------|
|`Cancelled`| The request has been cancelled by the contributor.|
|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.|
|`Denied`|The request has been reviewed and denied.|
|`Expired`| The request has expired. Requests are valid for 7 days. |
|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. |
When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires.
The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.
### Managing requests to bypass push protection at the repository-level
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.bypass-requests-settings %}
1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review.
1. Click the request that you want to review.
1. Review the details of the request.
1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
{% endif %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
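Review bot: the Further reading links at the end of this hunk still use pre-reorganization paths (`/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection` and `/code-security/secret-scanning/working-with-push-protection`), and the sentence introducing the repository-level procedure still links `/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository`; the first of those files is deleted in this same PR and the other articles in the changeset have their links rewritten to the new `introduction/` and `using-advanced-secret-scanning-and-push-protection-features/custom-patterns/` locations, so update these here as well rather than relying on redirects. Minor wording in the same hunk: "at the organization-level" (the delegated bypass note) and "at the repository-level" (the last subheading) should drop the hyphen.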

View File

@@ -1,117 +0,0 @@
---
title: Pushing a branch blocked by push protection
intro: 'Push protection proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.'
product: '{% data reusables.gated-features.push-protection-users-and-repos %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Push a blocked branch
---
## About push protection
Push protection helps to prevent security leaks by scanning for secrets before you push changes to your repository.
When you try to push a secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} blocks the push. You must remove the secret from your branch before pushing again. For more information on how to resolve a blocked push, see "[Resolving a blocked push on the command line](#resolving-a-blocked-push-on-the-command-line)" and "[Resolving a blocked commit in the web UI](#resolving-a-blocked-commit-in-the-web-ui)" in this article.
If you believe it's safe to allow the secret, you {% ifversion push-protection-delegated-bypass %}may {% endif %}have the option to bypass the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)."
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
## Resolving a blocked push on the command line
{% data reusables.secret-scanning.push-protection-command-line-choice %}
{% data reusables.secret-scanning.push-protection-multiple-branch-note %}
### Removing a secret introduced by the latest commit on your branch
If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.
1. Remove the secret from your code.
1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit.
1. Push your changes with `git push`.
### Removing a secret introduced by an earlier commit on your branch
You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase.
1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret.
```text
remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} ——————————————————————
remote: locations:
remote: - commit: 8728dbe67
remote: path: README.md:4
remote: - commit: 03d69e5d3
remote: path: README.md:4
remote: - commit: 8053f7b27
remote: path: README.md:4
```
1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps.
```text
test-repo (test-branch)]$ git log
commit 8053f7b27 (HEAD -> main)
Author: Octocat <1000+octocat@users.noreply.github.com
Date: Tue Jan 30 13:03:37 2024 +0100
my fourth commit message
commit 03d69e5d3
Author: Octocat <1000+octocat@users.noreply.github.com>
Date: Tue Jan 30 13:02:59 2024 +0100
my third commit message
commit 8728dbe67
Author: Octocat <1000+octocat@users.noreply.github.com
Date: Tue Jan 30 13:01:36 2024 +0100
my second commit message
commit 6057cbe51
Author: Octocat <1000+octocat@users.noreply.github.com
Date: Tue Jan 30 12:58:24 2024 +0100
my first commit message
1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history.
* In the example, commit `8728dbe67` was the first commit to contain the secret.
1. Start an interactive rebase with `git rebase -i <COMMIT-ID>~1`.
* For `<COMMIT-ID>`, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`.
1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text.
```text
edit 8728dbe67 my second commit message
pick 03d69e5d3 my third commit message
pick 8053f7b27 my fourth commit message
```
1. Save and close the editor to start the interactive rebase.
1. Remove the secret from your code.
1. Commit your changes using `git commit --amend`.
1. Run `git rebase --continue` to finish the rebase.
1. Push your changes with `git push`.
## Resolving a blocked commit in the web UI
{% data reusables.secret-scanning.push-protection-web-ui-choice %}
To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes.
Alternatively, if you determine that it's safe to allow the secret, use the options displayed in the dialog box to bypass push protection. For more information about bypassing push protection from the web UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#bypassing-push-protection-when-working-with-the-web-ui)."
# Further reading
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"{% ifversion secret-scanning-push-protection-for-users %}
* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)"{% endif %}
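Review bot: this removes the whole of `pushing-a-branch-blocked-by-push-protection`, but no hunk visible here adds a `redirect_from` entry for `/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection`, unlike the other relocated articles in this PR (the troubleshooting, defining-custom-patterns and regular-expression-generator files each gain one); confirm the article that replaces this one carries that redirect, since the preceding file's Further reading list still links the old path. If the body is being moved rather than dropped, also fix the two defects in the sample output while moving it: three of the `Author:` lines in the `git log` block are missing the closing `>` of the e-mail address, and that block's ```` ```text ```` fence is never closed before the "Focusing only on the commits" step.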

View File

@@ -0,0 +1,13 @@
---
title: Secret scanning partnership program
intro: 'As a service provider, you can partner with {% data variables.product.prodname_dotcom %} to have your secret token formats secured through secret scanning, which searches for accidental commits of your secret format and can be sent to a service provider''s verify endpoint.'
versions:
fpt: '*'
ghec: '*'
topics:
- API
shortTitle: Partner program
children:
- /secret-scanning-partner-program
---
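Review bot: the `intro` reads oddly: "secret scanning, which searches for accidental commits of your secret format and can be sent to a service provider's verify endpoint" makes the scanning (or the format) the thing that gets sent; rephrase so that it is the detected matches that are sent to the provider's verify endpoint. Also, `topics` here lists only `API`, while the child article's frontmatter in the next hunk carries `API`, `Secret scanning` and `Advanced Security`; align the index with its child.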

View File

@@ -6,11 +6,14 @@ redirect_from:
- /partnerships/secret-scanning
- /developers/overview/secret-scanning
- /developers/overview/secret-scanning-partner-program
- /code-security/secret-scanning/secret-scanning-partner-program
versions:
fpt: '*'
ghec: '*'
topics:
- API
- Secret scanning
- Advanced Security
shortTitle: Partner program
---

View File

@@ -0,0 +1,18 @@
---
title: Troubleshooting secret scanning and push protection
shortTitle: Troubleshoot secret scanning
intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %} or push protection, you can use these tips to help resolve issues.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Troubleshooting
children:
- /troubleshooting-secret-scanning
---
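Review bot: `shortTitle: Troubleshoot secret scanning` is identical to the child article's `shortTitle` in the next hunk, so the sidebar will show the same label for the category and its only child; the `title` already says "and push protection", so give the index a distinct short title. Also, `type: how_to` on a category index with a `children` list looks copied from the article: the other new index pages in this PR (the partnership program and custom patterns indexes) carry no `type`.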

View File

@@ -1,7 +1,7 @@
---
title: Troubleshooting secret scanning
shortTitle: Troubleshoot secret scanning
intro: 'If you have problems with {% data variables.product.prodname_secret_scanning %}, you can use these tips to help resolve issues.'
intro: 'When using {% data variables.product.prodname_secret_scanning %} to detect secrets in your repository, or secrets about to be committed into your repository, you may need to troubleshoot unexpected issues.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
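Review bot: the new `intro` says "secrets about to be committed into your repository"; push protection is described elsewhere in this changeset as blocking the push, so "about to be pushed to your repository" is the more precise wording. Giving the article its own intro while the old sentence moves to the new parent index is otherwise the right split.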
@@ -12,6 +12,8 @@ topics:
- Secret scanning
- Advanced Security
- Troubleshooting
redirect_from:
- /code-security/secret-scanning/troubleshooting-secret-scanning
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
@@ -20,7 +22,7 @@ topics:
{% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource.
Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
{% ifversion secret-scanning-validity-check %}
@@ -32,7 +34,7 @@ For {% data variables.product.prodname_dotcom %} tokens, we check the validity o
## Push protection limitations
If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
If your secret is in the supported list, there are various reasons why push protection may not detect it.

View File

@@ -13,6 +13,7 @@ topics:
- AI
redirect_from:
- /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
- /code-security/secret-scanning/about-generating-regular-expressions-with-ai
---
<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
@@ -35,7 +36,7 @@ The model returns up to three regular expressions for you to review. You can cli
Some results may be quite similar, and some results may not find every instance of the secret that the pattern is intended to detect. It is also possible that the regular expression generator may produce results which are invalid or inappropriate.
When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." {% endif %}
When you click **Use result** on a regular expression, the expression and any examples inputted will be copied over to the main custom pattern form. There, you can perform a dry run of the pattern to see how it performs across your repository or organization.{% ifversion secret-scanning-custom-pattern-ai-generated %} For more information on how to define a custom pattern for your repository or organization, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." {% endif %}
## Improving performance when generating regular expressions with AI
@@ -57,18 +58,18 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio
## Next steps
* [AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)
* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
{% endif %}
## Further reading
{% ifversion fpt %}
* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
{% endif %}
{% ifversion secret-scanning-custom-pattern-ai-generated %}
* [AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
{% endif %}

View File

@@ -5,6 +5,7 @@ intro: 'You can define your own custom patterns to extend the capabilities of {%
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
- /code-security/secret-security/defining-custom-patterns-for-secret-scanning
- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
versions:
ghes: '*'
ghec: '*'
@@ -16,7 +17,7 @@ topics:
## About custom patterns for {% data variables.product.prodname_secret_scanning %}
You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
You can define custom patterns for your enterprise, organization, or repository. {% data variables.product.prodname_secret_scanning_caps %} supports up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per repository.
@@ -45,13 +46,13 @@ For simple tokens you will usually only need to specify a secret format. The oth
### Using the regular expression generator
{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-generating-regular-expressions-with-ai)" and "[AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."
{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."
{% endif %}
## Defining a custom pattern for a repository
Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
Before defining a custom pattern, you must ensure that {% data variables.product.prodname_secret_scanning %} is enabled on your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
@@ -178,44 +179,7 @@ Before defining a custom pattern, you must ensure that you enable secret scannin
After your pattern is created, {% data variables.product.prodname_secret_scanning %} scans for any secrets in repositories within your enterprise's organizations with {% data variables.product.prodname_GH_advanced_security %} enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
## Editing a custom pattern
## Further reading
When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern.
{% data reusables.secret-scanning.view-custom-pattern %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}.
{%- ifversion custom-pattern-dry-run-ga %}
1. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click **Save and dry run**.
{%- endif %}
1. When you have reviewed and tested your changes, click **Publish changes**.{% ifversion secret-scanning-push-protection-custom-patterns %}
{% data reusables.advanced-security.secret-scanning-enable-push-protection-custom-pattern %}
1. Optionally, to disable push protection for your custom pattern, click **Disable**.
![Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-disable-push-protection-custom-pattern.png){% endif %}
## Removing a custom pattern
{% data reusables.secret-scanning.view-custom-pattern %}
1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
1. Click **Yes, delete this pattern**.
{% ifversion secret-scanning-custom-patterns-metrics %}
## Metrics for custom patterns
Organization owners and people with admin permissions can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
{% note %}
**Note:** Metrics for custom patterns are in public beta and subject to change.
{% endnote %}
### Viewing metrics for custom patterns
{% data reusables.secret-scanning.view-custom-pattern %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view.
The metrics are displayed under the custom pattern's name.
{% endif %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns)" {% ifversion secret-scanning-custom-patterns-metrics %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/metrics-for-custom-patterns)"{% endif %}

View File

@@ -10,6 +10,8 @@ topics:
- Advanced Security
- Secret scanning
- AI
redirect_from:
- /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
---
## Generating a regular expression for a repository with AI
@@ -42,4 +44,4 @@ topics:
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/about-generating-regular-expressions-with-ai)"
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai)"

View File

@@ -0,0 +1,20 @@
---
title: Custom patterns
shortTitle: Custom patterns
allowTitleToDifferFromFilename: true
intro: 'You can extend the capabilities of {% data variables.product.prodname_secret_scanning %} to search for your own patterns. These custom patterns can range from your service API keys to connection strings into cloud resources.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
ghes: '*'
ghec: '*'
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /defining-custom-patterns-for-secret-scanning
- /managing-custom-patterns
- /about-generating-regular-expressions-with-ai
- /generating-regular-expressions-for-custom-patterns-with-ai
- /metrics-for-custom-patterns
---

View File

@@ -0,0 +1,107 @@
---
title: Managing custom patterns
shortTitle: Manage custom patterns
intro: 'You can view, edit, and remove custom patterns, as well as enable push protection for custom patterns.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
ghes: '*'
ghec: '*'
type: how_to
topics:
- Advanced Security
- Secret scanning
---
Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
## Editing a custom pattern
When you save a change to a custom pattern, this closes all the {% data variables.secret-scanning.alerts %} that were created using the previous version of the pattern.
{% data reusables.secret-scanning.view-custom-pattern %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", to the right of the custom pattern you want to edit, click {% octicon "pencil" aria-label="Edit pattern" %}.
{%- ifversion custom-pattern-dry-run-ga %}
1. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click **Save and dry run**.
{%- endif %}
1. When you have reviewed and tested your changes, click **Publish changes**.{% ifversion secret-scanning-push-protection-custom-patterns %}
{% data reusables.advanced-security.secret-scanning-enable-push-protection-custom-pattern %}
1. Optionally, to disable push protection for your custom pattern, click **Disable**.
![Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-disable-push-protection-custom-pattern.png){% endif %}
## Removing a custom pattern
{% data reusables.secret-scanning.view-custom-pattern %}
1. To the right of the custom pattern you want to remove, click {% octicon "trash" aria-label="Remove pattern" %}.
1. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
1. Click **Yes, delete this pattern**.
{% ifversion secret-scanning-push-protection-custom-patterns %}
## Enabling push protection for a custom pattern
You can enable {% data variables.product.prodname_secret_scanning %} as a push protection for custom patterns stored at {% ifversion ghec or ghes %}the enterprise, organization, or repository level{% else %} the organization or repository level{% endif %}.
{% ifversion ghec or ghes %}
### Enabling push protection for a custom pattern stored in an enterprise
{% data reusables.secret-scanning.push-protection-enterprise-note %}
Before enabling push protection for a custom pattern at enterprise level, you must also{% ifversion custom-pattern-dry-run-ga %} test your custom patterns using dry runs. {% data reusables.secret-scanning.dry-runs-enterprise-permissions %}{% else %} test your custom patterns in a repository before defining them for your entire enterprise, as there is no dry-run functionality. That way, you can avoid creating excess false-positive {% data variables.secret-scanning.alerts %}.{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}{% ifversion security-feature-enablement-policies %}
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
1. Under "Code security and analysis", click **Security features**.{% else %}
{% data reusables.enterprise-accounts.advanced-security-policies %}
{% data reusables.enterprise-accounts.advanced-security-security-features %}{% endif %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
{% ifversion custom-pattern-dry-run-ga %}
>[!NOTE] At the enterprise level, you can only edit and enable push protection for custom patterns that you created.
{%- endif %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
![Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern
Before enabling push protection for a custom pattern at organization level, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. To enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %} For next steps on managing custom patterns for your organization with {% data variables.product.prodname_global_settings %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#defining-custom-patterns)." For information on enabling push protection for specific custom patterns, reference the following steps.
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}
![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in a repository for a custom pattern
Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-edit-custom-pattern %}
1. To enable push protection for your custom pattern, scroll down to "Push Protection", and click **Enable**.
{% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}
![Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.](/assets/images/help/repository/secret-scanning-custom-pattern-enable-push-protection.png)
{% endif %}
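Review bot: the three procedure headings in this hunk phrase the same task two different ways, "Enabling push protection for a custom pattern stored in an enterprise" versus "Enabling {% data variables.product.prodname_secret_scanning %} as a push protection in an organization for a custom pattern" (and the repository twin); align them, e.g. "Enabling push protection for a custom pattern stored in an organization/repository". Smaller points in the same hunk: "at enterprise level", "at organization level" and "at repository level" should read "at the enterprise level" etc.; the callout `>[!NOTE]` lacks the space after `>` that the other new articles in this PR use (`> [!NOTE]`); and the organization procedure follows the Enable step with `{% indented_data_reference reusables.secret-scanning.push-protection-org-notes spaces=3 %}` while the enterprise and repository procedures use `{% data reusables.secret-scanning.custom-pattern-push-protection-enable-button %}`, so confirm the different reusable is intentional rather than a copy-paste slip.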

View File

@@ -0,0 +1,25 @@
---
title: Metrics for custom patterns
shortTitle: Custom pattern metrics
intro: 'You can view alert metrics for custom patterns at the repository, organization, and enterprise levels.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
feature: secret-scanning-custom-patterns-metrics
type: how_to
topics:
- Advanced Security
- Secret scanning
---
## Metrics for custom patterns
Organization owners and people with admin permission for a repository can see an overview of the activity for custom patterns. The overview includes alert and push protection activity for the custom pattern during the last 30 days.
> [!NOTE] Metrics for custom patterns are in public beta and subject to change.
## Viewing metrics for custom patterns
{% data reusables.secret-scanning.view-custom-pattern %}
1. Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view.
The metrics are displayed under the custom pattern's name.
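Review bot: the intro says metrics can be viewed "at the repository, organization, and enterprise levels", but the body only names organization owners and people with admin permission for a repository, and the single procedure gives no enterprise-level path; either add the enterprise-level permission and viewing steps or narrow the intro to repository and organization. Also the step "Under "{% data variables.product.prodname_secret_scanning_caps %}", click the custom pattern you want to view." would read better as "click the name of the custom pattern", since the next sentence says the metrics appear under the pattern's name.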

View File

@@ -0,0 +1,24 @@
---
title: About delegated bypass for push protection
intro: 'You can control which teams or roles have the ability to bypass push protection in your organization or repository.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
feature: push-protection-delegated-bypass
type: overview
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Delegated bypass
---
## About delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-overview %}
For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."

View File

@@ -0,0 +1,53 @@
---
title: Enabling delegated bypass for push protection
intro: 'You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.'
versions:
feature: push-protection-delegated-bypass
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Enable delegated bypass
---
## Enabling delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start.
>[!NOTE] You can't add secret teams to the bypass list.
## Configuring delegated bypass for an organization
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %}
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
## Configuring delegated bypass for a repository
>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
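Review bot: the callout "You can't add secret teams to the bypass list." appears twice, once after the introduction and again inside the repository procedure after "Under "Bypass list", click **Add role or team**.", but the organization procedure has the same step with no callout; keep only the general note at the top, or place the callout after the "Add role or team" step in both procedures. Also "at the organization-level" in the note above the repository procedure should be "at the organization level".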

View File

@@ -0,0 +1,19 @@
---
title: Delegated bypass for push protection
shortTitle: Delegated bypass
allowTitleToDifferFromFilename: true
intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /about-delegated-bypass-for-push-protection
- /enabling-delegated-bypass-for-push-protection
- /managing-requests-to-bypass-push-protection
---
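Review bot: this category page is versioned with `fpt: '*'`, `ghes: '*'`, `ghec: '*'` while all three children added in this PR are gated on `feature: push-protection-delegated-bypass`, so the category could render in a version where none of its children exist; use the same feature version here. Likewise the `product` gate here is `gated-features.secret-scanning` whereas the children use `gated-features.push-protection-for-repos`; pick one for the whole section.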

View File

@@ -0,0 +1,51 @@
---
title: Managing requests to bypass push protection
intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
permissions: 'Members of the bypass list can process requests from non-members to bypass push protection.'
versions:
feature: push-protection-delegated-bypass
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Manage bypass requests
---
## Managing requests to bypass push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
> [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
### Managing requests to bypass push protection at the repository level
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.bypass-requests-settings %}
1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed to the repository yet.
1. Click the request that you want to review.
1. Review the details of the request.
1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
### Filtering by request status
You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
|Status|Description|
|---------|-----------|
|`Cancelled`| The request has been cancelled by the contributor.|
|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.|
|`Denied`|The request has been reviewed and denied.|
|`Expired`| The request has expired. Requests are valid for 7 days. |
|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. |
When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires.
The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.
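Review bot: the heading "### Filtering by request status" is narrower than the paragraph under it, which says requests can be filtered by approver, requester, timeframe, and status; rename it to "### Filtering requests" or move the status table under its own heading. The only procedure heading is "at the repository level", which implies a sibling organization-level procedure that is not in this file even though the intro covers "an organization or repository"; either add it or drop the level qualifier. The status table also has inconsistent cell spacing (`|`Cancelled`| The request ...` vs `|`Denied`|The request ...`); normalize the cells.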

View File

@@ -0,0 +1,71 @@
---
title: Excluding folders and files from secret scanning
intro: 'You can customize {% data variables.product.prodname_secret_scanning %} to exclude directories or files from analysis, by configuring a `secret_scanning.yml` file in your repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
shortTitle: Exclude folders and files
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Repositories
---
## About {% data variables.product.prodname_secret_scanning %}
{% data variables.product.prodname_secret_scanning_caps %} automatically detects tokens or credentials that have been checked into a repository. You can view {% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts %}{% else %}alerts{% endif %} for any secrets that {% data variables.product.company_short %} finds in your code, in the **Security** tab of the repository, so that you know which tokens or credentials to treat as compromised.{% data reusables.secret-scanning.alert-type-links %}
## About excluding directories from {% data variables.secret-scanning.user_alerts %}
You may have a reason to commit a secret to a repository, such as when you want to provide a fake secret in documentation, or in an example application. In these scenarios, you can quickly dismiss the alert and document the reasons. However, there may be cases where you want to ignore a directory entirely to avoid creating false positive alerts at scale. For example, you might have a monolithic application with several integrations containing a file of dummy keys that could set off numerous false alerts to triage.
You can configure a `secret_scanning.yml` file to exclude directories from {% data variables.product.prodname_secret_scanning %}, including when you use push protection.
## Excluding directories from {% data variables.secret-scanning.user_alerts %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.files.add-file %}
1. In the file name field, enter ".github/secret_scanning.yml".
1. Under **Edit new file**, type `paths-ignore:` followed by the paths you want to exclude from {% data variables.product.prodname_secret_scanning %}.
``` yaml copy
paths-ignore:
- "docs/**"
```
This tells {% data variables.product.prodname_secret_scanning %} to ignore everything in the `docs` directory. You can use this example file as a template to add the files and folders youd like to exclude from your own repositories.
You can also use special characters, such as `*` to filter paths. For more information about filter patterns, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
``` yaml copy
paths-ignore:
- "foo/bar/*.js"
```
{% note %}
**Notes:**
* If there are more than 1,000 entries in `paths-ignore`, {% data variables.product.prodname_secret_scanning %} will only exclude the first 1,000 directories from scans.
* If `secret_scanning.yml` is larger than 1 MB, {% data variables.product.prodname_secret_scanning %} will ignore the entire file.
{% endnote %}
## Verifying that the folder is excluded from {% data variables.product.prodname_secret_scanning %}
1. Open a file in a directory that you have excluded from secret scanning
1. Paste a pre-invalidated secret, or a test secret.
1. Commit the change.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %} There should be no new open alerts for the secret you just introduced into the file.
## Best practices
Best practices include:
* Minimizing the number of directories excluded and being as precise as possible when defining exclusions. This ensures that the instructions are as clear as possible, and that exclusions work as intended.
* Explaining why a particular file or folder is excluded in a comment in the `secret_scanning.yml` file. As with regular code, using comments clarifies your intention, making it easier for others to understand the desired behavior.
* Reviewing the `secret_scanning.yml` file on a regular basis. Some exclusions may no longer apply with time, and it is good practice to keep the file clean and current. The use of comments, as advised above, can help with this.
* Informing the security team what files and folders you've excluded, and why. Good communication is vital in ensuring that everyone is on the same page, and understands why specific folders or files are excluded.
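Review bot: "youd like to exclude" is missing its apostrophe ("you'd"). Other points in this hunk: both fences are written "``` yaml copy" with a space after the backticks where the rest of the docs use "```yaml copy"; the file name ".github/secret_scanning.yml" in the add-file step should be in backticks like the other mentions of `secret_scanning.yml`; the verification step "Open a file in a directory that you have excluded from secret scanning" has no final period and spells out the product name instead of using the `prodname_secret_scanning` variable used everywhere else; and the headings "About excluding directories..." and "Excluding directories..." cover files too (the second example excludes `foo/bar/*.js`), so "directories and files" would match the article title.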

View File

@@ -10,6 +10,8 @@ topics:
- Secret scanning
- Advanced Security
- AI
redirect_from:
- /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
---
<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
@@ -36,7 +38,7 @@ The system scans for passwords using the LLM. No additional data is collected by
The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."{% endif %}
These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
## Improving the performance of generic secret detection
@@ -74,12 +76,12 @@ Generic secret detection has been subject to Responsible AI Red Teaming and {% d
## Next steps
* [AUTOTITLE](/code-security/secret-scanning/enabling-ai-powered-generic-secret-detection)
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)
* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
{% endif %}
## Further reading
* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories)
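Review bot: the "Next steps" entry `[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)` is left unchanged while the body link in the hunk above was moved to `/managing-alerts-from-secret-scanning/viewing-alerts`; if managing-alerts-from-secret-scanning is now a category page, decide whether this entry should point at the category or at the viewing-alerts article, and apply the same decision to the other "Further reading" references to that path in this PR.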

View File

@@ -9,6 +9,8 @@ topics:
- Secret scanning
- Advanced Security
- AI
redirect_from:
- /code-security/secret-scanning/enabling-ai-powered-generic-secret-detection
---
{% data reusables.secret-scanning.generic-secret-detection-ai %}
@@ -36,9 +38,9 @@ You can then enable the feature in the security settings page of your organizati
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
1. Under "Secret scanning", select the checkbox next to "Use AI detection to find additional secrets".
For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
## Further reading
* [AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)

View File

@@ -0,0 +1,16 @@
---
title: Generic secret detection
shortTitle: Generic secret detection
allowTitleToDifferFromFilename: true
intro: 'You can use AI in combination with {% data variables.product.prodname_secret_scanning %} to detect unstructured passwords in git content.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
feature: secret-scanning-ai-generic-secret-detection
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /about-the-detection-of-generic-secrets-with-secret-scanning
- /enabling-ai-powered-generic-secret-detection
---

View File

@@ -0,0 +1,21 @@
---
title: Using advanced secret scanning and push protection features
shortTitle: Advanced features
allowTitleToDifferFromFilename: true
intro: 'Learn how you can customize {% data variables.product.prodname_secret_scanning %} to meet the needs of your company.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /excluding-folders-and-files-from-secret-scanning
- /non-provider-patterns
- /generic-secret-detection
- /custom-patterns
- /delegated-bypass-for-push-protection
---

View File

@@ -0,0 +1,46 @@
---
title: Enabling secret scanning for non-provider patterns
allowTitleToDifferFromFilename: true
intro: 'You can enable {% data variables.product.prodname_secret_scanning %} to detect additional potential secrets at the {% ifversion security-configurations %}repository and organization levels{% else %}repository level{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
feature: secret-scanning-non-provider-patterns
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Enable for non-provider patterns
---
## Enabling scanning for non-provider patterns
{% data reusables.secret-scanning.non-provider-patterns-beta %}
You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives.
For more information about non-provider patterns, see "{% ifversion fpt or ghec %}[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#about-user--alerts){% else %}[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#about-secret-scanning-alerts){% endif %}."
{% ifversion security-configurations %}
### Enabling detection of non-provider patterns for a repository
{%endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under {% data variables.product.prodname_secret_scanning_caps %}, select the checkbox next to "Scan for non-provider patterns".
{% ifversion security-configurations %}
### Enabling detection of non-provider patterns for an organization
You can enable scanning for non-provider patterns at the organization level. For more information, see "[Configuring global secret scanning settings](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-secret-scanning-settings)."
{% endif %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)"

View File

@@ -0,0 +1,15 @@
---
title: Non-provider patterns
shortTitle: Non-provider patterns
allowTitleToDifferFromFilename: true
intro: '{% data variables.product.prodname_secret_scanning_caps %} can also alert you to the potential use of other types of secret in code, for example: HTTP authentication headers, connection strings, and private keys. These non-provider patterns are more difficult to detect reliably so this feature is not enabled by default.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
feature: secret-scanning-non-provider-patterns
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /enabling-secret-scanning-for-non-provider-patterns
---

View File

@@ -1,161 +0,0 @@
---
title: Working with push protection
intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets. To push a commit containing a secret, you must specify a reason for bypassing the block{% ifversion push-protection-delegated-bypass %}, or, if required, request bypass privileges to bypass the block{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Work with push protection
---
## About working with push protection
Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets.
You can work with push protection from the command line or from the web UI.
For more information on working with push protection, including how to bypass the block if necessary, see "[Using push protection from the command line](#using-push-protection-from-the-command-line)" and "[Using push protection from the web UI](#using-push-protection-from-the-web-ui)" in this article.
## Using push protection from the command line
{% data reusables.secret-scanning.push-protection-command-line-choice %}
Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)."
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
{% data reusables.secret-scanning.push-protection-multiple-branch-note %}
In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository administrator or organization owner.
You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working with the command line](#bypassing-push-protection-when-working-with-the-command-line)."
{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)."
{% endif %}
### Bypassing push protection when working with the command line
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
{% data reusables.secret-scanning.push-protection-allow-email %}
{% ifversion push-protection-delegated-bypass %}
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)."
{% endif %}
{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow me to push this secret**.
1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.
{% ifversion push-protection-delegated-bypass %}
### Requesting bypass privileges when working with the command line
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request.
Requests expire after 7 days.
{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %}
{% data reusables.secret-scanning.push-protection-submit-bypass-request %}
{% data reusables.secret-scanning.push-protection-bypass-request-check-email %}
{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %}
If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret.
If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)."
{% endif %}
## Using push protection from the web UI
{% data reusables.secret-scanning.push-protection-web-ui-choice %}
For a blocked commit, you can remove the secret from the file using the web UI. Once you remove the secret, you will be able to commit your changes.
{% ifversion push-protection-block-uploads %}
{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets. The dialog box will show you which files contain the secret. You should remove the secret from the files before attempting to upload the files again.
{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %}
{% endif %}
{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history.
You may be able to bypass the block by specifying a reason for allowing the secret. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working with the web UI](#bypassing-push-protection-when-working-with-the-web-ui)."
{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to commit your changes. For information on how to request permission to bypass push protection and allow the commit containing the secret, see "[Requesting bypass privileges when working with the web UI](#requesting-bypass-privileges-when-working-with-the-web-ui)."{% endif %}
### Bypassing push protection when working with the web UI
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-in-the-web-ui)."
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
{% data reusables.secret-scanning.push-protection-allow-email %}
{% ifversion push-protection-delegated-bypass %}
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to commit your changes. For more information, see "[Requesting bypass privileges when working with the web UI](#requesting-bypass-privileges-when-working-with-the-web-ui)."
{% endif %}
1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret.
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow secret**.
{% ifversion push-protection-delegated-bypass %}
### Requesting bypass privileges when working with the web UI
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request.
Requests expire after 7 days.
1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret.
1. Click **Start request**. The request will open in a new tab.
{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %}
{% data reusables.secret-scanning.push-protection-submit-bypass-request %}
{% data reusables.secret-scanning.push-protection-bypass-request-check-email %}
{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %}
If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret.
If your request is denied, you will need to remove the secret from the file before you can commit your changes.
{% endif %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"
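Review bot: this block still cross-references paths that the rest of this PR retires. The "If your request is denied" paragraph and the "Bypassing push protection when working with the web UI" paragraph link to `/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#...`, and the "Further reading" list links to `/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection` and `/code-security/secret-scanning/push-protection-for-repositories-and-organizations`. The new index page added below claims the first of those paths in its `redirect_from`, and two pages cannot own one path, so confirm this file is deleted in the same commit rather than left alongside the new `working-with-push-protection-from-the-command-line` and `working-with-push-protection-in-the-github-ui` pages, which reproduce its "Bypassing" and "Requesting bypass privileges" sections almost verbatim.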


@@ -0,0 +1,22 @@
---
title: Working with secret scanning and push protection
shortTitle: Work with secret scanning
allowTitleToDifferFromFilename: true
intro: '{% data variables.product.prodname_secret_scanning_caps %} scans for and detects secrets that have been checked into a repository. Push protection proactively secures you against leaking secrets by blocking pushes containing secrets.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
topics:
- Secret scanning
- Advanced Security
- Repositories
children:
- /push-protection-for-users
- /working-with-push-protection-from-the-command-line
- /working-with-push-protection-in-the-github-ui
redirect_from:
- /code-security/secret-scanning/working-with-push-protection
- /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection
---
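Review bot: the `redirect_from` entry for `/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection` sends readers to this index rather than to the page that replaced it, and the old page's fragment links (`#resolving-a-blocked-push-on-the-command-line`, `#resolving-a-blocked-push-in-the-web-ui`, `#bypassing-push-protection-when-working-with-the-web-ui`) have no equivalent on an index, so existing bookmarks and any in-product links to those anchors will land on a table of contents. Consider redirecting that path to `/working-with-push-protection-from-the-command-line` (the closest match for "pushing a branch") and checking with the link checker that no remaining page still targets the old anchors.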


@@ -10,21 +10,23 @@ topics:
- Advanced Security
- Alerts
- User account
redirect_from:
- /code-security/secret-scanning/push-protection-for-users
---
## About push protection for users
Push protection for users automatically protects you from accidentally committing secrets to public repositories across {% data variables.product.product_name %}.
When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)."
When you try to push a secret to a public repository, {% data variables.product.prodname_dotcom %} blocks the push. If you believe it's safe to allow the secret, you have the option to bypass the block. Otherwise, you must remove the secret from the commit before pushing again. For more information on how to resolve a blocked push, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" or "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)", depending on whether you use the {% data variables.product.product_name %} UI or the command line.
Push protection for users is always on by default. You can disable the feature at any time through your personal account settings. This may cause secrets to be accidentally leaked. For more information, see "[Disabling push protection for users](#disabling-push-protection-for-users)."
Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."
Push protection for users is different from _push protection for repositories and organizations_, which is a {% data variables.product.prodname_secret_scanning %} feature that must be enabled by a repository administrator or organization owner. With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
With push protection for users, {% data variables.product.prodname_dotcom %} won't create an alert when you bypass the protection and push a secret to a public repository, unless the repository itself has {% data variables.product.prodname_secret_scanning %} enabled. However, if the bypassed secret is a {% data variables.product.prodname_dotcom %} token, the token will be revoked and you will be notified by email.
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
## Disabling push protection for users
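Review bot: in the rewritten "When you try to push a secret" sentence, "depending on whether you use the {% data variables.product.product_name %} UI or the command line" renders on GHES as "GitHub Enterprise Server UI" while the page it links to is titled "Working with push protection in the GitHub UI"; using `{% data variables.product.prodname_dotcom %}` here, as the target page's own heading does, keeps the two consistent.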


@@ -0,0 +1,155 @@
---
title: Working with push protection from the command line
shortTitle: Push protection on the command line
intro: 'Learn your options for unblocking your push from the command line to {% data variables.product.prodname_dotcom %} if {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
---
## About push protection from the command line
Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets.
When you attempt to push a supported secret from the command line to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push.
You should either:
* **Remove** the secret from your branch. For more information, see "[Resolving a blocked push](#resolving-a-blocked-push)."
* **Follow a provided URL** {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}."
Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
{% data reusables.secret-scanning.push-protection-multiple-branch-note %}
## Resolving a blocked push
To resolve a blocked push, you must remove the secret from all of the commits it appears in.
* If the secret was introduced by your latest commit, see "[Removing a secret introduced by the latest commit on your branch](#removing-a-secret-introduced-by-the-latest-commit-on-your-branch)."
* If the secret appears in earlier commits, see "[Removing a secret introduced by an earlier commit on your branch](#removing-a-secret-introduced-by-an-earlier-commit-on-your-branch)."
>[!NOTE] To learn how to resolved a blocked commit in the {% data variables.product.prodname_dotcom %} UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)."
### Removing a secret introduced by the latest commit on your branch
If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.
1. Remove the secret from your code.
1. To commit the changes, run `git commit --amend`. This updates the original commit that introduced the secret instead of creating a new commit.
1. Push your changes with `git push`.
### Removing a secret introduced by an earlier commit on your branch
You can also remove the secret if the secret appears in an earlier commit in the Git history. To do so, you will need to identify which commit first introduced the secret and modify the commit history with an interactive rebase.
1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret.
```text
remote: —— {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic_title_case %} ——————————————————————
remote: locations:
remote: - commit: 8728dbe67
remote: path: README.md:4
remote: - commit: 03d69e5d3
remote: path: README.md:4
remote: - commit: 8053f7b27
remote: path: README.md:4
```
1. Next, run `git log` to see a full history of all the commits on your branch, along with their corresponding timestamps.
```text
test-repo (test-branch)]$ git log
commit 8053f7b27 (HEAD -> main)
Author: Octocat <1000+octocat@users.noreply.github.com
Date: Tue Jan 30 13:03:37 2024 +0100
my fourth commit message
commit 03d69e5d3
Author: Octocat <1000+octocat@users.noreply.github.com>
Date: Tue Jan 30 13:02:59 2024 +0100
my third commit message
commit 8728dbe67
Author: Octocat <1000+octocat@users.noreply.github.com
Date: Tue Jan 30 13:01:36 2024 +0100
my second commit message
commit 6057cbe51
Author: Octocat <1000+octocat@users.noreply.github.com
Date: Tue Jan 30 12:58:24 2024 +0100
my first commit message
1. Focusing only on the commits that contain the secret, use the output of `git log` to identify which commit comes _earliest_ in your Git history.
* In the example, commit `8728dbe67` was the first commit to contain the secret.
1. Start an interactive rebase with `git rebase -i <COMMIT-ID>~1`.
* For `<COMMIT-ID>`, use the commit identified in step 3. For example, `git rebase -i 8728dbe67~1`.
1. In the editor, choose to edit the commit identified in step 3 by changing `pick` to `edit` on the first line of the text.
```text
edit 8728dbe67 my second commit message
pick 03d69e5d3 my third commit message
pick 8053f7b27 my fourth commit message
```
1. Save and close the editor to start the interactive rebase.
1. Remove the secret from your code.
1. Commit your changes using `git commit --amend`.
1. Run `git rebase --continue` to finish the rebase.
1. Push your changes with `git push`.
## Bypassing push protection
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
{% data reusables.secret-scanning.push-protection-allow-email %}
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/enterprise-cloud@latest/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#requesting-bypass-privileges)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow me to push this secret**.
1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.
{% ifversion push-protection-delegated-bypass %}
## Requesting bypass privileges
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request.
Requests expire after 7 days.
{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %}
{% data reusables.secret-scanning.push-protection-submit-bypass-request %}
{% data reusables.secret-scanning.push-protection-bypass-request-check-email %}
{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %}
If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret.
If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[Resolving a blocked push](#resolving-a-blocked-push)."
{% endif %}
## Further reading
* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)
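Review bot: the `git log` sample under "Removing a secret introduced by an earlier commit on your branch" opens a ```text fence that is never closed, so step 3 ("Focusing only on the commits that contain the secret...") and every step after it render inside the code block; add the closing fence after "my first commit message". In the same sample three of the four `Author:` lines are missing the closing `>` (`<1000+octocat@users.noreply.github.com`). Both procedures also skip staging: `git commit --amend` only rewrites the commit with the edited file if that file has been staged, so a reader who follows "Remove the secret from your code" and then runs the amend literally rewrites nothing and is blocked again on the next push; add `git add <FILE>` before the amend (in the latest-commit steps and inside the rebase) or write `git commit -a --amend`. Two smaller points: "To learn how to resolved a blocked commit" should read "resolve", and the "Requesting bypass privileges" link in "Bypassing push protection" hardcodes `/enterprise-cloud@latest/...` in a paragraph that is not inside any `{% ifversion push-protection-delegated-bypass %}` gate, unlike the equivalent paragraph on the GitHub UI page, so it will appear on versions where the feature does not exist; gate it and use the in-page fragment `#requesting-bypass-privileges`.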


@@ -0,0 +1,92 @@
---
title: Working with push protection in the GitHub UI
shortTitle: Push protection in the GitHub UI
intro: 'Learn your options for unblocking your commit when {% data variables.product.prodname_secret_scanning %} detects a secret in your changes.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
---
## About push protection in the {% data variables.product.prodname_dotcom %} UI
When you are creating and editing files in the {% data variables.product.prodname_dotcom %} UI, push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets.
{% ifversion push-protection-block-uploads %}
{% data variables.product.prodname_dotcom %} will also block the commit if you attempt to upload files containing supported secrets.
{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %}
{% endif %}
You should either:
* **Remove** the secret from the commit. For more information, see "[Resolving a blocked commit](#resolving-a-blocked-commit)."
* **Review** the instructions in the dialog box {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push. For more information, see "[Bypassing push protection](#bypassing-push-protection){% ifversion push-protection-delegated-bypass %}" and "[Requesting bypass privileges](#requesting-bypass-privileges){% endif %}."
{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history.
## Resolving a blocked commit
{% data reusables.secret-scanning.push-protection-web-ui-choice %}
To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes.
>[!NOTE] To learn how to resolved a blocked push on the command line, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push)."
## Bypassing push protection
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
{% data reusables.secret-scanning.push-protection-allow-email %}
1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret.
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow secret**.
{% ifversion push-protection-delegated-bypass %}
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges)."
{% endif %}
{% ifversion push-protection-delegated-bypass %}
## Requesting bypass privileges
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request.
Requests expire after 7 days.
1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret.
1. Click **Start request**. The request will open in a new tab.
{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %}
{% data reusables.secret-scanning.push-protection-submit-bypass-request %}
{% data reusables.secret-scanning.push-protection-bypass-request-check-email %}
{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %}
If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret.
If your request is denied, you will need to remove the secret from the file before you can commit your changes.
{% endif %}
## Further reading
* [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line)
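Review bot: "To learn how to resolved a blocked push" should read "resolve", and "In dialog box that appeared" (in both "Bypassing push protection" and "Requesting bypass privileges") should read "In the dialog box". The "If you don't see the option to bypass the block" paragraph links to the full path `/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#requesting-bypass-privileges`, which is this same page; use the fragment `#requesting-bypass-privileges` as the command-line page does. That paragraph also says "in order to push the blocked secret" where this page otherwise speaks of committing, and it sits after the numbered steps whereas the command-line page places it before them; moving it above the steps and merging the two back-to-back `{% ifversion push-protection-delegated-bypass %}` blocks would make the two pages parallel.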


@@ -103,7 +103,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
### Scanning for non-provider patterns
You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#about-user-alerts)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#other-alerts-list)."
You can choose to scan for non-provider patterns, such as private keys, to detect non-provider secrets before they are leaked. To enable these scans, select **Scan for non-provider patterns**. Be aware that non-provider tokens often have a higher rate of false positives. To learn more about non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)" and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts#other-alerts-list)."
{% data reusables.secret-scanning.non-provider-patterns-beta %}
@@ -113,7 +113,7 @@ You can choose to scan for non-provider patterns, such as private keys, to detec
### Generic secret detection
Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning)."
Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning)."
{% data reusables.secret-scanning.generic-secret-detection-ai %}
@@ -126,7 +126,7 @@ To provide context for developers when {% data variables.product.prodname_secret
### Defining custom patterns
You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
{% endif %}


@@ -39,7 +39,7 @@ After you apply a {% data variables.product.prodname_security_configuration %} t
{% endif %}
You can view {% data variables.product.prodname_secret_scanning %} alerts for a repository by navigating to the main page of that repository, clicking the {% octicon "shield" aria-hidden="true" %} **Security** tab, then clicking {% octicon "key" aria-hidden="true" %} **{% data variables.product.prodname_secret_scanning_caps %}**.
For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."
For an introduction to {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)."
To learn how to interpret and resolve {% data variables.product.prodname_secret_scanning %} alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."


@@ -47,9 +47,9 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
1. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. To learn about default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup)."
1. In the "{% data variables.product.prodname_secret_scanning_caps %}" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for the following security features:
* {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %}
* Validity check. To learn more about validity checks for partner patterns, see "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning#checking-a-secrets-validity)".{% endif %}
* Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."
* {% data variables.product.prodname_secret_scanning_caps %}. To learn about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."{% ifversion secret-scanning-validity-check-partner-patterns %}
* Validity check. To learn more about validity checks for partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)".{% endif %}
* Push protection. To learn about push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
{% ifversion fpt or ghec %}
1. In the "Private vulnerability reporting" section of the security settings table, choose whether you want to enable, disable, or keep the existing settings for private vulnerability reporting. To learn about private vulnerability reporting, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
{% endif %}


@@ -89,7 +89,7 @@ Each repository is shown in security overview with an indicator for each type of
| Indicator | Meaning |
| -------- | -------- |
| {% octicon "code-square" aria-label="Code scanning alerts" %} | {% data variables.product.prodname_code_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." |
| {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." |
| {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)." |
| {% octicon "hubot" aria-label="Dependabot alerts" %} | {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." |
| {% octicon "check" aria-label="Enabled" %} | The security feature is enabled, but does not raise alerts in this repository. |
| {% octicon "x" aria-label="Not supported" %} | The security feature is not supported in this repository. |

View File

@@ -74,7 +74,7 @@ Code often needs to communicate with other systems over a network, and requires
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
{% ifversion fpt or ghec %}
{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)."
{% data variables.product.prodname_dotcom %} partners with many providers to automatically detect when secrets are committed to or stored in your public repositories and public npm packages you depend on, and will notify the provider so they can take appropriate actions to ensure your account remains secure. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts##about-partner-alerts)."
{% endif %}
{% ifversion fpt %}
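Review bot: the new link in this hunk has a doubled hash, `about-alerts##about-partner-alerts`, which will not resolve to the section anchor; change it to `/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-partner-alerts`.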
@@ -85,9 +85,9 @@ You can enable and configure additional scanning that will alert you about accid
{% elsif secret-scanning-user-owned-repos %}
If your organization uses {% data variables.product.prodname_GH_advanced_security %}, you can enable {% data variables.secret-scanning.user_alerts %} on any repository owned by the organization, including private repositories. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."
You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)."
{% else %}
You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
You can configure {% data variables.product.prodname_secret_scanning %} to check for secrets issued by many service providers and to notify you when any are detected. You can also define custom patterns to detect additional secrets at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)."
{% endif %}
### Secure storage of secrets you use in {% data variables.product.product_name %}
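Review bot: the replacement anchor in the `secret-scanning-user-owned-repos` branch, `about-alerts#about-secret-scanning-alerts`, is the generic alerts section, while the old anchor was `#about-secret-scanning-alerts-for-users` and the sentence it follows is about user alerts and custom patterns; elsewhere in this branch the same old `-for-users` anchor is mapped to `about-alerts#about-user-alerts`. Use `#about-user-alerts` here for consistency, and since the sentence is about defining custom patterns, consider also linking the custom patterns article (`using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning`) as the `else` branch already does.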

View File

@@ -54,7 +54,7 @@ Notes are particularly useful for communicating parenthetical information that i
* Caveats that might affect the outcome of a process, such as specific user settings.
* Products and features that are subject to changes in availability, such as those in beta or being deprecated.
For example, "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning#reviewing-github-token-metadata)" uses a note to inform users that metadata for {% data variables.product.prodname_dotcom %} tokens is currently in beta.
For example, "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#reviewing-github-token-metadata)" uses a note to inform users that metadata for {% data variables.product.prodname_dotcom %} tokens is currently in beta.
> [!NOTE]
> Metadata for {% data variables.product.prodname_dotcom %} tokens is currently in public beta and subject to change.

View File

@@ -38,7 +38,7 @@ A {% data variables.product.prodname_GH_advanced_security %} license provides th
* **{% data variables.product.prodname_codeql_cli %}** - Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/about-the-codeql-cli)."
* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. {% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."
* **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %}private repositories{% else %} the repository{% endif %}. If push protection is enabled, {% data variables.product.prodname_dotcom %} also detects secrets when they are pushed to your repository. {% ifversion secret-scanning-enable-by-default-for-public-repos %}{% data variables.secret-scanning.user_alerts_caps %} and push protection are available and free of charge for all {% ifversion ghec %}user-owned {% endif %}public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
{% ifversion dependabot-auto-triage-rules %}

View File

@@ -184,6 +184,6 @@ You can manage access to {% data variables.product.prodname_GH_advanced_security
## Further reading
* "[AUTOTITLE](/code-security/getting-started/securing-your-repository)"{% ifversion not fpt %}
* "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)"{% endif %}
* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"{% endif %}
* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)"
* "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)"

View File

@@ -86,7 +86,7 @@ To search for specific events, use the `action` qualifier in your query. Actions
| `org_secret_scanning_automatic_validity_checks` | Contains organization-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization)."
| {% endif %} |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
| `org_secret_scanning_custom_pattern` | Contains organization-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
| {% endif %} |
| `organization_default_label` | Contains all activities related to default labels for repositories in your organization.
| `oauth_application` | Contains all activities related to {% data variables.product.prodname_oauth_apps %}.
@@ -107,16 +107,16 @@ To search for specific events, use the `action` qualifier in your query. Actions
| `repository_dependency_graph` | Contains repository-level activities related to enabling or disabling the dependency graph for a {% ifversion fpt or ghec %}private {% endif %}repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
| {% endif %} |
| {% ifversion ghes or ghec %} |
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
| {% endif %} |
| {% ifversion secret-scanning-validity-check-audit-log %} |
| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
| `repository_secret_scanning_automatic_validity_checks` | Contains repository-level activities related to enabling and disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)."
| {% endif %} |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)." |
| `repository_secret_scanning_custom_pattern` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)." |
| {% endif %} |
| {% ifversion secret-scanning-custom-pattern-push-protection-audit %} |
| `repository_secret_scanning_custom_pattern_push_protection`| Contains repository-level activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
| `repository_secret_scanning_custom_pattern_push_protection`| Contains repository-level activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
| {% endif %} |
| {% ifversion secret-scanning-audit-log-custom-patterns %} |
| `repository_secret_scanning_push_protection` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %} push protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
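Review bot: `repository_secret_scanning_automatic_validity_checks` now links to `enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository`, but this branch also introduces a dedicated `enabling-secret-scanning-features/enabling-validity-checks-for-your-repository` article (it appears in the learning-track changes), which is the right target for an event about validity checks. In addition, the unchanged `repository_secret_scanning_push_protection` row still links to `/code-security/secret-scanning/protecting-pushes-with-secret-scanning`, an old path this reorganization does not touch; either update it to the new push protection location or confirm a redirect exists.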
@@ -129,7 +129,7 @@ To search for specific events, use the `action` qualifier in your query. Actions
| `role` | Contains all activities related to [custom repository roles](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization).
| {% endif %} |
| {% ifversion ghes or ghec %} |
| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
| `secret_scanning_new_repos` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} for new repositories created in the organization.
| {% endif %} |
| {% ifversion fpt or ghec %} |

View File

@@ -29,7 +29,7 @@ topics:
{% ifversion ghec or ghes %}
{% note %}
**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-for-private-repositories)."
**Note:** Customers who use {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning %} on archived repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
{% endnote %}
{% endif %}
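Review bot: dropping the `#about-secret-scanning-for-private-repositories` anchor leaves the archived-repositories note pointing at the top of the about page, so the reader no longer lands on the text that supports the claim that GHAS customers can enable secret scanning on archived repositories. Link to the section of the new article that covers archived repositories, or to the enabling article that states it.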

View File

@@ -35,7 +35,7 @@ You can upload multiple files to {% data variables.product.product_name %} at th
{% ifversion push-protection-block-uploads %}
Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#using-push-protection-from-the-web-ui)" and "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-commit-in-the-web-ui)."
Your repository may be secured by push protection. With push protection, {% data variables.product.prodname_dotcom %} will block uploading a file to the repository if the file contains a supported secret, such as a token. You should remove the secret from the file before attempting to upload the file again. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui)" and "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui#resolving-a-blocked-commit)."
{% data reusables.secret-scanning.push-protection-web-UI-uploads-beta %}
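Review bot: both links on the new line go to the same article, `working-with-push-protection-in-the-github-ui`, the second just with the `#resolving-a-blocked-commit` anchor, so AUTOTITLE will render the same title twice. Keep one link (the anchored one is the more useful for a blocked upload), or point the first at `introduction/about-push-protection` to preserve the concept/how-to split the old text had.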

View File

@@ -47,7 +47,7 @@ Treat authentication credentials the same way you would treat your passwords or
* Don't share authentication credentials using an unencrypted messaging or email system.
* Don't pass your {% data variables.product.pat_generic %} as plain text in the command line. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#keeping-your-personal-access-tokens-secure)."
* Don't push unencrypted authentication credentials like tokens or keys to any repository, even if the repository is private. Instead consider using a {% data variables.product.prodname_actions %} secret{% ifversion fpt or ghec %} or Codespaces secret{% endif %}. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets)"{% ifversion fpt or ghec %} and "[AUTOTITLE](/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces)"{% endif %}.
* You can use secret scanning to discover tokens, private keys, and other secrets that were pushed to a repository, or to block future pushes that contain secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
* You can use secret scanning to discover tokens, private keys, and other secrets that were pushed to a repository, or to block future pushes that contain secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
## Limit who can access your authentication credentials

View File

@@ -23,6 +23,6 @@ You can use the API to:
* Enable or disable {% data variables.product.prodname_secret_scanning %} and push protection for a repository. For more information, see "[AUTOTITLE](/rest/repos/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section.
* Retrieve and update {% data variables.secret-scanning.alerts %} from a repository. For further details, see the sections below.
For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
For more information about {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
<!-- Content after this section is automatically generated -->

View File

@@ -60,7 +60,7 @@ GitHub makes extra security features available to customers under an Advanced Se
Advanced Security is licensed on a "Unique Committer" basis. A "Unique Committer" is a licensed user of GitHub Enterprise, GitHub Enterprise Cloud, or GitHub Enterprise Server, who has made a commit in the last 90 days to any repository with any GitHub Advanced Security functionality activated. You must acquire a GitHub Advanced Security User license for each of your Unique Committers. You may only use GitHub Advanced Security on codebases that are developed by or for you. For GitHub Enterprise Cloud users, some Advanced Security features also require the use of GitHub Actions.
For secret scanning with GitHub Advanced Security, when you opt-in to automatic validity checks for partner patterns, exposed third-party tokens may be shared with the relevant partner, in order to provide you with more information about the validity of the token. Not all partners are based in the United States. The [Secret scanning patterns documentation](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns) provides more details on which partners support the validity check.
For secret scanning with GitHub Advanced Security, when you opt-in to automatic validity checks for partner patterns, exposed third-party tokens may be shared with the relevant partner, in order to provide you with more information about the validity of the token. Not all partners are based in the United States. The [Secret scanning patterns documentation](/enterprise-cloud@latest/code-security/secret-scanning/introduction/supported-secret-scanning-patterns) provides more details on which partners support the validity check.
## Advisory Database

View File

@@ -1,5 +1,5 @@
# Reference: #8384.
# Documentation for secret scanning: custom link on block.
# Documentation for secret scanning: on block.
versions:
ghec: '*'
ghes: '>=3.8'
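Review bot: the comment in this feature-versioning file now reads `Documentation for secret scanning: on block.`, which no longer says what the feature is; removing "custom link" left the description incomplete. Restore a descriptive phrase (for example `custom link on block`, or whatever the flag actually gates) so the file stays self-explanatory for the next person touching it.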

View File

@@ -112,27 +112,36 @@ secret_scanning:
Set up secret scanning to guard against accidental check-ins of tokens,
passwords, and other secrets to your repository.
guides:
- /code-security/secret-scanning/about-secret-scanning
- /code-security/secret-scanning/introduction/about-secret-scanning
- /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository
- /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository
- >-
/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
{% ifversion secret-scanning-validity-check-partner-patterns %}
/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository{% endif %}
- >-
{% ifversion not fpt
%}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{%
%}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{%
endif %}
- /code-security/secret-scanning/managing-alerts-from-secret-scanning
- /code-security/secret-scanning/secret-scanning-patterns
- /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
- >-
{% ifversion secret-scanning-push-protection
%}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{%
%}/code-security/secret-scanning/introduction/about-push-protection{%
endif %}
- >-
{% ifversion secret-scanning-push-protection-for-users
%}/code-security/secret-scanning/push-protection-for-users{% endif %}
%}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users{%
endif %}
- >-
{% ifversion secret-scanning-push-protection
%}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{%
%}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line{%
endif %}
- /code-security/secret-scanning/troubleshooting-secret-scanning
- >-
{% ifversion secret-scanning-push-protection
%}/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-in-the-github-ui{%
endif %}
- >-
/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning
security_alerts:
title: Explore and manage security alerts
description: Learn where to find and resolve security alerts.
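Review bot: the unchanged entry `- /code-security/secret-scanning/managing-alerts-from-secret-scanning` now refers to what this branch turns into a directory (with `about-alerts`, `evaluating-alerts` and `monitoring-alerts` beneath it) rather than an article; learning-track `guides` entries are article paths, so replace it with the specific alert articles or drop it. Also note the new validity-checks entry: inside the `>-` folded scalar, `{% ifversion secret-scanning-validity-check-partner-patterns %}` sits on its own line and the path follows on the next, so after folding the rendered path will carry a leading space when the condition is true. The surrounding entries avoid this by breaking the tag as `{% ifversion ...` / `%}/code-security/...{%` / `endif %}`; use the same layout here.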

View File

@@ -1 +1 @@
For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-on-github-enterprise-server)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts)"{% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts)"{% endif %} and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
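Review bot: the `ghes` branch now links to `about-alerts#about-secret-scanning-alerts` in place of the old `#about-secret-scanning-on-github-enterprise-server` anchor, so GHES readers lose the server-specific section; if the new about-alerts article has no GHES section, `introduction/about-secret-scanning` is the better target. Separately, the `fpt or ghec` branch maps the old `-for-users` anchor to `#about-user-alerts`, whereas the same old anchor is mapped to `about-alerts#about-secret-scanning-alerts` in the code security getting-started article in this same branch; pick one mapping and apply it in both places.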

View File

@@ -1,6 +1,6 @@
1. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
1. In the "Pattern name" field, type a name for your pattern.
1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %}
1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %}
1. You can click **More options {% octicon "chevron-down" aria-label="down" %}** to provide other surrounding content or additional match requirements for the secret format.
1. Provide a sample test string to make sure your configuration is matching the patterns you expect.

View File

@@ -3,7 +3,7 @@
{% note %}
**Note:** You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)."
**Note:** You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)."
{% endnote %}

View File

@@ -1 +1 @@
You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."

View File

@@ -25,7 +25,7 @@
| `business_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an enterprise.
{%- endif %}
{%- ifversion secret-scanning-custom-pattern-push-protection-audit %}
| `business_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)."
| `business_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)."
{%- endif %}
{%- ifversion code-security-audit-log-events %}
| `business_secret_scanning_push_protection` | Contains activities related to the push protection feature of {% data variables.product.prodname_secret_scanning %} in an enterprise. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise)."
@@ -95,7 +95,7 @@
| `org_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization)."
{%- endif %}
{%- ifversion secret-scanning-audit-log-custom-patterns %}
| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
| `org_secret_scanning_custom_pattern` | Contains activities related to custom patterns for {% data variables.product.prodname_secret_scanning %} in an organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
{%- endif %}
| `organization_default_label` | Contains activities related to default labels for repositories in an organization.
| `organization_domain` | Contains activities related to verified organization domains.
@@ -134,16 +134,16 @@
| `repository_invitation` | Contains activities related to invitations to join a repository.
| `repository_projects_change` | Contains activities related to enabling projects for a repository or for all repositories in an organization.
{%- ifversion ghec or ghes %}
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
| `repository_secret_scanning` | Contains repository-level activities related to {% data variables.product.prodname_secret_scanning %}. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
{%- endif %}
{%- ifversion secret-scanning-validity-check-audit-log %}
| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories)."
| `repository_secret_scanning_automatic_validity_checks` | Contains activities related to enabling or disabling automatic validity checks for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository)."
{%- endif %}
{%- ifversion secret-scanning-audit-log-custom-patterns %}
| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
| `repository_secret_scanning_custom_pattern` | Contains activities related to {% data variables.product.prodname_secret_scanning %} custom patterns in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
{%- endif %}
{%- ifversion secret-scanning-custom-pattern-push-protection-audit %}
| `repository_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
| `repository_secret_scanning_custom_pattern_push_protection` | Contains activities related to push protection of a custom pattern for {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)."
{%- endif %}
{%- ifversion secret-scanning-audit-log-custom-patterns %}
| `repository_secret_scanning_push_protection` | Contains activities related to the push protection feature of {% data variables.product.prodname_secret_scanning %} in a repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
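Review bot: the last row of this hunk, `repository_secret_scanning_push_protection`, still links to `/code-security/secret-scanning/protecting-pushes-with-secret-scanning` while the sibling rows above it were moved to the new `introduction/`, `enabling-secret-scanning-features/` and `using-advanced-secret-scanning-and-push-protection-features/` paths; if that page was relocated in the same reorganization, this row needs the same update (or confirm that a redirect covers the old slug).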
@@ -163,7 +163,7 @@
| `role` | Contains activities related to [custom repository roles](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization).
{%- endif %}
{%- ifversion ghec or ghes %}
| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."
| `secret_scanning` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} in existing repositories. For more information, see "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)."
| `secret_scanning_new_repos` | Contains organization-level configuration activities for {% data variables.product.prodname_secret_scanning %} for new repositories created in the organization.
{%- endif %}
{%- ifversion ghec or ghes %}
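Review bot: `secret_scanning_new_repos` is the only row in this group without a "For more information" link; since the adjacent `secret_scanning` row is being touched, consider pointing this one at the same `introduction/about-secret-scanning` page for consistency.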

View File

@@ -10,4 +10,4 @@ Push protection for repositories and organizations is available for {% ifversion
{%- elsif ghes %}
Push protection is available for organization-owned repositories in {% data variables.product.product_name %} if your enterprise has a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %}
For more information, see {% ifversion secret-scanning-push-protection-for-users %}"[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)" and {% endif %}"[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)."
For more information, see {% ifversion secret-scanning-push-protection-for-users %}"[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)" and {% endif %}"[AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection)."
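Review bot: the second link target changed from the how-to page (`push-protection-for-repositories-and-organizations`) to the conceptual `introduction/about-push-protection` page, but the surrounding text is about licensing and availability; confirm the conceptual page covers availability, or point at the enabling page instead. The old slug also needs a redirect entry if one has not been added elsewhere in this PR.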

View File

@@ -0,0 +1 @@
For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts){% endif %}."
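Review bot: the `{% ifversion fpt or ghec %}...{% elsif ghes %}...{% endif %}` chain has no `{% else %}` branch, so on any other version the reusable renders as `For more information, see .`; if it is only ever included on fpt, ghec and ghes pages that is fine, otherwise wrap the whole sentence in the conditional.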

View File

@@ -0,0 +1,5 @@
There are {% ifversion fpt or ghec %}three{% else %}two{% endif %} types of {% data variables.secret-scanning.alerts %}:
* **{% ifversion fpt or ghec %}User alerts{% else %}{% data variables.secret-scanning.alerts_caps %}{% endif %}**: Reported to users in the **Security** tab of the repository, when a supported secret is detected in the repository.
* **Push protection alerts**: Reported to users in the **Security** tab of the repository, when a contributor bypasses push protection. {% ifversion fpt or ghec %}
* **Partner alerts**: Reported directly to secret providers that are part of {% data variables.product.prodname_secret_scanning %}'s partner program. These alerts are not reported in the **Security** tab of the repository.{% endif %}
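Review bot: the `{% ifversion fpt or ghec %}` placed at the end of the push-protection bullet leaves a trailing space after "bypasses push protection." on non-fpt/ghec builds; moving the tag to the start of the partner-alerts line (`{% ifversion fpt or ghec %}* **Partner alerts**...`) gives the same output on fpt/ghec without the stray whitespace. The three/two count on the first line matches the bullets.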

View File

@@ -1 +1 @@
You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-push-protection-for-a-custom-pattern)."
You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns#enabling-push-protection-for-a-custom-pattern)."
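Review bot: the fragment `#enabling-push-protection-for-a-custom-pattern` was moved from the push-protection page to `custom-patterns/managing-custom-patterns`; verify a heading with exactly that text exists on the new page, since the link text here is hard-coded and a link check may not catch a missing fragment on a page that does exist.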

View File

@@ -1,5 +1,5 @@
{% ifversion fpt or ghec %}
To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)."
To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% else %}
To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
{% endif %}

View File

@@ -0,0 +1 @@
Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.

View File

@@ -0,0 +1,9 @@
When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
To configure delegated bypass, organization owners or repository administrators need to first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)."
Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)."
Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
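Review bot: "oversee requests from non-members" in the third paragraph is ambiguous (non-members of what?); suggest "requests from contributors who are not on the bypass list". Also, the period in `request "bypass privileges."` sits inside the quotes while the same paragraph writes `create a "bypass list".` with it outside; pick one convention.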

View File

@@ -1 +1 @@
Additionally, push protection _for users_ automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."
Additionally, push protection _for users_ automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository has {% data variables.product.prodname_secret_scanning %} enabled. Push protection for users is on by default, but you can disable the feature at any time through your personal account settings. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."

View File

@@ -1 +1 @@
When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}, allow those secrets to be pushed.
When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{% else %}needed{% endif %}, allow those secrets to be pushed.
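Review bot: the ifversion branch keeps a leading space (` permitted`) while the else branch (`needed`) has none, so the delegated-bypass build renders "if  permitted" with a double space; drop the space inside the branch: `{% ifversion push-protection-delegated-bypass %}permitted{% else %}needed{% endif %}`.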

View File

@@ -6,7 +6,7 @@
When pushing to a _public_ repository that doesn't have secret scanning enabled, you are still protected from accidentally pushing secrets thanks to _push protection for users_, which is on by default for your user account.
With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)."
With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endnote %}
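Review bot: the changed line mixes a literal "GitHub" at its start with `{% data variables.product.prodname_dotcom %}` later in the same sentence; use the variable in both places so the product name stays consistent across versions.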

View File

@@ -1 +1 @@
To be able to filter by validity status, you need to have validity checks for partner patterns enabled at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-validity-checks-for-partner-patterns)," "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)," and "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features)."
To be able to filter by validity status, you need to have validity checks for partner patterns enabled at the repository, organization, or enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)," "[AUTOTITLE](/code-security/securing-your-organization/meeting-your-specific-security-needs-with-custom-security-configurations/creating-a-custom-security-configuration)," and "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features)."

View File

@@ -0,0 +1,3 @@
Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. An `active` secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validitation status of the token in the alert view.
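Review bot: typo in the second line of the new reusable: "validitation status" should be "validation status".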

View File

@@ -1,3 +1,3 @@
1. Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
* For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](#defining-a-custom-pattern-for-an-organization)".
* For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](#defining-a-custom-pattern-for-an-enterprise-account)" above.
* For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)".
* For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)."
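Review bot: the two rewritten bullets end differently, `...organization)".` versus `...enterprise-account)."`; align the punctuation. Dropping "above" from the enterprise bullet is right now that the link points to a different page.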

View File

@@ -1,3 +1,5 @@
{% ifversion fpt or ghec or ghes > 3.10 %}
Additionally, {% data variables.product.prodname_secret_scanning %} scans:{% ifversion secret-scanning-issue-body-comments %}
* Descriptions and comments in issues{% endif %}{% ifversion secret-scanning-backfills-historical-issues %}
* Titles, descriptions, and comments, in open and closed _historical_ issues{% ifversion ghec %}. A notification is sent to the relevant partner when a historical partner pattern is detected.{% endif %}{% endif %}{% ifversion secret-scanning-enhancements-prs-discussions %}
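Review bot: the new outer `{% ifversion fpt or ghec or ghes > 3.10 %}` hard-codes a GHES version while the bullets it wraps are already gated by feature-flag versions (`secret-scanning-issue-body-comments`, `secret-scanning-backfills-historical-issues`, `secret-scanning-enhancements-prs-discussions`); if the intent is only to hide the "Additionally, secret scanning scans:" intro when no bullet applies, a feature-based version tag would be easier to maintain than a version number.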
@@ -10,3 +12,5 @@ This additional scanning is free for public repositories.
{% endif %}
{% data reusables.secret-scanning.beta-prs-discussions-wikis-scanned %}
{% endif %}
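Review bot: this added `{% endif %}` closes the `{% ifversion fpt or ghec or ghes > 3.10 %}` opened in the first hunk of the file; since the open and close are in separate hunks, confirm no other `{% ifversion %}` is opened between them that would now be closed by the wrong tag, and that `beta-prs-discussions-wikis-scanned` is intentionally hidden on GHES 3.10 and earlier as well.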

View File

@@ -4,7 +4,7 @@
**Notes:**
* Enabling {% data variables.product.prodname_code_scanning %} default setup _will not_ override any existing configurations of advanced setup for the selected repositories, but it _will_ override any existing configurations of default setup.
* Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables high-confidence alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
* Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables high-confidence alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
{% endnote %}

View File

@@ -378,9 +378,9 @@
# FPT versioning for these files was removed as part of github/docs-content#5642
/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
/enterprise-cloud@latest/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning
- /code-security/secret-security/defining-custom-patterns-for-secret-scanning
- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning
/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators
- /articles/restricting-the-ability-to-add-outside-collaborators-to-organization-repositories
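Review bot: the removed key `/enterprise-cloud@latest/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning` does not reappear as a source under the new key (the list below it only carries the unprefixed old paths and the new unprefixed path), so the old prefixed URL keeps working only if the page's own `redirect_from` frontmatter covers it; worth checking before merge.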

View File

@@ -14,7 +14,11 @@ export default async function secretScanning(
res: Response,
next: NextFunction,
) {
if (!req.pagePath!.endsWith('code-security/secret-scanning/secret-scanning-patterns'))
if (
!req.pagePath!.endsWith(
'code-security/secret-scanning/introduction/supported-secret-scanning-patterns',
)
)
return next()
const secretScanningData = yaml.load(
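Review bot: the middleware still keys on a hard-coded page path, now `code-security/secret-scanning/introduction/supported-secret-scanning-patterns`, which is why it had to follow the rename in this PR; consider matching on the page's frontmatter (a dedicated layout or flag) rather than a path suffix so a future move does not silently stop injecting `secretScanningData`. The unchanged `req.pagePath!` non-null assertion will throw on a request with no page path; `req.pagePath?.endsWith(...)` would be safer if the middleware can run on non-page routes.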