c1ca049106
Signed-off-by: Meredith Lancaster <malancas@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: AlonaHlobina <54394529+AlonaHlobina@users.noreply.github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com> Co-authored-by: Kelly Arwine <kellyarwine@github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Jon Janego <jonjanego@github.com> Co-authored-by: Jules Porter <jules-p@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Laurenzo <lsto@github.com> Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com> Co-authored-by: Claire W <78226508+crwaters16@users.noreply.github.com> Co-authored-by: Felix Guntrip <guntrip@github.com> Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> Co-authored-by: Tim Rogers <timrogers@github.com> Co-authored-by: docs-bot <77750099+docs-bot@users.noreply.github.com> Co-authored-by: Guillaume Perrot <guperrot@github.com> Co-authored-by: Mark Tareshawty <tarebyte@github.com> Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com> Co-authored-by: Emily Gould <4822039+emilyistoofunky@users.noreply.github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> Co-authored-by: PJ Quirk <pjquirk@github.com> Co-authored-by: Steve Ward <steveward@github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: Kevin Heis <heiskr@users.noreply.github.com> Co-authored-by: SiaraMist <siaramist@github.com> Co-authored-by: Tomoko Tanaka <28242405+tallzeebaa@users.noreply.github.com> Co-authored-by: a1exmozz <187176404+a1exmozz@users.noreply.github.com> Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com> Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com> Co-authored-by: Andy Barnes <kurgol@github.com> Co-authored-by: Sheena Ganju <sheenyg@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sydney Wilson <86739163+swilson15@users.noreply.github.com> Co-authored-by: Robert Sese <734194+rsese@users.noreply.github.com> Co-authored-by: Vimala Moger <166641453+VimalaMoger@users.noreply.github.com> Co-authored-by: Sharra-writes <sharra-writes@github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Jenni C <97056108+dihydroJenoxide@users.noreply.github.com> Co-authored-by: Greg Mondello <72952982+gmondello@users.noreply.github.com> Co-authored-by: Mia Arts <107727642+its-mia@users.noreply.github.com> Co-authored-by: sunbrye <sunbrye@github.com> Co-authored-by: Lorenz Vanthillo <lorenz.vanthillo@gmail.com> Co-authored-by: Eboni <32157169+EboniLM@users.noreply.github.com> Co-authored-by: Junko Suzuki <pnsk@github.com> Co-authored-by: Alex Nguyen <150945400+nguyenalex836@users.noreply.github.com> Co-authored-by: heiskr <1221423+heiskr@users.noreply.github.com> Co-authored-by: Patrick Knight <patrick-knight@github.com> Co-authored-by: T. Greg Doucette <58960990+LawDevNull@users.noreply.github.com> Co-authored-by: Evan Bonsignori <ebonsignori@github.com> Co-authored-by: Robert Justin Monzingo <robertjmonzingo@gmail.com> Co-authored-by: John Coleman <thenewcoke@gmail.com> Co-authored-by: Brendan Scott-Smith <117171930+bss-mc@users.noreply.github.com> Co-authored-by: Chad Bentz <1760475+felickz@users.noreply.github.com> Co-authored-by: Justin Alex <1155821+jusuchin85@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: azenMatt <7584089+azenMatt@users.noreply.github.com> Co-authored-by: Felix Guntrip <stevecat@github.com> Co-authored-by: timrogers <116134+timrogers@users.noreply.github.com> Co-authored-by: John Clement <70238417+jclement136@users.noreply.github.com> Co-authored-by: vaindil <vaindil@github.com> Co-authored-by: Matthew Isabel <matthewisabel@github.com> Co-authored-by: Matthew Isabel <matthew.isabel@gmail.com>
11 KiB
title, intro, permissions, versions, type, topics, shortTitle, allowTitleToDifferFromFilename
| title | intro | permissions | versions | type | topics | shortTitle | allowTitleToDifferFromFilename | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Evaluating alerts from secret scanning | Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret's validity. | {% data reusables.permissions.secret-scanning-alerts %} |
|
how_to |
|
Evaluate alerts | true |
About evaluating alerts
There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
- Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghec %}Applies to {% data variables.product.company_short %} tokens only.{% endif %} See Checking a secret's validity.{% ifversion secret-scanning-validity-check-partner-patterns %}
- Perform an "on-demand" validity check, to get the most up to date validation status. See Performing an on-demand validity check.{% endif %}
- Review a token's metadata. Applies to {% data variables.product.company_short %} tokens only. For example, to see when the token was last used. See Reviewing {% data variables.product.company_short %} token metadata.{% ifversion secret-scanning-extended-metadata-checks %}
- Review extended metadata checks for an exposed secret, to see details such as who owns the secret and how to contact the secret owner. Applies to OpenAI API, Google OAuth, and Slack tokens only. See Reviewing extended metadata for a token.{% endif %}{% ifversion secret-scanning-multi-repo-public-leak %}
- Review the labels assigned to the alert. For more information, see Reviewing alert labels.{% endif %}
Checking a secret's validity
Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
By default, {% data variables.product.company_short %} checks the validity of {% data variables.product.company_short %} tokens and displays the validation status of the token in the alert view.
Organizations using {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_secret_protection %} can also enable validity checks for partner patterns. For more information, see Checking a secret's validity.
{% data reusables.secret-scanning.validity-check-table %}
{% ifversion secret-scanning-validity-check-partner-patterns %}
{% data reusables.gated-features.partner-pattern-validity-check-ghas %}
For information on how to enable validity checks for partner patterns, see AUTOTITLE, and for information on which partner patterns are currently supported, see AUTOTITLE.
{% endif %}
You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see AUTOTITLE in the REST API documentation. You can also use webhooks to be notified of activity relating to a {% data variables.product.prodname_secret_scanning %} alert. For more information, see the secret_scanning_alert event in AUTOTITLE.
{% ifversion copilot-chat-ghas-alerts %}
Asking {% data variables.copilot.copilot_chat %} about {% data variables.product.prodname_secret_scanning %} alerts
With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_secret_scanning %} alerts, in repositories in your organization. For more information, see AUTOTITLE.
{% endif %}
{% ifversion secret-scanning-validity-check-partner-patterns %}
Performing an on-demand validity check
Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking {% octicon "sync" aria-hidden="true" aria-label="sync" %} Verify secret in the alert view. {% data variables.product.company_short %} will send the pattern to the relevant partner and display the validation status of the secret in the alert view.
{% endif %}
Reviewing {% data variables.product.company_short %} token metadata
Note
Metadata for {% data variables.product.company_short %} tokens is currently in {% data variables.release-phases.public_preview %} and subject to change.
In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see GitHub's Privacy Statement and Acceptable Use Policies.
Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. The following metadata is available for active {% data variables.product.company_short %} tokens:
| Metadata | Description |
|---|---|
| Secret name | The name given to the {% data variables.product.company_short %} token by its creator |
| Secret owner | The {% data variables.product.company_short %} handle of the token's owner |
| Created on | Date the token was created |
| Expired on | Date the token expired |
| Last used on | Date the token was last used |
| Access | Whether the token has organization access |
{% ifversion secret-scanning-user-owned-repos %}{% data reusables.secret-scanning.secret-scanning-user-owned-repo-access %} If access is granted, {% data variables.product.prodname_dotcom %} will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.{% ifversion ghec %} For more information, see AUTOTITLE.{% endif %}{% endif %}
{% ifversion secret-scanning-extended-metadata-checks %}
Reviewing extended metadata for a token
{% data reusables.secret-scanning.metadata-checks-public-preview %}
In the view for an active {% data variables.product.company_short %} token alert, you can see extended metadata information, such as owner and contact details.
The following table shows all the available metadata. Note that metadata checks are currently limited to OpenAI API, Google OAuth, and Slack tokens, and the metadata shown for each token may represent only a subset of what exists.
| Metadata type | Description |
|---|---|
| Owner ID | Provider’s unique identifier for the user or service account that owns the secret |
| Owner name | Human‑readable username or display name of the secret’s owner |
| Owner email | Email address associated with the owner |
| Org name | Name of the organization / workspace / project the secret belongs to |
| Org ID | Provider’s unique identifier for that organization |
| Secret issued date | Timestamp when the secret (token or key) was created or most recently issued |
| Secret expiry date | Timestamp when the secret is scheduled to expire |
| Secret name | Human‑assigned display name or label for the secret |
| Secret ID | Provider’s unique identifier for the secret |
{% endif %}
{% ifversion secret-scanning-multi-repo-public-leak-deduped-alerts or secret-scanning-multi-repo-public-leak %}
Reviewing alert labels
In the alert view, you can review any labels assigned to the alert. The labels provide additional details about the alert, which can inform the approach you take for remediation.
{% data variables.product.prodname_secret_scanning_caps %} alerts can have the following labels assigned to them. Depending on the labels assigned, you'll see additional information in the alert view.
| Label | Description | Alert view information |
|---|---|---|
public leak |
The secret detected in your repository has also been found as publicly leaked by at least one of {% data variables.product.github %}'s scans of code, discussions, gists, issues, pull requests, and wikis. This may require you to address the alert with greater urgency, or remediate the alert differently compared to a privately exposed token. | You'll see links to any specific public locations where the leaked secret has been detected. |
multi-repo |
The secret detected in your repository has been found across multiple repositories in your organization or enterprise. This information may help you more easily dedupe the alert across your organization or enterprise. | If you have appropriate permissions, you'll see links to any specific alerts for the same secret in your organization or enterprise. |
{% endif %}