docs/content/admin/managing-code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance.md
Rachael Sewell 9d4d6dc4b0 Deprecate ghes 3.10 (#54410)
Co-authored-by: Kevin Heis <heiskr@users.noreply.github.com>
2025-02-18 18:37:25 +00:00


title: Configuring secret scanning for your appliance
shortTitle: Configuring secret scanning
intro: You can enable, configure, and disable {% data variables.product.prodname_secret_scanning %} for {% data variables.product.prodname_ghe_server %}. {% data variables.product.prodname_secret_scanning_caps %} allows users to scan code for accidentally committed secrets.
product: {% data reusables.gated-features.secret-scanning %}
redirect_from:
  • /admin/configuration/configuring-secret-scanning-for-your-appliance
  • /admin/advanced-security/configuring-secret-scanning-for-your-appliance
  • /admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance
versions:
  • ghes: *
type: how_to
topics:
  • Advanced Security
  • Enterprise
  • Secret scanning
  • Security

About {% data variables.product.prodname_secret_scanning %}

If someone checks a secret with a known pattern into a repository, {% data variables.product.prodname_secret_scanning %} catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository. See AUTOTITLE.

Checking whether your license includes {% data variables.product.prodname_GH_advanced_security %}

{% data reusables.advanced-security.check-for-ghas-license %}

Prerequisites for {% data variables.product.prodname_secret_scanning %}

  • The SSSE3 (Supplemental Streaming SIMD Extensions 3) CPU flag needs to be enabled on the VM/KVM that runs {% data variables.product.prodname_ghe_server %}. For more information about SSSE3, see Intel 64 and IA-32 Architectures Optimization Reference Manual in the Intel documentation.

  • A license for {% data variables.product.prodname_GH_advanced_security %} (see AUTOTITLE)

  • {% data variables.product.prodname_secret_scanning_caps %} enabled in the management console (see AUTOTITLE)

Checking support for the SSSE3 flag on your vCPUs

The SSSE3 instruction set is required because {% data variables.product.prodname_secret_scanning %} uses hardware-accelerated pattern matching to find potential credentials committed to your {% data variables.product.prodname_dotcom %} repositories. SSSE3 is enabled for most modern CPUs. You can check whether SSSE3 is enabled for the vCPUs available to your {% data variables.product.prodname_ghe_server %} instance.

  1. Connect to the administrative shell for your {% data variables.product.prodname_ghe_server %} instance. See AUTOTITLE.

  2. Enter the following command:

    grep -iE '^flags.*ssse3' /proc/cpuinfo >/dev/null; echo $?
    

    If this returns the value 0, it means that the SSSE3 flag is available and enabled. You can now enable {% data variables.product.prodname_secret_scanning %}. See Enabling {% data variables.product.prodname_secret_scanning %} below.

    If this doesn't return 0, SSSE3 is not enabled on your VM/KVM. Refer to the documentation for your hardware or hypervisor to learn how to enable the flag or make it available to guest VMs.

Enabling {% data variables.product.prodname_secret_scanning %}

{% data reusables.enterprise_management_console.enable-disable-security-features %}

{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.advanced-security-tab %}

  1. Under "Security," select {% data variables.product.prodname_secret_scanning_caps %}. {% data reusables.enterprise_management_console.save-settings %}

Disabling {% data variables.product.prodname_secret_scanning %}

{% data reusables.enterprise_management_console.enable-disable-security-features %}

{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.advanced-security-tab %}

  1. Under "Security," deselect {% data variables.product.prodname_secret_scanning_caps %}. {% data reusables.enterprise_management_console.save-settings %}