---
title: About secret scanning
intro: Prevent fraudulent use of your secrets by automatically detecting exposed credentials before they can be exploited.
redirect_from:
versions:
shortTitle: Secret scanning
contentType: concepts
category:
---
When credentials like API keys and passwords are committed to repositories as hardcoded secrets, they become targets for unauthorized access. {% data variables.product.prodname_secret_scanning_caps %} automatically detects credential leaks so you can secure them before they're exploited.

{% ifversion secret-risk-assessment %}

> [!TIP]
> At any time, you can run a free assessment of your organization's code for leaked secrets. To generate a report, open {% data reusables.security-overview.navigate-to-risk-assessment %}.

{% endif %}
{% data variables.product.prodname_secret_scanning_caps %} scans your entire Git history on all branches of your repository for hardcoded credentials, including API keys, passwords, tokens, and other known secret types. This helps you identify secret sprawl, the uncontrolled proliferation of credentials across repositories, before it becomes a security risk. {% data variables.product.github %} also periodically rescans repositories when new secret types are added.

{% data variables.product.github %} also automatically scans:

{% data reusables.secret-scanning.what-is-scanned %}

When {% data variables.product.prodname_secret_scanning %} detects a credential leak, {% data variables.product.github %} generates an alert on your repository's {% data variables.product.prodname_security_and_quality_tab %} tab with details about the exposed credential.

When you receive an alert, rotate the affected credential immediately to prevent unauthorized access. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.

{% ifversion fpt or ghec %}

{% data variables.product.company_short %} partners with a large variety of service providers to validate detected secrets. When a partner secret is detected, we notify the provider so they can take action, such as revoking the credential. Partner secrets are reported directly to the provider and aren't displayed in your repository alerts. For more information, see AUTOTITLE.

{% endif %}
Beyond the default detection of partner and provider secrets, you can expand and customize {% data variables.product.prodname_secret_scanning %} to fit your needs.

- Non-provider patterns. Expand detection to secrets that aren't tied to a specific service provider, such as private keys, connection strings, and generic API keys.
- Custom patterns. Define your own regular expressions to detect organization-specific secrets that aren't covered by default patterns.
- Validity checks. Prioritize remediation by checking whether detected secrets are still active.
{% ifversion secret-scanning-ai-generic-secret-detection %}
- {% data variables.secret-scanning.copilot-secret-scanning %}. Use AI to detect unstructured secrets like passwords, or to generate regular expressions for custom patterns.
{% endif %}
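To show how a custom pattern is composed from a secret format, optional before/after context, and additional match requirements, here is an added example written for this page. It is not GitHub's scanning engine; the `CustomPattern` class, the `acme_live_` token format and the sample file contents are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class CustomPattern:
    """Hypothetical local stand-in for a custom pattern's fields; not GitHub's scanning engine."""
    name: str
    secret_format: str                          # regex for the secret itself
    before_secret: str = r"\A|[^0-9A-Za-z]"     # start of line or a non-alphanumeric character
    after_secret: str = r"\Z|[^0-9A-Za-z]"      # end of line or a non-alphanumeric character
    must_match: str = ""                        # extra requirement the matched secret must satisfy
    must_not_match: str = ""                    # extra requirement the matched secret must fail
    def regex(self) -> re.Pattern:
        return re.compile(f"(?:{self.before_secret})(?P<secret>{self.secret_format})(?:{self.after_secret})")

def mask(secret: str) -> str:
    """Never echo a whole credential into a report; keep only its edges."""
    return secret[:4] + "..." + secret[-4:]

def scan_text(text: str, patterns: list) -> list:
    """Apply every pattern to every line and return masked findings with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in patterns:
            for m in pat.regex().finditer(line):
                secret = m.group("secret")
                if pat.must_match and not re.search(pat.must_match, secret):
                    continue
                if pat.must_not_match and re.search(pat.must_not_match, secret):
                    continue
                findings.append({"pattern": pat.name, "line": lineno, "secret": mask(secret)})
    return findings

# Constructed patterns: an imaginary "acme_live_" token format and a Postgres connection string.
PATTERNS = [
    CustomPattern("acme_live_token", r"acme_live_[0-9a-f]{32}",
                  must_not_match=r"0{32}"),       # skip the all-zeros placeholder value
    CustomPattern("postgres_connection_string", r"postgres://[^:/\s\"']+:[^@\s\"']+@[^\s\"']+"),
]

# Constructed sample file content; none of these values are real credentials.
SAMPLE = """\
# config.py (constructed sample; acme_live_ tokens are 32 hex chars after the prefix)
ACME_API_KEY = "acme_live_0123456789abcdef0123456789abcdef"
PLACEHOLDER = "acme_live_00000000000000000000000000000000"
DB_URL = "postgres://app:hunter2@db.internal:5432/app"
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE, PATTERNS))
```

The placeholder on line 3 matches the secret format but is dropped by the must-not-match requirement, which is the kind of rule that keeps a custom pattern from flooding alerts with test values.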
{% ifversion secret-scanning-validity-check-partner-patterns %}

Validity checks help you prioritize which secrets to remediate first by verifying whether a detected secret is still active. When you enable validity checks, {% data variables.product.prodname_secret_scanning %} may contact the secret's issuing service to determine if the credential has been revoked.

Validity checks are separate from {% data variables.product.prodname_secret_scanning %}'s partner program. While partner secrets are automatically reported to service providers for revocation, validity checks verify the status of secrets you manage in your own alerts. For more information, see AUTOTITLE.

{% endif %}

{% data reusables.gated-features.secret-scanning %}

- If you've received an alert, see AUTOTITLE to learn how to review, resolve, and remediate exposed secrets.
{%- ifversion secret-risk-assessment %}
- If you're securing an organization, see AUTOTITLE to determine your organization's exposure to leaked secrets.
{% endif %}
- For a complete list of supported secrets and service providers, see AUTOTITLE.