When credentials like API keys and passwords are committed to repositories as hardcoded secrets, they become targets for unauthorized access. Secret scanning automatically detects credential leaks so you can secure them before they're exploited.
How secret scanning protects your code
Secret scanning scans your entire Git history on all branches of your repository for hardcoded credentials, including API keys, passwords, tokens, and other known secret types. This helps you identify secret sprawl, the uncontrolled proliferation of credentials across repositories, before it becomes a security risk. GitHub also periodically rescans repositories when new secret types are added.
GitHub also automatically scans:
- Descriptions and comments in issues
- Titles, descriptions, and comments in historical issues, both open and closed.
- Titles, descriptions, and comments in pull requests
- Titles, descriptions, and comments in GitHub Discussions
- Secret gists
Secret scanning alerts and remediation
When secret scanning detects a credential leak, GitHub generates an alert on your repository's Security tab with details about the exposed credential.
When you receive an alert, rotate the affected credential immediately to prevent unauthorized access. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.
Customizability
Beyond the default detection of partner and provider secrets, you can expand and customize secret scanning to fit your needs.
- Non-provider patterns. Expand detection to secrets that aren't tied to a specific service provider, such as private keys, connection strings, and generic API keys.
- Custom patterns. Define your own regular expressions to detect organization-specific secrets that aren't covered by default patterns.
- Validity checks. Prioritize remediation by checking whether detected secrets are still active.
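To make the customizability bullets concrete, here is a small added example (not GitHub's own secret scanning code) that applies custom regular-expression patterns to a constructed file and then prioritizes findings with a pluggable validity check. The `acme_internal_token` pattern is a hypothetical organization-specific format, `pem_private_key` stands in for a non-provider pattern, and `demo_validator` simulates the provider lookup that a real validity check would perform; all three are assumptions for this example.

```python
import re
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

# Hypothetical custom patterns, constructed for this example.
# "acme_internal_token" mimics an organization-specific secret format;
# "pem_private_key" is a generic non-provider pattern (key header only).
CUSTOM_PATTERNS: Dict[str, re.Pattern] = {
    "acme_internal_token": re.compile(r"\bacme_[A-Za-z0-9]{32}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample file contents; the token and key material are fake.
SAMPLE = """\
# config.py (constructed sample)
API_TOKEN = "acme_0123456789abcdef0123456789abcdef"
DEBUG = True
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedsamplekeymaterial
-----END RSA PRIVATE KEY-----
"""

# Constructed set standing in for "the provider says this token still works".
ACTIVE_SECRETS = {"acme_0123456789abcdef0123456789abcdef"}


@dataclass
class Finding:
    pattern_name: str
    line_no: int
    raw: str          # kept only so a validity check can be run on it
    redacted: str     # what gets shown in an alert
    active: bool = False


def redact(secret: str, keep: int = 6) -> str:
    """Show only a short prefix so alerts never re-leak the full secret."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str) -> List[Finding]:
    """Run every custom pattern over each line, like a custom-pattern scan."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CUSTOM_PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(0)
                findings.append(Finding(name, line_no, secret, redact(secret)))
    return findings


def demo_validator(secret: str) -> bool:
    """Hypothetical validity check: a real one would ask the issuing provider."""
    return secret in ACTIVE_SECRETS


def prioritize(findings: List[Finding],
               validator: Callable[[str], bool]) -> List[Finding]:
    """Mark each finding active/inactive and sort live credentials first."""
    checked = [replace(f, active=validator(f.raw)) for f in findings]
    # Stable sort: active secrets first, original order otherwise.
    return sorted(checked, key=lambda f: not f.active)


if __name__ == "__main__":
    for f in prioritize(scan_text(SAMPLE), demo_validator):
        status = "ACTIVE - rotate now" if f.active else "inactive"
        print(f"line {f.line_no}: {f.pattern_name} {f.redacted} [{status}]")
```

The `prioritize` step is the point of validity checks: a leaked credential that still works is the one to rotate first, while an already-revoked one can be handled in the normal history-cleanup queue.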
How can I access this feature?
Secret scanning is available for the following repository types:
- Public repositories: Secret scanning runs automatically and at no cost.
- Organization-owned private and internal repositories: available with GitHub Advanced Security enabled on GitHub Team or GitHub Enterprise Cloud.
- User-owned repositories: available on GitHub Enterprise Cloud with Enterprise Managed Users. Available on GitHub Enterprise Server when the enterprise has GitHub Advanced Security enabled.