Secret scanning

When credentials like API keys and passwords are committed to repositories as hardcoded secrets, they become targets for unauthorized access. Secret scanning automatically detects credential leaks so you can secure them before they're exploited.

How secret scanning protects your code

Secret scanning scans your entire Git history on all branches of your repository for hardcoded credentials, including API keys, passwords, tokens, and other known secret types. This helps you identify secret sprawl, the uncontrolled proliferation of credentials across repositories, before it becomes a security risk. GitHub also periodically rescans repositories when new secret types are added.

GitHub also automatically scans:

• Descriptions et commentaires dans les problèmes
• Titres, descriptions et commentaires dans les problèmes historiques ouverts et fermés
• Titres, descriptions et commentaires dans les demandes de tirage
• Titres, descriptions et commentaires dans GitHub Discussions
• Wikis
• Gists secrètes

Secret scanning alerts and remediation

When secret scanning detects a credential leak, GitHub generates an alert on your repository's Security and quality tab with details about the exposed credential.

When you receive an alert, rotate the affected credential immediately to prevent unauthorized access. While you can also remove secrets from your Git history, this is time-intensive and often unnecessary if you've already revoked the credential.

Partner integration

GitHub partners with a large variety of service providers to validate detected secrets. When a partner secret is detected, we notify the provider so they can take action, such as revoking the credential. Partner secrets are reported directly to the provider and aren't displayed in your repository alerts. For more information, see Programme de partenariat d’analyse des secrets.

Customizability

Beyond the default detection of partner and provider secrets, you can expand and customize secret scanning to fit your needs.

• Non-provider patterns. Expand detection to secrets that aren't tied to a specific service provider, such as private keys, connection strings, and generic API keys.

• Custom patterns. Define your own regular expressions to detect organization-specific secrets that aren't covered by default patterns.

• Validity checks. Prioritize remediation by checking whether detected secrets are still active.

• Analyse des secrets avec Copilot. Use AI to detect unstructured secrets like passwords, or to generate regular expressions for custom patterns.

About validity checks

Validity checks help you prioritize which secrets to remediate first by verifying whether a detected secret is still active. When you enable validity checks, secret scanning may contact the secret's issuing service to determine if the credential has been revoked.

Validity checks are separate from secret scanning's partner program. While partner secrets are automatically reported to service providers for revocation, validity checks verify the status of secrets you manage in your own alerts. For more information, see Validity checks.

How can I access this feature?

Secret scanning est disponible pour les types de référentiels suivants :

• Référentiels publics : Secret scanning s’exécute automatiquement gratuitement.
• Référentiels privés et internes appartenant à l’organisation : disponible avec GitHub Secret Protection activé sur GitHub Team ou GitHub Enterprise Cloud.
• Dépôts appartenant à l'utilisateur : disponibles sur GitHub Enterprise Cloud avec Enterprise Managed Users. Disponible sur GitHub Enterprise Server lorsque l’entreprise a GitHub Secret Protection activée.