
Validity checks

Validity checks and extended metadata checks help you prioritize remediation of exposed credentials that pose immediate security risks.

Who can use this feature?

Secret scanning is available for the following repository types:

  • Public repositories: Secret scanning runs automatically and for free.
  • Organization-owned private and internal repositories: Available with GitHub Secret Protection when it is enabled on GitHub Team or GitHub Enterprise Cloud.
  • User-owned repositories: Enterprise Managed Users can be used on GitHub Enterprise Cloud. Available with GitHub Secret Protection if the GitHub Enterprise Server feature is enabled for the enterprise.

Running a security risk assessment

About validity checks

Validity checks, a feature of secret scanning, verify whether a detected secret is still active and could be exploited. This helps you prioritize remediation by focusing first on secrets that are confirmed to be active.

You can enable automatic validity checks for detected secrets. Once enabled, GitHub will periodically check the validity of a detected credential by sending the secret to the issuer and testing it against APIs provided by that service. Validity checks are available for secrets from many service providers, and support continues to expand as GitHub partners with additional services.

GitHub prioritizes privacy when checking the validity of the credential. We typically make GET requests, pick the least intrusive endpoints, and select endpoints that don't return any personal information.

GitHub displays the validation status of the secret in the alert view, so you can see if the secret is active, inactive, or if the validation status is unknown. You can optionally perform an "on-demand" validity check for the secret in the alert view.
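One way to act on the active/inactive/unknown status described above, as an added example that is not part of GitHub's documentation: a small triage routine that orders open alerts so confirmed-active secrets are handled first. It assumes alert records shaped like GitHub's secret scanning alert objects (fields `number`, `state`, `secret_type`, `validity`); the sample alerts are constructed.

```python
# Added example (not GitHub's code): prioritise secret scanning alerts by validity.
# Assumes each alert is a dict with `number`, `state`, `secret_type` and, when the
# provider supports validity checks, a `validity` of "active", "inactive" or "unknown".

# Lower rank = remediate sooner. "unknown" is deliberately ranked ahead of "inactive":
# a check that could not run is not evidence that the credential is dead.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

# Constructed sample data in the assumed alert shape.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "aws_access_key_id", "validity": "inactive"},
    {"number": 2, "state": "open", "secret_type": "github_personal_access_token", "validity": "active"},
    {"number": 3, "state": "resolved", "secret_type": "slack_api_token", "validity": "active"},
    {"number": 4, "state": "open", "secret_type": "stripe_api_key"},  # no validity check for this type
    {"number": 5, "state": "open", "secret_type": "github_app_token", "validity": "unknown"},
]


def validity_bucket(alert):
    """Normalise the validity field: missing or unrecognised values count as unknown."""
    value = alert.get("validity")
    return value if value in VALIDITY_RANK else "unknown"


def triage(alerts):
    """Return open alerts ordered active -> unknown -> inactive, then by alert number."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    return sorted(open_alerts, key=lambda a: (VALIDITY_RANK[validity_bucket(a)], a["number"]))


def summarize(alerts):
    """Count open alerts per validity bucket for a remediation report."""
    counts = {"active": 0, "unknown": 0, "inactive": 0}
    for alert in triage(alerts):
        counts[validity_bucket(alert)] += 1
    return counts


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f"#{alert['number']:<3} {validity_bucket(alert):<8} {alert['secret_type']}")
    print(summarize(SAMPLE_ALERTS))
```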

About extended metadata checks

Note

Extended metadata checks in security configurations are currently in public preview and subject to change.

Extended metadata checks provide additional contextual information about detected secrets. They are often referred to as analyzers in other tools.

You can enable extended metadata checks if validity checks are enabled. Then, you'll get information that helps you:

  • Gain deeper insight into detected secrets: Know who owns a secret.
  • Prioritize remediation: Understand the scope and impact of each exposed secret.
  • Improve incident response: Quickly identify responsible teams or individuals when a secret is leaked.
  • Enhance compliance: Ensure secrets align with your organization’s governance and security policies.
  • Reduce false positives: Use additional context to determine if a detection requires action.

The specific metadata available depends on what the service provider shares with GitHub. Not all secret types support extended metadata checks. For more information, see Evaluating secret scanning alerts.

Getting started with validity and extended metadata checks

Note

Starting February 18, 2026, GitHub will automatically enable extended metadata checks for repositories that have validity checks enabled. For repositories managed by GitHub security configurations, the configuration will be updated and the feature applied to the attached repositories. This is a one-time transition so that organizations can benefit from enhanced metadata without manual configuration.

You can enable validity and extended metadata checks at the repository, organization, or enterprise level to help prioritize which exposed credentials pose the most immediate security risks.

For large organizations, we recommend using security configurations to enable these features at the organization or enterprise level. Security configurations allow you to centrally manage secret scanning settings and apply them consistently across many repositories.

To get started: