When credentials like API keys and passwords are committed to repositories as hardcoded secrets, they become targets for unauthorized access. Secret scanning automatically detects credential leaks so you can secure them before they're exploited.
Tip
At any time, you can run a free assessment of your organization's code for leaked secrets.
To generate a report, open the Security and quality tab for your organization, display the assessments page, then click "Scan your organization".
How secret scanning protects your code
Secret scanning scans the entire Git history on all branches of your repository for hardcoded credentials, including API keys, passwords, tokens, and other known secret types. Because history is scanned, a credential that was committed and later deleted is still found. This helps you identify secret sprawl, the uncontrolled proliferation of credentials across repositories, before it becomes a security risk. GitHub also periodically rescans repositories when new secret types are added.
GitHub also automatically scans:
- Descriptions and comments in issues
- Titles, descriptions, and comments in open and closed historical issues
- Titles, descriptions, and comments in pull requests
- Titles, descriptions, and comments in GitHub Discussions
- Wikis
- Secret gists
Secret scanning alerts and remediation
When secret scanning detects a credential leak, GitHub generates an alert on your repository's Security and quality tab with details about the exposed credential.
When you receive an alert, treat the credential as compromised and rotate it immediately to prevent unauthorized access. You can also remove the secret from your Git history, but this is time-intensive, does not undo the exposure (clones, forks, and caches may still hold the old commits), and is often unnecessary once the credential has been revoked.
Partner integration
GitHub partners with a large variety of service providers to validate detected secrets. When a partner secret is detected, we notify the provider so they can take action, such as revoking the credential. Partner secrets are reported directly to the provider and aren't displayed in your repository alerts. For more information, see Secret scanning partner program.
Customizability
Beyond the default detection of partner and provider secrets, you can expand and customize secret scanning to fit your needs.
- Non-provider patterns. Expand detection to secrets that aren't tied to a specific service provider, such as private keys, connection strings, and generic API keys.
- Custom patterns. Define your own regular expressions to detect organization-specific secrets that aren't covered by default patterns.
- Validity checks. Prioritize remediation by checking whether detected secrets are still active.
- Copilot secret scanning. Use AI to detect unstructured secrets like passwords, or to generate regular expressions for custom patterns.
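The following script is an added example, not GitHub's scanner or any code from this page. It shows, in miniature, the two ideas above that are easiest to misunderstand: scanning every branch of a repository's history rather than just the current tree, and adding a custom regular expression next to provider-style patterns. The provider patterns are an illustrative subset (assumed shapes for AWS access key IDs and GitHub personal access tokens); the `acme_live_` format is a hypothetical organization-specific secret; the `SAMPLE_LOG` is constructed `git log -p --all` output, not a real repository.

```python
"""Simplified local approximation of secret scanning over Git history (added example)."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Illustrative provider-style patterns (assumption: a small subset, not GitHub's real set).
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# A custom pattern for an organization-specific secret (hypothetical format).
CUSTOM_PATTERNS = {
    "acme_internal_key": re.compile(r"\bacme_live_[0-9a-f]{32}\b"),
}

ALL_PATTERNS = {**PROVIDER_PATTERNS, **CUSTOM_PATTERNS}

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")


@dataclass(frozen=True)
class Finding:
    pattern: str
    commit: str
    path: str
    redacted: str  # the full secret is never stored or printed


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it in an alert."""
    return secret[:4] + "..." + secret[-4:]


def scan_git_log(log_text: str, patterns=ALL_PATTERNS) -> list[Finding]:
    """Scan `git log -p --all` output for the given patterns.

    Only '+' (added) lines are matched: the commit that introduced a secret is
    what matters, and a later commit that deletes the line does not remove it
    from history, so it is still reported.
    """
    findings: list[Finding] = []
    seen: set[Finding] = set()
    commit = path = "?"
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, regex in patterns.items():
            for match in regex.finditer(line[1:]):
                f = Finding(name, commit, path, redact(match.group(0)))
                if f not in seen:
                    seen.add(f)
                    findings.append(f)
    return findings


def scan_repository(repo_path: str) -> list[Finding]:
    """Run the scan over every branch of a local clone (requires git)."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_git_log(log)


# Constructed sample of `git log -p --all` output (newest commit first); not a real repo.
# The key uses AWS's documented example value and is not a live credential.
SAMPLE_LOG = """\
commit bbbbbbb2
Author: dev <dev@example.com>

    remove leaked key

diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,3 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 ACME_KEY=acme_live_0123456789abcdef0123456789abcdef
 DEBUG=true
commit aaaaaaa1
Author: dev <dev@example.com>

    add deploy config

diff --git a/config.env b/config.env
--- /dev/null
+++ b/config.env
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+ACME_KEY=acme_live_0123456789abcdef0123456789abcdef
+DEBUG=true
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f.pattern}: {f.redacted} in {f.path} @ {f.commit}")
```

Run against the constructed log, the scanner reports both secrets from commit `aaaaaaa1`, the one that introduced them, even though the newer commit `bbbbbbb2` deleted the AWS key from the working tree. That is the practical reason the remediation advice is to rotate the credential rather than rely on removing the line.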
About validity checks
Validity checks help you prioritize which secrets to remediate first by verifying whether a detected secret is still active. When you enable validity checks, secret scanning may contact the secret's issuing service to determine if the credential has been revoked.
Validity checks are separate from secret scanning's partner program. While partner secrets are automatically reported to service providers for revocation, validity checks verify the status of secrets you manage in your own alerts. For more information, see Validity checks.
How can I access this feature?
Secret scanning is available for the following repository types:
- Public repositories: Secret scanning runs automatically at no cost.
- Private and internal repositories owned by an organization: available with GitHub Secret Protection enabled on GitHub Team or GitHub Enterprise Cloud.
- User-owned repositories: available on GitHub Enterprise Cloud with Enterprise Managed Users. Available on GitHub Enterprise Server when the enterprise has GitHub Secret Protection enabled.