Validity checks

Validity checks and extended metadata checks help you prioritize remediation of exposed credentials that pose immediate security risks.

Who can use this feature?

Secret scanning is available for the following repository types:

  • Public repositories: Secret scanning runs automatically and free of charge.
  • Organization-owned private and internal repositories: Available when GitHub Secret Protection is enabled on [GitHub Enterprise Cloud](/get-started/learning-about-github/about-github-advanced-security) or GitHub Team.
  • User-owned repositories: Available on GitHub Enterprise Cloud with Enterprise Managed Users. Also available with GitHub Secret Protection when the enterprise has GitHub Enterprise Server enabled.

About validity checks

Validity checks, a feature of secret scanning, verify whether a detected secret is still active and could therefore be used by an attacker. This lets you prioritize remediation by focusing first on secrets that are confirmed to be active.

You can enable automatic validity checks for detected secrets. Once enabled, GitHub will periodically check the validity of a detected credential by sending the secret to the issuer and testing it against APIs provided by that service. Validity checks are available for secrets from many service providers, and support continues to expand as GitHub partners with additional services.

GitHub prioritizes privacy when checking the validity of a credential. The checks typically use GET requests, the least intrusive endpoints the issuer offers, and endpoints that do not return any personal information.

GitHub displays the validation status of the secret in the alert view, so you can see whether the secret is active, inactive, or of unknown validity. You can also trigger an "on-demand" validity check for the secret from the alert view.
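The validity status is most useful when it drives the order in which alerts are worked. The following is an added example, not code from GitHub Docs or from the product, showing how a triage script might rank alerts by the active / unknown / inactive status described above. It assumes alerts are fetched from the secret scanning alerts REST endpoint (`GET /repos/{owner}/{repo}/secret-scanning/alerts`) and that each alert carries `state`, `validity` and `created_at` fields; the sample alerts are constructed and embedded inline so the script runs offline.

```python
import json
from datetime import datetime

# Constructed sample response in the shape assumed for the secret scanning
# alerts REST endpoint. Secret types and timestamps are made up; only the
# fields the triage logic uses are included.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "state": "open", "secret_type": "github_personal_access_token",
   "validity": "active", "created_at": "2024-01-10T09:00:00Z"},
  {"number": 2, "state": "open", "secret_type": "aws_access_key_id",
   "validity": "inactive", "created_at": "2023-12-01T09:00:00Z"},
  {"number": 3, "state": "open", "secret_type": "slack_api_token",
   "validity": "unknown", "created_at": "2023-11-15T09:00:00Z"},
  {"number": 4, "state": "resolved", "secret_type": "stripe_api_key",
   "validity": "active", "created_at": "2023-10-01T09:00:00Z"},
  {"number": 5, "state": "open", "secret_type": "azure_storage_account_key",
   "validity": "active", "created_at": "2023-09-20T09:00:00Z"}
]
"""

# Triage order: confirmed-active secrets first, then secrets GitHub could not
# verify (treated as possibly live), then confirmed-inactive ones.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}


def parse_alerts(raw):
    """Decode the JSON body of an alerts response into a list of dicts."""
    return json.loads(raw)


def _validity(alert):
    # Missing or unexpected values are treated as "unknown", never as safe.
    value = alert.get("validity")
    return value if value in VALIDITY_RANK else "unknown"


def _created(alert):
    # Timestamps are RFC 3339 with a trailing Z; normalise for fromisoformat.
    return datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))


def prioritize(alerts):
    """Return open alerts ordered by validity, then by oldest exposure first.

    Resolved alerts are dropped: an active-but-resolved alert means the secret
    was already rotated or revoked, so it is not a remediation candidate.
    """
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    return sorted(open_alerts, key=lambda a: (VALIDITY_RANK[_validity(a)], _created(a)))


def triage_summary(alerts):
    """Count open alerts per validity status for a quick dashboard line."""
    counts = {"active": 0, "unknown": 0, "inactive": 0}
    for alert in alerts:
        if alert.get("state") == "open":
            counts[_validity(alert)] += 1
    return counts


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_JSON)
    print("open alerts by validity:", triage_summary(alerts))
    for alert in prioritize(alerts):
        print(f"#{alert['number']:<3} {_validity(alert):<9} {alert['secret_type']}")
```

Within the active bucket the oldest alert sorts first, since a credential that has been exposed longest has had the most time to be found and used; the "unknown" bucket sits above "inactive" because an unverifiable secret should not be deprioritized on the strength of a missing check.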

About extended metadata checks

Note

Extended metadata checks in security configurations are currently in public preview and subject to change.

Extended metadata checks provide additional contextual information about detected secrets. Other tools often refer to this capability as "analyzers".

You can enable extended metadata checks only if validity checks are already enabled. Once enabled, you get information that helps you:

  • Gain deeper insight into detected secrets: Know who owns a secret.
  • Prioritize remediation: Understand the scope and impact of each exposed secret.
  • Improve incident response: Quickly identify responsible teams or individuals when a secret is leaked.
  • Enhance compliance: Ensure secrets align with your organization’s governance and security policies.
  • Reduce false positives: Use additional context to determine if a detection requires action.

The specific metadata available depends on what the service provider shares with GitHub. Not all secret types support extended metadata checks. For more information, see "Evaluating secret scanning alerts."

Getting started with validity and extended metadata checks

Note

Starting February 18, 2026, GitHub will automatically enable extended metadata checks for repositories that have validity checks enabled. For repositories managed by security configurations, GitHub will update those configurations and apply the feature to the attached repositories. This is a one-time transition that lets organizations benefit from the enhanced metadata without manual configuration.

You can enable validity and extended metadata checks at the repository, organization, or enterprise level to help prioritize which exposed credentials pose the most immediate security risks.

For large organizations, we recommend using security configurations to enable these features at the organization or enterprise level. Security configurations allow you to centrally manage secret scanning settings and apply them consistently across many repositories.

To get started: