
About secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

Who can use this feature?

Secret scanning alerts for partners runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on GitHub.

Secret scanning alerts for users are available for public repositories for free. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. For more information, see "About secret scanning alerts" and "About GitHub Advanced Security."

For information about how you can try GitHub Enterprise with GitHub Advanced Security for free, see "Setting up a trial of GitHub Enterprise Cloud" and "Setting up a trial of GitHub Advanced Security" in the GitHub Enterprise Cloud documentation.

About secret scanning

Secret scanning is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, secret scanning scans commits in repositories for known types of secrets and alerts repository administrators upon detection.

Secret scanning scans your entire Git history on all branches present in your GitHub repository for secrets. GitHub will also periodically run a full Git history scan of existing content in public repositories where secret scanning is enabled.

Additionally, secret scanning scans:

  • Descriptions and comments in issues
  • Titles, descriptions, and comments in open and closed historical issues
  • Titles, descriptions, and comments in pull requests
  • Titles, descriptions, and comments in GitHub Discussions
  • Wikis

This additional scanning is free for public repositories.

When a supported secret is leaked, GitHub generates a secret scanning alert. Alerts are reported on the Security tab of repositories on GitHub, where you can view, evaluate, and resolve them. For more information, see "Managing alerts from secret scanning."

Service providers can partner with GitHub to provide their secret formats for scanning. We automatically run secret scanning for partner patterns on all public repositories and public npm packages. To find out about our partner program, see "Secret scanning partner program."

Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on GitHub.com. For more information about partner patterns, see "About secret scanning alerts."

For information about the secrets and service providers supported by secret scanning, see "Supported secret scanning patterns."

You can use the REST API to monitor results from secret scanning across your repositories. For more information about API endpoints, see "REST API endpoints for secret scanning."

You can audit the actions taken in response to secret scanning alerts using GitHub tools. For more information, see "Auditing security alerts."

How secret scanning works

Below is a typical workflow that explains how secret scanning works:

  • Detection: Secret scanning automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.

  • Alerts: When a potential secret is detected, GitHub generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see "About secret scanning alerts."

  • Review: When a secret is detected, you'll need to review the alert details provided.

  • Remediation: You then need to take appropriate actions to remediate the exposure. This might include:

    • Rotating the affected credential to ensure it is no longer usable.
    • Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or GitHub's built-in features).

  • Monitoring: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.

  • Integration with partners: GitHub works with various service providers to validate secrets. When a partner secret is detected, GitHub notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "Secret scanning partner program."

About the benefits of secret scanning

  • Enhanced security—Secret scanning scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.

  • Automated detection—The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves.

  • Real-time alerts—When a secret is detected, secret scanning provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.

  • Integration with service providers—GitHub partners with various service providers to validate detected secrets. When a secret is identified, GitHub notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "Secret scanning partner program."

Customizing secret scanning

Once secret scanning is enabled, you can customize it further:

Performing validity checks

Validity checks help you prioritize alerts by telling you which secrets are active or inactive. For more information, see "Evaluating alerts from secret scanning."
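The following is an added example, not part of GitHub's documentation: one way to combine the REST API monitoring and the validity checks described on this page. `fetch_open_alerts` pages through the list-alerts endpoint for a single repository, and `triage` orders open alerts so that secrets reported as still active come first. The function names, the ranking order, and the sample alerts are assumptions constructed for this example.

```python
import json
import urllib.request
from datetime import datetime, timezone

API = "https://api.github.com"
# Lower rank is reviewed first; "active" means the credential still works.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

# Constructed sample in the shape of the alerts response (secret values omitted).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "validity": "inactive",
     "secret_type": "slack_api_token", "created_at": "2024-01-10T00:00:00Z"},
    {"number": 2, "state": "open", "validity": "active",
     "secret_type": "github_personal_access_token", "created_at": "2024-03-01T00:00:00Z"},
    {"number": 3, "state": "resolved", "validity": "active",
     "secret_type": "aws_access_key_id", "created_at": "2024-02-01T00:00:00Z"},
    {"number": 4, "state": "open",  # no validity reported: treated as unknown
     "secret_type": "aws_access_key_id", "created_at": "2024-02-15T00:00:00Z"},
    {"number": 5, "state": "open", "validity": "active",
     "secret_type": "github_personal_access_token", "created_at": "2024-01-20T00:00:00Z"},
]

def fetch_open_alerts(owner, repo, token):
    """Page through GET /repos/{owner}/{repo}/secret-scanning/alerts?state=open."""
    alerts, page = [], 1
    while True:
        url = (f"{API}/repos/{owner}/{repo}/secret-scanning/alerts"
               f"?state=open&per_page=100&page={page}")
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        alerts.extend(batch)
        if len(batch) < 100:  # a short page is the last page
            return alerts
        page += 1

def triage(alerts, now=None):
    """Open alerts only: active first, then unknown, then inactive; oldest first in a rank."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for a in alerts:
        if a.get("state") != "open":
            continue
        created = datetime.fromisoformat(a["created_at"].replace("Z", "+00:00"))
        rows.append({"number": a["number"], "secret_type": a["secret_type"],
                     "validity": a.get("validity") or "unknown",
                     "age_days": (now - created).days})
    rows.sort(key=lambda r: (VALIDITY_RANK.get(r["validity"], 1), -r["age_days"]))
    return rows
```

Against a live repository, pass the result of `fetch_open_alerts(owner, repo, token)` to `triage` and rotate the credentials at the top of the list first.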
