
Generating regular expressions for custom patterns with AI

You can use the regular expression generator to generate regular expressions for custom patterns. The generator uses an AI model to generate expressions that match the description you enter and, optionally, the example strings you provide.

Who can use this feature?

Secret scanning alerts for partners runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on GitHub.com.

Secret scanning alerts for users are available for user-owned public repositories for free. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. Additionally, secret scanning alerts for users are available and in beta on user-owned repositories for GitHub Enterprise Cloud with Enterprise Managed Users. For more information, see "About secret scanning" and "About GitHub Advanced Security."

For information about how you can try GitHub Advanced Security for free, see "Setting up a trial of GitHub Advanced Security."

Note: The regular expression generator is in beta. Functionality and documentation are subject to change.

About the regular expression generator

Custom patterns are formatted as regular expressions. You can manually type in a regular expression on GitHub, or you can use the regular expression generator. The generator uses a generative AI model: you input a text description of the type of pattern you would like to detect, optionally with example strings that should be detected, and the model returns up to three regular expressions for you to review.

For instructions on how to generate a regular expression manually for your repository or organization, see "Defining custom patterns for secret scanning."

For more information about the generator, see "About the regular expression generator for custom patterns."

Generating a regular expression for a repository using the generator

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.


  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", under "Custom patterns", click New pattern.

  6. In the "Pattern name" field, type a name for your pattern.

  7. On the top right, click Generate with AI.

    Note: You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "Defining a custom pattern for a repository" or "Defining a custom pattern for an organization."

  8. In the sliding panel that is displayed:

    • Complete the "I want a regular expression that" field, describing, ideally in plain English, what patterns you want your regular expression to capture. You can use other natural languages, but the performance may not be as good as with English.

    • Complete the "Examples of what I'm looking for" field, giving an example of a pattern you want to scan for.

    • Click Generate suggestions.

    • Optionally, click on a suggestion to view a description of the regular expression.

    • Click Use results in the Results section that appears, for the result you want to use.


  9. You can click More options to provide other surrounding content or additional match requirements for the secret format. GitHub will add the examples you typed in the sliding panel to the Test string field.

  10. When you're ready to test your new custom pattern, to identify matches in the repository without creating alerts, click Save and dry run.

  11. When the dry run finishes, you'll see a sample of results (up to 1000). Review the results and identify any false positive results.


  12. Edit the new custom pattern to fix any problems with the results, then, to test your changes, click Save and dry run.

  13. When you're satisfied with your new custom pattern, click Publish pattern.

You can configure secret scanning to check pushes for custom patterns before commits are merged into the default branch. For more information, see "Enabling push protection for a custom pattern."

Generating a regular expression for an organization using the generator

  1. In the upper-right corner of GitHub.com, select your profile photo, then click Your organizations.


  2. Next to the organization, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

    Note: If your organization is enrolled in the security configurations and global settings public beta, instead of "Code security and analysis", you will see a "Code security" dropdown menu. Select Code security, then click Global settings. For details on using the regular expression generator, follow the remaining steps in this procedure. For more information on configuring global settings for your organization, see "Configuring global security settings for your organization."

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", under "Custom patterns", click New pattern.

  6. In the "Pattern name" field, type a name for your pattern.

  7. On the top right, click Generate with AI.

    Note: You can enter a regular expression manually instead of using the generator, by typing a regular expression for the format of your secret pattern in the "Secret format" field. For more information, see "Defining a custom pattern for a repository" or "Defining a custom pattern for an organization."

  8. In the sliding panel that is displayed:

    • Complete the "I want a regular expression that" field, describing, ideally in plain English, what patterns you want your regular expression to capture. You can use other natural languages, but the performance may not be as good as with English.

    • Complete the "Examples of what I'm looking for" field, giving an example of a pattern you want to scan for.

    • Click Generate suggestions.

    • Optionally, click on a suggestion to view a description of the regular expression.

    • Click Use results in the Results section that appears, for the result you want to use.


  9. You can click More options to provide other surrounding content or additional match requirements for the secret format. GitHub will add the examples you typed in the sliding panel to the Test string field.

  10. When you're ready to test your new custom pattern, to identify matches in selected repositories without creating alerts, click Save and dry run.

  11. Select the repositories where you want to perform the dry run.

    • To perform the dry run across the entire organization, select All repositories in the organization.

    • To specify the repositories where you want to perform the dry run, select Selected repositories, then search for and select up to 10 repositories.

  12. When you're ready to test your new custom pattern, click Run.

  13. When the dry run finishes, you'll see a sample of results (up to 1000). Review the results and identify any false positive results.


  14. Edit the new custom pattern to fix any problems with the results, then, to test your changes, click Save and dry run.

  15. When you're satisfied with your new custom pattern, click Publish pattern.

You can configure secret scanning to check pushes for custom patterns before commits are merged into the default branch. For more information, see "Enabling push protection for a custom pattern."
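
A local pre-check for the review and dry-run steps of both procedures above, as an added example (not GitHub's code): it scores candidate expressions against strings that should and should not match, so obvious false positives are caught before the dry run. The token format, sample strings and candidate expressions are constructed, and Python's `re` only approximates the Hyperscan engine that secret scanning uses.

```python
import re

# Constructed inputs: a hypothetical internal token, "acme_" + 32 hex characters.
SHOULD_MATCH = [
    "acme_9f86d081884c7d659a2feaa0c55ad015",
    "acme_0123456789abcdef0123456789abcdef",
]
# Look-alikes that must not raise an alert.
SHOULD_NOT_MATCH = [
    "acme_example_placeholder_value_here__",  # documentation placeholder
    "acme_9f86d081",                          # truncated, too short
    "9f86d081884c7d659a2feaa0c55ad015",       # bare hash without the prefix
]
# Constructed stand-ins for the (up to three) suggestions the generator returns.
CANDIDATES = {
    "A": r"acme_\w+",
    "B": r"acme_[0-9a-f]{32}",
    "C": r"[0-9a-f]{32}",
}

# Lookaround and backreferences are not supported by Hyperscan, so a
# suggestion that relies on them needs rewriting before it is saved.
UNSUPPORTED = re.compile(r"\(\?<?[=!]|\\[1-9]")


def evaluate(pattern, positives, negatives):
    """Return the strings a pattern misses and the look-alikes it wrongly hits."""
    rx = re.compile(pattern)
    return {
        "missed": [s for s in positives if not rx.search(s)],
        "false_positives": [s for s in negatives if rx.search(s)],
        "portable": UNSUPPORTED.search(pattern) is None,
    }


def rank(candidates, positives, negatives):
    """Order candidates: fewest misses, then fewest false positives, then portable."""
    results = {n: evaluate(p, positives, negatives) for n, p in candidates.items()}
    order = sorted(results, key=lambda n: (len(results[n]["missed"]),
                                           len(results[n]["false_positives"]),
                                           not results[n]["portable"]))
    return order, results


if __name__ == "__main__":
    order, results = rank(CANDIDATES, SHOULD_MATCH, SHOULD_NOT_MATCH)
    for name in order:
        print(name, CANDIDATES[name], results[name])
```

The dry run remains the authoritative test, since it runs the pattern with GitHub's engine against real repository content.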