Note: Secret scanning for private repositories is currently in beta and subject to change.
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- In the left sidebar, click Detected secrets.
- Under "Secret scanning" click the alert you want to view.
- Optionally, use the "Resolve" drop-down menu and click a reason for resolving an alert.
Once a secret has been committed to a repository, you should consider the secret compromised. GitHub recommends the following actions for compromised secrets:
- For a compromised GitHub personal access token, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "Creating a personal access token for the command line."
- For all other secrets, first verify that the secret committed to GitHub is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.