Note: The secret scanning API is currently in beta and subject to change.
The secret scanning API lets you retrieve and update secret scanning alerts from a private repository. For more information on secret scanning for private repositories, see "Securing your repository."
List secret scanning alerts for a repository
Lists all secret scanning alerts for a private repository, from newest to oldest. To use this endpoint, you must be an administrator for the repository or organization, and you must use an access token with the repo
scope or security_events
scope.
GitHub Apps must have the secret_scanning_alerts
read permission to use this endpoint.
get /repos/{owner}/{repo}/secret-scanning/alerts
Parameters
Name | Type | In | Description |
---|---|---|---|
accept |
string | header |
Setting to |
owner |
string | path | |
repo |
string | path | |
state |
string | query | Set to |
page |
integer | query | Page number of the results to fetch. |
per_page |
integer | query | Results per page (max 100). |
Code samples
Shell
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/octocat/hello-world/secret-scanning/alerts
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/secret-scanning/alerts', {
owner: 'octocat',
repo: 'hello-world'
})
Default response
Status: 200 OK
[
{
"number": 2,
"created_at": "2020-11-06T18:48:51Z",
"url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/2",
"html_url": "https://github.com/owner/private-repo/security/secret-scanning/2",
"state": "resolved",
"resolution": "false_positive",
"resolved_at": "2020-11-07T02:47:13Z",
"resolved_by": {
"login": "monalisa",
"id": 2,
"node_id": "MDQ6VXNlcjI=",
"avatar_url": "https://alambic.github.com/avatars/u/2?",
"gravatar_id": "",
"url": "https://api.github.com/users/monalisa",
"html_url": "https://github.com/monalisa",
"followers_url": "https://api.github.com/users/monalisa/followers",
"following_url": "https://api.github.com/users/monalisa/following{/other_user}",
"gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
"starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
"organizations_url": "https://api.github.com/users/monalisa/orgs",
"repos_url": "https://api.github.com/users/monalisa/repos",
"events_url": "https://api.github.com/users/monalisa/events{/privacy}",
"received_events_url": "https://api.github.com/users/monalisa/received_events",
"type": "User",
"site_admin": true
},
"secret_type": "adafruit_io_key",
"secret": "aio_XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
},
{
"number": 1,
"created_at": "2020-11-06T18:18:30Z",
"url": "https://api.github.com/repos/owner/repo/secret-scanning/alerts/1",
"html_url": "https://github.com/owner/repo/security/secret-scanning/1",
"state": "open",
"resolution": null,
"resolved_at": null,
"resolved_by": null,
"secret_type": "mailchimp_api_key",
"secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2"
}
]
Repository is public or secret scanning is disabled for the repository
Status: 404 Not Found
Service unavailable
Status: 503 Service Unavailable
Notes
Get a secret scanning alert
Gets a single secret scanning alert detected in a private repository. To use this endpoint, you must be an administrator for the repository or organization, and you must use an access token with the repo
scope or security_events
scope.
GitHub Apps must have the secret_scanning_alerts
read permission to use this endpoint.
get /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}
Parameters
Name | Type | In | Description |
---|---|---|---|
accept |
string | header |
Setting to |
owner |
string | path | |
repo |
string | path | |
alert_number |
integer | path | The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the |
Code samples
Shell
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/octocat/hello-world/secret-scanning/alerts/42
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}', {
owner: 'octocat',
repo: 'hello-world',
alert_number: 42
})
Default response
Status: 200 OK
{
"number": 42,
"created_at": "2020-11-06T18:18:30Z",
"url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42",
"html_url": "https://github.com/owner/private-repo/security/secret-scanning/42",
"state": "open",
"resolution": null,
"resolved_at": null,
"resolved_by": null,
"secret_type": "mailchimp_api_key",
"secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2"
}
Repository is public or secret scanning is disabled for the repository or the resource is not found
Status: 404 Not Found
Service unavailable
Status: 503 Service Unavailable
Notes
Update a secret scanning alert
Updates the status of a secret scanning alert in a private repository. To use this endpoint, you must be an administrator for the repository or organization, and you must use an access token with the repo
scope or security_events
scope.
GitHub Apps must have the secret_scanning_alerts
write permission to use this endpoint.
patch /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}
Parameters
Name | Type | In | Description |
---|---|---|---|
accept |
string | header |
Setting to |
owner |
string | path | |
repo |
string | path | |
alert_number |
integer | path | The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the |
state |
string | body |
Required. Sets the state of the secret scanning alert. Can be either |
resolution |
string or null | body |
Required when the |
Code samples
Shell
curl \
-X PATCH \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/octocat/hello-world/secret-scanning/alerts/42 \
-d '{"state":"state"}'
JavaScript (@octokit/core.js)
await octokit.request('PATCH /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}', {
owner: 'octocat',
repo: 'hello-world',
alert_number: 42,
state: 'state'
})
Default response
Status: 200 OK
{
"number": 42,
"created_at": "2020-11-06T18:18:30Z",
"url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42",
"html_url": "https://github.com/owner/private-repo/security/secret-scanning/42",
"state": "resolved",
"resolution": "used_in_tests",
"resolved_at": "2020-11-16T22:42:07Z",
"resolved_by": {
"login": "monalisa",
"id": 2,
"node_id": "MDQ6VXNlcjI=",
"avatar_url": "https://alambic.github.com/avatars/u/2?",
"gravatar_id": "",
"url": "https://api.github.com/users/monalisa",
"html_url": "https://github.com/monalisa",
"followers_url": "https://api.github.com/users/monalisa/followers",
"following_url": "https://api.github.com/users/monalisa/following{/other_user}",
"gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
"starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
"organizations_url": "https://api.github.com/users/monalisa/orgs",
"repos_url": "https://api.github.com/users/monalisa/repos",
"events_url": "https://api.github.com/users/monalisa/events{/privacy}",
"received_events_url": "https://api.github.com/users/monalisa/received_events",
"type": "User",
"site_admin": true
},
"secret_type": "mailchimp_api_key",
"secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2"
}
Repository is public or secret scanning is disabled for the repository or the resource is not found
Status: 404 Not Found
State does not match the resolution
Status: 422 Unprocessable Entity
Service unavailable
Status: 503 Service Unavailable