# Puntos de conexión de la API REST para el examen de secretos Usa la API REST para recuperar y actualizar las alertas de secretos de un repositorio. > \[!NOTE] > Los puntos de conexión para administrar secret scanning se encuentran actualmente en versión preliminar pública y están sujetos a cambios. ## Acerca del examen de secretos Puedes usar la API para: * Habilitar o deshabilitar secret scanning y la protección de inserción para un repositorio. Para obtener más información, consulte [Puntos de conexión de la API de REST para repositorios](/es/enterprise-server@3.18/rest/repos/repos#update-a-repository) y expanda la sección "Propiedades del objeto `security_and_analysis`". * Recuperar y actualizar alertas de detección de secretos de un repositorio. Para obtener más detalles, vea las secciones siguientes. Para más información sobre secret scanning, consulta [Escaneo de datos confidenciales](/es/enterprise-server@3.18/code-security/secret-scanning/introduction/about-secret-scanning). > \[!NOTE] > Most endpoints use `Authorization: Bearer ` and `Accept: application/vnd.github+json` headers, plus `X-GitHub-Api-Version: 2022-11-28`. Curl examples below omit these standard headers for brevity. ## List secret scanning alerts for an enterprise ``` GET /enterprises/{enterprise}/secret-scanning/alerts ``` Lists secret scanning alerts for eligible repositories in an enterprise, from newest to oldest. To use this endpoint, you must be a member of the enterprise, and you must use an access token with the repo scope or security\_events scope. Alerts are only returned for organizations in the enterprise for which you are an organization owner or a security manager, or for personal account repositories. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`enterprise`** (string) (required) The slug version of the enterprise name. * **`state`** (string) Set to open or resolved to only list secret scanning alerts in a specific state. Can be one of: `open`, `resolved` * **`secret_type`** (string) A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. * **`resolution`** (string) A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false\_positive, wont\_fix, revoked, pattern\_edited, pattern\_deleted or used\_in\_tests. * **`sort`** (string) The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. Default: `created` Can be one of: `created`, `updated` * **`direction`** (string) The direction to sort the results by. Default: `desc` Can be one of: `asc`, `desc` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` * **`before`** (string) A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." * **`after`** (string) A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." * **`validity`** (string) A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. * **`is_publicly_leaked`** (boolean) A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. Default: `false` * **`is_multi_repo`** (boolean) A boolean value representing whether or not to filter alerts by the multi-repo tag being present. Default: `false` * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **404** - Resource not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/enterprises/ENTERPRISE/secret-scanning/alerts ``` **Response schema (Status: 200):** Array of objects: * `number`: integer, read-only * `created_at`: string, format: date-time, read-only * `updated_at`: any of: * **null** * **string, format: date-time, read-only** * `url`: string, format: uri, read-only * `html_url`: string, format: uri, read-only * `locations_url`: string, format: uri * `state`: string, enum: `open`, `resolved` * `resolution`: string or null, enum: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * `resolved_at`: string or null, format: date-time * `resolved_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `secret_type`: string * `secret_type_display_name`: string * `secret`: string * `repository`: `Simple Repository`: * `id`: required, integer, format: int64 * `node_id`: required, string * `name`: required, string * `full_name`: required, string * `owner`: required, `Simple User`: * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `private`: required, boolean * `html_url`: required, string, format: uri * `description`: required, string or null * `fork`: required, boolean * `url`: required, string, format: uri * `archive_url`: required, string * `assignees_url`: required, string * `blobs_url`: required, string * `branches_url`: required, string * `collaborators_url`: required, string * `comments_url`: required, string * `commits_url`: required, string * `compare_url`: required, string * `contents_url`: required, string * `contributors_url`: required, string, format: uri * `deployments_url`: required, string, format: uri * `downloads_url`: required, string, format: uri * `events_url`: required, string, format: uri * `forks_url`: required, string, format: uri * `git_commits_url`: required, string * `git_refs_url`: required, string * `git_tags_url`: required, string * `issue_comment_url`: required, string * `issue_events_url`: required, string * `issues_url`: required, string * `keys_url`: required, string * `labels_url`: required, string * `languages_url`: required, string, format: uri * `merges_url`: required, string, format: uri * `milestones_url`: required, string * `notifications_url`: required, string * `pulls_url`: required, string * `releases_url`: required, string * `stargazers_url`: required, string, format: uri * `statuses_url`: required, string * `subscribers_url`: required, string, format: uri * `subscription_url`: required, string, format: uri * `tags_url`: required, string, format: uri * `teams_url`: required, string, format: uri * `trees_url`: required, string * `hooks_url`: required, string, format: uri * `push_protection_bypassed`: boolean or null * `push_protection_bypassed_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypassed_at`: string or null, format: date-time * `push_protection_bypass_request_reviewer`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypass_request_reviewer_comment`: string or null * `push_protection_bypass_request_comment`: string or null * `push_protection_bypass_request_html_url`: string or null, format: uri * `resolution_comment`: string or null * `validity`: string, enum: `active`, `inactive`, `unknown` * `multi_repo`: boolean or null * `is_base64_encoded`: boolean or null ## List secret scanning alerts for an organization ``` GET /orgs/{org}/secret-scanning/alerts ``` Lists secret scanning alerts for eligible repositories in an organization, from newest to oldest. The authenticated user must be an administrator or security manager for the organization to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`state`** (string) Set to open or resolved to only list secret scanning alerts in a specific state. Can be one of: `open`, `resolved` * **`secret_type`** (string) A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. * **`resolution`** (string) A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false\_positive, wont\_fix, revoked, pattern\_edited, pattern\_deleted or used\_in\_tests. * **`sort`** (string) The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. Default: `created` Can be one of: `created`, `updated` * **`direction`** (string) The direction to sort the results by. Default: `desc` Can be one of: `asc`, `desc` * **`page`** (integer) The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` * **`before`** (string) A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string. * **`after`** (string) A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string. * **`validity`** (string) A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. * **`is_publicly_leaked`** (boolean) A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. Default: `false` * **`is_multi_repo`** (boolean) A boolean value representing whether or not to filter alerts by the multi-repo tag being present. Default: `false` * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **404** - Resource not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/orgs/ORG/secret-scanning/alerts ``` **Response schema (Status: 200):** Same response schema as [List secret scanning alerts for an enterprise](#list-secret-scanning-alerts-for-an-enterprise). ## List secret scanning alerts for a repository ``` GET /repos/{owner}/{repo}/secret-scanning/alerts ``` Lists secret scanning alerts for an eligible repository, from newest to oldest. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`state`** (string) Set to open or resolved to only list secret scanning alerts in a specific state. Can be one of: `open`, `resolved` * **`secret_type`** (string) A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. * **`resolution`** (string) A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false\_positive, wont\_fix, revoked, pattern\_edited, pattern\_deleted or used\_in\_tests. * **`sort`** (string) The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. Default: `created` Can be one of: `created`, `updated` * **`direction`** (string) The direction to sort the results by. Default: `desc` Can be one of: `asc`, `desc` * **`page`** (integer) The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` * **`before`** (string) A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string. * **`after`** (string) A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string. * **`validity`** (string) A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. * **`is_publicly_leaked`** (boolean) A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. Default: `false` * **`is_multi_repo`** (boolean) A boolean value representing whether or not to filter alerts by the multi-repo tag being present. Default: `false` * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **404** - Repository is public or secret scanning is disabled for the repository * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts ``` **Response schema (Status: 200):** Array of objects: * `number`: integer, read-only * `created_at`: string, format: date-time, read-only * `updated_at`: any of: * **null** * **string, format: date-time, read-only** * `url`: string, format: uri, read-only * `html_url`: string, format: uri, read-only * `locations_url`: string, format: uri * `state`: string, enum: `open`, `resolved` * `resolution`: string or null, enum: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * `resolved_at`: string or null, format: date-time * `resolved_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `resolution_comment`: string or null * `secret_type`: string * `secret_type_display_name`: string * `secret`: string * `push_protection_bypassed`: boolean or null * `push_protection_bypassed_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypassed_at`: string or null, format: date-time * `push_protection_bypass_request_reviewer`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypass_request_reviewer_comment`: string or null * `push_protection_bypass_request_comment`: string or null * `push_protection_bypass_request_html_url`: string or null, format: uri * `validity`: string, enum: `active`, `inactive`, `unknown` * `multi_repo`: boolean or null * `is_base64_encoded`: boolean or null ## Get a secret scanning alert ``` GET /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number} ``` Gets a single secret scanning alert detected in an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`alert_number`** (integer) (required) The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **304** - Not modified * **404** - Repository is public, or secret scanning is disabled for the repository, or the resource is not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER ``` **Response schema (Status: 200):** * `number`: integer, read-only * `created_at`: string, format: date-time, read-only * `updated_at`: any of: * **null** * **string, format: date-time, read-only** * `url`: string, format: uri, read-only * `html_url`: string, format: uri, read-only * `locations_url`: string, format: uri * `state`: string, enum: `open`, `resolved` * `resolution`: string or null, enum: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * `resolved_at`: string or null, format: date-time * `resolved_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `resolution_comment`: string or null * `secret_type`: string * `secret_type_display_name`: string * `secret`: string * `push_protection_bypassed`: boolean or null * `push_protection_bypassed_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypassed_at`: string or null, format: date-time * `push_protection_bypass_request_reviewer`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypass_request_reviewer_comment`: string or null * `push_protection_bypass_request_comment`: string or null * `push_protection_bypass_request_html_url`: string or null, format: uri * `validity`: string, enum: `active`, `inactive`, `unknown` * `multi_repo`: boolean or null * `is_base64_encoded`: boolean or null ## Update a secret scanning alert ``` PATCH /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number} ``` Updates the status of a secret scanning alert in an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`alert_number`** (integer) (required) The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. #### Body parameters * **`state`** (string) Sets the state of the secret scanning alert. You must provide resolution when you set the state to resolved. Can be one of: `open`, `resolved` * **`resolution`** (string or null) Required when the state is resolved. The reason for resolving the alert. Can be one of: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * **`resolution_comment`** (string or null) An optional comment when closing or reopening an alert. Cannot be updated or deleted. ### HTTP response status codes * **200** - OK * **400** - Bad request, resolution comment is invalid or the resolution was not changed. * **403** - Delegated alert dismissal is enabled and the authenticated user is not a valid reviewer. * **404** - Repository is public, or secret scanning is disabled for the repository, or the resource is not found * **422** - State does not match the resolution or resolution comment * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X PATCH \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER \ -d '{ "state": "resolved", "resolution": "false_positive" }' ``` **Response schema (Status: 200):** Same response schema as [Get a secret scanning alert](#get-a-secret-scanning-alert). ## List locations for a secret scanning alert ``` GET /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}/locations ``` Lists all locations for a given secret scanning alert for an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`alert_number`** (integer) (required) The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. * **`page`** (integer) The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` ### HTTP response status codes * **200** - OK * **404** - Repository is public, or secret scanning is disabled for the repository, or the resource is not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER/locations ``` **Response schema (Status: 200):** Array of objects: * `type`: string, enum: `commit`, `wiki_commit`, `issue_title`, `issue_body`, `issue_comment`, `discussion_title`, `discussion_body`, `discussion_comment`, `pull_request_title`, `pull_request_body`, `pull_request_comment`, `pull_request_review`, `pull_request_review_comment` * `details`: one of: * **object** * `path`: required, string * `start_line`: required, number * `end_line`: required, number * `start_column`: required, number * `end_column`: required, number * `blob_sha`: required, string * `blob_url`: required, string * `commit_sha`: required, string * `commit_url`: required, string * **object** * `path`: required, string * `start_line`: required, number * `end_line`: required, number * `start_column`: required, number * `end_column`: required, number * `blob_sha`: required, string * `page_url`: required, string * `commit_sha`: required, string * `commit_url`: required, string * **object** * `issue_title_url`: required, string, format: uri * **object** * `issue_body_url`: required, string, format: uri * **object** * `issue_comment_url`: required, string, format: uri * **object** * `discussion_title_url`: required, string, format: uri * **object** * `discussion_body_url`: required, string, format: uri * **object** * `discussion_comment_url`: required, string, format: uri * **object** * `pull_request_title_url`: required, string, format: uri * **object** * `pull_request_body_url`: required, string, format: uri * **object** * `pull_request_comment_url`: required, string, format: uri * **object** * `pull_request_review_url`: required, string, format: uri * **object** * `pull_request_review_comment_url`: required, string, format: uri ## Create a push protection bypass ``` POST /repos/{owner}/{repo}/secret-scanning/push-protection-bypasses ``` Creates a bypass for a previously push protected secret. The authenticated user must be the original author of the committed secret. OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. #### Body parameters * **`reason`** (string) (required) The reason for bypassing push protection. Can be one of: `false_positive`, `used_in_tests`, `will_fix_later` * **`placeholder_id`** (string) (required) The ID of the push protection bypass placeholder. This value is returned on any push protected routes. ### HTTP response status codes * **200** - OK * **403** - User does not have enough permissions to perform this action. * **404** - Placeholder ID not found, or push protection is disabled on this repository. * **422** - Bad request, input data missing or incorrect. * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X POST \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/push-protection-bypasses \ -d '{ "reason": "will_fix_later", "placeholder_id": "2k4dM4tseyC5lPIsjl5emX9sPNk" }' ``` **Response schema (Status: 200):** * `reason`: string, enum: `false_positive`, `used_in_tests`, `will_fix_later` * `expire_at`: string or null, format: date-time * `token_type`: string ## Get secret scanning scan history for a repository ``` GET /repos/{owner}/{repo}/secret-scanning/scan-history ``` Lists the latest default incremental and backfill scans by type for a repository. Scans from Copilot Secret Scanning are not included. Note This endpoint requires GitHub Advanced Security. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. ### HTTP response status codes * **200** - OK * **404** - Repository does not have GitHub Advanced Security or secret scanning enabled * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/scan-history ``` **Response schema (Status: 200):** * `incremental_scans`: array of objects: * `type`: string * `status`: string * `completed_at`: string or null, format: date-time * `started_at`: string or null, format: date-time * `pattern_update_scans`: array of objects: * `type`: string * `status`: string * `completed_at`: string or null, format: date-time * `started_at`: string or null, format: date-time * `backfill_scans`: array of objects: * `type`: string * `status`: string * `completed_at`: string or null, format: date-time * `started_at`: string or null, format: date-time * `custom_pattern_backfill_scans`: array of object