# 适用于机密扫描的 REST API 终结点使用 REST API 从存储库中检索和更新机密警报。 > \[!NOTE] > 用于管理 secret scanning 的终结点目前为公开预览，可能随时更改。 ## 关于密钥扫描可以使用 API 执行以下操作： * 启用或禁用 secret scanning，并推送存储库的保护。有关详细信息，请参阅 [存储库的 REST API 终结点](/zh/enterprise-server@3.18/rest/repos/repos#update-a-repository) 并展开“`security_and_analysis` 对象的属性”部分。 * 从存储库中检索和更新机密扫描警报。有关更多详细信息，请参阅以下部分。有关 secret scanning 的详细信息，请参阅“[秘密扫描](/zh/enterprise-server@3.18/code-security/secret-scanning/introduction/about-secret-scanning)”。 > \[!NOTE] > Most endpoints use `Authorization: Bearer ` and `Accept: application/vnd.github+json` headers, plus `X-GitHub-Api-Version: 2022-11-28`. Curl examples below omit these standard headers for brevity. ## List secret scanning alerts for an enterprise ``` GET /enterprises/{enterprise}/secret-scanning/alerts ``` Lists secret scanning alerts for eligible repositories in an enterprise, from newest to oldest. To use this endpoint, you must be a member of the enterprise, and you must use an access token with the repo scope or security\_events scope. Alerts are only returned for organizations in the enterprise for which you are an organization owner or a security manager, or for personal account repositories. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`enterprise`** (string) (required) The slug version of the enterprise name. * **`state`** (string) Set to open or resolved to only list secret scanning alerts in a specific state. Can be one of: `open`, `resolved` * **`secret_type`** (string) A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. * **`resolution`** (string) A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false\_positive, wont\_fix, revoked, pattern\_edited, pattern\_deleted or used\_in\_tests. * **`sort`** (string) The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. Default: `created` Can be one of: `created`, `updated` * **`direction`** (string) The direction to sort the results by. Default: `desc` Can be one of: `asc`, `desc` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` * **`before`** (string) A cursor, as given in the Link header. If specified, the query only searches for results before this cursor. For more information, see "Using pagination in the REST API." * **`after`** (string) A cursor, as given in the Link header. If specified, the query only searches for results after this cursor. For more information, see "Using pagination in the REST API." * **`validity`** (string) A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. * **`is_publicly_leaked`** (boolean) A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. Default: `false` * **`is_multi_repo`** (boolean) A boolean value representing whether or not to filter alerts by the multi-repo tag being present. Default: `false` * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **404** - Resource not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/enterprises/ENTERPRISE/secret-scanning/alerts ``` **Response schema (Status: 200):** Array of objects: * `number`: integer, read-only * `created_at`: string, format: date-time, read-only * `updated_at`: any of: * **null** * **string, format: date-time, read-only** * `url`: string, format: uri, read-only * `html_url`: string, format: uri, read-only * `locations_url`: string, format: uri * `state`: string, enum: `open`, `resolved` * `resolution`: string or null, enum: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * `resolved_at`: string or null, format: date-time * `resolved_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `secret_type`: string * `secret_type_display_name`: string * `secret`: string * `repository`: `Simple Repository`: * `id`: required, integer, format: int64 * `node_id`: required, string * `name`: required, string * `full_name`: required, string * `owner`: required, `Simple User`: * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `private`: required, boolean * `html_url`: required, string, format: uri * `description`: required, string or null * `fork`: required, boolean * `url`: required, string, format: uri * `archive_url`: required, string * `assignees_url`: required, string * `blobs_url`: required, string * `branches_url`: required, string * `collaborators_url`: required, string * `comments_url`: required, string * `commits_url`: required, string * `compare_url`: required, string * `contents_url`: required, string * `contributors_url`: required, string, format: uri * `deployments_url`: required, string, format: uri * `downloads_url`: required, string, format: uri * `events_url`: required, string, format: uri * `forks_url`: required, string, format: uri * `git_commits_url`: required, string * `git_refs_url`: required, string * `git_tags_url`: required, string * `issue_comment_url`: required, string * `issue_events_url`: required, string * `issues_url`: required, string * `keys_url`: required, string * `labels_url`: required, string * `languages_url`: required, string, format: uri * `merges_url`: required, string, format: uri * `milestones_url`: required, string * `notifications_url`: required, string * `pulls_url`: required, string * `releases_url`: required, string * `stargazers_url`: required, string, format: uri * `statuses_url`: required, string * `subscribers_url`: required, string, format: uri * `subscription_url`: required, string, format: uri * `tags_url`: required, string, format: uri * `teams_url`: required, string, format: uri * `trees_url`: required, string * `hooks_url`: required, string, format: uri * `push_protection_bypassed`: boolean or null * `push_protection_bypassed_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypassed_at`: string or null, format: date-time * `push_protection_bypass_request_reviewer`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypass_request_reviewer_comment`: string or null * `push_protection_bypass_request_comment`: string or null * `push_protection_bypass_request_html_url`: string or null, format: uri * `resolution_comment`: string or null * `validity`: string, enum: `active`, `inactive`, `unknown` * `multi_repo`: boolean or null * `is_base64_encoded`: boolean or null ## List secret scanning alerts for an organization ``` GET /orgs/{org}/secret-scanning/alerts ``` Lists secret scanning alerts for eligible repositories in an organization, from newest to oldest. The authenticated user must be an administrator or security manager for the organization to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`state`** (string) Set to open or resolved to only list secret scanning alerts in a specific state. Can be one of: `open`, `resolved` * **`secret_type`** (string) A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. * **`resolution`** (string) A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false\_positive, wont\_fix, revoked, pattern\_edited, pattern\_deleted or used\_in\_tests. * **`sort`** (string) The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. Default: `created` Can be one of: `created`, `updated` * **`direction`** (string) The direction to sort the results by. Default: `desc` Can be one of: `asc`, `desc` * **`page`** (integer) The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` * **`before`** (string) A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string. * **`after`** (string) A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string. * **`validity`** (string) A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. * **`is_publicly_leaked`** (boolean) A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. Default: `false` * **`is_multi_repo`** (boolean) A boolean value representing whether or not to filter alerts by the multi-repo tag being present. Default: `false` * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **404** - Resource not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/orgs/ORG/secret-scanning/alerts ``` **Response schema (Status: 200):** Same response schema as [List secret scanning alerts for an enterprise](#list-secret-scanning-alerts-for-an-enterprise). ## List secret scanning alerts for a repository ``` GET /repos/{owner}/{repo}/secret-scanning/alerts ``` Lists secret scanning alerts for an eligible repository, from newest to oldest. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`state`** (string) Set to open or resolved to only list secret scanning alerts in a specific state. Can be one of: `open`, `resolved` * **`secret_type`** (string) A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. * **`resolution`** (string) A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false\_positive, wont\_fix, revoked, pattern\_edited, pattern\_deleted or used\_in\_tests. * **`sort`** (string) The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. Default: `created` Can be one of: `created`, `updated` * **`direction`** (string) The direction to sort the results by. Default: `desc` Can be one of: `asc`, `desc` * **`page`** (integer) The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` * **`before`** (string) A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string. * **`after`** (string) A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string. * **`validity`** (string) A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. * **`is_publicly_leaked`** (boolean) A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. Default: `false` * **`is_multi_repo`** (boolean) A boolean value representing whether or not to filter alerts by the multi-repo tag being present. Default: `false` * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **404** - Repository is public or secret scanning is disabled for the repository * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts ``` **Response schema (Status: 200):** Array of objects: * `number`: integer, read-only * `created_at`: string, format: date-time, read-only * `updated_at`: any of: * **null** * **string, format: date-time, read-only** * `url`: string, format: uri, read-only * `html_url`: string, format: uri, read-only * `locations_url`: string, format: uri * `state`: string, enum: `open`, `resolved` * `resolution`: string or null, enum: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * `resolved_at`: string or null, format: date-time * `resolved_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `resolution_comment`: string or null * `secret_type`: string * `secret_type_display_name`: string * `secret`: string * `push_protection_bypassed`: boolean or null * `push_protection_bypassed_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypassed_at`: string or null, format: date-time * `push_protection_bypass_request_reviewer`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypass_request_reviewer_comment`: string or null * `push_protection_bypass_request_comment`: string or null * `push_protection_bypass_request_html_url`: string or null, format: uri * `validity`: string, enum: `active`, `inactive`, `unknown` * `multi_repo`: boolean or null * `is_base64_encoded`: boolean or null ## Get a secret scanning alert ``` GET /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number} ``` Gets a single secret scanning alert detected in an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`alert_number`** (integer) (required) The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. * **`hide_secret`** (boolean) A boolean value representing whether or not to hide literal secrets in the results. Default: `false` ### HTTP response status codes * **200** - OK * **304** - Not modified * **404** - Repository is public, or secret scanning is disabled for the repository, or the resource is not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER ``` **Response schema (Status: 200):** * `number`: integer, read-only * `created_at`: string, format: date-time, read-only * `updated_at`: any of: * **null** * **string, format: date-time, read-only** * `url`: string, format: uri, read-only * `html_url`: string, format: uri, read-only * `locations_url`: string, format: uri * `state`: string, enum: `open`, `resolved` * `resolution`: string or null, enum: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * `resolved_at`: string or null, format: date-time * `resolved_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `resolution_comment`: string or null * `secret_type`: string * `secret_type_display_name`: string * `secret`: string * `push_protection_bypassed`: boolean or null * `push_protection_bypassed_by`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypassed_at`: string or null, format: date-time * `push_protection_bypass_request_reviewer`: any of: * **null** * **Simple User** * `name`: string or null * `email`: string or null * `login`: required, string * `id`: required, integer, format: int64 * `node_id`: required, string * `avatar_url`: required, string, format: uri * `gravatar_id`: required, string or null * `url`: required, string, format: uri * `html_url`: required, string, format: uri * `followers_url`: required, string, format: uri * `following_url`: required, string * `gists_url`: required, string * `starred_url`: required, string * `subscriptions_url`: required, string, format: uri * `organizations_url`: required, string, format: uri * `repos_url`: required, string, format: uri * `events_url`: required, string * `received_events_url`: required, string, format: uri * `type`: required, string * `site_admin`: required, boolean * `starred_at`: string * `user_view_type`: string * `push_protection_bypass_request_reviewer_comment`: string or null * `push_protection_bypass_request_comment`: string or null * `push_protection_bypass_request_html_url`: string or null, format: uri * `validity`: string, enum: `active`, `inactive`, `unknown` * `multi_repo`: boolean or null * `is_base64_encoded`: boolean or null ## Update a secret scanning alert ``` PATCH /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number} ``` Updates the status of a secret scanning alert in an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`alert_number`** (integer) (required) The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. #### Body parameters * **`state`** (string) Sets the state of the secret scanning alert. You must provide resolution when you set the state to resolved. Can be one of: `open`, `resolved` * **`resolution`** (string or null) Required when the state is resolved. The reason for resolving the alert. Can be one of: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null` * **`resolution_comment`** (string or null) An optional comment when closing or reopening an alert. Cannot be updated or deleted. ### HTTP response status codes * **200** - OK * **400** - Bad request, resolution comment is invalid or the resolution was not changed. * **403** - Delegated alert dismissal is enabled and the authenticated user is not a valid reviewer. * **404** - Repository is public, or secret scanning is disabled for the repository, or the resource is not found * **422** - State does not match the resolution or resolution comment * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X PATCH \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER \ -d '{ "state": "resolved", "resolution": "false_positive" }' ``` **Response schema (Status: 200):** Same response schema as [Get a secret scanning alert](#get-a-secret-scanning-alert). ## List locations for a secret scanning alert ``` GET /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}/locations ``` Lists all locations for a given secret scanning alert for an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. * **`alert_number`** (integer) (required) The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. * **`page`** (integer) The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: `1` * **`per_page`** (integer) The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: `30` ### HTTP response status codes * **200** - OK * **404** - Repository is public, or secret scanning is disabled for the repository, or the resource is not found * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER/locations ``` **Response schema (Status: 200):** Array of objects: * `type`: string, enum: `commit`, `wiki_commit`, `issue_title`, `issue_body`, `issue_comment`, `discussion_title`, `discussion_body`, `discussion_comment`, `pull_request_title`, `pull_request_body`, `pull_request_comment`, `pull_request_review`, `pull_request_review_comment` * `details`: one of: * **object** * `path`: required, string * `start_line`: required, number * `end_line`: required, number * `start_column`: required, number * `end_column`: required, number * `blob_sha`: required, string * `blob_url`: required, string * `commit_sha`: required, string * `commit_url`: required, string * **object** * `path`: required, string * `start_line`: required, number * `end_line`: required, number * `start_column`: required, number * `end_column`: required, number * `blob_sha`: required, string * `page_url`: required, string * `commit_sha`: required, string * `commit_url`: required, string * **object** * `issue_title_url`: required, string, format: uri * **object** * `issue_body_url`: required, string, format: uri * **object** * `issue_comment_url`: required, string, format: uri * **object** * `discussion_title_url`: required, string, format: uri * **object** * `discussion_body_url`: required, string, format: uri * **object** * `discussion_comment_url`: required, string, format: uri * **object** * `pull_request_title_url`: required, string, format: uri * **object** * `pull_request_body_url`: required, string, format: uri * **object** * `pull_request_comment_url`: required, string, format: uri * **object** * `pull_request_review_url`: required, string, format: uri * **object** * `pull_request_review_comment_url`: required, string, format: uri ## Create a push protection bypass ``` POST /repos/{owner}/{repo}/secret-scanning/push-protection-bypasses ``` Creates a bypass for a previously push protected secret. The authenticated user must be the original author of the committed secret. OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. #### Body parameters * **`reason`** (string) (required) The reason for bypassing push protection. Can be one of: `false_positive`, `used_in_tests`, `will_fix_later` * **`placeholder_id`** (string) (required) The ID of the push protection bypass placeholder. This value is returned on any push protected routes. ### HTTP response status codes * **200** - OK * **403** - User does not have enough permissions to perform this action. * **404** - Placeholder ID not found, or push protection is disabled on this repository. * **422** - Bad request, input data missing or incorrect. * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X POST \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/push-protection-bypasses \ -d '{ "reason": "will_fix_later", "placeholder_id": "2k4dM4tseyC5lPIsjl5emX9sPNk" }' ``` **Response schema (Status: 200):** * `reason`: string, enum: `false_positive`, `used_in_tests`, `will_fix_later` * `expire_at`: string or null, format: date-time * `token_type`: string ## Get secret scanning scan history for a repository ``` GET /repos/{owner}/{repo}/secret-scanning/scan-history ``` Lists the latest default incremental and backfill scans by type for a repository. Scans from Copilot Secret Scanning are not included. Note This endpoint requires GitHub Advanced Security. OAuth app tokens and personal access tokens (classic) need the repo or security\_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public\_repo scope instead. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`owner`** (string) (required) The account owner of the repository. The name is not case sensitive. * **`repo`** (string) (required) The name of the repository without the .git extension. The name is not case sensitive. ### HTTP response status codes * **200** - OK * **404** - Repository does not have GitHub Advanced Security or secret scanning enabled * **503** - Service unavailable ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/scan-history ``` **Response schema (Status: 200):** * `incremental_scans`: array of objects: * `type`: string * `status`: string * `completed_at`: string or null, format: date-time * `started_at`: string or null, format: date-time * `pattern_update_scans`: array of objects: * `type`: string * `status`: string * `completed_at`: string or null, format: date-time * `started_at`: string or null, format: date-time * `backfill_scans`: array of objects: * `type`: string * `status`: string * `completed_at`: string or null, format: date-time * `started_at`: string or null, format: date-time * `custom_pattern_backfill_scans`: array of object