Skip to main content

About secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

秘密扫描合作伙伴模式 is automatically run on public repositories in all products on GitHub.com. 秘密扫描,用于高级安全 is available for repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "GitHub's products."

About 秘密扫描

If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.

秘密扫描 will scan your entire Git history on all branches present in your GitHub repository for secrets.

秘密扫描 is available on GitHub.com in two forms:

  1. 秘密扫描合作伙伴模式. Runs automatically on all public repositories. Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner.

  2. 秘密扫描,用于高级安全. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can enable and configure additional scanning for repositories owned by the organization. Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by your organization, are reported as alerts in the "Security" tab of repositories. If a string in a public repository matches a partner pattern, it is also reported to the partner. For more information, see the GitHub Enterprise Cloud documentation.

Service providers can partner with GitHub to provide their secret formats for scanning. To find out about our partner program, see "秘密扫描 partner program."

About 秘密扫描合作伙伴模式

When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. If 秘密扫描 detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "Supported secrets for partner patterns."

You cannot change the configuration of 秘密扫描 on public repositories.

注意: 组织使用 GitHub Enterprise Cloud 和 GitHub Advanced Security 还可以在其拥有的任何存储库(包括私有存储库)上启用 > - 秘密扫描,用于高级安全。 更多信息请参阅 GitHub Enterprise Cloud 文档

Further reading