Configuring secret scanning for your repositories

You can configure how GitHub scans your repositories for secrets.

People with admin permissions to a repository can enable 秘密扫描 for the repository.

秘密扫描 适用于所有公共仓库以及启用了 GitHub Advanced Security 的组织拥有的私有仓库。 更多信息请参阅“关于 GitHub Advanced Security”。

Note: 秘密扫描 is enabled by default on public repositories and cannot be turned off. You can configure 秘密扫描 for your private repositories only.

Enabling 秘密扫描 for private repositories

Once enabled, 秘密扫描 将在 GitHub 仓库中存在的所有分支上扫描整个 Git 历史记录的任何密钥。

  1. 在 GitHub.com 上,导航到仓库的主页面。

  2. 在仓库名称下,单击 Settings(设置)仓库设置按钮

  3. 在左侧边栏中,单击 Security & analysis(安全和分析)仓库设置中的"Security & analysis(安全和分析)"选项卡

  4. If Advanced Security is not already enabled for the repository, to the right of "GitHub Advanced Security", click Enable. Enable GitHub Advanced Security for your repository

  5. Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository.

  6. When you enable Advanced Security, 秘密扫描 may automatically be enabled for the repository due to the organization's settings. If "秘密扫描" is shown with an Enable button, you still need to enable 秘密扫描 by clicking Enable. If you see a Disable button, 秘密扫描 is already enabled. Enable 秘密扫描 for your repository

Excluding alerts from 秘密扫描 in private repositories

You can use a secret_scanning.yml file to exclude directories from 秘密扫描. For example, you can exclude directories that contain tests or randomly generated content.

  1. 在 GitHub.com 上,导航到仓库的主页面。

  2. 在文件列表上方,使用 Add file(添加文件)下拉菜单,单击 Create new file(创建新文件)"添加文件"下拉菜单中的"创建新文件"按钮

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from 秘密扫描.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, 秘密扫描 will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, 秘密扫描 will ignore the entire file.

You can also ignore individual alerts from 秘密扫描. For more information, see "Managing alerts from 秘密扫描."

Further reading

此文档对您有帮助吗?

隐私政策

帮助我们创建出色的文档!

所有 GitHub 文档都是开源的。看到错误或不清楚的内容了吗?提交拉取请求。

做出贡献

或者, 了解如何参与。