Skip to main content

Configuring secret scanning for your repositories

You can configure how GitHub scans your repositories for secrets that match advanced security patterns.

Who can use this feature

People with admin permissions to a repository can enable secret scanning for advanced security for the repository.

Secret scanning for advanced security is available for organization-owned repositories in GitHub Enterprise Cloud if your enterprise has a license for GitHub Advanced Security. 有关详细信息,请参阅“关于 GitHub Advanced Security”。

Enabling secret scanning for advanced security

You can enable secret scanning for advanced security for any repository that is owned by an organization. Once enabled, secret scanning 将在 GitHub 仓库中存在的所有分支上扫描整个 Git 历史记录的任何密钥。

Note: If your organization is owned by an enterprise account, an enterprise owner can also enable secret scanning at the enterprise level. For more information, see "Managing GitHub Advanced Security features for your enterprise."

  1. On GitHub.com, navigate to the main page of the repository.

  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. If Advanced Security is not already enabled for the repository, to the right of "GitHub Advanced Security", click Enable. Enable GitHub Advanced Security for your repository

  5. Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository.

  6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If "Secret scanning" is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled. Enable secret scanning for your repository

  7. Optionally, if you want to enable push protection, click Enable to the right of "Push protection." 启用推送保护时,secret scanning 还会检查推送中是否存在高置信度机密(经识别误报率低的机密)。 Secret scanning 列出了它检测到的所有机密,便于作者进行查看和删除,或者根据需要允许推送这些机密。 For more information, see "Protecting pushes with secret scanning." Enable push protection for your repository

Excluding directories from secret scanning for advanced security

You can use a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.

  1. On GitHub.com, navigate to the main page of the repository.

  2. 在文件列表上方,使用“添加文件”下拉列表,在其中单击“创建新文件” 。 “添加文件”下拉列表中的“创建新文件”

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."

Further reading