为存储库配置机密扫描

可以配置 GitHub 如何扫描存储库中遭到泄露的机密并生成警报。

谁可以使用此功能?

People with admin permissions to a public repository can enable secret scanning for the repository.

合作伙伴的机密扫描警报 在 GitHub.com 上的公共存储库和公共 npm 包中自动运行,以向服务提供商通知泄漏的机密情况。

公共存储库可免费使用用户的机密扫描警报。 使用 GitHub Enterprise Cloud 且拥有 GitHub Advanced Security 许可证的组织也可以在其专用存储库和内部存储库上启用 用户的机密扫描警报。 有关详细信息,请参阅 “关于机密扫描”和“关于 GitHub 高级安全性”。

有关如何使用 GitHub Advanced Security 免费试用 GitHub Enterprise 的信息,请参阅 GitHub Enterprise Cloud 文档中的“设置 GitHub Enterprise Cloud 试用版”和“安装 GitHub Advanced Security 试用版”。

本文内容

Enabling secret scanning alerts for users

You can enable secret scanning alerts for users for any free public repository that you own. Once enabled, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository. Additionally, secret scanning scans:

  • Descriptions and comments in issues
  • Titles, descriptions, and comments, in open and closed historical issues
  • Titles, descriptions, and comments in pull requests
  • Titles, descriptions, and comments in GitHub Discussions
  • Wikis

This additional scanning is free for public repositories.

Note: The scanning of content in pull requests, GitHub Discussions, and wikis is currently in beta and subject to change.

You can also enable secret scanning for multiple repositories in an organization at the same time. For more information, see "Quickstart for securing your organization."

A repository administrator can choose to disable secret scanning for a repository at any time. For more information, see "Managing security and analysis settings for your repository."

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Scroll down to the bottom of the page, and click Enable for secret scanning. If you see a Disable button, it means that secret scanning is already enabled for the repository.

    Screenshot of the "Secret scanning" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.

Enabling additional features for secret scanning alerts for users

You can enable the following additional secret scanning feature through your repository's "Code security and analysis" settings:

Enabling secret scanning alerts for users for all your public repositories

You can enable secret scanning for all of your existing public repositories through your personal account settings.

Note: As of March 11, 2024, secret scanning and push protection will be enabled by default for all new public repositories that you create. You can still choose to disable these features for an individual repository in the repository's "Code security and analysis" settings page. For more information, see "Managing security and analysis settings for your repository".

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of a user's account menu on GitHub. The menu item "Settings" is outlined in dark orange.

  2. In the "Security" section of the sidebar, click Code security and analysis.

  3. Under "Code security and analysis", to the right of "Secret scanning", click Disable all or Enable all.

  4. Optionally, if you want to enable push protection, click Enable to the right of "Push protection." When you enable push protection for your organization or repository, secret scanning also checks pushes for supported secrets. Secret scanning lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. For more information, see "Push protection for repositories and organizations."

    Screenshot of the "Secret scanning" section. The "Enable" button is highlighted in a dark orange outline in the "Push protection" section.

Excluding directories from secret scanning alerts for users

You can configure a secret_scanning.yml file to exclude directories from secret scanning, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Above the list of files, select the Add file dropdown menu, then click Create new file.

    Alternatively, you can click in the file tree view on the left.

    Screenshot of the main page of a repository. Above the list of files, a button, labeled "Add file," is outlined in dark orange. In the file tree view of the repository, a button with a plus sign icon is also outlined in dark orange.

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
  - "foo/bar/*.js"

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."