About evaluating alerts
There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
- Check the validity of a secret, to see if the secret is still active. See Checking a secret's validity.
- Review a token's metadata. Applies to GitHub tokens only. For example, to see when the token was last used. See Reviewing GitHub token metadata.
Checking a secret's validity
Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.
Organizations using GitHub Team or GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable validity checks for partner patterns. For more information, see Checking a secret's validity.
| Gültigkeitsdauer | Status | Ergebnis |
|---|---|---|
| Aktives Geheimnis | active | GitHub hat beim Anbieter dieses Geheimnisses nachgefragt und ermittelt, dass dieses Geheimnis aktiv ist. |
| Möglicherweise aktives Geheimnis | unknown | GitHub bietet noch keine Gültigkeitsüberprüfungen für diesen Tokentyp. |
| Möglicherweise aktives Geheimnis | unknown | GitHub konnte dieses Geheimnis nicht überprüfen. |
| Geheimnis inaktiv | inactive | Du solltest sicherstellen, dass noch kein unautorisierter Zugriff erfolgt ist. |
You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see REST-API-Endpunkte für die Geheimnisüberprüfung in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in Webhook-Ereignisse und -Nutzlasten.
Reviewing GitHub token metadata
Hinweis
Metadata for GitHub tokens is currently in beta and subject to change.
In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
Tokens, like personal access token and other credentials, are considered personal information. For more information about using GitHub tokens, see GitHub's Privacy Statement and Acceptable Use Policies.
Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:
| Metadata | Description |
|---|---|
| Secret name | The name given to the GitHub token by its creator |
| Secret owner | The GitHub handle of the token's owner |
| Created on | Date the token was created |
| Expired on | Date the token expired |
| Last used on | Date the token was last used |
| Access | Whether the token has organization access |
Nur Personen mit Admin-Berechtigungen für das Repository, das ein durchgesickertes Geheimnis enthält, können die Details einer Sicherheitsmeldung und die Token-Metadaten für eine Warnung einsehen. Unternehmensbesitzer können für diesen Zweck temporären Zugriff auf das Repository anfordern. If access is granted, GitHub will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.