Keeping secrets secure with secret scanning

GitHub Enterprise Cloud scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

As a service provider, you can partner with GitHub to have your secret token formats secured through secret scanning, which searches for accidental commits of your secret format and can be sent to a service provider's verify endpoint.

You can configure how GitHub scans your repositories for leaked secrets and generates alerts.

You can define your own custom patterns to extend the capabilities of secret scanning by generating one or more regular expressions.

You can define your own custom patterns to extend the capabilities of secret scanning by generating one or more regular expressions for each pattern, using the regular expression generator.

You can use the regular expression generator to generate regular expressions for custom patterns. The generator uses an AI model to generate expressions that match your input, and optionally example strings.

You can view, evaluate and resolve alerts for secrets checked in to your repository.

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Learn how secret scanning uses AI to scan and create alerts for unstructured secrets, such as passwords.

You can enable AI-powered generic secret detection for your repository or organization. Alerts for generic secrets, such as passwords, are displayed in a separate list on the secret scanning alerts page.

With push protection for repositories and organizations, secret scanning blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.

With push protection for users, you are automatically protected on all pushes to public repositories across GitHub Enterprise Cloud.

Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets. To push a commit containing a secret, you must specify a reason for bypassing the block, or, if required, request bypass privileges to bypass the block.

Push protection proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.

If you have problems with secret scanning, you can use these tips to help resolve issues.