Enabling generic secret detection
To use generic secret detection, an enterprise owner must first set a policy at the enterprise level that controls whether the feature can be enabled and disabled for repositories in an organization. This policy is set to "allowed" by default.
You can then enable generic secret detection in the security settings page of your repository or organization.
Note
You do not need a subscription to GitHub Copilot to use Copilot secret scanning's generic secret detection. Copilot secret scanning features are available to repositories owned by organizations and enterprises with GitHub Advanced Security enabled.
Enabling generic secret detection for your repository
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
- In the "Security" section of the sidebar, click Code security.
- Under "Code security", find "GitHub Advanced Security."
- Under "Secret scanning", select the checkbox next to "Scan for generic secrets".
Enabling generic secret detection for your organization
You must configure generic secret detection for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
- Create a new custom security configuration, or edit an existing one. See Creating a custom security configuration.
- When creating the custom security configuration, under "Secret scanning", ensure that the dropdown menus for "Alerts" and "Generic secrets" are set to Enabled.
- Apply the custom security configuration to one or more repositories. For more information, see Applying a custom security configuration.
For information on how to view alerts for generic secrets that have been detected using AI, see Viewing and filtering alerts from secret scanning.