Skip to main content

Evaluating alerts from secret scanning

Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret's validity.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

About evaluating alerts

There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:

Checking a secret's validity

Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.

By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.

ValidityStatusResult
Active secretactiveGitHub checked with this secret's provider and found that the secret is active
Possibly active secretunknownGitHub does not support validation checks for this token type yet
Possibly active secretunknownGitHub could not verify this secret
Secret inactiveinactiveYou should make sure no unauthorized access has already occurred

Validity checks for partner patterns is available on all types of repositories on GitHub. To use this feature, you must have a license for GitHub Advanced Security.

For information on how to enable validity checks for partner patterns, see Enabling validity checks for your repository, and for information on which partner patterns are currently supported, see Supported secret scanning patterns.

You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see REST API endpoints for secret scanning in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in Webhook events and payloads.

Asking GitHub Copilot Chat about secret scanning alerts

With a GitHub Copilot Enterprise license, you can ask Copilot Chat for help to better understand security alerts, including secret scanning alerts, in repositories in your organization. For more information, see Asking GitHub Copilot questions in GitHub.

Performing an on-demand validity check

Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking Verify secret in the alert view. GitHub will send the pattern to the relevant partner and display the validation status of the secret in the alert view.

Screenshot of the UI showing a secret scanning alert. A button, labeled "Verify secret" is highlighted with an orange outline.

Reviewing GitHub token metadata

Note

Metadata for GitHub tokens is currently in public preview and subject to change.

In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.

Tokens, like personal access token and other credentials, are considered personal information. For more information about using GitHub tokens, see GitHub's Privacy Statement and Acceptable Use Policies.

Screenshot of the UI for a GitHub token, showing the token metadata.

Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:

MetadataDescription
Secret nameThe name given to the GitHub token by its creator
Secret ownerThe GitHub handle of the token's owner
Created onDate the token was created
Expired onDate the token expired
Last used onDate the token was last used
AccessWhether the token has organization access

Only people with admin permissions to the repository containing a leaked secret can view security alert details and token metadata for an alert. Enterprise owners can request temporary access to the repository for this purpose. If access is granted, GitHub will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours. For more information, see Accessing user-owned repositories in your enterprise.

Reviewing alert labels

In the alert view, you can review any labels assigned to the alert. The labels provide additional details about the alert, which can inform the approach you take for remediation.

Secret scanning alerts can have the following labels assigned to them. Depending on the labels assigned, you'll see additional information in the alert view.

LabelDescriptionAlert view information
public leakThe secret detected in your repository has also been found as publicly leaked by at least one of GitHub's scans of code, discussions, gists, issues, pull requests, and wikis. This may require you to address the alert with greater urgency, or remediate the alert differently compared to a privately exposed token.You'll see links to any specific public locations where the leaked secret has been detected.
multi-repoThe secret detected in your repository has been found across multiple repositories in your organization or enterprise. This information may help you more easily dedupe the alert across your organization or enterprise.If you have appropriate permissions, you'll see links to any specific alerts for the same secret in your organization or enterprise.

Next steps