Enabling Copilot secret scanning's generic secret detection

You can enable generic secret detection for your repository or organization. Alerts for generic secrets, such as passwords, are displayed in a separate list on the secret scanning alerts page.

Who can use this feature?

Secret scanning is available for the following repositories:

  • Public repositories (for free)
  • Private and internal repositories in organizations using GitHub Enterprise Cloud with GitHub Advanced Security enabled
  • User-owned repositories for GitHub Enterprise Cloud with Enterprise Managed Users

Enabling generic secret detection

To use generic secret detection, an enterprise owner must first set a policy at the enterprise level that controls whether the feature can be enabled and disabled for repositories in an organization. This policy is set to "allowed" by default.

You can then enable generic secret detection in the security settings page of your repository or organization.

Note

You do not need a subscription to GitHub Copilot to use Copilot secret scanning's generic secret detection. Copilot secret scanning features are available to private repositories in GitHub Enterprise Cloud enterprises that have GitHub Advanced Security enabled.

Enabling generic secret detection for your repository

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".

Enabling generic secret detection for your organization

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
  2. Next to the organization, click Settings.
  3. In the "Security" section of the sidebar, click Code security then Global settings.
  4. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".

For information on how to view alerts for generic secrets that have been detected using AI, see "Viewing and filtering alerts from secret scanning."