Skip to main content

This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Viewing and filtering alerts from secret scanning

Learn how to find and filter secret scanning alerts for your repository.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

About the secret scanning alerts page

When you enable secret scanning for a repository or push commits to a repository with secret scanning enabled, GitHub scans the contents for secrets that match patterns defined by service providers and any custom patterns defined in your enterprise, organization, or repository.

When secret scanning detects a secret, GitHub generates an alert. GitHub displays an alert in the Security tab of the repository.

Viewing alerts

Alerts for secret scanning are displayed under the Security tab of the repository.

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.
  3. In the left sidebar, under "Vulnerability alerts", click Secret scanning.
  4. Under "Secret scanning", click the alert you want to view.

Filtering alerts

You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar.

QualifierDescription
is:openDisplays open alerts.
is:closedDisplays closed alerts.
validity:activeDisplays alerts for secrets that are known to be active. For more information about validity statuses, see Evaluating alerts from secret scanning.
validity:inactiveDisplays alerts for secrets that are no longer active.
validity:unknownDisplays alerts for secrets where the validity status of the secret is unknown.
secret-type:SECRET-NAMEDisplays alerts for a specific secret type, for example, secret-type:github_personal_access_token. For a list of supported secret types, see Supported secret scanning patterns.
provider:PROVIDER-NAMEDisplays alerts for a specific provider, for example, provider:github. For a list of supported partners, see Supported secret scanning patterns.

Next steps