Skip to main content

Secret scanning

Use the Secret scanning API to retrieve and update secret alerts from a repository.

Note: The secret scanning API is currently in beta and subject to change.

About the Secret scanning API

The secret scanning API lets you:

  • Enable or disable secret scanning for a repository. For more information, see "Repositories" and expand the "Properties of the security_and_analysis object" section in the REST API documentation.
  • Retrieve and update secret scanning alerts from a repository. For further details, see the sections below.

For more information about secret scanning, see "About secret scanning."

List secret scanning alerts for a repository

Works with GitHub Apps

Lists secret scanning alerts for a private repository, from newest to oldest. To use this endpoint, you must be an administrator for the repository or organization, and you must use an access token with the repo scope or security_events scope.

GitHub Apps must have the secret_scanning_alerts read permission to use this endpoint.

Parameters

Headers
Name, Type, Description
acceptstring

Setting to application/vnd.github.v3+json is recommended.

Path parameters
Name, Type, Description
ownerstringRequired

The account owner of the repository. The name is not case sensitive.

repostringRequired

The name of the repository. The name is not case sensitive.

Query parameters
Name, Type, Description
statestring

Set to open or resolved to only list secret scanning alerts in a specific state.

Can be one of: open, resolved

secret_typestring

A comma-separated list of secret types to return. By default all secret types are returned. See "Secret scanning patterns" for a complete list of secret types.

resolutionstring

A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false_positive, wont_fix, revoked, pattern_edited, pattern_deleted or used_in_tests.

pageinteger

Page number of the results to fetch.

Default: 1

per_pageinteger

The number of results per page (max 100).

Default: 30

HTTP response status codes

Status codeDescription
200

OK

404

Repository is public or secret scanning is disabled for the repository

503

Service unavailable

Code samples

get/repos/{owner}/{repo}/secret-scanning/alerts
curl \ -H "Accept: application/vnd.github.v3+json" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts

Response

Status: 200
[ { "number": 2, "created_at": "2020-11-06T18:48:51Z", "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/2", "html_url": "https://github.com/owner/private-repo/security/secret-scanning/2", "state": "resolved", "resolution": "false_positive", "resolved_at": "2020-11-07T02:47:13Z", "resolved_by": { "login": "monalisa", "id": 2, "node_id": "MDQ6VXNlcjI=", "avatar_url": "https://alambic.github.com/avatars/u/2?", "gravatar_id": "", "url": "https://api.github.com/users/monalisa", "html_url": "https://github.com/monalisa", "followers_url": "https://api.github.com/users/monalisa/followers", "following_url": "https://api.github.com/users/monalisa/following{/other_user}", "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}", "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions", "organizations_url": "https://api.github.com/users/monalisa/orgs", "repos_url": "https://api.github.com/users/monalisa/repos", "events_url": "https://api.github.com/users/monalisa/events{/privacy}", "received_events_url": "https://api.github.com/users/monalisa/received_events", "type": "User", "site_admin": true }, "secret_type": "adafruit_io_key", "secret": "aio_XXXXXXXXXXXXXXXXXXXXXXXXXXXX" }, { "number": 1, "created_at": "2020-11-06T18:18:30Z", "url": "https://api.github.com/repos/owner/repo/secret-scanning/alerts/1", "html_url": "https://github.com/owner/repo/security/secret-scanning/1", "state": "open", "resolution": null, "resolved_at": null, "resolved_by": null, "secret_type": "mailchimp_api_key", "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2" } ]

Get a secret scanning alert

Works with GitHub Apps

Gets a single secret scanning alert detected in a private repository. To use this endpoint, you must be an administrator for the repository or organization, and you must use an access token with the repo scope or security_events scope.

GitHub Apps must have the secret_scanning_alerts read permission to use this endpoint.

Parameters

Headers
Name, Type, Description
acceptstring

Setting to application/vnd.github.v3+json is recommended.

Path parameters
Name, Type, Description
ownerstringRequired

The account owner of the repository. The name is not case sensitive.

repostringRequired

The name of the repository. The name is not case sensitive.

alert_numberintegerRequired

The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation.

HTTP response status codes

Status codeDescription
200

OK

304

Not modified

404

Repository is public, or secret scanning is disabled for the repository, or the resource is not found

503

Service unavailable

Code samples

get/repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}
curl \ -H "Accept: application/vnd.github.v3+json" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER

Response

Status: 200
{ "number": 42, "created_at": "2020-11-06T18:18:30Z", "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42", "html_url": "https://github.com/owner/private-repo/security/secret-scanning/42", "locations_url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42/locations", "state": "open", "secret_type": "mailchimp_api_key", "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2" }

Update a secret scanning alert

Works with GitHub Apps

Updates the status of a secret scanning alert in a private repository. To use this endpoint, you must be an administrator for the repository or organization, and you must use an access token with the repo scope or security_events scope.

GitHub Apps must have the secret_scanning_alerts write permission to use this endpoint.

Parameters

Headers
Name, Type, Description
acceptstring

Setting to application/vnd.github.v3+json is recommended.

Path parameters
Name, Type, Description
ownerstringRequired

The account owner of the repository. The name is not case sensitive.

repostringRequired

The name of the repository. The name is not case sensitive.

alert_numberintegerRequired

The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation.

Body parameters
Name, Type, Description
statestringRequired

Sets the state of the secret scanning alert. Can be either open or resolved. You must provide resolution when you set the state to resolved.

Can be one of: open, resolved

resolutionstring or null

Required when the state is resolved. The reason for resolving the alert.

Can be one of: , false_positive, wont_fix, revoked, used_in_tests

HTTP response status codes

Status codeDescription
200

OK

404

Repository is public, or secret scanning is disabled for the repository, or the resource is not found

422

State does not match the resolution

503

Service unavailable

Code samples

patch/repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}
curl \ -X PATCH \ -H "Accept: application/vnd.github.v3+json" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER \ -d '{"state":"resolved","resolution":"false_positive"}'

Response

Status: 200
{ "number": 42, "created_at": "2020-11-06T18:18:30Z", "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42", "html_url": "https://github.com/owner/private-repo/security/secret-scanning/42", "locations_url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42/locations", "state": "resolved", "resolution": "used_in_tests", "resolved_at": "2020-11-16T22:42:07Z", "resolved_by": { "login": "monalisa", "id": 2, "node_id": "MDQ6VXNlcjI=", "avatar_url": "https://alambic.github.com/avatars/u/2?", "gravatar_id": "", "url": "https://api.github.com/users/monalisa", "html_url": "https://github.com/monalisa", "followers_url": "https://api.github.com/users/monalisa/followers", "following_url": "https://api.github.com/users/monalisa/following{/other_user}", "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}", "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}", "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions", "organizations_url": "https://api.github.com/users/monalisa/orgs", "repos_url": "https://api.github.com/users/monalisa/repos", "events_url": "https://api.github.com/users/monalisa/events{/privacy}", "received_events_url": "https://api.github.com/users/monalisa/received_events", "type": "User", "site_admin": true }, "secret_type": "mailchimp_api_key", "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2" }