Skip to main content

This version of GitHub Enterprise Server will be discontinued on 2024-06-29. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Keeping secrets secure with secret scanning

Let GitHub do the hard work of ensuring that tokens, private keys, and other code secrets are not exposed in your repository.

Who can use this feature?

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. For more information, see "About secret scanning" and "About GitHub Advanced Security."

About secret scanning

GitHub Enterprise Server scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

Configuring secret scanning for your repositories

You can configure how GitHub scans your repositories for leaked secrets and generates alerts.

Defining custom patterns for secret scanning

You can define your own custom patterns to extend the capabilities of secret scanning by generating one or more regular expressions.

Managing alerts from secret scanning

You can view, evaluate and resolve alerts for secrets checked in to your repository.

Secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Push protection for repositories and organizations

With push protection for repositories and organizations, secret scanning blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.

Working with push protection

Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets. To push a commit containing a secret, you must specify a reason for bypassing the block.

Pushing a branch blocked by push protection

Push protection proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.

Troubleshooting secret scanning

If you have problems with secret scanning, you can use these tips to help resolve issues.