About secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

Secret scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license. For more information, see "GitHub's products."

If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.

If someone checks a secret from a GitHub partner into a public or private repository, secret scanning can detect the secret and help you mitigate the impact of the leak.

Service providers can partner with GitHub to provide their secret formats for scanning. For more information, see "Secret scanning."

About secret scanning for public repositories

Secret scanning is automatically enabled on public repositories, where it checks code against the known secret formats that partners have registered. When a match for a partner's secret format is found in a public repository, GitHub doesn't disclose the information publicly as an alert, but instead sends a payload to an HTTP endpoint of the partner's choice. For an overview of how secret scanning works on public repositories, see "Secret scanning."

When you push to a public repository, GitHub scans the content of the commits for secrets. If you switch a private repository to public, GitHub scans the entire repository for secrets.

When secret scanning detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether to revoke the secret, issue a new secret, or contact you directly, depending on the risks to you or the service provider.
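The push-time check described above, matching newly committed content against known secret formats, as an added Python example that is not part of GitHub's documentation or its scanner. The two patterns (AWS access key IDs beginning `AKIA`, GitHub personal access tokens beginning `ghp_`), the sample diff and the function names are constructed for illustration; the only scanned lines are the ones a commit adds.

```python
import re
import sys

# Constructed patterns for two well-known secret formats (the prefixes are public:
# AWS access key IDs begin with AKIA, GitHub personal access tokens with ghp_).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}

# Constructed unified diff standing in for a pushed commit; the values are AWS's
# documented example key ID and a made-up token, not live credentials.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
-OLD_KEY = "AKIAZZZZZZZZZZZZZZZZ"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
"""

def scan_diff(diff_text):
    """One finding per known-format match on added ('+') lines only, so removed
    and unchanged lines are ignored, as a scan of newly pushed content would."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):  # header naming the new version of the file
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+"):
            continue
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"path": path, "type": name, "secret": match.group(1)})
    return findings

def redact(secret):
    """Mask a matched value before it goes into an alert or log."""
    return secret[:4] + "..." + secret[-4:]

if __name__ == "__main__":
    # Local pre-push use: git diff origin/main...HEAD | python scan_diff.py
    hits = scan_diff(sys.stdin.read())
    for hit in hits:
        print(f"{hit['path']}: {hit['type']} {redact(hit['secret'])}")
    sys.exit(1 if hits else 0)
```

A non-zero exit makes the script usable as a local pre-push guard; the masked output is what belongs in an alert, never the full value.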

GitHub currently scans public repositories for secrets issued by the following service providers.

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • Clojars
  • CloudBees CodeShip
  • Databricks
  • Datadog
  • Discord
  • Dropbox
  • Dynatrace
  • Finicity
  • Frame.io
  • GitHub
  • GoCardless
  • Google Cloud
  • Hashicorp Terraform
  • Hubspot
  • Mailchimp
  • Mailgun
  • MessageBird
  • npm
  • NuGet
  • Palantir
  • Plivo
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Shopify
  • Slack
  • SSLMate
  • Stripe
  • Tencent Cloud
  • Twilio

About secret scanning for private repositories

Note: Secret scanning for private repositories is currently in beta and subject to change.

If you're a repository administrator or an organization owner, you can enable secret scanning for private repositories that are owned by organizations. You can enable secret scanning for all your repositories, or for all new repositories within your organization. Secret scanning is not available for user account-owned private repositories. For more information, see "Managing security and analysis settings for your repository" and "Managing security and analysis settings for your organization."

When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets.

When secret scanning detects a secret in a private repository, GitHub sends alerts.

  • GitHub sends an email alert to the repository administrators and organization owners.

  • GitHub displays an alert in the repository. For more information, see "Managing alerts from secret scanning."

Repository administrators and organization owners can grant users and team access to secret scanning alerts. For more information, see "Managing security and analysis settings for your repository."

GitHub currently scans private repositories for secrets issued by the following service providers.

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • Clojars
  • CloudBees CodeShip
  • Databricks
  • Discord
  • Dropbox
  • Dynatrace
  • Finicity
  • Frame.io
  • GitHub
  • GoCardless
  • Google Cloud
  • Hashicorp Terraform
  • Hubspot
  • Mailchimp
  • Mailgun
  • npm
  • NuGet
  • Palantir
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Shopify
  • Slack
  • SSLMate
  • Stripe
  • Tencent Cloud
  • Twilio

Note: Secret scanning does not currently allow you to define your own patterns for detecting secrets.
