Configuring secret scanning for your repositories

You can configure how GitHub scans your repositories for secrets.

People with admin permissions to a repository can enable secret scanning for the repository.

Secret scanning is available for organization-owned repositories where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

Note: Secret scanning for organization-owned repositories is currently in beta and subject to change.

If you're using an earlier version of GitHub Enterprise Server, you'll have to upgrade to use secret scanning. For more information about upgrading your GitHub Enterprise Server instance, see "About upgrades to new releases" and refer to the Upgrade assistant to find the upgrade path from your current release version.

Enabling secret scanning for repositories

You can enable secret scanning for any repository that is owned by an organization. Once enabled, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository.

  1. On your enterprise, navigate to the main page of the repository.

  2. Under your repository name, click Settings. Repository settings button

  3. In the left sidebar, click Security & analysis. "Security & analysis" tab in repository settings

  4. If Advanced Security is not already enabled for the repository, to the right of "GitHub Advanced Security", click Enable. Enable GitHub Advanced Security for your repository

  5. Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository.

  6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If "Secret scanning" is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled. Enable secret scanning for your repository

  1. Before you can enable secret scanning, you need to enable GitHub Advanced Security first. To the right of "GitHub Advanced Security", click Enable. Enable GitHub Advanced Security for your repository
  2. Click Enable GitHub Advanced Security for this repository to confirm the action. Confirm enabling GitHub Advanced Security for your repository
  3. To the right of "Secret scanning", click Enable. Enable secret scanning for your repository

Excluding alerts from secret scanning in repositories

You can use a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.

  1. On your enterprise, navigate to the main page of the repository.

  2. Above the list of files, using the Add file drop-down, click Create new file. "Create new file" in the "Add file" dropdown

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."

Further reading

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.