About secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.

If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.

If someone checks a secret from a GitHub partner into a public or private repository, secret scanning can detect the secret and help you mitigate the impact of the leak.

Service providers can partner with GitHub to provide their secret formats for scanning. For more information, see "Secret scanning."

About secret scanning for public repositories

When you push to a public repository, GitHub scans the content of the commits for secrets. If you switch a private repository to public, GitHub scans the entire repository for secrets.

When secret scanning detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether to revoke the secret, issue a new secret, or reach out to you directly, depending on the associated risks to you or the service provider.

GitHub currently scans public repositories for secrets issued by the following service providers.

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • Clojars
  • CloudBees CodeShip
  • Databricks
  • Datadog
  • Discord
  • Dropbox
  • Dynatrace
  • Finicity
  • Frame.io
  • GitHub
  • GoCardless
  • Google Cloud
  • Hashicorp Terraform
  • Hubspot
  • Mailchimp
  • Mailgun
  • MessageBird
  • npm
  • NuGet
  • Palantir
  • Plivo
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Shopify
  • Slack
  • SSLMate
  • Stripe
  • Tencent Cloud
  • Twilio

About secret scanning for private repositories

Note: Secret scanning for private repositories is currently in beta and subject to change. To request access to the beta, join the waitlist.

When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets.

When secret scanning detects a secret in a private repository, GitHub sends alerts.

  • GitHub sends an email alert to the repository administrators and organization owners.

  • GitHub displays an alert in the repository. For more information, see "Managing alerts from secret scanning."

GitHub currently scans private repositories for secrets issued by the following service providers.

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • Clojars
  • CloudBees CodeShip
  • Databricks
  • Discord
  • Dropbox
  • Dynatrace
  • Finicity
  • Frame.io
  • GitHub
  • GoCardless
  • Google Cloud
  • Hashicorp Terraform
  • Hubspot
  • Mailchimp
  • Mailgun
  • npm
  • NuGet
  • Palantir
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Shopify
  • Slack
  • SSLMate
  • Stripe
  • Tencent Cloud
  • Twilio

Note: Secret scanning does not currently allow you to define your own patterns for detecting secrets.
