Configuring secret scanning for private repositories

You can configure how GitHub scans your private repositories for secrets.

People with admin permissions to a private repository can enable secret scanning for the repository.

In this article

Note: Secret scanning for private repositories is currently in beta and subject to change. To request access to the beta, join the waitlist.

Enabling secret scanning for private repositories

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Settings.
    Repository settings button
  3. In the left sidebar, click Security & analysis.
    "Security & analysis" tab in repository settings
  4. To the right of "Secret scanning", click Enable.
    Enable secret scanning for your repository

Excluding alerts from secret scanning in private repositories

You can use a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.

  1. On GitHub, navigate to the main page of the repository.

  2. Above the list of files, using the Add file drop-down, click Create new file.

    "Create new file" in the "Add file" dropdown

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."

Further reading

Ask a human

Can't find what you're looking for?

Contact us