Note: Secret scanning for organization-owned private repositories is currently in beta and subject to change.
Note: Secret scanning is enabled by default on public repositories and cannot be turned off. You can configure secret scanning for your private repositories only.
Enabling secret scanning for private repositories
-
On GitHub, navigate to the main page of the repository.
-
Under your repository name, click Settings.
-
In the left sidebar, click Security & analysis.
-
If "Secret scanning" is not shown on the page, you need to enable GitHub Advanced Security first. To the right of "GitHub Advanced Security", click Enable.
-
Click Enable GitHub Advanced Security for this repository to confirm the action.
-
When you enable GitHub Advanced Security this may automatically enable secret scanning for the repository (this is controlled by the organization configuration). If "Secret scanning" is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled.
Excluding alerts from secret scanning in private repositories
You can use a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.
-
On GitHub, navigate to the main page of the repository.
-
Above the list of files, using the Add file drop-down, click Create new file.
-
In the file name field, type .github/secret_scanning.yml.
-
Under Edit new file, type
paths-ignore:
followed by the paths you want to exclude from secret scanning.paths-ignore: - "foo/bar/*.js"
You can use special characters, such as
*
to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."Notes:
- If there are more than 1,000 entries in
paths-ignore
, secret scanning will only exclude the first 1,000 directories from scans. - If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.
- If there are more than 1,000 entries in
You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."