Configuring secret scanning for your repositories

You can configure how GitHub scans your repositories for secrets.

People with admin permissions to a repository can enable escaneo de secretos for the repository.

Escaneo de secretos is available if you have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

En este artículo

Nota: Las Escaneo de secretos para los repositorios privados se encuentran actualmente en beta y están sujetas a cambios. Para solicitar acceso al beta,, únete a la lista de espera.

Note: Your site administrator must enable escaneo de secretos for tu instancia de servidor de GitHub Enterprise before you can use this feature. For more information, see "Configuring escaneo de secretos for your appliance."

Enabling escaneo de secretos for repositories

You can enable escaneo de secretos for any repository that is owned by an organization. Once enabled, escaneo de secretos scans for any secrets in your entire Git history on all branches present in your GitHub repository.

  1. En GitHub Enterprise, visita la página principal del repositorio.

  2. Debajo de tu nombre de repositorio, da clic en Configuración. Botón de configuración del repositorio

  3. En la barra lateral izquierda, da clic en Seguridad & análisis. pestaña de "Seguridad & análisis" en la configuración de repositorio

  4. To the right of "Escaneo de secretos", click Enable. Enable escaneo de secretos for your repository

Excluding alerts from escaneo de secretos in repositories

You can use a secret_scanning.yml file to exclude directories from escaneo de secretos. For example, you can exclude directories that contain tests or randomly generated content.

  1. En GitHub Enterprise, visita la página principal del repositorio.

  2. En la parte superior de la lista de archivos, utilizando el menú desplegable de Agregar archivo, da clic en Crear archivo nuevo. "Crear archivo nuevo" en el menú desplegable de "Agregar archivo"

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from escaneo de secretos.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, escaneo de secretos will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, escaneo de secretos will ignore the entire file.

You can also ignore individual alerts from escaneo de secretos. For more information, see "Managing alerts from escaneo de secretos."

Further reading

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

O, learn how to contribute.