Note: Custom patterns for secret scanning is currently in beta and is subject to change.
About custom patterns for secret scanning
You can define custom patterns to identify secrets that are not detected by the default patterns supported by secret scanning. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see "Secret scanning patterns."
You can define custom patterns for your enterprise, organization, or repository. Secret scanning supports up to 20 custom patterns for each organization or enterprise account, and per repository.
Note: During the beta, there are some limitations when using custom patterns for secret scanning:
- There is no dry-run functionality.
- You cannot edit custom patterns after they're created. To change a pattern, you must delete it and recreate it.
- There is no API for creating, editing, or deleting custom patterns. However, results for custom patterns are returned in the secret scanning alerts API.
Regular expression syntax for custom patterns
You can specify custom patterns for secret scanning as one or more regular expressions.
- Secret format: an expression that describes the format of the secret itself.
- Before secret: an expression that describes the characters that come before the secret. By default, this is set to
\A|[^0-9A-Za-z]which means that the secret must be at the start of a line or be preceded by a non-alphanumeric character. - After secret: an expression that describes the characters that come after the secret. By default, this is set to
\z|[^0-9A-Za-z]which means that the secret must be followed by a new line or a non-alphanumeric character. - Additional match requirements: one or more optional expressions that the secret itself must or must not match.
For simple tokens you will usually only need to specify a secret format. The other fields provide flexibility so that you can specify more complex secrets without creating complex regular expressions. For an example of a custom pattern, see "Example of a custom pattern specified using additional requirements" below.
Secret scanning uses the Hyperscan library and only supports Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported. For more information on Hyperscan pattern constructs, see "Pattern support" in the Hyperscan documentation.
Defining a custom pattern for a repository
Before defining a custom pattern, you must ensure that secret scanning is enabled on your repository. For more information, see "Configuring secret scanning for your repositories."
-
En your GitHub Enterprise Server instance, vaya a la página principal del repositorio.
-
Debajo del nombre del repositorio, haz clic en Configuración.
-
In the left sidebar, click Security & analysis.
-
Debajo de "Seguridad y análisis de código", encuentra "GitHub Advanced Security".
-
En "Secret scanning", en "Patrones personalizados", haga clic en Nuevo patrón personalizado.
-
Enter the details for your new custom pattern:
- You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
- You can click More options to provide other surrounding content or additional match requirements for the secret format.
- Provide a sample test string to make sure your configuration is matching the patterns you expect.
-
When you're satisfied with your new custom pattern, click Create custom pattern.
After your pattern is created, El secret scanning escanea cualquier secreto en el total de tu historial de Git en todas las ramas presentes de tu repositorio de GitHub. For more information on viewing secret scanning alerts, see "Managing alerts from secret scanning."
Example of a custom pattern specified using additional requirements
A company has an internal token with five characteristics. They use the different fields to specify how to identify tokens as follows:
| Characteristic | Field and regular expression |
|---|---|
| Length between 5 and 10 characters | Secret format: [$#%@AA-Za-z0-9]{5,10} |
Does not end in a . | After secret: [^\.] |
| Contains numbers and uppercase letters | Additional requirements: secret must match [A-Z] and [0-9] |
| Does not include more than one lowercase letter in a row | Additional requirements: secret must not match [a-z]{2,} |
Contains one of $%@! | Additional requirements: secret must match [$%@!] |
These tokens would match the custom pattern described above:
a9@AAfT! # Secret string match: a9@AAfT
ee95GG@ZA942@aa # Secret string match: @ZA942@a
a9@AA!ee9 # Secret string match: a9@AA
These strings would not match the custom pattern described above:
a9@AA.!
a@AAAAA
aa9@AA!ee9
aAAAe9
Defining a custom pattern for an organization
Before defining a custom pattern, you must ensure that you enable secret scanning for the repositories that you want to scan in your organization. To enable secret scanning on all repositories in your organization, see "Managing security and analysis settings for your organization."
Note: As there is no dry-run functionality, we recommend that you test your custom patterns in a repository before defining them for your entire organization. That way, you can avoid creating excess false-positive secret scanning alerts.
-
En la esquina superior derecha de GitHub Enterprise Server, haga clic en la foto de perfil y luego en Your organizations.
-
Junto a la organización, haga clic en Settings.
-
In the left sidebar, click Security & analysis.
-
Debajo de "Seguridad y análisis de código", encuentra "GitHub Advanced Security".
-
En "Secret scanning", en "Patrones personalizados", haga clic en Nuevo patrón personalizado.
-
Enter the details for your new custom pattern:
- You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
- You can click More options to provide other surrounding content or additional match requirements for the secret format.
- Provide a sample test string to make sure your configuration is matching the patterns you expect.
-
When you're satisfied with your new custom pattern, click Create custom pattern.
After your pattern is created, secret scanning scans for any secrets in repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found and can review the alert in the repository where the secret is found. For more information on viewing secret scanning alerts, see "Managing alerts from secret scanning."
Defining a custom pattern for an enterprise account
Before defining a custom pattern, you must ensure that you enable secret scanning for your enterprise account. For more information, see "Enabling GitHub Advanced Security for your enterprise."
Note: As there is no dry-run functionality, we recommend that you test your custom patterns in a repository before defining them for your entire enterprise. That way, you can avoid creating excess false-positive secret scanning alerts.
-
En la esquina superior derecha de GitHub Enterprise Server, haga clic en la foto de perfil y luego en Configuración de empresa.
-
En la barra lateral de la empresa, haz clic en Directivas.
-
En Directivas, haga clic en "Seguridad avanzada".
-
En "Seguridad avanzada de GitHub", haga clic en la pestaña Características de seguridad.
-
Under "Secret scanning custom patterns", click New custom pattern.
-
Enter the details for your new custom pattern:
- You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
- You can click More options to provide other surrounding content or additional match requirements for the secret format.
- Provide a sample test string to make sure your configuration is matching the patterns you expect.
-
When you're satisfied with your new custom pattern, click Create custom pattern.
After your pattern is created, secret scanning scans for any secrets in repositories within your enterprise's organizations with GitHub Advanced Security enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing secret scanning alerts, see "Managing alerts from secret scanning."
Removing a custom pattern
-
Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
- For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "Defining a custom pattern for a repository" or "Defining a custom pattern for an organization" above.
- For an enterprise, under "Policies" display the "Advanced Security" area, and then click Security features. For more information, see "Defining a custom pattern for an enterprise account" above.
-
To the right of the custom pattern you want to remove, click Remove.
-
Review the confirmation, and click Remove custom pattern.