About evaluating alerts
There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:
- Check the validity of a secret, to see if the secret is still active. See Checking a secret's validity.
- Review a token's metadata. Applies to GitHub tokens only. For example, to see when the token was last used. See Reviewing GitHub token metadata.
Checking a secret's validity
Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.
By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.
Organizations using GitHub Team or GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable validity checks for partner patterns. For more information, see Checking a secret's validity.
| Validation status | Status | Result |
|---|---|---|
| Active secret | active | GitHub checked with this secret's provider and confirmed that the secret is active |
| Possibly active secret | unknown | GitHub does not yet support validity checks for this token type |
| Possibly active secret | unknown | GitHub could not verify this secret |
| Secret inactive | inactive | You should make sure that no unauthorized access has already occurred |
You can use the REST API to retrieve the most recent validation status for each of your tokens. For more information, see REST API endpoints for secret scanning in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in Webhook events and payloads.
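The following added example (not GitHub's own code or documentation) shows how a defender might consume the validation status described above. It assumes the list-alerts endpoint `GET /repos/{owner}/{repo}/secret-scanning/alerts`, whose alert objects carry a `validity` field with the values `active`, `inactive` or `unknown` from the table, and it orders open alerts so that active secrets are reviewed first. The alert records in `SAMPLE_ALERTS` are constructed for illustration.

```python
"""Triage secret scanning alerts by validation status.

Added example, not GitHub's own code. Assumes the REST endpoint
GET /repos/{owner}/{repo}/secret-scanning/alerts and a `validity` field of
"active", "inactive" or "unknown" on each alert. Sample data is constructed.
"""
import json
import urllib.request
from collections import Counter
from urllib.parse import urlencode

API_ROOT = "https://api.github.com"

# Lower value = review first. An active secret can still be exploited, so it
# outranks one GitHub could not verify, which in turn outranks an inactive one.
PRIORITY = {"active": 0, "unknown": 1, "inactive": 2}

# Constructed sample of alert objects (only the fields this example uses).
SAMPLE_ALERTS = [
    {"number": 7, "state": "open", "secret_type": "github_personal_access_token",
     "validity": "inactive", "created_at": "2024-01-03T10:00:00Z"},
    {"number": 12, "state": "open", "secret_type": "aws_access_key_id",
     "validity": "active", "created_at": "2024-02-10T08:30:00Z"},
    {"number": 15, "state": "resolved", "secret_type": "slack_api_token",
     "validity": "unknown", "created_at": "2024-02-11T08:30:00Z"},
    # No `validity` key at all: a pattern without validity checks enabled.
    {"number": 21, "state": "open", "secret_type": "example_partner_token",
     "created_at": "2024-03-01T12:00:00Z"},
    {"number": 3, "state": "open", "secret_type": "github_app_token",
     "validity": "active", "created_at": "2023-12-20T09:00:00Z"},
]


def alerts_url(owner: str, repo: str,
               validity: tuple = ("active", "unknown"), per_page: int = 100) -> str:
    """Build the list-alerts URL, asking the server to filter by validity."""
    query = urlencode({"state": "open", "validity": ",".join(validity),
                       "per_page": per_page})
    return f"{API_ROOT}/repos/{owner}/{repo}/secret-scanning/alerts?{query}"


def fetch_alerts(owner: str, repo: str, token: str) -> list:
    """Fetch one page of open alerts (requires a token with security_events scope)."""
    req = urllib.request.Request(alerts_url(owner, repo), headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def validity_of(alert: dict) -> str:
    """Missing or unexpected validity is treated as 'unknown' (possibly active)."""
    value = alert.get("validity")
    return value if value in PRIORITY else "unknown"


def triage(alerts: list) -> list:
    """Return open alerts ordered by validity (active first), oldest first within a tier."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    return sorted(open_alerts, key=lambda a: (PRIORITY[validity_of(a)], a["created_at"]))


def summarize(alerts: list) -> dict:
    """Count open alerts per validity tier, e.g. for a dashboard or daily report."""
    return dict(Counter(validity_of(a) for a in alerts if a.get("state") == "open"))


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f"#{alert['number']:<4} {validity_of(alert):<9} {alert['secret_type']}")
    print(summarize(SAMPLE_ALERTS))
```

Alerts lacking a `validity` value land in the `unknown` tier rather than being dropped, since the table above treats an unverified secret as possibly active; `fetch_alerts` is the only part that touches the network, so the triage logic can be unit-tested against stored API responses.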
Reviewing GitHub token metadata
Note
Metadata for GitHub tokens is currently in beta and subject to change.
In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.
Tokens, such as personal access tokens and other credentials, are considered personal information. For more information about using GitHub tokens, see GitHub's Privacy Statement and Acceptable Use Policies.

Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:
| Metadata | Description |
|---|---|
| Secret name | The name given to the GitHub token by its creator |
| Secret owner | The GitHub handle of the token's owner |
| Created on | Date the token was created |
| Expired on | Date the token expired |
| Last used on | Date the token was last used |
| Access | Whether the token has organization access |
Only users with admin permissions to the repository containing the leaked secret can view the security alert details and token metadata for the alert. Enterprise owners can request temporary access to the repository for this purpose. If access is granted, GitHub will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours.