Skip to main content

Configuring secret scanning for your repositories

You can configure how GitHub scans your repositories for secrets that match advanced security patterns.

Who can use this feature

People with admin permissions to a repository can enable secret scanning for the repository.

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. 詳細については、「GitHub Advanced Security について」を参照してください。

Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."

Enabling secret scanning

You can enable secret scanning for any repository that is owned by an organization. Once enabled, secret scanningはGitHubリポジトリ中に存在するすべてのブランチのGit履歴全体に対して、あらゆるシークレットをスキャンします。

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. リポジトリ名の下の [ 設定] をクリックします。 リポジトリの設定ボタン

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. If Advanced Security is not already enabled for the repository, to the right of "GitHub Advanced Security", click Enable. Enable GitHub Advanced Security for your repository

  5. Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository.

  6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If "Secret scanning" is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled. Enable secret scanning for your repository

  7. Optionally, if you want to enable push protection, click Enable to the right of "Push protection." プッシュ保護を有効にすると、secret scanning は、信頼度の高いシークレット (誤検知率が低いシークレット) のプッシュもチェックします。 Secret scanning には、作成者がシークレットを確認して削除できるように、検出したシークレットが一覧表示されます。また、必要に応じて、それらのシークレットをプッシュできるようにします。 For more information, see "Protecting pushes with secret scanning." Enable push protection for your repository

Excluding directories from secret scanning

You can use a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. ファイルの一覧の上にある、 [ファイルの追加] ドロップダウンを使用し、 [新しいファイルの作成] をクリックします。 [ファイルの追加] ドロップダウンの [新しいファイルの作成]

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."

Further reading