Note: Secret scanning for organization-owned private repositories is currently in beta and subject to change.
プロジェクトを外部サービスと通信させる場合、認証にトークンまたは秘密鍵を使用できます。 トークンや秘密鍵は、サービスプロバイダが発行できるシークレットです。 リポジトリにシークレットをチェックインする場合、リポジトリへの読み取りアクセスを持つすべてのユーザがシークレットを使用して、自分の権限で外部サービスにアクセスできます。 シークレットは、プロジェクトのリポジトリの外の、安全な専用の場所に保存することをお勧めします。 Service providers can partner with
GitHub to provide their secret formats for scanning. For more information, see "Secret scanning."
If someone checks a secret from a GitHub partner into a public or private repository on GitHub, secret scanning catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.
パブリックリポジトリの secret scanning について
Secret scanning is automatically enabled on public repositories. パブリックリポジトリにプッシュすると、GitHub がコミットの内容をスキャンしてシークレットを探します。 プライベートリポジトリをパブリックに切り替えると、GitHub はリポジトリ全体をスキャンしてシークレットを探します。
secret scanning が認証情報一式を検出すると、弊社はそのシークレットを発行したサービスプロバイダに通知します。 サービスプロバイダは認証情報を検証し、シークレットを取り消すか、新しいシークレットを発行するか、または直接連絡する必要があるかを決定します。これは、ユーザまたはサービスプロバイダに関連するリスクに依存します。 For an overview of how we work with token-issuing partners, see "Secret scanning."
現在 GitHub は、パブリックリポジトリをスキャンして、次のサービスプロバイダが発行したシークレットを探します。
Partner | Supported secret |
---|---|
Adafruit IO | Adafruit IO Key |
Alibaba Cloud | Alibaba Cloud Access Key ID and Access Key Secret pair |
Amazon Web Services (AWS) | Amazon AWS Access Key ID and Secret Access Key pair |
Atlassian | Atlassian API Token |
Atlassian | Atlassian JSON Web Token |
Azure | Azure DevOps Personal Access Token |
Azure | Azure SAS Token |
Azure | Azure Service Management Certificate |
Azure | Azure SQL Connection String |
Azure | Azure Storage Account Key |
Clojars | Clojars Deploy Token |
CloudBees CodeShip | CloudBees CodeShip Credential |
Databricks | Databricks Access Token |
Datadog | Datadog API Key |
Discord | Discord Bot Token |
Doppler | Doppler Personal Token |
Doppler | Doppler Service Token |
Doppler | Doppler CLI Token |
Doppler | Doppler SCIM Token |
Dropbox | Dropbox Access Token |
Dropbox | Dropbox Short Lived Access Token |
Dynatrace | Dynatrace Access Token |
Dynatrace | Dynatrace Internal Token |
Finicity | Finicity App Key |
Frame.io | Frame.io JSON Web Token |
Frame.io | Frame.io Developer Token |
GitHub | GitHub SSH Private Key |
GitHub | GitHub Personal Access Token |
GitHub | GitHub App Installation Access Token |
GoCardless | GoCardless Live Access Token |
GoCardless | GoCardless Sandbox Access Token |
Google Cloud | Google API Key |
Google Cloud | Google Cloud Private Key ID |
Hashicorp Terraform | Terraform Cloud / Enterprise API Token |
Hubspot | Hubspot API Key |
Mailchimp | Mailchimp API Key |
Mailchimp | Mandrill API Key |
Mailgun | Mailgun API Key |
MessageBird | MessageBird API Key |
npm | npm Access Token |
NuGet | NuGet API Key |
Palantir | Palantir JSON Web Token |
Plivo | Plivo Auth Token |
Postman | Postman API Key |
Proctorio | Proctorio Consumer Key |
Proctorio | Proctorio Linkage Key |
Proctorio | Proctorio Registration Key |
Proctorio | Proctorio Secret Key |
Pulumi | Pulumi Access Token |
Samsara | Samsara API Token |
Samsara | Samsara OAuth Access Token |
Shopify | Shopify App Shared Secret |
Shopify | Shopify Access Token |
Shopify | Shopify Custom App Access Token |
Shopify | Shopify Private App Password |
Slack | Slack API Token |
Slack | Slack Incoming Webhook URL |
Slack | Slack Workflow Webhook URL |
SSLMate | SSLMate API Key |
SSLMate | SSLMate Cluster Secret |
Stripe | Stripe Live API Secret Key |
Stripe | Stripe Test API Secret Key |
Stripe | Stripe Live API Restricted Key |
Stripe | Stripe Test API Restricted Key |
Tencent Cloud | Tencent Cloud Secret ID |
Twilio | Twilio Account String Identifier |
Twilio | Twilio API Key |
プライベートリポジトリの secret scanning について
If you're a repository administrator or an organization owner, you can enable secret scanning for private repositories that are owned by organizations. You can enable secret scanning for all your repositories, or for all new repositories within your organization. Secret scanning is not available for user-owned private repositories. For more information, see "Managing security and analysis settings for your repository" and "Managing security and analysis settings for your organization."
When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets.
When secret scanning detects a secret in a private repository, GitHub sends alerts.
-
GitHub は、リポジトリ管理者と Organizationのオーナーにメールアラートを送信します。
-
GitHub は、リポジトリにアラートを表示します。 詳しい情報については、「secret scanning からのアラートを管理する」を参照してください。
Repository administrators and organization owners can grant users and teams access to secret scanning alerts. For more information, see "Managing security and analysis settings for your repository."
To monitor results from secret scanning across your private repositories or your organization, you can use the secret scanning API. For more information about API endpoints, see "Secret scanning."
GitHub currently scans private repositories for secrets issued by the following service providers.
Partner | Supported secret | API slug |
---|---|---|
n/a | JSON Web Token | json_web_token |
n/a | OAuth Client Credential | api_credential_assignment |
Adafruit IO | Adafruit IO Key | adafruit_io_key |
Alibaba Cloud | Alibaba Cloud Access Key ID | alibaba_cloud_access_key_id |
Alibaba Cloud | Alibaba Cloud Access Key Secret | alibaba_cloud_access_key_secret |
Amazon Web Services (AWS) | Amazon AWS Access Key ID | aws_access_key_id |
Amazon Web Services (AWS) | Amazon AWS Secret Access Key | aws_secret_access_key |
Atlassian | Atlassian API Token | atlassian_api_token |
Atlassian | Atlassian JSON Web Token | atlassian_jwt |
Azure | Azure DevOps Personal Access Token | azure_devops_personal_access_token |
Azure | Azure SAS Token | azure_sas_token |
Azure | Azure Service Management Certificate | azure_management_certificate |
Azure | Azure SQL Connection String | azure_sql_connection_string |
Azure | Azure Storage Account Key | azure_storage_account_key |
Clojars | Clojars Deploy Token | clojars_deploy_token |
CloudBees CodeShip | CloudBees CodeShip Credential | codeship_credential |
Databricks | Databricks Access Token | databricks_access_token |
Discord | Discord Bot Token | discord_bot_token |
Doppler | Doppler Personal Token | doppler_personal_token |
Doppler | Doppler Service Token | doppler_service_token |
Doppler | Doppler CLI Token | doppler_cli_token |
Doppler | Doppler SCIM Token | doppler_scim_token |
Dropbox | Dropbox Access Token | dropbox_access_token |
Dropbox | Dropbox Short Lived Access Token | dropbox_short_lived_access_token |
Dynatrace | Dynatrace Access Token | dynatrace_access_token |
Dynatrace | Dynatrace Internal Token | dynatrace_internal_token |
Finicity | Finicity App Key | finicity_app_key |
Frame.io | Frame.io JSON Web Token | frameio_jwt |
Frame.io | Frame.io Developer Token | frameio_developer_token |
GitHub | GitHub SSH Private Key | github_ssh_private_key |
GitHub | GitHub Personal Access Token | github_personal_access_token |
GitHub | GitHub App Installation Access Token | github_app_installation_access_token |
GoCardless | GoCardless Live Access Token | gocardless_live_access_token |
GoCardless | GoCardless Sandbox Access Token | gocardless_sandbox_access_token |
Google Cloud | Google API Key | google_api_key |
Google Cloud | Google Cloud Private Key ID | google_cloud_private_key_id |
Hashicorp Terraform | Terraform Cloud / Enterprise API Token | terraform_api_token |
Hubspot | Hubspot API Key | hubspot_api_key |
Mailchimp | Mailchimp API Key | mailchimp_api_key |
Mailgun | Mailgun API Key | mailgun_api_key |
npm | npm Access Token | npm_access_token |
NuGet | NuGet API Key | nuget_api_key |
Palantir | Palantir JSON Web Token | palantir_jwt |
Postman | Postman API Key | postman_api_key |
Proctorio | Proctorio Consumer Key | proctorio_consumer_key |
Proctorio | Proctorio Linkage Key | proctorio_linkage_key |
Proctorio | Proctorio Registration Key | proctorio_registration_key |
Proctorio | Proctorio Secret Key | proctorio_secret_key |
Pulumi | Pulumi Access Token | pulumi_access_token |
Samsara | Samsara API Token | samsara_api_token |
Samsara | Samsara OAuth Access Token | samsara_oauth_access_token |
Shopify | Shopify App Shared Secret | shopify_app_shared_secret |
Shopify | Shopify Access Token | shopify_access_token |
Shopify | Shopify Custom App Access Token | shopify_custom_app_access_token |
Shopify | Shopify Private App Password | shopify_private_app_password |
Slack | Slack API Token | slack_api_token |
Slack | Slack Incoming Webhook URL | slack_incoming_webhook_url |
Slack | Slack Workflow Webhook URL | slack_workflow_webhook_url |
SSLMate | SSLMate API Key | sslmate_api_key |
SSLMate | SSLMate Cluster Secret | sslmate_cluster_secret |
Stripe | Stripe API Key | stripe_api_key |
Stripe | Stripe Live API Secret Key | stripe_live_secret_key |
Stripe | Stripe Test API Secret Key | stripe_test_secret_key |
Stripe | Stripe Live API Restricted Key | stripe_live_restricted_key |
Stripe | Stripe Test API Restricted Key | stripe_test_restricted_key |
Tencent Cloud | Tencent Cloud Secret ID | tencent_cloud_secret_id |
Twilio | Twilio Account String Identifier | twilio_account_sid |
Twilio | Twilio API Key | twilio_api_key |
注釈: Secret scanning では現在、シークレットを検出するための独自のパターンを定義することはできません。