シークレットスキャン用の REST API エンドポイント

シークレットスキャンについて

API を使って次のことができます。

リポジトリの secret scanning とプッシュ保護を有効または無効にする。詳しくは、「リポジトリの REST API エンドポイント」を参照し、「security_and_analysis オブジェクトのプロパティ」セクションを展開してください。
リポジトリからシークレットスキャンニングアラートを取得して更新します。詳細については、以下のセクションを参照してください。

secret scanning の詳細については、「シークレットスキャンについて」を参照してください。

List secret scanning alerts for an organization

Lists secret scanning alerts for eligible repositories in an organization, from newest to oldest.

The authenticated user must be an administrator or security manager for the organization to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Secret scanning alerts" repository permissions (read)

"List secret scanning alerts for an organization" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`org` string 必須 The organization name. The name is not case sensitive.

クエリパラメーター
名前, タイプ, 説明
`state` string Set to `open` or `resolved` to only list secret scanning alerts in a specific state. 次のいずれかにできます: `open`, `resolved`
`secret_type` string A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types.
`exclude_secret_types` string A comma-separated list of secret types to exclude from the results. All default secret patterns are returned except those matching the specified types. Cannot be combined with the `secret_type` parameter. See "Supported secret scanning patterns" for a complete list of secret types.
`exclude_providers` string A comma-separated list of provider slugs to exclude from the results. Provider slugs use lowercase with underscores (e.g., `github_secret_scanning`, `clojars`). You can find the provider slug in the `provider_slug` field of each alert. Cannot be combined with the `providers` parameter.
`providers` string A comma-separated list of provider slugs to filter by. Provider slugs use lowercase with underscores (e.g., `github_secret_scanning`, `clojars`). You can find the provider slug in the `provider_slug` field of each alert. Cannot be combined with the `exclude_providers` parameter.
`resolution` string A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are `false_positive`, `wont_fix`, `revoked`, `pattern_edited`, `pattern_deleted` or `used_in_tests`.
`assignee` string Filters alerts by assignee. Use `*` to get all assigned alerts, `none` to get all unassigned alerts, or a GitHub username to get alerts assigned to a specific user.
`sort` string The property to sort the results by. `created` means when the alert was created. `updated` means when the alert was updated or resolved. デフォルト: `created` 次のいずれかにできます: `created`, `updated`
`direction` string The direction to sort the results by. デフォルト: `desc` 次のいずれかにできます: `asc`, `desc`
`page` integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." デフォルト: `1`
`per_page` integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." デフォルト: `30`
`before` string A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string.
`after` string A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string.
`validity` string A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are `active`, `inactive`, and `unknown`.
`is_publicly_leaked` boolean A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. デフォルト: `false`
`is_multi_repo` boolean A boolean value representing whether or not to filter alerts by the multi-repo tag being present. デフォルト: `false`
`hide_secret` boolean A boolean value representing whether or not to hide literal secrets in the results. デフォルト: `false`
`is_bypassed` boolean A boolean value (`true` or `false`) indicating whether to filter alerts by their push protection bypass status. When set to `true`, only alerts that were created because a push protection rule was bypassed will be returned. When set to `false`, only alerts that were not caused by a push protection bypass will be returned.

http_status_code

status_code	説明
`200`	OK
`404`	Resource not found
`503`	Service unavailable

code_samples

request_example

get/orgs/{org}/secret-scanning/alerts

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/orgs/ORG/secret-scanning/alerts

Response

Status: 200

[
  {
    "number": 2,
    "created_at": "2020-11-06T18:48:51Z",
    "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/2",
    "html_url": "https://github.com/owner/private-repo/security/secret-scanning/2",
    "locations_url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/2/locations",
    "state": "resolved",
    "resolution": "false_positive",
    "resolved_at": "2020-11-07T02:47:13Z",
    "resolved_by": {
      "login": "monalisa",
      "id": 2,
      "node_id": "MDQ6VXNlcjI=",
      "avatar_url": "https://alambic.github.com/avatars/u/2?",
      "gravatar_id": "",
      "url": "https://api.github.com/users/monalisa",
      "html_url": "https://github.com/monalisa",
      "followers_url": "https://api.github.com/users/monalisa/followers",
      "following_url": "https://api.github.com/users/monalisa/following{/other_user}",
      "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
      "organizations_url": "https://api.github.com/users/monalisa/orgs",
      "repos_url": "https://api.github.com/users/monalisa/repos",
      "events_url": "https://api.github.com/users/monalisa/events{/privacy}",
      "received_events_url": "https://api.github.com/users/monalisa/received_events",
      "type": "User",
      "site_admin": true
    },
    "secret_type": "adafruit_io_key",
    "secret_type_display_name": "Adafruit IO Key",
    "secret": "aio_XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "repository": {
      "id": 1296269,
      "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
      "name": "Hello-World",
      "full_name": "octocat/Hello-World",
      "owner": {
        "login": "octocat",
        "id": 1,
        "node_id": "MDQ6VXNlcjE=",
        "avatar_url": "https://github.com/images/error/octocat_happy.gif",
        "gravatar_id": "",
        "url": "https://api.github.com/users/octocat",
        "html_url": "https://github.com/octocat",
        "followers_url": "https://api.github.com/users/octocat/followers",
        "following_url": "https://api.github.com/users/octocat/following{/other_user}",
        "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
        "organizations_url": "https://api.github.com/users/octocat/orgs",
        "repos_url": "https://api.github.com/users/octocat/repos",
        "events_url": "https://api.github.com/users/octocat/events{/privacy}",
        "received_events_url": "https://api.github.com/users/octocat/received_events",
        "type": "User",
        "site_admin": false
      },
      "private": false,
      "html_url": "https://github.com/octocat/Hello-World",
      "description": "This your first repo!",
      "fork": false,
      "url": "https://api.github.com/repos/octocat/Hello-World",
      "archive_url": "https://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
      "assignees_url": "https://api.github.com/repos/octocat/Hello-World/assignees{/user}",
      "blobs_url": "https://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
      "branches_url": "https://api.github.com/repos/octocat/Hello-World/branches{/branch}",
      "collaborators_url": "https://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
      "comments_url": "https://api.github.com/repos/octocat/Hello-World/comments{/number}",
      "commits_url": "https://api.github.com/repos/octocat/Hello-World/commits{/sha}",
      "compare_url": "https://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
      "contents_url": "https://api.github.com/repos/octocat/Hello-World/contents/{+path}",
      "contributors_url": "https://api.github.com/repos/octocat/Hello-World/contributors",
      "deployments_url": "https://api.github.com/repos/octocat/Hello-World/deployments",
      "downloads_url": "https://api.github.com/repos/octocat/Hello-World/downloads",
      "events_url": "https://api.github.com/repos/octocat/Hello-World/events",
      "forks_url": "https://api.github.com/repos/octocat/Hello-World/forks",
      "git_commits_url": "https://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
      "git_refs_url": "https://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
      "git_tags_url": "https://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
      "issue_comment_url": "https://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
      "issue_events_url": "https://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
      "issues_url": "https://api.github.com/repos/octocat/Hello-World/issues{/number}",
      "keys_url": "https://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
      "labels_url": "https://api.github.com/repos/octocat/Hello-World/labels{/name}",
      "languages_url": "https://api.github.com/repos/octocat/Hello-World/languages",
      "merges_url": "https://api.github.com/repos/octocat/Hello-World/merges",
      "milestones_url": "https://api.github.com/repos/octocat/Hello-World/milestones{/number}",
      "notifications_url": "https://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
      "pulls_url": "https://api.github.com/repos/octocat/Hello-World/pulls{/number}",
      "releases_url": "https://api.github.com/repos/octocat/Hello-World/releases{/id}",
      "stargazers_url": "https://api.github.com/repos/octocat/Hello-World/stargazers",
      "statuses_url": "https://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
      "subscribers_url": "https://api.github.com/repos/octocat/Hello-World/subscribers",
      "subscription_url": "https://api.github.com/repos/octocat/Hello-World/subscription",
      "tags_url": "https://api.github.com/repos/octocat/Hello-World/tags",
      "teams_url": "https://api.github.com/repos/octocat/Hello-World/teams",
      "trees_url": "https://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
      "hooks_url": "https://api.github.com/repos/octocat/Hello-World/hooks"
    },
    "push_protection_bypassed_by": {
      "login": "monalisa",
      "id": 2,
      "node_id": "MDQ6VXNlcjI=",
      "avatar_url": "https://alambic.github.com/avatars/u/2?",
      "gravatar_id": "",
      "url": "https://api.github.com/users/monalisa",
      "html_url": "https://github.com/monalisa",
      "followers_url": "https://api.github.com/users/monalisa/followers",
      "following_url": "https://api.github.com/users/monalisa/following{/other_user}",
      "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
      "organizations_url": "https://api.github.com/users/monalisa/orgs",
      "repos_url": "https://api.github.com/users/monalisa/repos",
      "events_url": "https://api.github.com/users/monalisa/events{/privacy}",
      "received_events_url": "https://api.github.com/users/monalisa/received_events",
      "type": "User",
      "site_admin": true
    },
    "push_protection_bypassed": true,
    "push_protection_bypassed_at": "2020-11-06T21:48:51Z",
    "push_protection_bypass_request_reviewer": {
      "login": "octocat",
      "id": 3,
      "node_id": "MDQ6VXNlcjI=",
      "avatar_url": "https://alambic.github.com/avatars/u/3?",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": true
    },
    "push_protection_bypass_request_reviewer_comment": "Example response",
    "push_protection_bypass_request_comment": "Example comment",
    "push_protection_bypass_request_html_url": "https://github.com/owner/repo/secret_scanning_exemptions/1",
    "resolution_comment": "Example comment",
    "validity": "active",
    "publicly_leaked": false,
    "multi_repo": false,
    "is_base64_encoded": false,
    "first_location_detected": {
      "path": "/example/secrets.txt",
      "start_line": 1,
      "end_line": 1,
      "start_column": 1,
      "end_column": 64,
      "blob_sha": "af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "blob_url": "https://api.github.com/repos/octocat/hello-world/git/blobs/af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "commit_sha": "f14d7debf9775f957cf4f1e8176da0786431f72b",
      "commit_url": "https://api.github.com/repos/octocat/hello-world/git/commits/f14d7debf9775f957cf4f1e8176da0786431f72b"
    },
    "has_more_locations": true,
    "assigned_to": {
      "login": "octocat",
      "id": 1,
      "node_id": "MDQ6VXNlcjE=",
      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": false
    }
  }
]

List secret scanning alerts for a repository

Lists secret scanning alerts for an eligible repository, from newest to oldest.

The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Secret scanning alerts" repository permissions (read)

"List secret scanning alerts for a repository" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`owner` string 必須 The account owner of the repository. The name is not case sensitive.
`repo` string 必須 The name of the repository without the `.git` extension. The name is not case sensitive.

クエリパラメーター
名前, タイプ, 説明
`state` string Set to `open` or `resolved` to only list secret scanning alerts in a specific state. 次のいずれかにできます: `open`, `resolved`
`secret_type` string A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types.
`exclude_secret_types` string A comma-separated list of secret types to exclude from the results. All default secret patterns are returned except those matching the specified types. Cannot be combined with the `secret_type` parameter. See "Supported secret scanning patterns" for a complete list of secret types.
`exclude_providers` string A comma-separated list of provider slugs to exclude from the results. Provider slugs use lowercase with underscores (e.g., `github_secret_scanning`, `clojars`). You can find the provider slug in the `provider_slug` field of each alert. Cannot be combined with the `providers` parameter.
`providers` string A comma-separated list of provider slugs to filter by. Provider slugs use lowercase with underscores (e.g., `github_secret_scanning`, `clojars`). You can find the provider slug in the `provider_slug` field of each alert. Cannot be combined with the `exclude_providers` parameter.
`resolution` string A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are `false_positive`, `wont_fix`, `revoked`, `pattern_edited`, `pattern_deleted` or `used_in_tests`.
`assignee` string Filters alerts by assignee. Use `*` to get all assigned alerts, `none` to get all unassigned alerts, or a GitHub username to get alerts assigned to a specific user.
`sort` string The property to sort the results by. `created` means when the alert was created. `updated` means when the alert was updated or resolved. デフォルト: `created` 次のいずれかにできます: `created`, `updated`
`direction` string The direction to sort the results by. デフォルト: `desc` 次のいずれかにできます: `asc`, `desc`
`page` integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." デフォルト: `1`
`per_page` integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." デフォルト: `30`
`before` string A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string.
`after` string A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string.
`validity` string A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are `active`, `inactive`, and `unknown`.
`is_publicly_leaked` boolean A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. デフォルト: `false`
`is_multi_repo` boolean A boolean value representing whether or not to filter alerts by the multi-repo tag being present. デフォルト: `false`
`hide_secret` boolean A boolean value representing whether or not to hide literal secrets in the results. デフォルト: `false`
`is_bypassed` boolean A boolean value (`true` or `false`) indicating whether to filter alerts by their push protection bypass status. When set to `true`, only alerts that were created because a push protection rule was bypassed will be returned. When set to `false`, only alerts that were not caused by a push protection bypass will be returned.

http_status_code

status_code	説明
`200`	OK
`404`	Repository is public or secret scanning is disabled for the repository
`503`	Service unavailable

code_samples

request_example

get/repos/{owner}/{repo}/secret-scanning/alerts

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/alerts

Response

Status: 200

[
  {
    "number": 2,
    "created_at": "2020-11-06T18:48:51Z",
    "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/2",
    "html_url": "https://github.com/owner/private-repo/security/secret-scanning/2",
    "locations_url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/2/locations",
    "state": "resolved",
    "resolution": "false_positive",
    "resolved_at": "2020-11-07T02:47:13Z",
    "resolved_by": {
      "login": "monalisa",
      "id": 2,
      "node_id": "MDQ6VXNlcjI=",
      "avatar_url": "https://alambic.github.com/avatars/u/2?",
      "gravatar_id": "",
      "url": "https://api.github.com/users/monalisa",
      "html_url": "https://github.com/monalisa",
      "followers_url": "https://api.github.com/users/monalisa/followers",
      "following_url": "https://api.github.com/users/monalisa/following{/other_user}",
      "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
      "organizations_url": "https://api.github.com/users/monalisa/orgs",
      "repos_url": "https://api.github.com/users/monalisa/repos",
      "events_url": "https://api.github.com/users/monalisa/events{/privacy}",
      "received_events_url": "https://api.github.com/users/monalisa/received_events",
      "type": "User",
      "site_admin": true
    },
    "secret_type": "adafruit_io_key",
    "secret_type_display_name": "Adafruit IO Key",
    "secret": "aio_XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "push_protection_bypassed_by": {
      "login": "monalisa",
      "id": 2,
      "node_id": "MDQ6VXNlcjI=",
      "avatar_url": "https://alambic.github.com/avatars/u/2?",
      "gravatar_id": "",
      "url": "https://api.github.com/users/monalisa",
      "html_url": "https://github.com/monalisa",
      "followers_url": "https://api.github.com/users/monalisa/followers",
      "following_url": "https://api.github.com/users/monalisa/following{/other_user}",
      "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
      "organizations_url": "https://api.github.com/users/monalisa/orgs",
      "repos_url": "https://api.github.com/users/monalisa/repos",
      "events_url": "https://api.github.com/users/monalisa/events{/privacy}",
      "received_events_url": "https://api.github.com/users/monalisa/received_events",
      "type": "User",
      "site_admin": true
    },
    "push_protection_bypassed": true,
    "push_protection_bypassed_at": "2020-11-06T21:48:51Z",
    "push_protection_bypass_request_reviewer": {
      "login": "octocat",
      "id": 3,
      "node_id": "MDQ6VXNlcjI=",
      "avatar_url": "https://alambic.github.com/avatars/u/3?",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": true
    },
    "push_protection_bypass_request_reviewer_comment": "Example response",
    "push_protection_bypass_request_comment": "Example comment",
    "push_protection_bypass_request_html_url": "https://github.com/owner/repo/secret_scanning_exemptions/1",
    "resolution_comment": "Example comment",
    "validity": "inactive",
    "publicly_leaked": false,
    "multi_repo": false,
    "is_base64_encoded": false,
    "first_location_detected": {
      "path": "/example/secrets.txt",
      "start_line": 1,
      "end_line": 1,
      "start_column": 1,
      "end_column": 64,
      "blob_sha": "af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "blob_url": "https://api.github.com/repos/octocat/hello-world/git/blobs/af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "commit_sha": "f14d7debf9775f957cf4f1e8176da0786431f72b",
      "commit_url": "https://api.github.com/repos/octocat/hello-world/git/commits/f14d7debf9775f957cf4f1e8176da0786431f72b"
    },
    "has_more_locations": true,
    "assigned_to": {
      "login": "octocat",
      "id": 1,
      "node_id": "MDQ6VXNlcjE=",
      "avatar_url": "https://github.com/images/error/octocat_happy.gif",
      "gravatar_id": "",
      "url": "https://api.github.com/users/octocat",
      "html_url": "https://github.com/octocat",
      "followers_url": "https://api.github.com/users/octocat/followers",
      "following_url": "https://api.github.com/users/octocat/following{/other_user}",
      "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
      "organizations_url": "https://api.github.com/users/octocat/orgs",
      "repos_url": "https://api.github.com/users/octocat/repos",
      "events_url": "https://api.github.com/users/octocat/events{/privacy}",
      "received_events_url": "https://api.github.com/users/octocat/received_events",
      "type": "User",
      "site_admin": false
    }
  }
]

Get a secret scanning alert

Gets a single secret scanning alert detected in an eligible repository.

The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Secret scanning alerts" repository permissions (read)

"Get a secret scanning alert" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`owner` string 必須 The account owner of the repository. The name is not case sensitive.
`repo` string 必須 The name of the repository without the `.git` extension. The name is not case sensitive.
`alert_number` integer 必須 The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the `number` field in the response from the `GET /repos/{owner}/{repo}/code-scanning/alerts` operation.

クエリパラメーター
名前, タイプ, 説明
`hide_secret` boolean A boolean value representing whether or not to hide literal secrets in the results. デフォルト: `false`

http_status_code

status_code	説明
`200`	OK
`304`	Not modified
`404`	Repository is public, or secret scanning is disabled for the repository, or the resource is not found
`503`	Service unavailable

code_samples

request_example

get/repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER

Response

Status: 200

{
  "number": 42,
  "created_at": "2020-11-06T18:18:30Z",
  "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42",
  "html_url": "https://github.com/owner/private-repo/security/secret-scanning/42",
  "locations_url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42/locations",
  "state": "open",
  "resolution": null,
  "resolved_at": null,
  "resolved_by": null,
  "secret_type": "mailchimp_api_key",
  "secret_type_display_name": "Mailchimp API Key",
  "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2",
  "push_protection_bypassed_by": null,
  "push_protection_bypassed": false,
  "push_protection_bypassed_at": null,
  "push_protection_bypass_request_reviewer": null,
  "push_protection_bypass_request_reviewer_comment": null,
  "push_protection_bypass_request_comment": null,
  "push_protection_bypass_request_html_url": null,
  "resolution_comment": null,
  "validity": "unknown",
  "publicly_leaked": false,
  "multi_repo": false
}

Update a secret scanning alert

Updates the status of a secret scanning alert in an eligible repository.

You can also use this endpoint to assign or unassign an alert to a user who has write access to the repository.

The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Secret scanning alerts" repository permissions (write)

"Update a secret scanning alert" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`owner` string 必須 The account owner of the repository. The name is not case sensitive.
`repo` string 必須 The name of the repository without the `.git` extension. The name is not case sensitive.
`alert_number` integer 必須 The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the `number` field in the response from the `GET /repos/{owner}/{repo}/code-scanning/alerts` operation.

ボディパラメータ
名前, タイプ, 説明
`state` string Sets the state of the secret scanning alert. You must provide `resolution` when you set the state to `resolved`. 次のいずれかにできます: `open`, `resolved`
`resolution` string or null Required when the `state` is `resolved`. The reason for resolving the alert. 次のいずれかにできます: `false_positive`, `wont_fix`, `revoked`, `used_in_tests`, `null`
`resolution_comment` string or null An optional comment when closing or reopening an alert. Cannot be updated or deleted.
`assignee` string or null The username of the user to assign to the alert. Set to `null` to unassign the alert.
`validity` string or null Sets the validity of the secret scanning alert. Can be `active`, `inactive`, or `null` to clear the override. 次のいずれかにできます: `active`, `inactive`, `null`

http_status_code

status_code	説明
`200`	OK
`400`	Bad request, resolution comment is invalid or the resolution was not changed.
`403`	Delegated alert dismissal is enabled and the authenticated user is not a valid reviewer.
`404`	Repository is public, or secret scanning is disabled for the repository, or the resource is not found
`422`	State does not match the resolution or resolution comment, assignee does not have write access to the repository, or the requested validity change could not be applied to this alert
`503`	Service unavailable

code_samples

request_example

patch/repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}

curl -L \
  -X PATCH \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER \
  -d '{"state":"resolved","resolution":"false_positive"}'

Response

Status: 200

{
  "number": 42,
  "created_at": "2020-11-06T18:18:30Z",
  "url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42",
  "html_url": "https://github.com/owner/private-repo/security/secret-scanning/42",
  "locations_url": "https://api.github.com/repos/owner/private-repo/secret-scanning/alerts/42/locations",
  "state": "resolved",
  "resolution": "used_in_tests",
  "resolved_at": "2020-11-16T22:42:07Z",
  "resolved_by": {
    "login": "monalisa",
    "id": 2,
    "node_id": "MDQ6VXNlcjI=",
    "avatar_url": "https://alambic.github.com/avatars/u/2?",
    "gravatar_id": "",
    "url": "https://api.github.com/users/monalisa",
    "html_url": "https://github.com/monalisa",
    "followers_url": "https://api.github.com/users/monalisa/followers",
    "following_url": "https://api.github.com/users/monalisa/following{/other_user}",
    "gists_url": "https://api.github.com/users/monalisa/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/monalisa/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/monalisa/subscriptions",
    "organizations_url": "https://api.github.com/users/monalisa/orgs",
    "repos_url": "https://api.github.com/users/monalisa/repos",
    "events_url": "https://api.github.com/users/monalisa/events{/privacy}",
    "received_events_url": "https://api.github.com/users/monalisa/received_events",
    "type": "User",
    "site_admin": true
  },
  "secret_type": "mailchimp_api_key",
  "secret_type_display_name": "Mailchimp API Key",
  "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-us2",
  "push_protection_bypassed": false,
  "push_protection_bypassed_by": null,
  "push_protection_bypassed_at": null,
  "push_protection_bypass_request_reviewer": null,
  "push_protection_bypass_request_reviewer_comment": null,
  "push_protection_bypass_request_comment": null,
  "push_protection_bypass_request_html_url": null,
  "resolution_comment": "Example comment",
  "validity": "unknown",
  "publicly_leaked": false,
  "multi_repo": false,
  "assigned_to": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://alambic.github.com/avatars/u/1?",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  }
}

List locations for a secret scanning alert

Lists all locations for a given secret scanning alert for an eligible repository.

The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Secret scanning alerts" repository permissions (read)

"List locations for a secret scanning alert" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`owner` string 必須 The account owner of the repository. The name is not case sensitive.
`repo` string 必須 The name of the repository without the `.git` extension. The name is not case sensitive.
`alert_number` integer 必須 The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the `number` field in the response from the `GET /repos/{owner}/{repo}/code-scanning/alerts` operation.

クエリパラメーター
名前, タイプ, 説明
`page` integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." デフォルト: `1`
`per_page` integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." デフォルト: `30`

http_status_code

status_code	説明
`200`	OK
`404`	Repository is public, or secret scanning is disabled for the repository, or the resource is not found
`503`	Service unavailable

code_samples

request_example

get/repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}/locations

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER/locations

Response

Status: 200

[
  {
    "type": "commit",
    "details": {
      "path": "/example/secrets.txt",
      "start_line": 1,
      "end_line": 1,
      "start_column": 1,
      "end_column": 64,
      "blob_sha": "af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "blob_url": "https://api.github.com/repos/octocat/hello-world/git/blobs/af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "commit_sha": "f14d7debf9775f957cf4f1e8176da0786431f72b",
      "commit_url": "https://api.github.com/repos/octocat/hello-world/git/commits/f14d7debf9775f957cf4f1e8176da0786431f72b"
    }
  },
  {
    "type": "wiki_commit",
    "details": {
      "path": "/example/Home.md",
      "start_line": 1,
      "end_line": 1,
      "start_column": 1,
      "end_column": 64,
      "blob_sha": "af5626b4a114abcb82d63db7c8082c3c4756e51b",
      "page_url": "https://github.com/octocat/Hello-World/wiki/Home/302c0b7e200761c9dd9b57e57db540ee0b4293a5",
      "commit_sha": "302c0b7e200761c9dd9b57e57db540ee0b4293a5",
      "commit_url": "https://github.com/octocat/Hello-World/wiki/_compare/302c0b7e200761c9dd9b57e57db540ee0b4293a5"
    }
  },
  {
    "type": "issue_title",
    "details": {
      "issue_title_url": "https://api.github.com/repos/octocat/Hello-World/issues/1347"
    }
  },
  {
    "type": "issue_body",
    "details": {
      "issue_body_url": "https://api.github.com/repos/octocat/Hello-World/issues/1347"
    }
  },
  {
    "type": "issue_comment",
    "details": {
      "issue_comment_url": "https://api.github.com/repos/octocat/Hello-World/issues/comments/1081119451"
    }
  },
  {
    "type": "discussion_title",
    "details": {
      "discussion_title_url": "https://github.com/community/community/discussions/39082"
    }
  },
  {
    "type": "discussion_body",
    "details": {
      "discussion_body_url": "https://github.com/community/community/discussions/39082#discussion-4566270"
    }
  },
  {
    "type": "discussion_comment",
    "details": {
      "discussion_comment_url": "https://github.com/community/community/discussions/39082#discussioncomment-4158232"
    }
  },
  {
    "type": "pull_request_title",
    "details": {
      "pull_request_title_url": "https://api.github.com/repos/octocat/Hello-World/pulls/2846"
    }
  },
  {
    "type": "pull_request_body",
    "details": {
      "pull_request_body_url": "https://api.github.com/repos/octocat/Hello-World/pulls/2846"
    }
  },
  {
    "type": "pull_request_comment",
    "details": {
      "pull_request_comment_url": "https://api.github.com/repos/octocat/Hello-World/issues/comments/1825855898"
    }
  },
  {
    "type": "pull_request_review",
    "details": {
      "pull_request_review_url": "https://api.github.com/repos/octocat/Hello-World/pulls/2846/reviews/80"
    }
  },
  {
    "type": "pull_request_review_comment",
    "details": {
      "pull_request_review_comment_url": "https://api.github.com/repos/octocat/Hello-World/pulls/comments/12"
    }
  }
]

Create a push protection bypass

Creates a bypass for a previously push protected secret.

The authenticated user must be the original author of the committed secret.

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Contents" repository permissions (write)

"Create a push protection bypass" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`owner` string 必須 The account owner of the repository. The name is not case sensitive.
`repo` string 必須 The name of the repository without the `.git` extension. The name is not case sensitive.

ボディパラメータ
名前, タイプ, 説明
`reason` string 必須 The reason for bypassing push protection. 次のいずれかにできます: `false_positive`, `used_in_tests`, `will_fix_later`
`placeholder_id` string 必須 The ID of the push protection bypass placeholder. This value is returned on any push protected routes.

http_status_code

status_code	説明
`200`	OK
`403`	User does not have enough permissions to perform this action.
`404`	Placeholder ID not found, or push protection is disabled on this repository.
`422`	Bad request, input data missing or incorrect.
`503`	Service unavailable

code_samples

request_example

post/repos/{owner}/{repo}/secret-scanning/push-protection-bypasses

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/push-protection-bypasses \
  -d '{"reason":"will_fix_later","placeholder_id":"2k4dM4tseyC5lPIsjl5emX9sPNk"}'

Response

Status: 200

{
  "reason": "will_fix_later",
  "expire_at": "2020-11-06T18:18:30Z",
  "token_type": "mailchimp_api_key"
}

Get secret scanning scan history for a repository

Lists the latest default incremental and backfill scans by type for a repository.

Note

This endpoint requires GitHub Advanced Security.

OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.

fine_grained_access

works_with_fine_grained_tokens:

permission_set:

"Secret scanning alerts" repository permissions (read)

"Get secret scanning scan history for a repository" のパラメーター

ヘッダー
名前, タイプ, 説明
`accept` string Setting to `application/vnd.github+json` is recommended.

パスパラメーター
名前, タイプ, 説明
`owner` string 必須 The account owner of the repository. The name is not case sensitive.
`repo` string 必須 The name of the repository without the `.git` extension. The name is not case sensitive.

http_status_code

status_code	説明
`200`	OK
`404`	Repository does not have GitHub Advanced Security or secret scanning enabled
`503`	Service unavailable

code_samples

request_example

get/repos/{owner}/{repo}/secret-scanning/scan-history

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2026-03-10" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/scan-history

Response

Status: 200

{
  "incremental_scans": [
    {
      "type": "git",
      "status": "completed",
      "completed_at": "2024-10-07T02:47:00Z"
    }
  ],
  "backfill_scans": [
    {
      "type": "git",
      "status": "completed",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:50:00Z"
    },
    {
      "type": "issue",
      "status": "completed",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:49:00Z"
    },
    {
      "type": "discussion",
      "status": "completed",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:48:00Z"
    }
  ],
  "pattern_update_scans": [
    {
      "type": "discussion",
      "status": "in_progress",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:51:00Z"
    }
  ],
  "custom_pattern_backfill_scans": [
    {
      "type": "git",
      "status": "completed",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:55:00Z",
      "pattern_slug": "my-custom-pattern",
      "pattern_scope": "enterprise"
    },
    {
      "type": "git",
      "status": "completed",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:55:00Z",
      "pattern_slug": "my-custom-pattern",
      "pattern_scope": "organization"
    }
  ],
  "generic_secrets_backfill_scans": [
    {
      "type": "git",
      "status": "completed",
      "started_at": "2024-10-07T02:47:00Z",
      "completed_at": "2024-10-07T02:55:00Z"
    }
  ]
}

シークレット スキャン用の REST API エンドポイント

request_example

Response

request_example

Response

request_example

Response

request_example

Response

request_example

Response

request_example

Response

request_example

Response

シークレットスキャン用の REST API エンドポイント