Skip to main content
설명서에 자주 업데이트를 게시하며 이 페이지의 번역이 계속 진행 중일 수 있습니다. 최신 정보는 영어 설명서를 참조하세요.

리포지토리에 대한 비밀 검사 구성

GitHub이(가) 리포지토리에서 유출된 비밀을 검사하고 경고를 생성하는 방법을 구성할 수 있습니다.

이 기능을 사용할 수 있는 사용자

People with admin permissions to a repository can enable secret scanning for the repository.

파트너에 대한 비밀 검사 경고는 퍼블릭 리포지토리 및 퍼블릭 npm 패키지에서 자동으로 실행되어 GitHub.com에서 유출된 비밀에 대해 서비스 공급자에게 알립니다.

사용자에 대한 비밀 검사 경고은(는) 모든 퍼블릭 리포지토리에서 무료로 사용할 수 있습니다. GitHub Advanced Security에 대한 라이선스가 있는 GitHub Enterprise Cloud를 사용하는 조직은 프라이빗 및 내부 리포지토리에서 사용자에 대한 비밀 검사 경고를 사용하도록 설정할 수도 있습니다. 자세한 내용은 "비밀 검사 정보" 및 "GitHub Advanced Security 정보"을 참조하세요.

Enabling secret scanning alerts for users

You can enable secret scanning alerts for users for any repository that is owned by an organization. Once enabled, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository. Secret scanning also analyzes issue descriptions and comments for secrets.

Note: Secret scanning for issue descriptions and comments is in public beta and subject to change.

Note: If your organization is owned by an enterprise account, an enterprise owner can also enable secret scanning at the enterprise level. For more information, see "Managing GitHub Advanced Security features for your enterprise."

You can use security overview to find a set of repositories and enable or disable secret scanning alerts for users for them all at the same time. For more information, see "Enabling security features for multiple repositories."

You can also use the organization settings page for "Code security and analysis" to enable or disable secret scanning alerts for users for all public repositories in an organization:

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. If Advanced Security is not already enabled for the repository, to the right of "GitHub Advanced Security", click Enable.

  5. Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository.

  6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If "Secret scanning" is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled.

    Screenshot of the "Secret scanning" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.

  7. Optionally, if you want to enable push protection, click Enable to the right of "Push protection." When you enable push protection, secret scanning also checks pushes for high-confidence secrets (those identified with a low false positive rate). Secret scanning lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. For more information, see "Protecting pushes with secret scanning." Enable push protection for your repository

Excluding directories from secret scanning alerts for users

You can configure a secret_scanning.yml file to exclude directories from secret scanning, including when you use push protection. For example, you can exclude directories that contain tests or randomly generated content.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Above the list of files, select the Add file dropdown menu, then click Create new file.

    Alternatively, you can click in the file tree view on the left.

    Screenshot of the main page of the repository. Above the list of a files, a button, labeled "Add file," is outlined in dark orange. In the file tree view of the repository, a button, with the plus sign icon, is also outlined in dark orange.

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."

Further reading