Skip to main content

비밀 검사에서 경고 평가

경고의 유효성 검사와 같이 경고를 평가하고 수정의 우선 순위를 지정하는 데 도움이 되는 추가 기능에 대해 알아봅니다.

누가 이 기능을 사용할 수 있나요?

People with admin access to a repository can view 비밀 검사 경고 for the repository.

엔터프라이즈에 GitHub Advanced Security에 대한 라이선스가 있는 경우 GitHub Enterprise Server의 조직 소유 리포지토리의 GitHub Enterprise Server에서 Secret scanning를 사용할 수 있습니다. 자세한 내용은 "비밀 검사 경고 정보" 및 "GitHub Advanced Security 정보"을 참조하세요.

About evaluating alerts

There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:

  • Check the validity of a secret, to see if the secret is still active. Applies to GitHub tokens only. For more information, see "Checking a secret's validity."
  • Review a token's metadata. Applies to GitHub tokens only. For example, to see when the token was last used. For more information, see "Reviewing GitHub token metadata."

Checking a secret's validity

Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.

By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.

ValidityStatusResult
Active secretactiveGitHub checked with this secret's provider and found that the secret is active
Possibly active secretunknownGitHub does not support validation checks for this token type yet
Possibly active secretunknownGitHub could not verify this secret
Secret inactiveinactiveYou should make sure no unauthorized access has already occurred

You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see "REST API endpoints for secret scanning" in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in "Webhook events and payloads."

Reviewing GitHub token metadata

Note

Metadata for GitHub tokens is currently in beta and subject to change.

In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.

Tokens, like personal access token and other credentials, are considered personal information. For more information about using GitHub tokens, see GitHub's Privacy Statement and Acceptable Use Policies.

Screenshot of the UI for a GitHub token, showing the token metadata.

Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:

MetadataDescription
Secret nameThe name given to the GitHub token by its creator
Secret ownerThe GitHub handle of the token's owner
Created onDate the token was created
Expired onDate the token expired
Last used onDate the token was last used
AccessWhether the token has organization access

Next steps