
About secret scanning

GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.


If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.

If someone checks a secret from a GitHub partner into a public or private repository, secret scanning can detect the secret and help you mitigate the impact of the leak.

Service providers can partner with GitHub to provide their secret formats for scanning. For more information, see "Secret scanning."

About secret scanning for public repositories

When you push to a public repository, GitHub scans the content of the commits for secrets. If you switch a private repository to public, GitHub scans the entire repository for secrets.

When secret scanning detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret, issue a new secret, or reach out to you directly, which will depend on the associated risks to you or the service provider.
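To make the "scan the content of the commits" step concrete, here is an added example that is not GitHub's own implementation and does not use the patterns its partners register (those are not published on this page). It walks the added lines of a constructed git diff and flags a few simplified credential shapes: the regexes for a GitHub personal access token and an AWS access key ID are rough approximations assumed for illustration, and the PEM private-key header is matched literally. The diff and every token in it are constructed, not real credentials.

```python
"""Illustrative local secret scanner over a git diff (added example, not
GitHub's code). Reports only added lines, since those are what a push
introduces, and masks each match so the report itself does not re-leak it."""
import re
from typing import Dict, List, Tuple

# Simplified credential shapes. These are assumptions for the example, not
# the provider-supplied patterns that GitHub's secret scanning uses.
PATTERNS: Dict[str, re.Pattern] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed diff: the removed line reads the key from the environment (good
# practice), the added lines hard-code secrets (the bad practice to catch).
# All token values are made up and follow only the shape of the real formats.
CONSTRUCTED_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,4 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ.get("AWS_ACCESS_KEY_ID")
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuv0123"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+-----BEGIN RSA PRIVATE KEY-----
 DB_HOST = "localhost"
"""


def added_lines(diff: str) -> List[Tuple[int, str]]:
    """Yield (diff line number, content) for lines the diff adds.

    A line starting with '+++' is the new-file header, not content, so it is
    skipped; the leading '+' is stripped from real added lines.
    """
    out: List[Tuple[int, str]] = []
    for number, line in enumerate(diff.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            out.append((number, line[1:]))
    return out


def mask(secret: str) -> str:
    """Keep a short prefix so a finding is recognisable without re-leaking it."""
    return secret[:8] + "..."


def scan_diff(diff: str) -> List[Tuple[str, int, str]]:
    """Return (pattern name, diff line number, masked match) for every hit
    in the added lines, in diff order."""
    findings: List[Tuple[str, int, str]] = []
    for number, content in added_lines(diff):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(content):
                findings.append((name, number, mask(match.group(0))))
    return findings


if __name__ == "__main__":
    for name, number, shown in scan_diff(CONSTRUCTED_DIFF):
        print(f"line {number}: possible {name}: {shown}")
```

The scanner deliberately ignores removed lines: on a real push the removed value was already in history and needs rotating regardless, which is why the provider notification described above matters more than the diff position. A checker like this belongs in a pre-push hook or CI job as a local complement to the server-side scan, not a replacement for it.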

GitHub currently scans public repositories for secrets issued by the following service providers.

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • CloudBees CodeShip
  • Databricks
  • Datadog
  • Discord
  • Dropbox
  • Dynatrace
  • GitHub
  • GoCardless
  • Google Cloud
  • Hashicorp Terraform
  • Hubspot
  • Mailgun
  • npm
  • NuGet
  • Palantir
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Slack
  • Stripe
  • Tencent Cloud
  • Twilio

About secret scanning for private repositories

Note: Secret scanning for private repositories is currently in beta and subject to change. To request access to the beta, join the waitlist.

When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets.

When secret scanning detects a secret in a private repository, GitHub sends alerts.

  • GitHub sends an email alert to the repository administrators and organization owners. If the secret is a personal access token from GitHub, we instead send the email alert directly to the owner of the token.

  • GitHub displays an alert in the repository. For more information, see "Managing alerts from secret scanning."

GitHub currently scans private repositories for secrets issued by the following service providers.

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • CloudBees CodeShip
  • Databricks
  • Discord
  • Dropbox
  • Dynatrace
  • GitHub
  • GoCardless
  • Google Cloud
  • Hashicorp Terraform
  • Hubspot
  • Mailgun
  • npm
  • NuGet
  • Palantir
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Slack
  • Stripe
  • Tencent Cloud
  • Twilio

Note: Secret scanning does not currently allow you to define your own patterns for detecting secrets.
