Skip to main content

关于合作伙伴的机密扫描

当 secret scanning 在 GitHub 上的公共存储库中检测到服务提供方的身份验证详细信息时,警报将直接发送给该提供方。 这样作为 GitHub 合作伙伴的服务提供方便可及时采取措施来保护其系统。

谁可以使用此功能?

合作伙伴的机密扫描警报 默认在以下存储库上运行:

  • GitHub 上的公共存储库和公共 npm 包

About secret scanning alerts for partners

GitHub scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. To find out about our partner program, see "Secret scanning partner program."

Note

You cannot change the configuration of secret scanning for partner patterns on public repositories.

The reason partner alerts are directly sent to the secret providers whenever a leak is detected for one of their secrets is that this enables the provider to take immediate action to protect you and protect their resources. The notification process for regular alerts is different. Regular alerts are displayed on the repository's Security tab on GitHub for you to resolve.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

What are the supported secrets

For information about the secrets and service providers supported by push protection, see "Supported secret scanning patterns."

Further reading