Skip to main content
We publish frequent updates to our documentation, and translation of this page may still be in progress. For the most current information, please visit the English documentation.

为存储库配置机密扫描

可以配置 GitHub 如何扫描存储库中遭到泄露的机密并生成警报。

Who can use this feature

People with admin permissions to a repository can enable secret scanning for the repository.

Secret scanning alerts for partners 自动在所有公共存储库上运行。 如果你拥有 GitHub Advanced Security 的许可证,则可以为组织拥有的任何存储库启用和配置 secret scanning alerts for users。

如果你的企业拥有 GitHub Advanced Security 的许可证,则 有关详细信息,请参阅“关于 secret scanning alerts for users”和“关于 GitHub Advanced Security”。

Enabling secret scanning alerts for users

You can enable secret scanning alerts for users for any repository that is owned by an organization. Once enabled, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository. Secret scanning also analyzes issue descriptions and comments for secrets.

Note: Secret scanning for issue descriptions and comments is in public beta and subject to change.

Note: If your organization is owned by an enterprise account, an enterprise owner can also enable secret scanning at the enterprise level. For more information, see "Managing GitHub Advanced Security features for your enterprise."

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. Repository settings button

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. If Advanced Security is not already enabled for the repository, to the right of "GitHub Advanced Security", click Enable. Enable GitHub Advanced Security for your repository

  5. Review the impact of enabling Advanced Security, then click Enable GitHub Advanced Security for this repository.

  6. When you enable Advanced Security, secret scanning may automatically be enabled for the repository due to the organization's settings. If "Secret scanning" is shown with an Enable button, you still need to enable secret scanning by clicking Enable. If you see a Disable button, secret scanning is already enabled. Enable secret scanning for your repository

  7. Optionally, if you want to enable push protection, click Enable to the right of "Push protection." When you enable push protection, secret scanning also checks pushes for high-confidence secrets (those identified with a low false positive rate). Secret scanning lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. For more information, see "Protecting pushes with secret scanning." Enable push protection for your repository

Excluding directories from secret scanning alerts for users

You can use a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Above the list of files, using the Add file drop-down, click Create new file. "Create new file" in the "Add file" dropdown

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
      - "foo/bar/*.js"
    

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."

Further reading