
This version of GitHub Enterprise Server will be discontinued on 2026-03-17. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise Support.

Viewing and filtering alerts from secret scanning

Learn how to find and filter secret scanning alerts for your repository.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

About the secret scanning alerts page

When you enable secret scanning for a repository, or push commits to a repository with secret scanning enabled, GitHub scans the contents for secrets that match the patterns defined by service providers and any custom patterns defined in your enterprise, organization, or repository.

When secret scanning detects a secret, GitHub generates an alert. GitHub displays alerts in the repository's "Security" tab.

To help you triage alerts more effectively, GitHub separates alerts into two lists:

  • High confidence alerts.
  • Other alerts.

Screenshot of the secret scanning alert view. The button to toggle between "High confidence" and "Other" alerts is highlighted with an orange outline.

High confidence alerts list

The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page.

Other alerts list

The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys). These types of alerts have a higher rate of false positives.

In addition, alerts that fall into this category:

  • Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts).
  • Are not shown in the summary views for security overview, only in the "Secret scanning" view.
  • Only have the first five detected locations shown on GitHub for non-provider patterns.

For GitHub to scan for non-provider patterns, you must first enable the feature for your repository or organization. For more information, see Enabling secret scanning for non-provider patterns.

Viewing alerts

Alerts for secret scanning are displayed under the Security tab of the repository.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted with a dark orange outline.

  3. In the left sidebar, under "Vulnerability alerts", click Secret scanning.

  4. Optionally, toggle to "Other" to see alerts for non-provider patterns.

  5. Under "Secret scanning", click the alert you want to view.

    Note

    Only people with admin access to the repository containing the leaked secret can view the security alert details and the alert's token metadata. Enterprise owners can request temporary access to the repository for this purpose.

Filtering alerts

You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or type the qualifiers listed below into the search bar.

  • bypassed: Display alerts for secrets where push protection has been bypassed (true). For more information, see About push protection.
  • confidence: Display alerts for high-confidence secrets, which relate to supported secrets and custom patterns (high), or for non-provider patterns such as private keys (other). See Supported secret scanning patterns.
  • is: Display alerts that are open (open) or closed (closed).
  • props: Display alerts for repositories with a specific custom property (CUSTOM_PROPERTY_NAME) set. For example, props:data_sensitivity:high displays results for repositories with the data_sensitivity property set to the value high.
  • provider: Display alerts for a specific provider (PROVIDER-NAME), for example, provider:github. For a list of supported partners, see Supported secret scanning patterns.
  • repo: Display alerts detected in a specified repository (REPOSITORY-NAME), for example: repo:octo-repository.
  • resolution: Display alerts closed as "false positive" (false-positive), "hidden by config" (hidden-by-config), "pattern deleted" (pattern-deleted), "pattern edited" (pattern-edited), "revoked" (revoked), "used in tests" (used-in-tests), or "won't fix" (wont-fix).
  • secret-type: Display alerts for a specific secret type (SECRET-NAME), for example, secret-type:github_personal_access_token. For a list of supported secret types, see Supported secret scanning patterns.
  • sort: Display alerts from newest to oldest (created-desc), oldest to newest (created-asc), most recently updated (updated-desc), or least recently updated (updated-asc).
  • team: Display alerts owned by members of the specified team, for example: team:octocat-dependabot-team.
  • topic: Display alerts with the matching repository topic, for example: topic:asdf.
  • validity: Display alerts for secrets with a specific validity (active, inactive, or unknown). For more information about validity statuses, see Evaluating alerts from secret scanning.
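The qualifiers above form a small search syntax, and it helps to see how the combinations behave, for example how `sort` orders results and how a `props:` value carries a second colon. The following Python is an added example, not GitHub's own code: it parses a search string into the documented qualifiers, rejects values outside the documented sets, and applies the result to a constructed list of alert records. The alert record field names, the `private_key` secret type used for the non-provider samples, and the sample alerts themselves are assumptions made for illustration; GitHub's real alert objects and its server-side search are not shown here.

```python
"""Parse secret scanning alert search qualifiers and apply them to a local
list of alert records.  Added example, not GitHub's own code: the alert
record shape and the sample alerts are constructed for illustration."""
import re

# Documented values per qualifier.  None means a free-form value (a name).
ALLOWED = {
    "bypassed": {"true"},
    "confidence": {"high", "other"},
    "is": {"open", "closed"},
    "props": None,        # CUSTOM_PROPERTY_NAME:value
    "provider": None,
    "repo": None,
    "resolution": {"false-positive", "hidden-by-config", "pattern-deleted",
                   "pattern-edited", "revoked", "used-in-tests", "wont-fix"},
    "secret-type": None,
    "sort": {"created-desc", "created-asc", "updated-desc", "updated-asc"},
    "team": None,
    "topic": None,
    "validity": {"active", "inactive", "unknown"},
}

# qualifier:value tokens; the value may itself contain ':' (props:name:value).
TOKEN = re.compile(r"(?P<key>[a-z-]+):(?P<value>\S+)")


def parse_query(query: str) -> dict:
    """Turn 'is:open confidence:high' into {'is': 'open', 'confidence': 'high'}.
    Unknown qualifiers or values outside the documented set raise ValueError."""
    filters = {}
    for m in TOKEN.finditer(query):
        key, value = m.group("key"), m.group("value")
        if key not in ALLOWED:
            raise ValueError(f"unknown qualifier: {key}")
        allowed = ALLOWED[key]
        if allowed is not None and value not in allowed:
            raise ValueError(f"invalid value for {key}: {value}")
        filters[key] = value
    return filters


def _matches(alert: dict, key: str, value: str) -> bool:
    """Evaluate one qualifier against one alert record (assumed field names)."""
    if key == "is":
        return alert["state"] == value
    if key == "bypassed":
        return alert["push_protection_bypassed"] is True
    if key == "props":
        name, _, wanted = value.partition(":")
        return alert["repo_props"].get(name) == wanted
    if key == "topic":
        return value in alert["repo_topics"]
    if key == "team":
        return value in alert["owning_teams"]
    field = {"confidence": "confidence", "resolution": "resolution",
             "validity": "validity", "secret-type": "secret_type",
             "provider": "provider", "repo": "repo"}[key]
    return alert[field] == value


def search(alerts: list, query: str) -> list:
    """Return the alerts matching every qualifier, ordered by the sort
    qualifier (default created-desc, newest first)."""
    filters = parse_query(query)
    sort = filters.pop("sort", "created-desc")
    hits = [a for a in alerts if all(_matches(a, k, v) for k, v in filters.items())]
    field, _, order = sort.rpartition("-")
    hits.sort(key=lambda a: a[field + "_at"], reverse=(order == "desc"))
    return hits


# Constructed sample alerts (not real data); ISO date strings sort correctly.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "confidence": "high",
     "secret_type": "github_personal_access_token", "provider": "github",
     "validity": "active", "push_protection_bypassed": False, "resolution": None,
     "repo": "octo-repository", "repo_props": {"data_sensitivity": "high"},
     "repo_topics": ["asdf"], "owning_teams": ["octocat-dependabot-team"],
     "created_at": "2024-05-01", "updated_at": "2024-05-03"},
    {"number": 2, "state": "open", "confidence": "other",
     "secret_type": "private_key", "provider": None,   # assumed type name
     "validity": "unknown", "push_protection_bypassed": True, "resolution": None,
     "repo": "octo-repository", "repo_props": {},
     "repo_topics": [], "owning_teams": [],
     "created_at": "2024-05-02", "updated_at": "2024-05-02"},
    {"number": 3, "state": "closed", "confidence": "high",
     "secret_type": "github_personal_access_token", "provider": "github",
     "validity": "inactive", "push_protection_bypassed": False, "resolution": "revoked",
     "repo": "other-repo", "repo_props": {"data_sensitivity": "low"},
     "repo_topics": ["asdf"], "owning_teams": ["octocat-dependabot-team"],
     "created_at": "2024-04-20", "updated_at": "2024-05-04"},
    {"number": 4, "state": "closed", "confidence": "other",
     "secret_type": "private_key", "provider": None,   # assumed type name
     "validity": "unknown", "push_protection_bypassed": False, "resolution": "wont-fix",
     "repo": "other-repo", "repo_props": {},
     "repo_topics": [], "owning_teams": [],
     "created_at": "2024-04-25", "updated_at": "2024-04-26"},
]


def alert_numbers(query: str) -> list:
    """Alert numbers matching a query over the constructed sample set."""
    return [a["number"] for a in search(SAMPLE_ALERTS, query)]


if __name__ == "__main__":
    # Open, high-confidence, still-live secrets: the ones to revoke first.
    print(alert_numbers("is:open confidence:high validity:active"))
```

The triage query in the `__main__` block (`is:open confidence:high validity:active`) is the combination worth knowing: it narrows the list to secrets that are unresolved, matched a provider or custom pattern, and are still accepted by the issuing service, which is the set that needs revocation before anything else.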

Next steps