Troubleshooting secret scanning

When using secret scanning to detect secrets in your repository, or secrets about to be committed into your repository, you may need to troubleshoot unexpected issues.

谁可以使用此功能?

Secret scanning 可用于以下存储库类型:

本文内容

注意

网站管理员必须先为实例启用 secret scanning,然后你才能使用此功能。 有关详细信息,请参阅“为设备配置密码扫描”。

如果企业所有者在企业级别设置了策略,你可能无法启用或禁用 secret scanning。 有关详细信息,请参阅“强制实施企业的代码安全性和分析策略”。

Detection of pattern pairs

Secret scanning will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource.

Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in 支持的机密扫描模式.

About legacy GitHub tokens

For GitHub tokens, we check the validity of the secret to determine whether the secret is active or inactive. This means that for legacy tokens, secret scanning won't detect a GitHub Enterprise Server personal access token on GitHub Enterprise Cloud. Similarly, a GitHub Enterprise Cloud personal access token won't be found on GitHub Enterprise Server.

Push protection limitations

If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see 支持的机密扫描模式.

If your secret is in the supported list, there are various reasons why push protection may not detect it.

  • Push protection only blocks leaked secrets on a subset of the most identifiable user-alerted patterns. Contributors can trust security defenses when such secrets are blocked as these are the patterns that have the lowest number of false positives.
  • The version of your secret may be old. 推送保护可能不支持某些旧版令牌,因为这些令牌生成的误报数可能高于其最新版本。 推送保护也可能不适用于旧令牌。 对于 Azure 存储密钥等令牌,GitHub 仅支持“最近创建”令牌,不支持与旧模式匹配的令牌。
  • The push may be too large, for example, if you're trying to push thousands of large files. A push protection scan may time out and not block a user if the push is too large. GitHub will still scan and create alerts, if needed, after the push.
  • If the push results in the detection of over five new secrets, we will only show you the first five (we will always show you a maximum of five secrets at one time).
  • If a push contains over 1,000 existing secrets (that is, secrets for which alerts have already been created), push protection will not block the push.
  • If you see a bypass request without commit or file path details, it means that push protection ran out of time. The push was too large or the history too complex to locate the commit that introduced the secret.