About the secret scanning alerts page
Quand vous activez l’secret scanning pour un dépôt ou que vous poussez des commits sur un dépôt où l’secret scanning est activée, GitHub recherche dans le contenu des secrets qui correspondent aux modèles définis par les fournisseurs de services et à tous les modèles personnalisés définis dans votre entreprise, organisation ou dépôt.
Lorsque secret scanning détecte un secret, GitHub génère une alerte. GitHub affiche une alerte sous l’onglet Sécurité du dépôt.
To help you triage alerts more effectively, GitHub separates alerts into two lists:
- Default alerts
- Generic alerts
Default alerts list
The default alerts list displays alerts that relate to supported patterns and specified custom patterns. This is the main view for alerts.
Generic alerts list
The generic alerts list displays alerts that relate to non-provider patterns (such as private keys), or generic secrets detected using AI (such as passwords). These types of alerts can have a higher rate of false positives or secrets used in tests. You can toggle to the generic alerts list from the default alerts list.
In addition, alerts that fall into this category:
- Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts).
- Are not shown in the summary views for security overview, only in the "Secret scanning" view.
- Only have the first five detected locations shown on GitHub for non-provider patterns, and only the first detected location shown for AI-detected generic secrets.
For GitHub to scan for non-provider patterns and generic secrets, you must first enable the features for your repository or organization. For more information, see Activation de l’analyse du secret des modèles non fournisseurs and Activation de la détection des secrets génériques de l’analyse des secrets de Copilot.
GitHub will continue to release new patterns and secret types to the generic alerts list and will promote them to the default list when feature-complete (e.g. when they have an appropriately low volume and false positive rate).
Viewing alerts
Alerts for secret scanning are displayed under the Security tab of the repository.
-
Sur GitHub, accédez à la page principale du référentiel.
-
Sous le nom du référentiel, cliquez sur Sécurité. Si vous ne voyez pas l’onglet « Sécurité », sélectionnez le menu déroulant et cliquez sur Sécurité.
-
In the left sidebar, under "Vulnerability alerts", click Secret scanning.
-
Optionally, toggle to "Generic" to see alerts for non-provider patterns or generic secrets detected using AI.
-
Under "Secret scanning", click the alert you want to view.
Remarque
Seules les personnes disposant d’autorisations d’administrateur dans le référentiel contenant un secret divulgué peuvent afficher les détails de l’alerte de sécurité et les métadonnées de jeton pour une alerte. Les propriétaires d’entreprise peuvent demander un accès temporaire au référentiel à cet effet.
-
Vous pouvez également attribuer l'alerte à une personne chargée de la résoudre à l'aide du contrôle Assignees affiché à droite, voir Attribution d'alertes.
Filtering alerts
You can apply various filters to the alerts list to help you find the alerts you're interested in. You can use the dropdown menus above the alerts list, or input the qualifiers listed in the table into the search bar.
| Qualifier | Description |
|---|---|
bypassed | Display alerts for secrets where push protection has been bypassed (true). For more information, see À propos de la protection lors du push. |
is | Display alerts that are open (open), closed (closed), found in a public repository (publicly-leaked), or found in more than one repository within the same organization or enterprise (multi-repository). |
props | Display alerts for repositories with a specific custom property (CUSTOM_PROPERTY_NAME) set. For example, props:data_sensitivity:high display results for repositories with the data_sensitivity property set to the value high. |
provider | Display alerts for a specific provider (PROVIDER-NAME), for example, provider:github. For a list of supported partners, see Supported secret scanning patterns. |
repo | Display alerts detected in a specified repository (REPOSITORY-NAME), for example: repo:octo-repository. |
resolution | Display alerts closed as "false positive" (false-positive), "hidden by config" (hidden-by-config), "pattern deleted" (pattern-deleted), "pattern edited" (pattern-edited), "revoked" (revoked), "used in tests" (used-in-tests), or "won't fix" (wont-fix). |
results | Display alerts for supported secrets and custom patterns (default), or for non-provider patterns (generic) such as private keys, and AI-detected generic secrets such as passwords. See Supported secret scanning patterns, and for more information about AI-detected generic secrets, see Détection responsable des secrets génériques avec l’analyse des secrets Copilot. |
secret-type | Display alerts for a specific secret type (SECRET-NAME), for example, secret-type:github_personal_access_token. For a list of supported secret types, see Supported secret scanning patterns. |
sort | Display alerts from newest to oldest (created-desc), oldest to newest (created-asc), most recently updated (updated-desc), or least recently updated (updated-asc). |
team | Display alerts owned by members of the specified team, for example: team:octocat-dependabot-team. |
topic | Display alerts with the matching repository topic, for example: topic:asdf. |
validity | Display alerts for secrets with a specific validity (active, inactive, or unknown). Applies only to GitHub tokens unless you enable validity checks. For more information about validity statuses, see Évaluation des alertes à partir de l’analyse des secrets. |