About secret scanning
Secret scanning is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, secret scanning scans commits in repositories for known types of secrets and alerts repository administrators upon detection.
Secret scanning scans your entire Git history on all branches present in your GitHub repository for secrets, even if the repository is archived. When new supported secret types are added, GitHub also periodically runs a full Git history scan of existing content in public repositories where secret scanning is enabled.
Additionally, secret scanning scans:
- Descriptions and comments in issues
- Titles, descriptions, and comments in open and closed historical issues. If a partner pattern is detected in historical content, the relevant partner is notified.
- Titles, descriptions, and comments in pull requests
- Titles, descriptions, and comments in GitHub Discussions
- Wikis
- Secret gists. If a partner pattern is detected in a secret gist, the relevant partner is notified.
This additional scanning is free for public repositories.
Tip
Regardless of the enablement status of Advanced Security features, organizations on GitHub Team and GitHub Enterprise can run a free report to scan the code in the organization for leaked secrets.
To generate a report, open the Assessments page on your organization's Security tab, then click Scan organization.
When a supported secret is leaked, GitHub generates a secret scanning alert. Alerts are reported on the Security tab of repositories on GitHub, where you can view, evaluate, and resolve them. For more information, see Managing alerts from secret scanning.
Service providers can partner with GitHub to provide their secret formats for scanning. We automatically run secret scanning for partner patterns on all public repositories and public npm packages. To learn about the partner program, see Secret scanning partner program.
Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner, and aren't displayed on GitHub. For more information about partner patterns, see About secret scanning alerts.
For information about the secrets and service providers supported by secret scanning, see Supported secret scanning patterns.
You can use the REST API to monitor results from secret scanning across your repositories or organization. For more information about API endpoints, see REST API endpoints for secret scanning.
You can also use security overview to see an organization-level view of which repositories have enabled secret scanning and the alerts found. For more information, see About security overview.
You can use GitHub tools to audit the actions taken in response to secret scanning alerts. For more information, see Auditing security alerts.
How secret scanning works
Below is a typical workflow that explains how secret scanning works:
- Detection: Secret scanning automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
- Alerts: When a potential secret is detected, GitHub generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see About secret scanning alerts.
- Review: When a secret is detected, you'll need to review the alert details provided.
- Remediation: You then need to take appropriate action to remediate the exposure. This should always include rotating the affected credential to ensure it is no longer usable. It may also include removing the secret from the repository's history (using tools like git-filter-repo; see Removing sensitive data from a repository for more details), though this will likely involve a heavy cost in time and effort, and is usually unnecessary if the credentials have been revoked.
- Monitoring: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
- Integration with partners: GitHub works with various service providers to validate secrets. When a partner secret is detected, GitHub notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see Secret scanning partner program.
About the benefits of secret scanning
- Enhanced security: Secret scanning scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
- Automated detection: The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves.
- Real-time alerts: When a secret is detected, secret scanning provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.
- Integration with service providers: GitHub partners with various service providers to validate detected secrets. When a secret is identified, GitHub notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see Secret scanning partner program.
- Custom pattern support: Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
- Ability to detect non-provider patterns: You can expand the detection to include non-provider patterns such as connection strings, authentication headers, and private keys, for your repository or organization.
Customizing secret scanning
Once secret scanning is enabled, you can customize it further:
Detection of non-provider patterns
Scan for and detect secrets that are not specific to a service provider, such as private keys and generic API keys. For more information, see Enabling secret scanning for non-provider patterns.
Performing validity checks
Validity checks help you prioritize alerts by telling you which secrets are active or inactive. For more information, see Enabling validity checks for your repository and Evaluating alerts from secret scanning.
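The REST API paragraph above and the validity checks described here come together when you triage alerts in bulk. The following added example (not GitHub's own tooling) fetches an organization's open alerts from the secret scanning REST API and orders them for remediation: active secrets first, then secrets of unknown validity, then inactive ones, with alerts where push protection was bypassed ranked ahead within each group. The sample alert records are constructed to mirror the trimmed shape of the API's alert objects; the organization name and token are placeholders, and the `validity` values assumed are the documented `active`, `inactive` and `unknown`.

```python
"""Triage secret scanning alerts by validity and push-protection bypass.

Added example, not GitHub's code. The alert records below are constructed
sample data shaped like (a subset of) the REST API's alert objects.
"""
import json
import urllib.request

# Lower rank = remediate sooner. Unknown validity is treated as "assume live".
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

# Constructed sample data: four alerts as the API would return them (trimmed).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "github_personal_access_token",
     "validity": "active", "push_protection_bypassed": False},
    {"number": 2, "state": "open", "secret_type": "aws_access_key_id",
     "validity": "inactive", "push_protection_bypassed": False},
    {"number": 3, "state": "resolved", "secret_type": "slack_api_token",
     "validity": "unknown", "push_protection_bypassed": False},
    {"number": 4, "state": "open", "secret_type": "private_key",
     "validity": "unknown", "push_protection_bypassed": True},
]


def fetch_alerts(org, token):
    """Page through an organization's open alerts via the REST API (live call).

    `org` and `token` are placeholders supplied by the caller; the token needs
    permission to read secret scanning alerts for the organization.
    """
    alerts, page = [], 1
    while True:
        url = (f"https://api.github.com/orgs/{org}/secret-scanning/alerts"
               f"?state=open&per_page=100&page={page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:          # empty page means we have read everything
            return alerts
        alerts.extend(batch)
        page += 1


def prioritize(alerts):
    """Return only open alerts, ordered by remediation priority."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]

    def key(alert):
        return (
            VALIDITY_RANK.get(alert.get("validity"), 1),   # active < unknown < inactive
            0 if alert.get("push_protection_bypassed") else 1,  # bypassed first
            alert["number"],                                # stable tie-break
        )

    return sorted(open_alerts, key=key)


def triage_order(alerts):
    """Alert numbers in the order they should be worked."""
    return [a["number"] for a in prioritize(alerts)]


if __name__ == "__main__":
    for alert in prioritize(SAMPLE_ALERTS):
        print(f"#{alert['number']:<4} {alert['validity']:<8} "
              f"bypassed={alert['push_protection_bypassed']!s:<5} {alert['secret_type']}")
```

Run with the sample data the script prints alerts 1, 4 and 2 in that order and drops the resolved alert 3; swap `SAMPLE_ALERTS` for `fetch_alerts("your-org", token)` to work the live list. Treating `unknown` as closer to `active` than to `inactive` is deliberate: a validity check that could not run is not evidence the credential is dead.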
Defining custom patterns
Define your own patterns for secrets used by your organization that secret scanning can scan for and detect. For more information, see Defining custom patterns for secret scanning.
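To make the custom-pattern and non-provider-pattern sections above concrete, here is an added example (not GitHub's scanner and not the project's code) that applies patterns of the same shape a custom pattern has in GitHub, a secret format plus optional "before secret" and "after secret" context and "additional match requirements", to repository content line by line. The `acme_live_` token format, the placeholder exclusion rule and the sample content are all constructed; the private key and authorization header patterns stand in for the non-provider patterns named earlier. The regular expression syntax here is Python's and is not claimed to be what GitHub's pattern fields accept.

```python
"""Apply custom and non-provider secret patterns to repository content.

Added example, not GitHub's scanner. Each SecretPattern mirrors the fields of a
GitHub custom pattern: secret format, before/after context, and "must not
match" requirements evaluated against the captured secret.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SecretPattern:
    name: str
    secret: str                              # regex for the secret itself
    before: str = r"(?<![\w-])"              # default: not preceded by a word char
    after: str = r"(?![\w-])"                # default: not followed by a word char
    must_not_match: list = field(default_factory=list)  # exclusions on the secret

    def compiled(self):
        return re.compile(f"{self.before}({self.secret}){self.after}")


PATTERNS = [
    # Custom pattern for a hypothetical "ACME" API token: prefix + 32 hex chars.
    # The all-zero value is the vendor's documented placeholder, so exclude it.
    SecretPattern("acme_api_token", secret=r"acme_live_[0-9a-f]{32}",
                  must_not_match=[r"\Aacme_live_0{32}\Z"]),
    # Non-provider pattern: PEM private key header (no context needed).
    SecretPattern("private_key",
                  secret=r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
                  before="", after=""),
    # Non-provider pattern: credential in an Authorization header.
    SecretPattern("authorization_header",
                  secret=r"[A-Za-z0-9._~+/=-]{16,}",
                  before=r"(?:Authorization|authorization):\s*(?:Bearer|Basic)\s+",
                  after=r"(?![A-Za-z0-9._~+/=-])"),
]

# Constructed sample content: a config file plus a pasted curl command and key.
SAMPLE_CONTENT = """# constructed sample, nothing here is a real credential
ACME_TOKEN=acme_live_3f9c1e7a2b4d6c8e0f1a2b3c4d5e6f70
ACME_TOKEN_EXAMPLE=acme_live_00000000000000000000000000000000
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln" https://api.example.test/v1
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK...
-----END RSA PRIVATE KEY-----
"""


def redact(secret):
    """Keep enough of the value to locate it, never the whole thing."""
    return secret[:4] + "***" if len(secret) > 8 else "***"


def scan(text, patterns=PATTERNS):
    """Return findings as dicts: pattern name, 1-based line, redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in patterns:
            for match in pattern.compiled().finditer(line):
                value = match.group(1)
                if any(re.search(rule, value) for rule in pattern.must_not_match):
                    continue                 # excluded by "must not match"
                findings.append({"pattern": pattern.name, "line": lineno,
                                 "preview": redact(value)})
    return findings


def finding_summary(text, patterns=PATTERNS):
    """(pattern, line) pairs, handy for assertions and reports."""
    return [(f["pattern"], f["line"]) for f in scan(text, patterns)]


if __name__ == "__main__":
    for f in scan(SAMPLE_CONTENT):
        print(f"line {f['line']:>3}  {f['pattern']:<22} {f['preview']}")
```

On the sample content the scanner reports the live-looking ACME token on line 2, the bearer token on line 4 and the private key header on line 5, and skips the all-zero placeholder on line 3 because of its "must not match" rule. The same loop runs unchanged over issue or pull request text, which is why the page lists those as scanned surfaces: the patterns do not care where the text came from.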
Copilot Secret Scanning
- Generic secret detection: Leverage secret scanning's AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see Responsible detection of generic secrets with Copilot Secret Scanning.
- Regular expression generator: Leverage secret scanning's AI capabilities to generate regular expressions that will capture all your custom patterns. For more information, see Responsible generation of regular expressions with Copilot Secret Scanning.