Evaluating alerts from secret scanning

Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret's validity.

누가 이 기능을 사용할 수 있나요?

리포지토리 소유자, 조직 소유자, 보안 관리자 및 관리자 역할이 있는 사용자

이 문서의 내용

About evaluating alerts

There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:

Checking a secret's validity

Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.

By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.

Organizations using GitHub Team or GitHub Enterprise Cloud with a license for GitHub Secret Protection can also enable validity checks for partner patterns. For more information, see Checking a secret's validity.

유효성 검사상태결과
활성 비밀activeGitHub이(가) 이 비밀의 공급자에게 확인하여 비밀이 활성 상태임을 발견했습니다.
활성 비밀일 수 있음unknownGitHub은(는) 이 토큰 형식에 대한 유효성 검사를 아직 지원하지 않습니다.
활성 비밀일 수 있음unknownGitHub은(는) 이 비밀을 확인할 수 없습니다.
비활성 상태의 비밀inactive무단 액세스가 아직 발생하지 않았는지 확인해야 합니다.

파트너 패턴의 유효성 검사는 다음 리포지토리 유형에서 사용할 수 있습니다.

  •         [GitHub Secret Protection](/get-started/learning-about-github/about-github-advanced-security)이 활성화된 GitHub Team의 조직 소유 리포지토리

For information on how to enable validity checks for partner patterns, see Enabling validity checks for your repository, and for information on which partner patterns are currently supported, see 지원되는 비밀 검사 패턴.

You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see 비밀 검사를 위한 REST API 엔드포인트 in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in 웹후크 이벤트 및 페이로드.

Performing an on-demand validity check

Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking Verify secret in the alert view. GitHub will send the pattern to the relevant partner and display the validation status of the secret in the alert view.

Screenshot of the UI showing a secret scanning alert. A button, labeled "Verify secret" is highlighted with an orange outline.

Reviewing GitHub token metadata

참고 항목

Metadata for GitHub tokens is currently in 공개 미리 보기 and subject to change.

In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.

Tokens, like personal access token and other credentials, are considered personal information. For more information about using GitHub tokens, see GitHub's Privacy Statement and Acceptable Use Policies.

Screenshot of the UI for a GitHub token, showing the token metadata.

Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:

MetadataDescription
Secret nameThe name given to the GitHub token by its creator
Secret ownerThe GitHub handle of the token's owner
Created onDate the token was created
Expired onDate the token expired
Last used onDate the token was last used
AccessWhether the token has organization access

Reviewing extended metadata for a token

참고 항목

토큰에 대한 확장 메타데이터 검사는 공개 미리 보기로 제공되며 변경될 수 있습니다.

In the view for an active GitHub token alert, you can see extended metadata information, such as owner and contact details.

The following table shows all the available metadata. Note that metadata checks are currently limited to OpenAI API, Google OAuth, and Slack tokens, and the metadata shown for each token may represent only a subset of what exists.

Metadata typeDescription
Owner IDProvider’s unique identifier for the user or service account that owns the secret
Owner nameHuman‑readable username or display name of the secret’s owner
Owner emailEmail address associated with the owner
Org nameName of the organization / workspace / project the secret belongs to
Org IDProvider’s unique identifier for that organization
Secret issued dateTimestamp when the secret (token or key) was created or most recently issued
Secret expiry dateTimestamp when the secret is scheduled to expire
Secret nameHuman‑assigned display name or label for the secret
Secret IDProvider’s unique identifier for the secret

Reviewing alert labels

In the alert view, you can review any labels assigned to the alert. The labels provide additional details about the alert, which can inform the approach you take for remediation.

Secret scanning alerts can have the following labels assigned to them. Depending on the labels assigned, you'll see additional information in the alert view.

LabelDescriptionAlert view information
public leakThe secret detected in your repository has also been found as publicly leaked by at least one of GitHub's scans of code, discussions, gists, issues, pull requests, and wikis. This may require you to address the alert with greater urgency, or remediate the alert differently compared to a privately exposed token.You'll see links to any specific public locations where the leaked secret has been detected.
multi-repoThe secret detected in your repository has been found across multiple repositories in your organization or enterprise. This information may help you more easily dedupe the alert across your organization or enterprise.If you have appropriate permissions, you'll see links to any specific alerts for the same secret in your organization or enterprise.

Next steps