
Evaluating alerts from secret scanning

Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret's validity.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

About evaluating alerts

Several additional features can help you evaluate alerts so that you can prioritize and manage them more effectively. You can:

Checking a secret's validity

Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.

By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.

Organizations using GitHub Team or GitHub Enterprise Cloud with a license for GitHub Secret Protection can also enable validity checks for partner patterns. For more information, see Checking a secret's validity.

| Validity check | Status | Result |
| --- | --- | --- |
| Active secret | active | GitHub checked with this secret's provider and found that the secret is active. |
| Possibly active secret | unknown | GitHub does not yet support validity checks for this token type. |
| Possibly active secret | unknown | GitHub could not verify this secret. |
| Inactive secret | inactive | You should check that unauthorized access has not already occurred. |

Validity checks for partner patterns are available in the following repository types:

• Organization-owned repositories on GitHub Team or GitHub Enterprise Cloud with [GitHub Secret Protection](/get-started/learning-about-github/about-github-advanced-security) enabled

Validity checks for partner patterns are not available for GHE.com on GitHub Enterprise Cloud with data residency.

For information on how to enable validity checks for partner patterns, see Enabling validity checks for your repository, and for information on which partner patterns are currently supported, see Supported secret scanning patterns.

You can use the REST API to retrieve the most recent validation status for each of your tokens. For more information, see REST API endpoints for secret scanning in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in Webhook events and payloads.

Asking GitHub Copilot Chat about secret scanning alerts

With a GitHub Copilot Enterprise license, you can ask Copilot Chat for help to better understand security alerts, including secret scanning alerts, in repositories in your organization. For more information, see Asking GitHub Copilot questions in GitHub.

Performing an on-demand validity check

Once you have enabled validity checks for partner patterns for your repository, you can perform an "on-demand" validity check for any supported secret by clicking Verify secret in the alert view. GitHub will send the pattern to the relevant partner and display the validation status of the secret in the alert view.

Screenshot of the UI showing a secret scanning alert. A button, labeled "Verify secret" is highlighted with an orange outline.

Reviewing GitHub token metadata

Note

Metadata for GitHub tokens is currently in public preview and subject to change.

In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.

Tokens, such as personal access tokens and other credentials, are considered personal information. For more information about using GitHub tokens, see GitHub's Privacy Statement and Acceptable Use Policies.

Screenshot of the UI for a GitHub token, showing the token metadata.

Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:

| Metadata | Description |
| --- | --- |
| Secret name | The name given to the GitHub token by its creator |
| Secret owner | The GitHub handle of the token's owner |
| Created on | Date the token was created |
| Expired on | Date the token expired |
| Last used on | Date the token was last used |
| Access | Whether the token has organization access |

Only users with admin access to the repository containing the leaked secret can view the security alert details and token metadata for the alert. Enterprise owners can request temporary access to the repository for this purpose. If access is granted, GitHub will notify the owner of the repository containing the leaked secret, report the action in the repository owner and enterprise audit logs, and enable access for 2 hours. For more information, see Accessing user-owned repositories in your enterprise.

Reviewing extended metadata for a token

Note

Extended metadata checks for tokens are in public preview and subject to change.

In the view for an active GitHub token alert, you can see extended metadata information, such as owner and contact details.

The following table shows all the available metadata. Note that metadata checks are currently limited to OpenAI API, Google OAuth, and Slack tokens, and the metadata shown for each token may represent only a subset of what exists.

| Metadata type | Description |
| --- | --- |
| Owner ID | Provider's unique identifier for the user or service account that owns the secret |
| Owner name | Human-readable username or display name of the secret's owner |
| Owner email | Email address associated with the owner |
| Org name | Name of the organization / workspace / project the secret belongs to |
| Org ID | Provider's unique identifier for that organization |
| Secret issued date | Timestamp when the secret (token or key) was created or most recently issued |
| Secret expiry date | Timestamp when the secret is scheduled to expire |
| Secret name | Human-assigned display name or label for the secret |
| Secret ID | Provider's unique identifier for the secret |

Reviewing alert labels

In the alert view, you can review any labels assigned to the alert. The labels provide additional details about the alert, which can inform the approach you take for remediation.

Secret scanning alerts can have the following labels assigned to them. Depending on the labels assigned, you'll see additional information in the alert view.

| Label | Description | Alert view information |
| --- | --- | --- |
| public leak | The secret detected in your repository has also been found as publicly leaked by at least one of GitHub's scans of code, discussions, gists, issues, pull requests, and wikis. This may require you to address the alert with greater urgency, or remediate the alert differently compared to a privately exposed token. | You'll see links to any specific public locations where the leaked secret has been detected. |
| multi-repo | The secret detected in your repository has been found across multiple repositories in your organization or enterprise. This information may help you more easily dedupe the alert across your organization or enterprise. | If you have appropriate permissions, you'll see links to any specific alerts for the same secret in your organization or enterprise. |
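Taken together, the validity status and the two labels above give a simple remediation order: active before unknown before inactive, with publicly leaked and multi-repo secrets first within each group. The script below is an added example (not GitHub's or this documentation's own code) that applies this order to alerts in the shape returned by the REST endpoint GET /repos/{owner}/{repo}/secret-scanning/alerts; the field names validity, publicly_leaked and multi_repo are assumed, and the input is a constructed sample rather than a live API call.

```python
"""Triage secret scanning alerts by validity and labels.

Added example, not GitHub's own code. Assumes the alert objects returned by
GET /repos/{owner}/{repo}/secret-scanning/alerts carry "validity"
(active/inactive/unknown), "publicly_leaked" and "multi_repo" fields;
treat those names as an assumption and check them against the REST docs.
"""
import json

# Constructed sample response (not real data): four alerts, one already resolved.
SAMPLE_ALERTS_JSON = """[
  {"number": 1, "state": "open", "secret_type": "github_personal_access_token",
   "validity": "inactive", "publicly_leaked": false, "multi_repo": false},
  {"number": 2, "state": "open", "secret_type": "slack_api_token",
   "validity": "active", "publicly_leaked": true, "multi_repo": false},
  {"number": 3, "state": "open", "secret_type": "openai_api_key",
   "validity": "unknown", "publicly_leaked": false, "multi_repo": true},
  {"number": 4, "state": "resolved", "secret_type": "slack_api_token",
   "validity": "active", "publicly_leaked": false, "multi_repo": false}
]"""

# Lower rank = remediate sooner. "unknown" may still be active, so it is
# ranked ahead of a secret the provider confirmed inactive.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

def alert_labels(alert):
    """Labels the alert view would show for this alert."""
    labels = []
    if alert.get("publicly_leaked"):
        labels.append("public leak")
    if alert.get("multi_repo"):
        labels.append("multi-repo")
    return labels

def priority_key(alert):
    """Sort key: validity first, then public leak, then multi-repo spread."""
    return (VALIDITY_RANK.get(alert.get("validity"), 1),  # unrecognised -> unknown
            0 if alert.get("publicly_leaked") else 1,
            0 if alert.get("multi_repo") else 1,
            alert["number"])

def triage(alerts_json):
    """Open alerts ordered for remediation, each with validity and labels."""
    alerts = [a for a in json.loads(alerts_json) if a.get("state") == "open"]
    return [{"number": a["number"], "secret_type": a["secret_type"],
             "validity": a.get("validity", "unknown"), "labels": alert_labels(a)}
            for a in sorted(alerts, key=priority_key)]
```

Resolved alerts are dropped before ranking, so the output only lists what still needs action.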

Next steps