
Responsible detection of generic secrets with Copilot secret scanning

Learn how Copilot secret scanning uses AI responsibly to scan for unstructured secrets, such as passwords, and create alerts for them.

Who can use this feature?

Copilot secret scanning is available for the following repository types:

About generic secret detection with Copilot secret scanning

Copilot secret scanning's generic secret detection is an AI-powered expansion of secret scanning that identifies unstructured secrets (passwords) in your source code and then generates an alert.

Note

You do not need a GitHub Copilot subscription to use generic secret detection in Copilot secret scanning. Copilot secret scanning features are available for repositories owned by organizations and enterprises that have a GitHub Secret Protection license.

GitHub Secret Protection users can already receive secret scanning alerts for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable by pattern matching. Copilot secret scanning uses large language models (LLMs) to identify this type of secret.

When a password is detected, an alert is displayed in the "Generic" list of secret scanning alerts (under the Security tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix.

For GitHub Enterprise Cloud users, enterprise owners must first set a policy at the enterprise level that controls whether generic secret detection can be enabled and disabled for repositories in the enterprise's organizations. By default, this policy is set to "Allowed". The feature must then be enabled for repositories and organizations.

Input processing

Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the LLM along with a meta prompt asking the LLM to find passwords within the scope of the input. The user does not interact with the LLM directly.

The system scans for passwords using the LLM. No additional data is collected by the system, other than what is already collected by the existing secret scanning feature.

Output and display

The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.

These detected strings are surfaced as alerts on the secret scanning alerts page, but they are displayed in an additional list that is separate from regular secret scanning alerts. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. For information on how to view alerts for generic secrets, see "Viewing and filtering secret scanning alerts".

Improving the performance of generic secret detection

To improve the performance of generic secret detection, we recommend closing false positive alerts appropriately.

Verify the accuracy of alerts and close as appropriate

Since Copilot secret scanning's generic secret detection may generate more false positives than the existing secret scanning feature for partner patterns, it's important that you review the accuracy of these alerts. When you verify that an alert is a false positive, be sure to close the alert and mark the reason as "False positive" in the GitHub UI. The GitHub development team will use information on false positive volume and detection locations to improve the model. GitHub does not have access to the secret literals themselves.

Limitations of generic secret detection

When using Copilot secret scanning's generic secret detection, you should consider the following limitations.

Limited scope

Generic secret detection currently only looks for instances of passwords in git content. The feature does not look for other types of generic secrets, and it does not look for secrets in non-git content, such as GitHub Issues.

Potential for false positive alerts

Generic secret detection may generate more false positive alerts than the existing secret scanning feature (which detects partner patterns and has a very low false positive rate). To mitigate this additional noise, alerts are grouped in a separate list from partner pattern alerts, and security managers and maintainers should triage each alert to verify its accuracy.

Potential for incomplete reporting

Generic secret detection may miss instances of credentials checked into a repository. The LLM will improve over time. You retain ultimate responsibility for ensuring the security of your code.

Limitations by design

Generic secret detection has the following limitations by design:

  • Copilot secret scanning will not detect secrets that are obviously fake or test passwords, or passwords with low entropy.
  • Copilot secret scanning will only detect a maximum of 100 passwords per push.
  • If five or more detected secrets within a single file are marked as false positive, Copilot secret scanning will stop generating new alerts for that file.
  • Copilot secret scanning does not detect secrets in generated or vendored files.
  • Copilot secret scanning does not detect secrets in encrypted files.
  • Copilot secret scanning does not detect secrets in the following file types: SVG, PNG, JPEG, CSV, TXT, SQL, or ITEM.
  • Copilot secret scanning does not detect secrets in test code. Copilot secret scanning skips detections when both of the following conditions are met:
    • The file path contains "test", "mock", or "spec", AND
    • The file extension is .cs, .go, .java, .js, .kt, .php, .py, .rb, .scala, .swift, or .ts.

Evaluation of generic secret detection

Generic secret detection has been subject to Responsible AI Red Teaming, and GitHub will continue to monitor the efficacy and safety of the feature over time.
