🇺🇸English
Secret Scanning
This skill provides procedural guidance for configuring GitHub secret scanning — detecting leaked credentials, preventing secret pushes, defining custom patterns, and managing alerts.
When to Use This Skill
Use this skill when the request involves:
- Enabling or configuring secret scanning for a repository or organization
- Setting up push protection to block secrets before they reach the repository
- Defining custom secret patterns with regular expressions
- Resolving a blocked push from the command line
- Triaging, dismissing, or remediating secret scanning alerts
- Configuring delegated bypass for push protection
- Excluding directories from secret scanning via
secret_scanning.yml
- Understanding alert types (user, partner, push protection)
- Enabling validity checks or extended metadata checks
How Secret Scanning Works
Secret scanning automatically detects exposed credentials across:
- Entire Git history on all branches
- Issue descriptions, comments, and titles (open and closed)
- Pull request titles, descriptions, and comments
- GitHub Discussions titles, descriptions, and comments
- Wikis and secret gists
Availability
| Repository Type | Availability |
|---|
| Public repos | Automatic, free |
| Private/internal (org-owned) | Requires GitHub Secret Protection on Team/Enterprise Cloud |
| User-owned | Enterprise Cloud with Enterprise Managed Users |
Core Workflow — Enable Secret Scanning
Step 1: Enable Secret Protection
- Navigate to repository Settings → Advanced Security
- Click Enable next to "Secret Protection"
- Confirm by clicking Enable Secret Protection
For organizations, use security configurations to enable at scale:
- Settings → Advanced Security → Global settings → Security configurations
Step 2: Enable Push Protection
Push protection blocks secrets during the push process — before they reach the repository.
- Navigate to repository Settings → Advanced Security
- Enable "Push protection" under Secret Protection
Push protection blocks secrets in:
- Command line pushes
- GitHub UI commits
- File uploads
- REST API requests
- REST API content creation endpoints
Step 3: Configure Exclusions (Optional)
Create .github/secret_scanning.yml to auto-close alerts for specific directories:
paths-ignore:
- "docs/**"
- "test/fixtures/**"
- "**/*.example"
Limits:
- Maximum 1,000 entries in
paths-ignore
- File must be under 1 MB
- Excluded paths also skip push protection checks
Best practices:
- Be as specific as possible with exclusion paths
- Add comments explaining why each path is excluded
- Review exclusions periodically — remove stale entries
- Inform the security team about exclusions
Step 4: Enable Additional Features (Optional)
Non-provider patterns — detect private keys, connection strings, generic API keys:
- Settings → Advanced Security → enable "Scan for non-provider patterns"
AI-powered generic secret detection — uses Copilot to detect unstructured secrets like passwords:
- Settings → Advanced Security → enable "Use AI detection"
Validity checks — verify if detected secrets are still active:
- Settings → Advanced Security → enable "Validity checks"
- GitHub periodically tests detected credentials against provider APIs
- Status shown in alert:
active, inactive, or unknown
Extended metadata checks — additional context about who owns a secret:
- Requires validity checks to be enabled first
- Helps prioritize remediation and identify responsible teams
Core Workflow — Resolve Blocked Pushes
When push protection blocks a push from the command line:
Option A: Remove the Secret
If the secret is in the latest commit:
# Remove the secret from the file
# Then amend the commit
git commit --amend --all
git push
If the secret is in an earlier commit:
# Find the earliest commit containing the secret
git log
# Start interactive rebase before that commit
git rebase -i <COMMIT-ID>~1
# Change 'pick' to 'edit' for the offending commit
# Remove the secret, then:
git add .
git commit --amend
git rebase --continue
git push
Option B: Bypass Push Protection
- Visit the URL returned in the push error message (as the same user)
- Select a bypass reason:
- It's used in tests — alert created and auto-closed
- It's a false positive — alert created and auto-closed
- I'll fix it later — open alert created
- Click Allow me to push this secret
- Re-push within 3 hours
Option C: Request Bypass Privileges
If delegated bypass is enabled and you lack bypass privileges:
- Visit the URL from the push error
- Add a comment explaining why the secret is safe
- Click Submit request
- Wait for email notification of approval/denial
- If approved, push the commit; if denied, remove the secret
For detailed bypass and delegated bypass workflows, search references/push-protection.md.
Custom Patterns
Define organization-specific secret patterns using regular expressions.
Quick Setup
- Settings → Advanced Security → Custom patterns → New pattern
- Enter pattern name and regex for secret format
- Add a sample test string
- Click Save and dry run to test (up to 1,000 results)
- Review results for false positives
- Click Publish pattern
- Optionally enable push protection for the pattern
Scopes
Custom patterns can be defined at:
- Repository level — applies to that repo only
- Organization level — applies to all repos with secret scanning enabled
- Enterprise level — applies across all organizations
Copilot-Assisted Pattern Generation
Use Copilot secret scanning to generate regex from a text description of the secret type, including optional example strings.
For detailed custom pattern configuration, search references/custom-patterns.md.
Alert Management
Alert Types
| Type | Description | Visibility |
|---|
| User alerts | Secrets found in repository | Security tab |
| Push protection alerts | Secrets pushed via bypass | Security tab (filter: bypassed: true) |
| Partner alerts | Secrets reported to provider | Not shown in repo (provider-only) |
Alert Lists
- Default alerts — supported provider patterns and custom patterns
- Generic alerts — non-provider patterns and AI-detected secrets (limited to 5,000 per repo)
Remediation Priority
- Rotate the credential immediately — this is the critical action
- Review the alert for context (location, commit, author)
- Check validity status:
active (urgent), inactive (lower priority), unknown
- Remove from Git history if needed (time-intensive, often unnecessary after rotation)
Dismissing Alerts
Dismiss with a documented reason:
- False positive — detected string is not a real secret
- Revoked — credential has already been revoked
- Used in tests — secret is only in test code
For detailed alert types, validity checks, and REST API, search references/alerts-and-remediation.md.
Reference Files
For detailed documentation, load the following reference files as needed:
references/push-protection.md — Push protection mechanics, bypass workflow, delegated bypass, user push protection
- Search patterns:
bypass, delegated, bypass request, command line, REST API, user push protection
references/custom-patterns.md — Custom pattern creation, regex syntax, dry runs, Copilot regex generation, scopes
- Search patterns:
custom pattern, regex, , , , ,
Weekly Installs
266
Repository
github/awesome-copilot
GitHub Stars
26.7K
First Seen
6 days ago
Security Audits
Gen Agent Trust HubPassSocketPassSnykPass
Installed on
gemini-cli244
codex244
opencode240
cursor238
github-copilot237
kimi-cli236
