Introduction to secret scanning

GitHub scans repositories for known types of secrets, such as API keys and authentication tokens, to prevent fraudulent use of secrets that were committed accidentally. In this GitHub Skills course, you will learn how to enable secret scanning to identify secrets and prevent them from being committed to your repository.

Finish 🏆

Congratulations friend, you've completed this course!

Here's a recap of all the tasks you've accomplished in your repository:

  • Enabled secret scanning if your repository has private or internal visibility
  • Committed a secret to the repository
  • Reviewed secrets that have been identified by secret scanning
  • Closed a secret scanning alert
  • Enabled secret scanning push protection to prevent secrets from being written to the repository (required only for private or internal repositories)
  • Attempted to commit a secret, but had that commit stopped by push protection
  • Bypassed push protection

It's important to note that secret scanning capabilities are available for free for all public repositories. Customers who want to enable secret scanning on private repositories should find out more about GitHub Advanced Security or set up a trial of GitHub Advanced Security.

In addition to the features you worked with here, GitHub Advanced Security also provides the following features:

  • Custom secret scanning patterns
  • Non-partner and generic patterns, including passwords, RSA and SSH keys, and database connection strings
  • Code scanning with CodeQL
  • Security Overview
  • Supply chain security capabilities

What's next?

Get help: Post in our discussion board • Review the GitHub status page

© 2023 GitHub • Code of Conduct • MIT License