About types of alerts
There are two types of secret scanning alerts:
- Secret scanning alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.
- Push protection alerts: Reported to users in the Security tab of the repository, when a contributor bypasses push protection.
About secret scanning alerts
When you enable secret scanning for a repository or push commits to a repository with secret scanning enabled, GitHub scans the contents for secrets that match patterns defined by service providers and any custom patterns defined in your enterprise, organization, or repository.
When secret scanning detects a secret, GitHub generates an alert. GitHub displays an alert in the Security tab of the repository.
To help you triage alerts more effectively, GitHub separates alerts into two lists:
- High confidence alerts.
- Other alerts.
High confidence alerts list
The "High confidence" alerts list displays alerts that relate to supported patterns and specified custom patterns. This list is always the default view for the alerts page.
Other alerts list
The "Other" alerts list displays alerts that relate to non-provider patterns (such as private keys). These types of alerts have a higher rate of false positives.
In addition, alerts that fall into this category:
- Are limited in quantity to 5000 alerts per repository (this includes open and closed alerts).
- Are not shown in the summary views for security overview, only in the "Secret scanning" view.
- Only have the first five detected locations shown on GitHub for non-provider patterns.
For GitHub to scan for non-provider patterns, you must first enable the feature for your repository or organization. For more information, see Enabling secret scanning for non-provider patterns.
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
About push protection alerts
Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the Security tab of the repository. To see all push protection alerts for a repository, you must filter by bypassed: true on the alerts page. For more information, see Viewing and filtering alerts from secret scanning.
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
メモ
Older versions of certain tokens may not be supported by push protection as these tokens may generate a higher number of false positives than their most recent version. Push protection may also not apply to legacy tokens. For tokens such as Azure Storage Keys, GitHub only supports recently created tokens, not tokens that match the legacy patterns. For more information about push protection limitations, see Secret scanning detection scope.