This guide assumes that you have planned and started a trial of GitHub Advanced Security for an existing or trial GitHub enterprise account, see Planning a trial of GitHub Advanced Security.
Introduction
Secret scanning features work the same way in private and internal repositories with GitHub Advanced Security enabled as they do in all public repositories. This article focuses on the additional functionality that you can use to protect your business from security leaks when you use GitHub Advanced Security, that is:
- Identify additional access tokens you use.
- Detect potential passwords using AI.
- Control and audit the bypass process for push protection.
- Enable validity checks for exposed tokens.
Security configuration for secret scanning
Most enterprises choose to enable secret scanning and push protection across all their repositories by applying security configurations with these features enabled. This ensures that repositories are checked for access tokens that have already been added to GitHub, in addition to flagging when users are about to leak tokens in GitHub. For information about creating an enterprise-level security configuration and applying it to your test repositories, see Enabling security features in your trial enterprise.
Provide access to view the results of secret scanning
By default, only the repository administrator and the organization owner can view all secret scanning alerts in their area. You should assign the predefined security manager role to all organization teams and users who you want to access the alerts found during the trial. You may also want to give the enterprise account owner this role for each organization in the trial. For more information, see Managing security managers in your organization.
You can see a summary of any results found in the organizations in your trial enterprise in the Code security tab for the enterprise. There are also separate views for each type of security alert, see Viewing security insights.
Identify additional access tokens
You can create custom patterns to identify additional access tokens at the repository, organization, and enterprise level. In most cases, you should define custom patterns at the enterprise level because this will ensure that the patterns are used across the whole enterprise. It will also make them easy to maintain if you need to update a pattern when the format for a token changes.
Once you have created and published custom patterns, both secret scanning and push protection automatically include the new patterns in all scans. For detailed information about creating custom patterns, see Defining custom patterns for secret scanning.
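A custom pattern is built from a secret format plus the text expected before and after the secret, optionally narrowed by "must match" and "must not match" requirements. The following added example, which is not GitHub's scanner and not part of the original guide, emulates that structure locally so you can check a candidate pattern against sample text before publishing it. The token format acme_ followed by 32 alphanumerics, the pattern name, and the sample file contents are all constructed for illustration; the before/after defaults mirror the documented ones written in Python's re dialect.

```python
"""Emulate a secret scanning custom pattern locally.

Added example for this guide; not GitHub's own scanner. The token format
`acme_<32 alphanumerics>` and SAMPLE are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomPattern:
    """The four regex parts a custom pattern is assembled from."""
    name: str
    secret_format: str
    # Defaults mirror the documented defaults (`\A|[^0-9A-Za-z]` and
    # `\z|[^0-9A-Za-z]`), using Python's `\Z` for end-of-string.
    before_secret: str = r"\A|[^0-9A-Za-z]"
    after_secret: str = r"\Z|[^0-9A-Za-z]"
    must_match: tuple[str, ...] = ()      # every regex here must match the secret
    must_not_match: tuple[str, ...] = ()  # no regex here may match the secret

    def regex(self) -> re.Pattern:
        # The "after" part is a lookahead so it is not consumed by the match.
        return re.compile(
            f"(?:{self.before_secret})(?P<secret>{self.secret_format})(?={self.after_secret})"
        )


def find_secrets(text: str, pattern: CustomPattern) -> list[tuple[int, str]]:
    """Return (line_number, secret) for each match that passes the requirements."""
    rx = pattern.regex()
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in rx.finditer(line):
            secret = m.group("secret")
            if not all(re.search(r, secret) for r in pattern.must_match):
                continue
            if any(re.search(r, secret) for r in pattern.must_not_match):
                continue
            hits.append((lineno, secret))
    return hits


# Hypothetical internal token format (constructed, not a real provider format).
ACME_TOKEN = CustomPattern(
    name="Acme API token (hypothetical)",
    secret_format=r"acme_[A-Za-z0-9]{32}",
    must_match=(r"[0-9]",),                       # real tokens contain digits
    must_not_match=(r"(?i)example|placeholder|x{4}",),  # skip obvious dummies
)

# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed config file, not real credentials
ACME_API_TOKEN=acme_Ab3dEf9hIj2kLm5nOp8qRs1tUv4wXy7z
# acme_exampleexampleexampleexampleexam  <- word-only placeholder, ignored
export OTHER=acme_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
url=https://acme.example/acme_Zz1Yy2Xx3Ww4Vv5Uu6Tt7Ss8Rr9Qq0Pp
"""

if __name__ == "__main__":
    for lineno, secret in find_secrets(SAMPLE, ACME_TOKEN):
        # Print only a prefix so a real hit is never echoed in full.
        print(f"line {lineno}: {ACME_TOKEN.name}: {secret[:9]}...")
```

Lines 3 and 4 of the sample match the raw format but are dropped by the additional requirements, which is the same mechanism you would use in GitHub to keep a broad token format from flagging documentation placeholders.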
Use AI to detect potential passwords
At the enterprise level you have full control over whether or not to allow the use of AI to detect secrets that cannot be identified using regular expressions (also known as generic secrets or as non-provider patterns).
- Turn the feature on or off for the whole enterprise.
- Set a policy to block control of the feature at the organization and repository level.
- Set a policy to allow organization owners or repository administrators to control the feature.
Similar to custom patterns, if you enable AI detection both secret scanning and push protection automatically start using AI detection in all scans. For information about enterprise-level control, see Configuring additional secret scanning settings for your enterprise and Enforcing policies for code security and analysis for your enterprise.
Control and audit the bypass process
When push protection blocks a push to GitHub in a public repository without GitHub Advanced Security, the user has two simple options: bypass the control, or remove the highlighted content from the branch and its history. If they choose to bypass push protection, a secret scanning alert is automatically created. This allows developers to rapidly unblock their work while still providing an audit trail for the content identified by secret scanning.
Larger teams usually want to maintain tighter control over the potential publication of access tokens and other secrets. With GitHub Advanced Security, you can define a reviewers group to approve requests to bypass push protection, reducing the risk of a developer accidentally leaking a token that is still active. Reviewers are defined in an organization-level security configuration or in the settings for a repository. For more information, see About delegated bypass for push protection.
Enable validity checks
You can enable validity checks, which test whether detected tokens are still active, at the repository, organization, and enterprise level. Generally, it is worth enabling this feature across the whole enterprise using enterprise or organization-level security configurations. For more information, see Enabling validity checks for your repository.
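The bypass audit trail described under "Control and audit the bypass process" and the validity status from this section land on the same secret scanning alert objects, so a trial team typically reviews them together. The following added example, which is not GitHub's own tooling and not part of this guide, triages a list of alerts shaped like the objects returned by the REST endpoint GET /orgs/{org}/secret-scanning/alerts. ALERTS is a constructed sample containing only the fields the code reads (number, secret_type, state, validity, push_protection_bypassed, push_protection_bypassed_by, push_protection_bypassed_at, resolution); the organization, repository, and user names in it are placeholders.

```python
"""Triage secret scanning alerts by validity and push protection bypass.

Added example for this guide, not GitHub's own tooling. ALERTS is a
constructed sample shaped like `GET /orgs/{org}/secret-scanning/alerts`
responses; logins and repository names are placeholders.
"""
from collections import Counter, defaultdict

ALERTS = [
    {"number": 1, "secret_type": "github_personal_access_token", "state": "open",
     "validity": "active", "push_protection_bypassed": True,
     "push_protection_bypassed_by": {"login": "dev-a"},
     "push_protection_bypassed_at": "2024-05-01T10:00:00Z"},
    {"number": 2, "secret_type": "github_personal_access_token", "state": "open",
     "validity": "inactive", "push_protection_bypassed": True,
     "push_protection_bypassed_by": {"login": "dev-b"},
     "push_protection_bypassed_at": "2024-05-02T09:30:00Z"},
    {"number": 3, "secret_type": "generic_password", "state": "open",
     "validity": "unknown", "push_protection_bypassed": False,
     "push_protection_bypassed_by": None,
     "push_protection_bypassed_at": None},
    {"number": 4, "secret_type": "github_personal_access_token", "state": "resolved",
     "resolution": "revoked", "validity": "inactive",
     "push_protection_bypassed": False,
     "push_protection_bypassed_by": None,
     "push_protection_bypassed_at": None},
]


def needs_review(alert: dict) -> bool:
    """An open alert for a still-active token that reached the repository
    through a push protection bypass is the highest-priority case."""
    return (
        alert["state"] == "open"
        and alert.get("validity") == "active"
        and bool(alert.get("push_protection_bypassed"))
    )


def triage(alerts: list[dict]) -> dict:
    """Summarize open alerts by validity, group bypasses by user, and list
    alert numbers that need immediate follow-up."""
    open_by_validity = Counter(
        a.get("validity", "unknown") for a in alerts if a["state"] == "open"
    )
    bypassed_by: dict[str, list[int]] = defaultdict(list)
    for a in alerts:
        if a.get("push_protection_bypassed") and a.get("push_protection_bypassed_by"):
            bypassed_by[a["push_protection_bypassed_by"]["login"]].append(a["number"])
    urgent = sorted(a["number"] for a in alerts if needs_review(a))
    return {
        "open_by_validity": dict(open_by_validity),
        "bypassed_by": dict(bypassed_by),
        "urgent": urgent,
    }


if __name__ == "__main__":
    summary = triage(ALERTS)
    print("open alerts by validity:", summary["open_by_validity"])
    print("push protection bypasses by user:", summary["bypassed_by"])
    print("alerts to rotate and revoke first:", summary["urgent"])
```

Against a live organization you would page through the endpoint with a token that has security events read access and feed the combined list to triage; the same fields are what the security manager role lets a reviewer see in the Code security tab.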
Next steps
When you have enabled the additional controls for secret scanning available with GitHub Advanced Security, you're ready to test them against your business needs, and explore further. You may also be ready to look into trialing code scanning.