Enabling validity checks for your repository

Enabling validity checks on your repository helps you prioritize the remediation of alerts as it tells you if a secret is active or inactive.

Who can use this feature?

Validity checks for partner patterns is available on all types of repositories on GitHub. To use this feature, you must have a license for GitHub Advanced Security.

In this article

About validity checks

You can enable validity checks for secrets identified as service provider tokens for your repository. Once enabled, GitHub will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of GitHub's secret scanning partnership program. To find out about our partner program, see "Secret scanning partner program."

GitHub displays the validation status of the secret in the alert view, so you can see if the secret is active, inactive, or if the validation status is unknown. You can optionally perform an "on-demand" validity check for the secret in the alert view.

You can additionally choose to enable validity checks for partner patterns. Once enabled, GitHub will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of GitHub's formal secret scanning partnership program. GitHub typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.

GitHub displays the validation status of the secret in the alert view.

You can filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on.

Note

GitHub typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.

For more information on using validity checks, see "Evaluating alerts from secret scanning."

Enabling validity checks

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under Secret scanning, select the checkbox next to "Automatically verify if a secret is valid by sending it to the relevant partner".

You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see "REST API endpoints for repositories."

Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise settings. For more information on enabling at the organization-level, see "Creating a custom security configuration." For more information on enabling at the enterprise-level, see "Managing GitHub Advanced Security features for your enterprise" and "REST API endpoints for enterprise code security and analysis."

Further reading