Managing custom patterns

You can view, edit, and remove custom patterns, as well as enable push protection for custom patterns.

Who can use this feature?

Secret scanning alerts for partners runs automatically on public repositories and public npm packages to notify service providers about leaked secrets on GitHub.

Secret scanning alerts for users are available for user-owned public repositories for free. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. Additionally, secret scanning alerts for users are available and in beta on user-owned repositories for GitHub Enterprise Cloud with Enterprise Managed Users. For more information, see "About secret scanning alerts" and "About GitHub Advanced Security."

For information about how you can try GitHub Advanced Security for free, see "Setting up a trial of GitHub Advanced Security."

Custom patterns are user-defined patterns that you can use to identify secrets that are not detected by the default patterns supported by secret scanning. For more information, see "Defining custom patterns for secret scanning."

At the enterprise level, only the creator of a custom pattern can edit the pattern, and use it in a dry run. There are no similar restrictions for editing custom patterns at repository and organization level.

Editing a custom pattern

When you save a change to a custom pattern, this closes all the secret scanning alerts that were created using the previous version of the pattern.

  1. Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.

  2. Under "Secret scanning", to the right of the custom pattern you want to edit, click the edit (pencil) icon.

  3. When you're ready to test your edited custom pattern, to identify matches without creating alerts, click Save and dry run.

  4. When you have reviewed and tested your changes, click Publish changes.

  5. Optionally, to enable push protection for your custom pattern, click Enable.

    Note:

    • Push protection for custom patterns will only apply to repositories that have secret scanning as push protection enabled. For more information about enabling push protection, see "About push protection."
    • Enabling push protection for commonly found custom patterns can be disruptive to contributors.

    Screenshot of custom pattern page with the button to enable push protection emphasized.

  6. Optionally, to disable push protection for your custom pattern, click Disable.

    Screenshot of the custom pattern page with the button to disable push protection highlighted with a dark orange outline.
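
Saving an edit closes the alerts raised by the previous version of a pattern, and a broad pattern under push protection can block many pushes, so it helps to compare the two versions locally before the dry run. The following is an added example, not GitHub's code: the "acme" token format, both patterns, and the sample lines are constructed for illustration, and Python's `re` engine is only an approximation of GitHub's matcher.

```python
import re

# Constructed sample content: (path, line) pairs standing in for repository files.
SAMPLE = [
    ("deploy/config.yml", "api_token: acme_live_9f8e7d6c5b4a39281706"),
    ("docs/setup.md", "Set acme_live_<your token> in the environment."),
    ("src/client.py", 'TOKEN = "acme_live_0a1b2c3d4e5f60718293"'),
    ("src/client.py", "prefix = 'acme_live_'  # documented token prefix"),
    ("tests/fixtures.py", 'FAKE = "acme_test_00000000000000000000"'),
]

# Hypothetical patterns for a made-up "acme" token format.
OLD = r"acme_(live|test)_\w*"        # previous version: loose, matches bare prefixes
NEW = r"acme_live_[0-9a-f]{20}\b"    # edited version: live tokens of exact length only


def hits(pattern, sample=SAMPLE):
    """Return the set of (path, matched text) pairs the pattern finds."""
    rx = re.compile(pattern)
    return {(path, m.group(0)) for path, line in sample for m in rx.finditer(line)}


def compare(old_pattern, new_pattern, sample=SAMPLE):
    """Summarise how an edited pattern changes the match set."""
    old, new = hits(old_pattern, sample), hits(new_pattern, sample)
    return {
        "dropped": sorted(old - new),  # found only by the previous version
        "added": sorted(new - old),    # found only by the edited version
        "kept": sorted(old & new),     # found by both versions
        "files_hit": len({path for path, _ in new}),  # files a push check would flag
    }


if __name__ == "__main__":
    for key, value in compare(OLD, NEW).items():
        print(f"{key}: {value}")
```

Review the "dropped" entries before publishing: they show what the edited pattern no longer detects, which is either noise you meant to remove or a real secret shape you are about to lose coverage for.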

Removing a custom pattern

When you remove a custom pattern, GitHub gives you the option to close the secret scanning alerts relating to the pattern, or keep these alerts.

  1. Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
  2. To the right of the custom pattern you want to remove, click the delete (trash) icon.
  3. Review the confirmation, and select a method for dealing with any open alerts relating to the custom pattern.
  4. Click Yes, delete this pattern.

Enabling push protection for a custom pattern

You can enable secret scanning as a push protection for custom patterns stored at the enterprise, organization, or repository level.

Enabling push protection for a custom pattern stored in an enterprise

Notes:

  • To enable push protection for custom patterns, secret scanning as push protection needs to be enabled at the enterprise level. For more information, see "About push protection."
  • Enabling push protection for commonly found custom patterns can be disruptive to contributors.

Before enabling push protection for a custom pattern at enterprise level, you must also test your custom patterns using dry runs. You can only perform a dry run on repositories that you have administration access to. If an enterprise owner wants access to perform dry runs on any repository in an organization, they must be assigned the organization owner role. For more information, see "Managing your role in an organization owned by your enterprise."

  1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. On the left side of the page, in the enterprise account sidebar, click Policies.

  4. Under "Policies", click Code security and analysis.

  5. Under "Code security and analysis", click Security features.

  6. Under "Secret scanning", under "Custom patterns", click the edit (pencil) icon for the pattern of interest.

    Note

    At the enterprise level, you can only edit and enable push protection for custom patterns that you created.

  7. To enable push protection for your custom pattern, scroll down to "Push Protection", and click Enable.

    Note

    The option to enable push protection is visible for published patterns only.

    Screenshot of the custom pattern page with the button to enable push protection highlighted with a dark orange outline.

Enabling secret scanning as a push protection in an organization for a custom pattern

Before enabling push protection for a custom pattern at organization level, you must ensure that you enable secret scanning for the repositories that you want to scan in your organization. To enable secret scanning on all repositories in your organization, see "Managing security and analysis settings for your organization."

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Next to the organization, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

    Note

    If your organization is enrolled in the security configurations and global settings public beta, instead of "Code security and analysis", you will see a "Code security" dropdown menu. Select Code security, then click Global settings. For next steps on managing custom patterns for your organization with global settings, see "Configuring global security settings for your organization." For information on enabling push protection for specific custom patterns, reference the following steps.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", under "Custom patterns", click the edit (pencil) icon for the pattern of interest.

  6. To enable push protection for your custom pattern, scroll down to "Push Protection", and click Enable.

    Notes:

    • The option to enable push protection is visible for published patterns only.
    • Push protection for custom patterns will only apply to repositories in your organization that have secret scanning as push protection enabled. For more information, see "About push protection."
    • Enabling push protection for commonly found custom patterns can be disruptive to contributors.

    Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.

Enabling secret scanning as a push protection in a repository for a custom pattern

Before enabling push protection for a custom pattern at repository level, you must define the custom pattern for the repository, and test it in the repository. For more information, see "Defining custom patterns for secret scanning."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", under "Custom patterns", click the edit (pencil) icon for the pattern of interest.

  6. To enable push protection for your custom pattern, scroll down to "Push Protection", and click Enable.

    Note

    The option to enable push protection is visible for published patterns only.

    Screenshot of the "Push protection" section of the custom pattern page. A button, labeled "Enable", is outlined in dark orange.