Skip to main content

Enabling secret scanning for non-provider patterns

You can enable secret scanning to detect additional potential secrets at the repository and organization levels.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

Scanning for non-provider patterns is available for the following repositories:

  • Public, private, and internal repositories in organizations using GitHub Enterprise Cloud with GitHub Advanced Security enabled

Enabling scanning for non-provider patterns

You can enable scanning for non-provider patterns. Non-provider patterns correspond to secrets such as private keys and they have a higher ratio of false positives.

For more information about non-provider patterns, see "Supported secret scanning patterns."

Enabling detection of non-provider patterns for a repository

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under Secret scanning, to the right of "Non-provider patterns", click Enable.

Enabling detection of non-provider patterns for an organization

You can enable scanning for non-provider patterns at the organization level using the GitHub-recommended security configuration or by applying a custom security configuration. For more information, see "Applying the GitHub-recommended security configuration in your organization" and "Creating a custom security configuration."

Further reading