Using advanced secret scanning and push protection features

Learn how you can customize secret scanning to meet the needs of your company.

Who can use this feature?

Secret scanning is available for organization-owned repositories, and in beta for user-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. For more information, see "About secret scanning alerts" and "About GitHub Advanced Security."

Excluding folders and files from secret scanning

You can customize secret scanning to exclude directories or files from analysis, by configuring a secret_scanning.yml file in your repository.

Non-provider patterns

Secret scanning can also alert you to the potential use of other types of secret in code, for example: HTTP authentication headers, connection strings, and private keys. These non-provider patterns are more difficult to detect reliably so this feature is not enabled by default.

Custom patterns

You can extend the capabilities of secret scanning to search for your own patterns. These custom patterns can range from your service API keys to connection strings into cloud resources.

Delegated bypass for push protection

You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.