Skip to main content

비밀 검사 경고 정보

다양한 유형의 비밀 검사 경고에 대해 알아봅니다.

누가 이 기능을 사용할 수 있나요?

리포지토리 소유자, 조직 소유자, 보안 관리자 및 관리자 역할이 있는 사용자

Secret scanning은(는) 다음 리포지토리에 사용할 수 있습니다.

  • 퍼블릭 리포지토리(무료)
  • GitHub Advanced Security 지원가 있는 GitHub Enterprise Cloud에 대한 사용자 소유 리포지토리

About types of alerts

There are three types of secret scanning alerts:

  • User alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.
  • Push protection alerts: Reported to users in the Security tab of the repository, when a contributor bypasses push protection.
  • Partner alerts: Reported directly to secret providers that are part of secret scanning's partner program. These alerts are not reported in the Security tab of the repository.

About user alerts

When GitHub detects a supported secret in a repository that has secret scanning enabled, a user alert is generated and displayed in the Security tab of the repository.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

About push protection alerts

Push protection scans pushes for supported secrets. If push protection detects a supported secret, it will block the push. When a contributor bypasses push protection to push a secret to the repository, a push protection alert is generated and displayed in the Security tab of the repository. To see all push protection alerts for a repository, you must filter by bypassed: true on the alerts page. For more information, see Viewing and filtering alerts from secret scanning.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

Note

You can also enable push protection for your personal account, called "push protection for users", which prevents you from accidentally pushing supported secrets to any public repository. Alerts are not created if you choose to bypass your user-based push protection only. Alerts are only created if the repository itself has push protection enabled. For more information, see Push protection for users.

Older versions of certain tokens may not be supported by push protection as these tokens may generate a higher number of false positives than their most recent version. Push protection may also not apply to legacy tokens. For tokens such as Azure Storage Keys, GitHub only supports recently created tokens, not tokens that match the legacy patterns. For more information about push protection limitations, see Troubleshooting secret scanning.

About partner alerts

When GitHub detects a leaked secret in a public repository or npm package, an alert is sent directly to the secret provider, if they are part of GitHub's secret scanning partner program. For more information about secret scanning alerts for partners, see Secret scanning partner program and Supported secret scanning patterns.

Partner alerts are not sent to repository administrators, so you do not need to take any action for this type of alert.

Next steps

Further reading