Über „secret scanning" (Durchsuchen nach Geheimnissen)

Wenn Dein Projekt mit einem externen Dienst kommuniziert, verwende allenfalls ein Token oder einen privaten Schlüssel für die Authentifizierung. Token und private Schlüssel sind Beispiele für Geheimnisse, die ein Dienstanbieter ausstellen kann. Wenn Du ein Geheimnis in ein Repository einfügst, kann jedermann mit Lesezugriff auf das Repository das Geheimnis verwenden, um mit Deinen Privilegien auf den externen Dienst zuzugreifen. Wir empfehlen, dass Du Geheimnisse an einem dedizierten, sicheren Ort außerhalb Deines Projekt-Repositorys speicherst. Service providers can partner with

GitHub to provide their secret formats for scanning. For more information, see "Secret scanning."

If someone checks a secret from a GitHub partner into a public or private repository on GitHub, secret scanning catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.

Informationen über secret scanning für öffentliche Repositorys

Secret scanning is automatically enabled on public repositories. Wenn Du in ein öffentliches Repository überträgst, wird GitHub den Inhalt des Commit auf Geheimnisse durchsuchen. Wenn Du ein privates Repository auf öffentlich umstellst, wird GitHub das gesamte Repository nach Geheimnissen durchsuchen.

Wenn secret scanning einen Satz von Anmeldeinformationen erkennt, benachrichtigen wir den Dienstanbieter, der das Geheimnis ausgegeben hat. Der Dienstanbieter prüft die Anmeldeinformationen und entscheidet dann, ob er das Geheimnis widerrufen, ein neues Geheimnis ausstellen oder sich direkt an Dich wenden soll, was von den damit verbundenen Risiken für Dich oder den Dienstleister abhängt. For an overview of how we work with token-issuing partners, see "Secret scanning."

GitHub durchsucht derzeit öffentliche Repositorys nach Geheimnissen, die von den folgenden Dienstanbietern veröffentlicht wurden.

Partner	Supported secret
Adafruit IO	Adafruit IO Key
Alibaba Cloud	Alibaba Cloud Access Key ID and Access Key Secret pair
Amazon Web Services (AWS)	Amazon AWS Access Key ID and Secret Access Key pair
Atlassian	Atlassian API Token
Atlassian	Atlassian JSON Web Token
Azure	Azure DevOps Personal Access Token
Azure	Azure SAS Token
Azure	Azure Service Management Certificate
Azure	Azure SQL Connection String
Azure	Azure Storage Account Key
Clojars	Clojars Deploy Token
CloudBees CodeShip	CloudBees CodeShip Credential
Databricks	Databricks Access Token
Datadog	Datadog API Key
Discord	Discord Bot Token
Doppler	Doppler Personal Token
Doppler	Doppler Service Token
Doppler	Doppler CLI Token
Doppler	Doppler SCIM Token
Dropbox	Dropbox Access Token
Dropbox	Dropbox Short Lived Access Token
Dynatrace	Dynatrace Access Token
Dynatrace	Dynatrace Internal Token
Finicity	Finicity App Key
Frame.io	Frame.io JSON Web Token
Frame.io	Frame.io Developer Token
GitHub	GitHub SSH Private Key
GitHub	GitHub Personal Access Token
GitHub	GitHub App Installation Access Token
GoCardless	GoCardless Live Access Token
GoCardless	GoCardless Sandbox Access Token
Google Cloud	Google API Key
Google Cloud	Google Cloud Private Key ID
Hashicorp Terraform	Terraform Cloud / Enterprise API Token
Hubspot	Hubspot API Key
Mailchimp	Mailchimp API Key
Mailchimp	Mandrill API Key
Mailgun	Mailgun API Key
MessageBird	MessageBird API Key
npm	npm Access Token
NuGet	NuGet API Key
Palantir	Palantir JSON Web Token
Plivo	Plivo Auth Token
Postman	Postman API Key
Proctorio	Proctorio Consumer Key
Proctorio	Proctorio Linkage Key
Proctorio	Proctorio Registration Key
Proctorio	Proctorio Secret Key
Pulumi	Pulumi Access Token
Samsara	Samsara API Token
Samsara	Samsara OAuth Access Token
Shopify	Shopify App Shared Secret
Shopify	Shopify Access Token
Shopify	Shopify Custom App Access Token
Shopify	Shopify Private App Password
Slack	Slack API Token
Slack	Slack Incoming Webhook URL
Slack	Slack Workflow Webhook URL
SSLMate	SSLMate API Key
SSLMate	SSLMate Cluster Secret
Stripe	Stripe Live API Secret Key
Stripe	Stripe Test API Secret Key
Stripe	Stripe Live API Restricted Key
Stripe	Stripe Test API Restricted Key
Tencent Cloud	Tencent Cloud Secret ID
Twilio	Twilio Account String Identifier
Twilio	Twilio API Key

Informationen zu secret scanning für private Repositorys

If you're a repository administrator or an organization owner, you can enable secret scanning for private repositories that are owned by organizations. You can enable secret scanning for all your repositories, or for all new repositories within your organization. Secret scanning is not available for user-owned private repositories. For more information, see "Managing security and analysis settings for your repository" and "Managing security and analysis settings for your organization."

When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets.

When secret scanning detects a secret in a private repository, GitHub sends alerts.

• GitHub sendet E-Mail-Warnungen zu den Repository-Administratoren und den Organisations-Inhabern.

• GitHub zeigt eine Warnung im Repository an. Weitere Informationen findest Du unter „Warnungen von secret scanning verwalten."

Repository administrators and organization owners can grant users and teams access to secret scanning alerts. For more information, see "Managing security and analysis settings for your repository."

To monitor results from secret scanning across your private repositories or your organization, you can use the secret scanning API. For more information about API endpoints, see "Secret scanning."

GitHub currently scans private repositories for secrets issued by the following service providers.

Partner	Supported secret	API slug
–	JSON Web Token	json_web_token
–	OAuth Client Credential	api_credential_assignment
Adafruit IO	Adafruit IO Key	adafruit_io_key
Alibaba Cloud	Alibaba Cloud Access Key ID	alibaba_cloud_access_key_id
Alibaba Cloud	Alibaba Cloud Access Key Secret	alibaba_cloud_access_key_secret
Amazon Web Services (AWS)	Amazon AWS Access Key ID	aws_access_key_id
Amazon Web Services (AWS)	Amazon AWS Secret Access Key	aws_secret_access_key
Atlassian	Atlassian API Token	atlassian_api_token
Atlassian	Atlassian JSON Web Token	atlassian_jwt
Azure	Azure DevOps Personal Access Token	azure_devops_personal_access_token
Azure	Azure SAS Token	azure_sas_token
Azure	Azure Service Management Certificate	azure_management_certificate
Azure	Azure SQL Connection String	azure_sql_connection_string
Azure	Azure Storage Account Key	azure_storage_account_key
Clojars	Clojars Deploy Token	clojars_deploy_token
CloudBees CodeShip	CloudBees CodeShip Credential	codeship_credential
Databricks	Databricks Access Token	databricks_access_token
Discord	Discord Bot Token	discord_bot_token
Doppler	Doppler Personal Token	doppler_personal_token
Doppler	Doppler Service Token	doppler_service_token
Doppler	Doppler CLI Token	doppler_cli_token
Doppler	Doppler SCIM Token	doppler_scim_token
Dropbox	Dropbox Access Token	dropbox_access_token
Dropbox	Dropbox Short Lived Access Token	dropbox_short_lived_access_token
Dynatrace	Dynatrace Access Token	dynatrace_access_token
Dynatrace	Dynatrace Internal Token	dynatrace_internal_token
Finicity	Finicity App Key	finicity_app_key
Frame.io	Frame.io JSON Web Token	frameio_jwt
Frame.io	Frame.io Developer Token	frameio_developer_token
GitHub	GitHub SSH Private Key	github_ssh_private_key
GitHub	GitHub Personal Access Token	github_personal_access_token
GitHub	GitHub App Installation Access Token	github_app_installation_access_token
GoCardless	GoCardless Live Access Token	gocardless_live_access_token
GoCardless	GoCardless Sandbox Access Token	gocardless_sandbox_access_token
Google Cloud	Google API Key	google_api_key
Google Cloud	Google Cloud Private Key ID	google_cloud_private_key_id
Hashicorp Terraform	Terraform Cloud / Enterprise API Token	terraform_api_token
Hubspot	Hubspot API Key	hubspot_api_key
Mailchimp	Mailchimp API Key	mailchimp_api_key
Mailgun	Mailgun API Key	mailgun_api_key
npm	npm Access Token	npm_access_token
NuGet	NuGet API Key	nuget_api_key
Palantir	Palantir JSON Web Token	palantir_jwt
Postman	Postman API Key	postman_api_key
Proctorio	Proctorio Consumer Key	proctorio_consumer_key
Proctorio	Proctorio Linkage Key	proctorio_linkage_key
Proctorio	Proctorio Registration Key	proctorio_registration_key
Proctorio	Proctorio Secret Key	proctorio_secret_key
Pulumi	Pulumi Access Token	pulumi_access_token
Samsara	Samsara API Token	samsara_api_token
Samsara	Samsara OAuth Access Token	samsara_oauth_access_token
Shopify	Shopify App Shared Secret	shopify_app_shared_secret
Shopify	Shopify Access Token	shopify_access_token
Shopify	Shopify Custom App Access Token	shopify_custom_app_access_token
Shopify	Shopify Private App Password	shopify_private_app_password
Slack	Slack API Token	slack_api_token
Slack	Slack Incoming Webhook URL	slack_incoming_webhook_url
Slack	Slack Workflow Webhook URL	slack_workflow_webhook_url
SSLMate	SSLMate API Key	sslmate_api_key
SSLMate	SSLMate Cluster Secret	sslmate_cluster_secret
Stripe	Stripe API Key	stripe_api_key
Stripe	Stripe Live API Secret Key	stripe_live_secret_key
Stripe	Stripe Test API Secret Key	stripe_test_secret_key
Stripe	Stripe Live API Restricted Key	stripe_live_restricted_key
Stripe	Stripe Test API Restricted Key	stripe_test_restricted_key
Tencent Cloud	Tencent Cloud Secret ID	tencent_cloud_secret_id
Twilio	Twilio Account String Identifier	twilio_account_sid
Twilio	Twilio API Key	twilio_api_key

Weiterführende Informationen

• "About securing your repository"
• "Keeping your account and data secure"