Skip to main content
All products
Code security

Configuring secret scanning for your repositories

In this article

You can configure how GitHub scans your repositories for leaked secrets and generates alerts.

Who can use this feature

People with admin permissions to a public repository can enable secret scanning for the repository.

Secret scanning alerts for partners runs automatically on public repositories to notify service providers about leaked secrets on GitHub.com.

Secret scanning alerts for users are available for free on all public repositories. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. For more information, see "About secret scanning" and "About GitHub Advanced Security."

Enabling secret scanning alerts for users

You can enable secret scanning alerts for users for any free public repository that you own. Once enabled, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Scroll down to the bottom of the page, and click Enable for secret scanning. If you see a Disable button, it means that secret scanning is already enabled for the repository.

    Screenshot of the "Secret scanning" section of the "Code security and analysis" page, with the "Enable" button highlighted in a dark orange outline.

Enabling secret scanning alerts for users for all your public repositories

You can enable secret scanning alerts for users for all of your public repositories through your personal account settings.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of dropdown menu for the user profile icon. The "Settings" option is highlighted in a dark orange outline.

  2. In the "Security" section of the sidebar, click Code security and analysis.

  3. Under "Code security and analysis", to the right of "Secret scanning", click Disable all or Enable all.

    Screenshot of the setting options for "Secret scanning" on the personal account settings page. The options "Enable all" and "Disable all" are highlighted with an orange outline

  4. Optionally, to automatically enable secret scanning for any new public repositories that you create, below "Secret scanning", select the checkbox for "Automatically enable for new public repositories."

    Screenshot of the setting options for "Secret scanning" on the personal account settings page. The option "Automatically enable for new public repositories" is highlighted with an orange outline

Excluding directories from secret scanning alerts for users

You can configure a secret_scanning.yml file to exclude directories from secret scanning. For example, you can exclude directories that contain tests or randomly generated content.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Above the list of files, using the Add file drop-down, click Create new file. "Create new file" in the "Add file" dropdown

  3. In the file name field, type .github/secret_scanning.yml.

  4. Under Edit new file, type paths-ignore: followed by the paths you want to exclude from secret scanning.

    paths-ignore:
  - "foo/bar/*.js"

    You can use special characters, such as * to filter paths. For more information about filter patterns, see "Workflow syntax for GitHub Actions."

    Notes:

    • If there are more than 1,000 entries in paths-ignore, secret scanning will only exclude the first 1,000 directories from scans.
    • If secret_scanning.yml is larger than 1 MB, secret scanning will ignore the entire file.

You can also ignore individual alerts from secret scanning. For more information, see "Managing alerts from secret scanning."