Secret Scanning
This skill provides procedural guidance for configuring GitHub secret scanning — detecting leaked credentials, preventing secret pushes, defining custom patterns, and managing alerts.
When to Use This Skill
Use this skill when the request involves:
- Enabling or configuring secret scanning for a repository or organization
- Setting up push protection to block secrets before they reach the repository
- Defining custom secret patterns with regular expressions
- Resolving a blocked push from the command line
- Triaging, dismissing, or remediating secret scanning alerts
- Configuring delegated bypass for push protection
- Excluding directories from secret scanning via `secret_scanning.yml`
- Understanding alert types (user, partner, push protection)
- Enabling validity checks or extended metadata checks
- Scanning local code changes for secrets before committing (via MCP / AI coding agent) — see the Pre-Commit Scanning via AI Coding Agents section below for the recommended plugin
How Secret Scanning Works
Secret scanning automatically detects exposed credentials across:
- Entire Git history on all branches
- Issue descriptions, comments, and titles (open and closed)
- Pull request titles, descriptions, and comments
- GitHub Discussions titles, descriptions, and comments
- Wikis and secret gists
Availability
| Repository Type | Availability |
|---|---|
| Public repos | Automatic, free |
| Private/internal (org-owned) | Requires GitHub Secret Protection on Team/Enterprise Cloud |
| User-owned | Enterprise Cloud with Enterprise Managed Users |
Core Workflow — Enable Secret Scanning
Step 1: Enable Secret Protection
- Navigate to repository Settings → Advanced Security
- Click Enable next to "Secret Protection"
- Confirm by clicking Enable Secret Protection
For organizations, use security configurations to enable at scale:
- Settings → Advanced Security → Global settings → Security configurations
Step 2: Enable Push Protection
Push protection blocks secrets during the push process — before they reach the repository.
- Navigate to repository Settings → Advanced Security
- Enable "Push protection" under Secret Protection
Push protection blocks secrets in:
- Command line pushes
- GitHub UI commits
- File uploads
- REST API requests
- REST API content creation endpoints
Step 3: Configure Exclusions (Optional)
Create .github/secret_scanning.yml to auto-close alerts for specific directories:
```yaml
paths-ignore:
  # every file under docs/
  - "docs/**"
  # every file under test/fixtures/
  - "test/fixtures/**"
  # any *.example file in any directory
  - "**/*.example"
```
Limits:
- Maximum 1,000 entries in `paths-ignore`
- File must be under 1 MB
- Excluded paths also skip push protection checks
Best practices:
- Be as specific as possible with exclusion paths
- Add comments explaining why each path is excluded
- Review exclusions periodically — remove stale entries
- Inform the security team about exclusions
Step 4: Enable Additional Features (Optional)
Non-provider patterns — detect private keys, connection strings, generic API keys:
- Settings → Advanced Security → enable "Scan for non-provider patterns"
AI-powered generic secret detection — uses Copilot to detect unstructured secrets like passwords:
- Settings → Advanced Security → enable "Use AI detection"
Validity checks — verify if detected secrets are still active:
- Settings → Advanced Security → enable "Validity checks"
- GitHub periodically tests detected credentials against provider APIs
- Status shown in alert: `active`, `inactive`, or `unknown`
Extended metadata checks — additional context about who owns a secret:
- Requires validity checks to be enabled first
- Helps prioritize remediation and identify responsible teams
Core Workflow — Resolve Blocked Pushes
When push protection blocks a push from the command line:
Option A: Remove the Secret
If the secret is in the latest commit:
```bash
# Remove the secret from the file
# Then amend the commit
git commit --amend --all
git push
```
If the secret is in an earlier commit:
```bash
# Find the earliest commit containing the secret
git log
# Start interactive rebase before that commit
git rebase -i <COMMIT-ID>~1
# Change 'pick' to 'edit' for the offending commit
# Remove the secret, then:
git add .
git commit --amend
git rebase --continue
git push
```
Option B: Bypass Push Protection
- Visit the URL returned in the push error message (as the same user)
- Select a bypass reason:
  - It's used in tests — alert created and auto-closed
  - It's a false positive — alert created and auto-closed
  - I'll fix it later — open alert created
- Click Allow me to push this secret
- Re-push within 3 hours
Option C: Request Bypass Privileges
If delegated bypass is enabled and you lack bypass privileges:
- Visit the URL from the push error
- Add a comment explaining why the secret is safe
- Click Submit request
- Wait for email notification of approval/denial
- If approved, push the commit; if denied, remove the secret
For detailed bypass and delegated bypass workflows, search `references/push-protection.md`.
Custom Patterns
Define organization-specific secret patterns using regular expressions.
Quick Setup
- Settings → Advanced Security → Custom patterns → New pattern
- Enter pattern name and regex for secret format
- Add a sample test string
- Click Save and dry run to test (up to 1,000 results)
- Review results for false positives
- Click Publish pattern
- Optionally enable push protection for the pattern
Scopes
Custom patterns can be defined at:
- Repository level — applies to that repo only
- Organization level — applies to all repos with secret scanning enabled
- Enterprise level — applies across all organizations
Copilot-Assisted Pattern Generation
Use Copilot secret scanning to generate regex from a text description of the secret type, including optional example strings.
For detailed custom pattern configuration, search `references/custom-patterns.md`.
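As an added local check (not GitHub's implementation and not part of this skill), the script below emulates how a custom pattern's fields combine: the secret format is wrapped in before/after context, only the secret is captured, and additional match requirements filter candidates. It lets you sanity-check a regex and sample strings before spending a dry run. The `acme_live_` token format, the default context expressions, and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed defaults for the before/after context fields: secret bounded by
# start/end of input or a non-alphanumeric character.
DEFAULT_BEFORE = r"\A|[^0-9A-Za-z]"
DEFAULT_AFTER = r"\Z|[^0-9A-Za-z]"


@dataclass
class CustomPattern:
    secret_format: str
    before_secret: str = DEFAULT_BEFORE
    after_secret: str = DEFAULT_AFTER
    must_match: list = field(default_factory=list)      # regexes the secret must satisfy
    must_not_match: list = field(default_factory=list)  # regexes that reject a candidate

    def find(self, text: str) -> list[tuple[int, str]]:
        """Return (line number, secret) for each candidate passing all requirements."""
        # Only the secret is captured; after-context is a lookahead so two secrets
        # separated by a single delimiter are both reported.
        rx = re.compile(f"(?:{self.before_secret})({self.secret_format})(?=(?:{self.after_secret}))")
        hits = []
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in rx.finditer(line):
                secret = m.group(1)
                ok = all(re.search(r, secret) for r in self.must_match)
                ok = ok and not any(re.search(r, secret) for r in self.must_not_match)
                if ok:
                    hits.append((lineno, secret))
        return hits


def mask(secret: str) -> str:
    """Redact a finding for triage notes: keep the prefix and last 4 characters."""
    return secret[:10] + "..." + secret[-4:] if len(secret) > 16 else "***"


# Hypothetical internal token: "acme_live_" followed by 32 lowercase hex characters.
PATTERN = CustomPattern(
    secret_format=r"acme_live_[0-9a-f]{32}",
    must_match=[r"[a-f]", r"[0-9]"],   # single-class values are placeholders, not tokens
    must_not_match=[r"(.)\1{7}"],      # eight identical characters in a row: placeholder
)

# Constructed sample input, not real credentials.
SAMPLE = """\
ACME_TOKEN=acme_live_0123456789abcdef0123456789abcdef
key=acme_live_0000000000000000deadbeefdeadbeef
glued=acme_live_0123456789abcdef0123456789abcdefXX
docs: tokens look like acme_live_<32 hex characters>
"""
```

Running `PATTERN.find(SAMPLE)` reports only line 1; line 2 is rejected by the placeholder rule, line 3 fails the after-context because the token runs straight into `XX`, and line 4 never matches the secret format.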
Alert Management
Alert Types
| Type | Description | Visibility |
|---|---|---|
| User alerts | Secrets found in repository | Security tab |
| Push protection alerts | Secrets pushed via bypass | Security tab (filter: `bypassed: true`) |
| Partner alerts | Secrets reported to provider | Not shown in repo (provider-only) |
Alert Lists
- Default alerts — supported provider patterns and custom patterns
- Generic alerts — non-provider patterns and AI-detected secrets (limited to 5,000 per repo)
Remediation Priority
- Rotate the credential immediately — this is the critical action
- Review the alert for context (location, commit, author)
- Check validity status: `active` (urgent), `inactive` (lower priority), `unknown`
- Remove from Git history if needed (time-intensive, often unnecessary after rotation)
Dismissing Alerts
Dismiss with a documented reason:
- False positive — detected string is not a real secret
- Revoked — credential has already been revoked
- Used in tests — secret is only in test code
For detailed alert types, validity checks, and REST API, search `references/alerts-and-remediation.md`.
Pre-Commit Scanning via AI Coding Agents
To scan code changes for secrets inside an AI coding agent before committing, install the Advanced Security plugin, which provides the `run_secret_scanning` MCP tool and a dedicated scanning skill.
GitHub Copilot CLI:
```text
/plugin install advanced-security@copilot-plugins
```
Visual Studio Code:
- In Copilot Chat, open Chat: Plugins (or use `@agentPlugins`) and install the `advanced-security` plugin
- Then run `/secret-scanning` in Copilot Chat
See: Advanced Security Plugin — Secret Scanning Skill
Announced in Secret scanning in AI coding agents via the GitHub MCP Server (March 2026)
Reference Files
For detailed documentation, load the following reference files as needed:
- `references/push-protection.md` — Push protection mechanics, bypass workflow, delegated bypass, user push protection
  - Search patterns: `bypass`, `delegated`, `bypass request`, `command line`, `REST API`, `user push protection`
- `references/custom-patterns.md` — Custom pattern creation, regex syntax, dry runs, Copilot regex generation, scopes
  - Search patterns: `custom pattern`, `regex`, `dry run`, `publish`, `organization`, `enterprise`, `Copilot`
- `references/alerts-and-remediation.md` — Alert types, validity checks, extended metadata, generic alerts, secret removal, REST API
  - Search patterns: `user alert`, `partner alert`, `validity`, `metadata`, `generic`, `remediation`, `git history`, `REST API`