Note: Secret scanning for organization-owned repositories is currently in beta and subject to change.
Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."
プロジェクトを外部サービスと通信させる場合、認証にトークンまたは秘密鍵を使用できます。 トークンや秘密鍵は、サービスプロバイダが発行できるシークレットです。 リポジトリにシークレットをチェックインする場合、リポジトリへの読み取りアクセスを持つすべてのユーザがシークレットを使用して、自分の権限で外部サービスにアクセスできます。 シークレットは、プロジェクトのリポジトリの外の、安全な専用の場所に保存することをお勧めします。
Service providers can partner with GitHub to provide their secret formats for scanning.
If someone checks a secret from a GitHub partner into a repository on GitHub Enterprise Server, secret scanning catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.
GitHub Enterprise Server の secret scanning について
Secret scanning は、GitHub Advanced Security の一環として、Organization が所有するリポジトリ全てで使用できます。 ユーザ所有のリポジトリでは使用できません。
リポジトリの管理者または Organization のオーナーは、Organization が所有するリポジトリで secret scanning を有効化できます。 You can enable secret scanning for all your repositories, or for all new repositories within your organization. For more information, see "Managing security and analysis settings for your repository" and "Managing security and analysis settings for your organization."
secret scanningが有効化されているリポジトリにコミットをプッシュすると、GitHub はコミットの内容をスキャンしてシークレットを探します。
secret scanning がリポジトリでシークレットを検出した場合、GitHub はアラートを生成します。
-
GitHub は、リポジトリ管理者と Organizationのオーナーにメールアラートを送信します。
-
GitHub displays an alert in the repository. For more information, see "Managing alerts from secret scanning."
Repository administrators and organization owners can grant users and teams access to secret scanning alerts. 詳しい情報については「リポジトリのセキュリティ及び分析の設定の管理」を参照してください。
GitHub currently scans repositories for secrets issued by the following service providers.
| Partner | Supported secret | API slug |
|---|---|---|
| n/a | JSON Web Token | json_web_token |
| n/a | OAuth Client Credential | api_credential_assignment |
| Adafruit IO | Adafruit IO Key | adafruit_io_key |
| Alibaba Cloud | Alibaba Cloud Access Key ID | alibaba_cloud_access_key_id |
| Alibaba Cloud | Alibaba Cloud Access Key Secret | alibaba_cloud_access_key_secret |
| Amazon Web Services (AWS) | Amazon AWS Access Key ID | aws_access_key_id |
| Amazon Web Services (AWS) | Amazon AWS Secret Access Key | aws_secret_access_key |
| Asana | Asana Personal Access Token | asana_personal_access_token |
| Atlassian | Atlassian API Token | atlassian_api_token |
| Atlassian | Atlassian JSON Web Token | atlassian_jwt |
| Azure | Azure DevOps Personal Access Token | azure_devops_personal_access_token |
| Azure | Azure SAS Token | azure_sas_token |
| Azure | Azure Service Management Certificate | azure_management_certificate |
| Azure | Azure SQL Connection String | azure_sql_connection_string |
| Azure | Azure Storage Account Key | azure_storage_account_key |
| Clojars | Clojars Deploy Token | clojars_deploy_token |
| CloudBees CodeShip | CloudBees CodeShip Credential | codeship_credential |
| Databricks | Databricks Access Token | databricks_access_token |
| Discord | Discord Bot Token | discord_bot_token |
| Doppler | Doppler Personal Token | doppler_personal_token |
| Doppler | Doppler Service Token | doppler_service_token |
| Doppler | Doppler CLI Token | doppler_cli_token |
| Doppler | Doppler SCIM Token | doppler_scim_token |
| Dropbox | Dropbox Access Token | dropbox_access_token |
| Dropbox | Dropbox Short Lived Access Token | dropbox_short_lived_access_token |
| Dynatrace | Dynatrace Access Token | dynatrace_access_token |
| Dynatrace | Dynatrace Internal Token | dynatrace_internal_token |
| Facebook Access Token | facebook_access_token | |
| Finicity | Finicity App Key | finicity_app_key |
| Frame.io | Frame.io JSON Web Token | frameio_jwt |
| Frame.io | Frame.io Developer Token | frameio_developer_token |
| GitHub | GitHub SSH Private Key | github_ssh_private_key |
| GitHub | GitHub Personal Access Token | github_personal_access_token |
| GitHub | GitHub App Installation Access Token | github_app_installation_access_token |
| GoCardless | GoCardless Live Access Token | gocardless_live_access_token |
| GoCardless | GoCardless Sandbox Access Token | gocardless_sandbox_access_token |
| Google Cloud | Google API Key | google_api_key |
| Google Cloud | Google Cloud Private Key ID | google_cloud_private_key_id |
| Grafana | Grafana API Key | grafana_api_key |
| Hashicorp Terraform | Terraform Cloud / Enterprise API Token | terraform_api_token |
| Hubspot | Hubspot API Key | hubspot_api_key |
| Intercom | Intercom Access Token | intercom_access_token |
| Lob | Lob Live API Key | lob_live_api_key |
| Lob | Lob Test API Key | lob_test_api_key |
| Mailchimp | Mailchimp API Key | mailchimp_api_key |
| Mailgun | Mailgun API Key | mailgun_api_key |
| npm | npm Access Token | npm_access_token |
| NuGet | NuGet API Key | nuget_api_key |
| Palantir | Palantir JSON Web Token | palantir_jwt |
| Postman | Postman API Key | postman_api_key |
| Proctorio | Proctorio Consumer Key | proctorio_consumer_key |
| Proctorio | Proctorio Linkage Key | proctorio_linkage_key |
| Proctorio | Proctorio Registration Key | proctorio_registration_key |
| Proctorio | Proctorio Secret Key | proctorio_secret_key |
| Pulumi | Pulumi Access Token | pulumi_access_token |
| PyPI | PyPI API Token | pypi_api_token |
| RubyGems | RubyGems API Key | rubygems_api_key |
| Samsara | Samsara API Token | samsara_api_token |
| Samsara | Samsara OAuth Access Token | samsara_oauth_access_token |
| SendGrid | SendGrid API Key | sendgrid_api_key |
| Shopify | Shopify App Shared Secret | shopify_app_shared_secret |
| Shopify | Shopify Access Token | shopify_access_token |
| Shopify | Shopify Custom App Access Token | shopify_custom_app_access_token |
| Shopify | Shopify Private App Password | shopify_private_app_password |
| Slack | Slack API Token | slack_api_token |
| Slack | Slack Incoming Webhook URL | slack_incoming_webhook_url |
| Slack | Slack Workflow Webhook URL | slack_workflow_webhook_url |
| SSLMate | SSLMate API Key | sslmate_api_key |
| SSLMate | SSLMate Cluster Secret | sslmate_cluster_secret |
| Stripe | Stripe API Key | stripe_api_key |
| Stripe | Stripe Live API Secret Key | stripe_live_secret_key |
| Stripe | Stripe Test API Secret Key | stripe_test_secret_key |
| Stripe | Stripe Live API Restricted Key | stripe_live_restricted_key |
| Stripe | Stripe Test API Restricted Key | stripe_test_restricted_key |
| Tencent Cloud | Tencent Cloud Secret ID | tencent_cloud_secret_id |
| Twilio | Twilio Account String Identifier | twilio_account_sid |
| Twilio | Twilio API Key | twilio_api_key |
注釈: Secret scanning では現在、シークレットを検出するための独自のパターンを定義することはできません。