GitHub: Setting up secret scanning to detect and prevent the accidental exposure of sensitive information

Updated on January 12, 2023


Secret scanning is a critical control for any git repository: it detects, and helps you prevent, the accidental exposure of sensitive information such as passwords, API keys, and other secrets in your repositories. This technical reference guide provides a step-by-step process for setting up secret scanning to detect and prevent the accidental exposure of sensitive information.

1. Enabling secret scanning:

  • To enable secret scanning in GitHub, sign in to your GitHub account and navigate to the repository you want to enable secret scanning for.
  • In the top right corner of the page, choose Settings.
  • In the left sidebar, choose Security.
  • Under "Secret scanning," click Enable secret scanning.

2. Configuring secret scanning:

  • To configure secret scanning in GitHub, sign in to your GitHub account and navigate to the repository you want to configure secret scanning for.
  • In the top right corner of the page, choose Settings.
  • In the left sidebar, choose Security.
  • Under "Secret scanning," click Configure.
  • Use the secret scanning configuration interface to specify the secrets you want to scan for and the actions to take when a secret is detected.

3. Viewing secret scanning results:

  • To view secret scanning results in GitHub, sign in to your GitHub account and navigate to the repository you want to view secret scanning results for.
  • In the top right corner of the page, choose Settings.
  • In the left sidebar, choose Security.
  • Under "Secret scanning," click Results.
  • Use the secret scanning results interface to view the detected secrets and the actions taken.
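The three steps above configure GitHub's hosted scanner; the same pattern-plus-heuristic idea can be run locally before a commit ever reaches GitHub. The following script is an added example, not GitHub's or TruffleHog's code: it matches two publicly documented token shapes (an AWS access key ID and a classic GitHub personal access token), applies a Shannon-entropy filter to a generic `password=`/`api_key=` assignment rule so that low-entropy placeholders are not flagged, honours a constructed allowlist of known documentation keys, and masks every reported value so the report itself does not re-leak the secret. The sample file contents, the entropy threshold of 3.0 bits and the allowlist entry are constructed for the example.

```python
"""Minimal local secret scanner (added example, not GitHub's own code).

Usable as a pre-commit hook or CI step: exit status 1 when findings exist.
"""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Token shapes. The AWS and GitHub patterns follow the providers' published
# key formats; the "generic_assignment" rule is a heuristic that depends on
# the entropy filter below to suppress ordinary strings and placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}

# Constructed allowlist: AWS's documented example key, never a live credential.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed sample file: an env-style config with four candidate secrets.
SAMPLE_FILE = """\
# constructed sample config, not a real repository file
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
db_password = 'aaaaaaaaaaaaaaaa'
api_key = 'x7Qm!kL2#pVz9rT4wB'
"""


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    masked: str  # prefix plus asterisks; the raw value is never stored


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix so the finding is identifiable but not reusable."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan one file's contents line by line and return masked findings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, regex in PATTERNS.items():
            for m in regex.finditer(line):
                # Use the last capture group (the value) if the rule has one,
                # otherwise the whole match is the token.
                value = m.group(m.lastindex or 0)
                if value in ALLOWLIST:
                    continue
                if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy placeholder such as 'aaaaaaaa'
                findings.append(Finding(rule, path, lineno, mask(value)))
    return findings


def scan_paths(paths: list[str]) -> list[Finding]:
    """Scan real files from disk; unreadable or binary files are skipped."""
    out: list[Finding] = []
    for p in paths:
        try:
            with open(p, encoding="utf-8") as fh:
                out.extend(scan_text(p, fh.read()))
        except (OSError, UnicodeDecodeError):
            continue
    return out


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed sample; otherwise scan
    # the given paths (e.g. the staged files passed by a pre-commit hook).
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("sample.env", SAMPLE_FILE)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}: {f.masked}")
    sys.exit(1 if results else 0)
```

Run without arguments to see the three expected hits on the sample (the allowlisted AWS example key and the zero-entropy password are skipped); in a pre-commit hook, pass the staged file names as arguments and let the non-zero exit status block the commit.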

By following these steps, you can set up and configure secret scanning in GitHub to detect and prevent the accidental exposure of sensitive information in your repositories, which helps you protect your sensitive data and maintain the security of your organization. Another good option is TruffleHog, an open-source tool from our friends at TruffleSec that finds leaked credentials.