Sobre a varredura de segredos para parceiros

Quando a secret scanning detecta detalhes de autenticação para um provedor de serviços em um repositório público no GitHub, um alerta é enviado diretamente ao provedor. Isso permite que os provedores de serviços parceiros do GitHub tomem medidas imediatas para proteger seus sistemas.

Quem pode usar esse recurso?

O Alertas de verificação de segredo para parceiros é executado por padrão nos seguintes repositórios:

  • Repositórios públicos e pacotes npm públicos no GitHub.

Neste artigo

About secret scanning alerts for partners

GitHub scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. To find out about our partner program, see Secret scanning partner program.

Observação

You cannot change the configuration of secret scanning for partner patterns on public repositories.

Secret scanning alerts for partners scans:

  • Descriptions and comments in issues
  • Titles, descriptions, and comments, in open and closed historical issues. A notification is sent to the relevant partner when a historical partner pattern is detected.
  • Titles, descriptions, and comments in pull requests
  • Titles, descriptions, and comments in GitHub Discussions
  • Wikis
  • Secret gists. A notification is sent to the relevant partner when a partner pattern is detected in a secret gist.

The reason partner alerts are directly sent to the secret providers whenever a leak is detected for one of their secrets is that this enables the provider to take immediate action to protect you and protect their resources. The notification process for regular alerts is different. Regular alerts are displayed on the repository's Security tab on GitHub for you to resolve.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

What are the supported secrets

For information about the secrets and service providers supported by push protection, see Supported secret scanning patterns.

Further reading