Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Secure coding/
  • GitHub security features
  • Audit security alerts
  • Enable security features in trial
  • Choose security configuration
    • Configure global settings
    • Edit custom configuration
    • Delete custom configuration
    • Push protection
    • Enable push protection
    • Resolve alerts
    • Push protection from the REST API
    • Generate regular expressions with AI
    • About CodeQL code scanning
    • Configure advanced setup
    • Hardware resources for CodeQL
    • Disable Copilot Autofix
    • Track alerts in issues
    • CodeQL query suites
    • C# CodeQL queries
    • Python CodeQL queries
    • Using code scanning with your existing CI system
    • Alerts in generated code
    • Cannot enable CodeQL in a private repository
    • Logs not detailed enough
    • Resource not accessible
    • Two CodeQL workflows
    • GitHub Advanced Security disabled
    • Results file too large
    • Preparing code for analysis
    • Advanced setup of the CodeQL CLI
    • Testing custom queries
    • Specifying command options in a CodeQL configuration file
    • Extractor options
    • bqrs diff
    • database add-diagnostic
    • database create
    • database index-files
    • database run-queries
    • dataset check
    • dataset upgrade
    • execute language-server
    • execute upgrades
    • github merge-results
    • pack ci
    • pack install
    • pack resolve-dependencies
    • query format
    • resolve extensions-by-pack
    • resolve library-path
    • resolve qlpacks
    • resolve tests
    • test run
    • Manage CodeQL databases
    • CodeQL model editor
    • Test CodeQL queries
    • Telemetry
    • About global security advisories
    • Permission levels
    • Edit repository advisories
    • Add collaborators
    • Best practices
    • Dependency graph
    • Export dependencies as SBOM
    • Customize dependency review action
    • Overview
    • Dependabot ecosystem support
    • Configure notifications
    • Manage auto-dismissed alerts
    • Dependabot version updates
    • Control dependency update
    • Auto-update actions
    • Manage Dependabot on self-hosted runners
    • Troubleshoot Dependabot on Actions
    • Manage alerts/
    • Evaluate alerts

    Evaluating alerts from secret scanning

    Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret's validity.

    Who can use this feature?

    Repository owners, organization owners, security managers, and users with the admin role

    In this article

    • About evaluating alerts
    • Checking a secret's validity
    • Reviewing GitHub token metadata
    • Next steps

    About evaluating alerts

    There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:

    • Check the validity of a secret, to see if the secret is still active. Applies to GitHub tokens only. For more information, see Checking a secret's validity.
    • Review a token's metadata. Applies to GitHub tokens only. For example, to see when the token was last used. For more information, see Reviewing GitHub token metadata.

    Checking a secret's validity

    Validity checks help you prioritize alerts by telling you which secrets are active or inactive. An active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority.

    By default, GitHub checks the validity of GitHub tokens and displays the validation status of the token in the alert view.

    Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable validity checks for partner patterns. For more information, see Checking a secret's validity in the GitHub Enterprise Cloud documentation.

    ValidityStatusResult
    Active secretactiveGitHub checked with this secret's provider and found that the secret is active
    Possibly active secretunknownGitHub does not support validation checks for this token type yet
    Possibly active secretunknownGitHub could not verify this secret
    Secret inactiveinactiveYou should make sure no unauthorized access has already occurred

    You can use the REST API to retrieve a list of the most recent validation status for each of your tokens. For more information, see REST API endpoints for secret scanning in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert. For more information, see the secret_scanning_alert event in Webhook events and payloads.

    Reviewing GitHub token metadata

    Note

    Metadata for GitHub tokens is currently in public preview and subject to change.

    In the view for an active GitHub token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take.

    Tokens, like personal access token and other credentials, are considered personal information. For more information about using GitHub tokens, see Acceptable Use Policies.

    Metadata for GitHub tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. GitHub auto-revokes GitHub tokens in public repositories, so metadata for GitHub tokens in public repositories is unlikely to be available. The following metadata is available for active GitHub tokens:

    MetadataDescription
    Secret nameThe name given to the GitHub token by its creator
    Secret ownerThe GitHub handle of the token's owner
    Created onDate the token was created
    Expired onDate the token expired
    Last used onDate the token was last used
    AccessWhether the token has organization access

    Next steps

    • Resolving alerts from secret scanning

    Help and support

    Did you find what you needed?

    Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant