DiscordSign up
SKILLS.SH

secret-scanning

Guide for configuring and managing GitHub secret scanning, push protection, custom patterns, and secret alert remediation. For pre-commit secret scanning in AI…

INSTALLATION
npx skills add https://github.com/github/awesome-copilot --skill secret-scanning
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$28

How Secret Scanning Works

Secret scanning automatically detects exposed credentials across:

  • Entire Git history on all branches
  • Issue descriptions, comments, and titles (open and closed)
  • Pull request titles, descriptions, and comments
  • GitHub Discussions titles, descriptions, and comments
  • Wikis and secret gists

Availability

Repository Type

Availability

Public repos

Automatic, free

Private/internal (org-owned)

Requires GitHub Secret Protection on Team/Enterprise Cloud

User-owned

Enterprise Cloud with Enterprise Managed Users

Core Workflow — Enable Secret Scanning

Step 1: Enable Secret Protection

  • Navigate to repository SettingsAdvanced Security
  • Click Enable next to "Secret Protection"
  • Confirm by clicking Enable Secret Protection

For organizations, use security configurations to enable at scale:

  • Settings → Advanced Security → Global settings → Security configurations

Step 2: Enable Push Protection

Push protection blocks secrets during the push process — before they reach the repository.

  • Navigate to repository SettingsAdvanced Security
  • Enable "Push protection" under Secret Protection

Push protection blocks secrets in:

  • Command line pushes
  • GitHub UI commits
  • File uploads
  • REST API requests
  • REST API content creation endpoints

Step 3: Configure Exclusions (Optional)

Create .github/secret_scanning.yml to auto-close alerts for specific directories:

paths-ignore:

  - "docs/**"

  - "test/fixtures/**"

  - "**/*.example"

Limits:

  • Maximum 1,000 entries in paths-ignore
  • File must be under 1 MB
  • Excluded paths also skip push protection checks

Best practices:

  • Be as specific as possible with exclusion paths
  • Add comments explaining why each path is excluded
  • Review exclusions periodically — remove stale entries
  • Inform the security team about exclusions

Step 4: Enable Additional Features (Optional)

Non-provider patterns — detect private keys, connection strings, generic API keys:

  • Settings → Advanced Security → enable "Scan for non-provider patterns"

AI-powered generic secret detection — uses Copilot to detect unstructured secrets like passwords:

  • Settings → Advanced Security → enable "Use AI detection"

Validity checks — verify if detected secrets are still active:

  • Settings → Advanced Security → enable "Validity checks"
  • GitHub periodically tests detected credentials against provider APIs
  • Status shown in alert: active, inactive, or unknown

Extended metadata checks — additional context about who owns a secret:

  • Requires validity checks to be enabled first
  • Helps prioritize remediation and identify responsible teams

Core Workflow — Resolve Blocked Pushes

When push protection blocks a push from the command line:

Option A: Remove the Secret

If the secret is in the latest commit:

# Remove the secret from the file

# Then amend the commit

git commit --amend --all

git push

If the secret is in an earlier commit:

# Find the earliest commit containing the secret

git log

# Start interactive rebase before that commit

git rebase -i <COMMIT-ID>~1

# Change 'pick' to 'edit' for the offending commit

# Remove the secret, then:

git add .

git commit --amend

git rebase --continue

git push

Option B: Bypass Push Protection

  • Visit the URL returned in the push error message (as the same user)
  • Select a bypass reason:
  • It's used in tests — alert created and auto-closed
  • It's a false positive — alert created and auto-closed
  • I'll fix it later — open alert created
  • Click Allow me to push this secret
  • Re-push within 3 hours

Option C: Request Bypass Privileges

If delegated bypass is enabled and you lack bypass privileges:

  • Visit the URL from the push error
  • Add a comment explaining why the secret is safe
  • Click Submit request
  • Wait for email notification of approval/denial
  • If approved, push the commit; if denied, remove the secret

For detailed bypass and delegated bypass workflows, search references/push-protection.md.

Custom Patterns

Define organization-specific secret patterns using regular expressions.

Quick Setup

  • Settings → Advanced Security → Custom patterns → New pattern
  • Enter pattern name and regex for secret format
  • Add a sample test string
  • Click Save and dry run to test (up to 1,000 results)
  • Review results for false positives
  • Click Publish pattern
  • Optionally enable push protection for the pattern

Scopes

Custom patterns can be defined at:

  • Repository level — applies to that repo only
  • Organization level — applies to all repos with secret scanning enabled
  • Enterprise level — applies across all organizations

Copilot-Assisted Pattern Generation

Use Copilot secret scanning to generate regex from a text description of the secret type, including optional example strings.

For detailed custom pattern configuration, search references/custom-patterns.md.

Alert Management

Alert Types

Type

Description

Visibility

User alerts

Secrets found in repository

Security tab

Push protection alerts

Secrets pushed via bypass

Security tab (filter: bypassed: true)

Partner alerts

Secrets reported to provider

Not shown in repo (provider-only)

Alert Lists

  • Default alerts — supported provider patterns and custom patterns
  • Generic alerts — non-provider patterns and AI-detected secrets (limited to 5,000 per repo)

Remediation Priority

  • Rotate the credential immediately — this is the critical action
  • Review the alert for context (location, commit, author)
  • Check validity status: active (urgent), inactive (lower priority), unknown
  • Remove from Git history if needed (time-intensive, often unnecessary after rotation)

Dismissing Alerts

Dismiss with a documented reason:

  • False positive — detected string is not a real secret
  • Revoked — credential has already been revoked
  • Used in tests — secret is only in test code

For detailed alert types, validity checks, and REST API, search references/alerts-and-remediation.md.

Pre-Commit Scanning via AI Coding Agents

For scanning code changes for secrets inside an AI coding agent before committing, install the Advanced Security plugin which provides the run_secret_scanning MCP tool and a dedicated scanning skill.

GitHub Copilot CLI:

/plugin install advanced-security@copilot-plugins

Visual Studio Code:

  • In Copilot Chat, open Chat: Plugins (or use @agentPlugins) and install the advanced-security plugin
  • Then run /secret-scanning in Copilot Chat

See: Advanced Security Plugin — Secret Scanning Skill

Announced in Secret scanning in AI coding agents via the GitHub MCP Server (March 2026)

Reference Files

For detailed documentation, load the following reference files as needed:

  • references/push-protection.md — Push protection mechanics, bypass workflow, delegated bypass, user push protection
  • Search patterns: bypass, delegated, bypass request, command line, REST API, user push protection
  • references/custom-patterns.md — Custom pattern creation, regex syntax, dry runs, Copilot regex generation, scopes
  • Search patterns: custom pattern, regex, dry run, publish, organization, enterprise, Copilot
  • references/alerts-and-remediation.md — Alert types, validity checks, extended metadata, generic alerts, secret removal, REST API
  • Search patterns: user alert, partner alert, validity, metadata, generic, remediation, git history, REST API
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card