title

shortTitle

intro

product

allowTitleToDifferFromFilename

type

versions

topics

Choosing {% data variables.product.prodname_GH_secret_protection %}

Secret protection

Learn how {% data variables.product.prodname_GH_secret_protection %} can help you detect secrets in your codebases and prevent leaks before they happen using continuous monitoring and prevention tools.

{% data reusables.gated-features.secret-protection %}

true

overview

feature
secret-risk-assessment

Secret scanning

Secret Protection

Code Security

Organizations

Security

About {% data variables.product.prodname_GH_secret_protection %}

{% data variables.product.prodname_secret_protection %} includes the following features to help you detect and prevent secret leaks, allowing continuous monitoring and detection. For details about the features and their availability, see {% data variables.product.prodname_GH_secret_protection %}.

{% data reusables.secret-protection.product-list %}

In addition, {% data variables.product.prodname_secret_protection %} includes a free scanning feature, the risk assessment report, to help organizations understand their secret leak footprint across their {% data variables.product.github %} perimeter. See AUTOTITLE.

{% data variables.product.prodname_secret_protection %} is billed per active committer to the repositories where it is enabled. It is available to users with a {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} plan, see AUTOTITLE.

Why you should enable {% data variables.product.prodname_secret_protection %} for 100% of your organization's repositories

{% data variables.product.github %} recommends enabling {% data variables.product.prodname_GH_secret_protection %} products for all repositories, in order to protect your organization from the risk of secret leaks and exposures. {% data variables.product.prodname_GH_secret_protection %} is free to enable for public repositories, and available as a purchasable add-on for private and internal repositories.

{% data reusables.secret-risk-assessment.what-is-scanned %}. See AUTOTITLE
The {% data variables.product.prodname_secret_risk_assessment %} and {% data variables.product.prodname_secret_scanning %} scan code that has already been committed into your repositories. With push protection, your code is scanned for secrets before commits are saved on {% data variables.product.github %}, during the push process, and the push is blocked if any secrets are detected. See AUTOTITLE.
If you have one or more secret patterns that are internal to your organization, these will not be detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. You can define custom patterns that are only valid in your organization, and extend the {% data variables.product.prodname_secret_scanning %} capabilities to detect these patterns. See AUTOTITLE.
Knowing which secrets could be exploited makes it easy to prioritize remediation of leaked secrets found by {% data variables.product.prodname_secret_scanning %}. Validity checks tell you if an active secret is one that could still be exploited, so these alerts should be reviewed and remediated as a priority. See AUTOTITLE.
You may also want to detect leaks of unstructured secrets such as passwords. This is possible with our AI-powered {% data variables.secret-scanning.copilot-secret-scanning %}. See AUTOTITLE.
Visualizing the prevention, detection, and remediation of security data is critical to understanding where to direct effort and where security initiatives are having an impact. Security overview has dedicated views that allow you to dig deep into the current state of your codebases at the organization and enterprise level. See AUTOTITLE.

In addition to detecting and preventing secret leaks, you should consider building code security into all of your organization workflows to secure your software supply chain. See AUTOTITLE.

If you require help evaluating your security needs or options, contact GitHub's Sales team.

{% ifversion fpt or ghec %}

Alternatively, you can trial {% data variables.product.prodname_GHAS %} for free to assess your needs. See AUTOTITLE.

{% endif %}

Enabling {% data variables.product.prodname_secret_protection %}

{% ifversion ghes %} A site administrator must enable {% data variables.product.prodname_AS %} for {% data variables.location.product_location %} before you can use these security features. See AUTOTITLE. {% endif %}

{% ifversion security-configurations %} {% data reusables.security-configurations.enable-security-features-with-gh-config %} {% endif %}

{% data variables.product.prodname_security_configurations_caps %} can be applied at enterprise and organization level. You can also configure additional security settings for your organization. These settings, called {% data variables.product.prodname_global_settings %}, are then inherited by all repositories in the organization. With {% data variables.product.prodname_global_settings %}, you can customize how security features analyze your organization. See AUTOTITLE.

In addition, repository administrators can enable security features at the repository level.

Enabling {% data variables.product.prodname_secret_protection %} from the {% data variables.product.prodname_secret_risk_assessment %}

{% data reusables.secret-risk-assessment.public-preview-note %}

{% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.security-overview %} {% data reusables.security-overview.open-assessments-view %}

Click the Enable Secret Protection dropdown in the banner display, and then select one of the options for enabling the feature in your organization's repositories.
- For public repositories for free: Click to enable for only public repositories in your organization.
- For all repositories: Click Enable Secret Protection to enable both {% data variables.product.prodname_secret_scanning %} and push protection for all repositories in your organization, at the estimated cost displayed. You will incur usage costs or need to purchase {% data variables.product.prodname_GH_secret_protection %} licenses.
  
  Alternatively, click Configure in settings to customize which repositories you want to enable {% data variables.product.prodname_secret_protection %} for. See {% ifversion fpt or ghec %}AUTOTITLE and {% endif %}AUTOTITLE.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

choosing-github-secret-protection.md

choosing-github-secret-protection.md

About {% data variables.product.prodname_GH_secret_protection %}

Why you should enable {% data variables.product.prodname_secret_protection %} for 100% of your organization's repositories

Enabling {% data variables.product.prodname_secret_protection %}

Enabling {% data variables.product.prodname_secret_protection %} from the {% data variables.product.prodname_secret_risk_assessment %}

Files

choosing-github-secret-protection.md

Latest commit

History

choosing-github-secret-protection.md

File metadata and controls

About {% data variables.product.prodname_GH_secret_protection %}

Why you should enable {% data variables.product.prodname_secret_protection %} for 100% of your organization's repositories

Enabling {% data variables.product.prodname_secret_protection %}

Enabling {% data variables.product.prodname_secret_protection %} from the {% data variables.product.prodname_secret_risk_assessment %}