diff --git a/assets/images/enterprise/3.3/settings/security-and-analysis-disable-or-enable-all.png b/assets/images/enterprise/3.3/settings/security-and-analysis-disable-or-enable-all.png
deleted file mode 100644
index e1e61d878a09..000000000000
Binary files a/assets/images/enterprise/3.3/settings/security-and-analysis-disable-or-enable-all.png and /dev/null differ
diff --git a/assets/images/enterprise/3.3/settings/security-and-analysis-enable-by-default-in-modal.png b/assets/images/enterprise/3.3/settings/security-and-analysis-enable-by-default-in-modal.png
deleted file mode 100644
index 903e382ef92f..000000000000
Binary files a/assets/images/enterprise/3.3/settings/security-and-analysis-enable-by-default-in-modal.png and /dev/null differ
diff --git a/assets/images/enterprise/3.3/settings/security-and-analysis-enable-or-disable-feature-checkbox.png b/assets/images/enterprise/3.3/settings/security-and-analysis-enable-or-disable-feature-checkbox.png
deleted file mode 100644
index c3126a203617..000000000000
Binary files a/assets/images/enterprise/3.3/settings/security-and-analysis-enable-or-disable-feature-checkbox.png and /dev/null differ
diff --git a/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png b/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png
deleted file mode 100644
index b7995b18bb32..000000000000
Binary files a/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png and /dev/null differ
diff --git a/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png b/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png
index fb10f813d449..c6100feebb27 100644
Binary files a/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png and b/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png differ
diff --git a/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png b/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png
deleted file mode 100644
index e1333644b282..000000000000
Binary files a/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png and /dev/null differ
diff --git a/content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account.md b/content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account.md
index 2f6ed491c772..13085f94665e 100644
--- a/content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account.md
+++ b/content/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account.md
@@ -31,11 +31,12 @@ For an overview of repository-level security, see "[AUTOTITLE](/code-security/ge {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security-analysis %} -3. Under "Code security and analysis", to the right of the feature, click **Disable all** or **Enable all**. - {% ifversion ghes %}!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/enterprise/3.3/settings/security-and-analysis-disable-or-enable-all.png){% else %}!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/settings/security-and-analysis-disable-or-enable-all.png){% endif %} -6. Optionally, enable the feature by default for new repositories that you own. - {% ifversion ghes %}!["Enable by default" option for new repositories](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-by-default-in-modal.png){% else %}!["Enable by default" option for new repositories](/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png){% endif %} -7. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own. +1. Under "Code security and analysis", to the right of the feature, click **Disable all** or **Enable all**. +1. Optionally, enable the feature by default for new repositories that you own.{% ifversion not ghes %} + + ![Screenshot of the "Enable FEATURE" modal dialog, with the "Enable by default for new private repositories" option highlighted with a dark orange outline.](/assets/images/help/settings/security-and-analysis-enable-by-default-in-modal.png){% endif %} + +1. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own. {% data reusables.security.displayed-information %} 
@@ -44,7 +45,6 @@ For an overview of repository-level security, see "[AUTOTITLE](/code-security/ge {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security-analysis %} 3. Under "Code security and analysis", to the right of the feature, enable or disable the feature by default for new repositories that you own. - {% ifversion ghes %}![Checkbox for enabling or disabling a feature for new repositories](/assets/images/enterprise/3.3/settings/security-and-analysis-enable-or-disable-feature-checkbox.png){% else %}![Checkbox for enabling or disabling a feature for new repositories](/assets/images/help/settings/security-and-analysis-enable-or-disable-feature-checkbox.png){% endif %} ## Further reading diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md index 63a010020dd6..de685cc48f30 100644 --- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md +++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md 
@@ -121,7 +121,7 @@ Before you can proceed with pilot programs and rolling out {% data variables.pro **Note:** When {% data variables.product.prodname_secret_scanning %} detects a secret in repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} and have a license for {% data variables.product.prodname_GH_advanced_security %}, {% data variables.product.prodname_dotcom %} alerts all users with access to security alerts for the repository. {% ifversion ghec %} -Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts)."{% endif %} +Secrets found in public repositories using {% data variables.secret-scanning.partner_alerts %} are reported directly to the partner, without creating an alert on {% data variables.product.product_name %}. For details about the supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."{% endif %} {% endnote %} diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md index 53c3ad718837..68f303f0c17f 100644 --- a/content/code-security/getting-started/github-security-features.md +++ b/content/code-security/getting-started/github-security-features.md 
@@ -74,7 +74,7 @@ The security overview shows which security features are enabled for the reposito ### {% data variables.secret-scanning.partner_alerts_caps %} -Automatically detect leaked secrets across all public repositories. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts)." +Automatically detect leaked secrets across all public repositories. {% data variables.product.company_short %} informs the relevant service provider that the secret may be compromised. For details of the supported secrets and service providers, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." {% endif %} ## Available with {% data variables.product.prodname_GH_advanced_security %} diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md index 7ca479dc80ca..044cf1c609ca 100644 --- a/content/code-security/secret-scanning/about-secret-scanning.md +++ b/content/code-security/secret-scanning/about-secret-scanning.md 
@@ -53,7 +53,7 @@ You can also enable {% data variables.product.prodname_secret_scanning %} as a p {% ifversion fpt or ghec %} ## About {% data variables.secret-scanning.partner_alerts %} -When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. {% ifversion secret-scanning-issue-body-comments %}{% data reusables.secret-scanning.scan-issue-description-and-comments %}{% endif %} If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts)." +When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. {% ifversion secret-scanning-issue-body-comments %}{% data reusables.secret-scanning.scan-issue-description-and-comments %}{% endif %} If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories. 
@@ -62,7 +62,7 @@ You cannot change the configuration of {% data variables.product.prodname_secret ## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes or ghae %} on {% data variables.product.product_name %}{% endif %} {% ifversion ghes or ghae %} -{% data variables.secret-scanning.user_alerts_caps %} is available on all organization-owned repositories as part of {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories.{% endif %}{% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts_caps %} are available for free on all public repositories{% endif %}{% ifversion fpt %}.{% endif %}{%ifversion ghec %}, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-issue-body-comments %}{% data reusables.secret-scanning.scan-issue-description-and-comments %}{% endif %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings. 
{% endif %}For more information, see "{% ifversion fpt or ghec %}[Supported secrets for user alerts](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-user-alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns){% endif %}." +{% data variables.secret-scanning.user_alerts_caps %} is available on all organization-owned repositories as part of {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories.{% endif %}{% ifversion fpt or ghec %}{% data variables.secret-scanning.user_alerts_caps %} are available for free on all public repositories{% endif %}{% ifversion fpt %}.{% endif %}{%ifversion ghec %}, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}.{% endif %} When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-issue-body-comments %}{% data reusables.secret-scanning.scan-issue-description-and-comments %}{% endif %} When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings. 
{% endif %}For more information, see "{% ifversion fpt or ghec %}[Supported secrets](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns){% endif %}." {% ifversion secret-scanning-issue-body-comments %} {% note %} diff --git a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md index 11d682b19cc4..a1e8c9cba53b 100644 --- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md +++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md @@ -27,7 +27,7 @@ shortTitle: Manage secret alerts {% ifversion fpt or ghec %} {% note %} -**Note:** Alerts are created only for repositories with {% data variables.secret-scanning.user_alerts %} enabled. Secrets found in public repositories using the free {% data variables.secret-scanning.partner_alerts %} service are reported directly to the partner, without creating an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts)." +**Note:** Alerts are created only for repositories with {% data variables.secret-scanning.user_alerts %} enabled. Secrets found in public repositories using the free {% data variables.secret-scanning.partner_alerts %} service are reported directly to the partner, without creating an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." {% endnote %} {% endif %} 
@@ -35,8 +35,8 @@ shortTitle: Manage secret alerts {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} 1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**. -1. Under "{% data variables.product.prodname_secret_scanning_caps %}" click the alert you want to view.{% ifversion secret-scanning-validity-check %} -1. Optionally, if the leaked secret is a {% data variables.product.company_short %} token, check the validity of the secret and follow the remediation steps. +2. Under "{% data variables.product.prodname_secret_scanning_caps %}" click the alert you want to view.{% ifversion secret-scanning-validity-check %} +3. Optionally, if the leaked secret is a {% data variables.product.company_short %} token, check the validity of the secret and follow the remediation steps. ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the validity check and suggested remediation steps.](/assets/images/help/repository/secret-scanning-validity-check.png) 
@@ -61,7 +61,8 @@ shortTitle: Manage secret alerts ![Screenshot of a {% data variables.product.prodname_secret_scanning %} alert. A dropdown menu, titled "Close as", is expanded and highlighted in a dark orange outline.](/assets/images/help/repository/secret-scanning-dismiss-alert-web-ui-link-partner-documentation.png) {% else %} -1. To dismiss an alert, select the "Mark as" dropdown menu and click a reason for resolving an alert. + +1 To dismiss an alert, select the "Mark as" dropdown menu and click a reason for resolving an alert. {% endif %}{% ifversion secret-scanning-dismissal-comment %} 1. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the {% data variables.product.prodname_secret_scanning_caps %} API. The comment is contained in the `resolution_comment` field. For more information, see "[AUTOTITLE](/rest/secret-scanning#update-a-secret-scanning-alert)" in the REST API documentation. 1. Click **Close alert**. 
@@ -80,7 +81,7 @@ Once a secret has been committed to a repository, you should consider the secret {% ifversion fpt or ghec %} {% note %} -**Note:** If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts)." +**Note:** If a secret is detected in a public repository on {% data variables.product.prodname_dotcom_the_website %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." {% endnote %} {% endif %} diff --git a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md index e09c6576cdcc..6b6680f0c667 100644 --- a/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md +++ b/content/code-security/secret-scanning/protecting-pushes-with-secret-scanning.md @@ -32,7 +32,7 @@ You can monitor security alerts to discover when users are bypassing push protec {% data reusables.secret-scanning.bypass-reasons-and-alerts %} -For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-push-protection)." +For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." ## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection 
diff --git a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md index 2e43a84e8122..e0b0a20ad655 100644 --- a/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md +++ b/content/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection.md @@ -15,7 +15,7 @@ shortTitle: Push a blocked branch ## About push protection for {% data variables.product.prodname_secret_scanning %} -The push protection feature of {% data variables.product.prodname_secret_scanning %} helps to prevent security leaks by scanning for secrets before you push changes to your repository. {% data reusables.secret-scanning.push-protection-overview %} For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-push-protection)." +The push protection feature of {% data variables.product.prodname_secret_scanning %} helps to prevent security leaks by scanning for secrets before you push changes to your repository. {% data reusables.secret-scanning.push-protection-overview %} For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." {% data reusables.secret-scanning.push-protection-remove-secret %} diff --git a/content/code-security/secret-scanning/secret-scanning-patterns.md b/content/code-security/secret-scanning/secret-scanning-patterns.md index 5da7c95a4afa..446a0c1b442d 100644 --- a/content/code-security/secret-scanning/secret-scanning-patterns.md +++ b/content/code-security/secret-scanning/secret-scanning-patterns.md 
@@ -21,40 +21,33 @@ redirect_from: {% ifversion fpt or ghec %} ## About {% data variables.product.prodname_secret_scanning %} patterns -{% data variables.product.product_name %} maintains these different sets of {% data variables.product.prodname_secret_scanning %} patterns: +{% data variables.product.product_name %} maintains these different sets of default {% data variables.product.prodname_secret_scanning %} patterns: -1. **Partner patterns.** Used to detect potential secrets in all public repositories. - - For details, see "[Supported secrets for partner alerts](#supported-secrets-for-partner-alerts)." - - {% data reusables.secret-scanning.partner-program-link %} -2. **User alert patterns.** Used to detect potential secrets in {% ifversion fpt %}public{% endif %} repositories with {% data variables.secret-scanning.user_alerts %} enabled. For details, see "[Supported secrets for user alerts](#supported-secrets-for-user-alerts)."{% ifversion secret-scanning-push-protection %} -3. **Push protection patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled. For details, see "[Supported secrets for push protection](#supported-secrets-for-push-protection)."{% endif %} +1. **Partner patterns.** Used to detect potential secrets in all public repositories.{% data reusables.secret-scanning.partner-program-link %} +1. **User alert patterns.** Used to detect potential secrets in {% ifversion fpt %}public{% endif %} repositories with {% data variables.secret-scanning.user_alerts %} enabled. {% ifversion secret-scanning-push-protection %} +1. 
**Push protection patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled.{% endif %} {% ifversion fpt %} -Owners of public repositories, as well as organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %}, can enable {% data variables.secret-scanning.user_alerts %} on their repositories. For details of these patterns, see the "[Supported secrets for user alerts](#supported-secrets-for-user-alerts) section below. +Owners of public repositories, as well as organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %}, can enable {% data variables.secret-scanning.user_alerts %} on their repositories. {% endif %} +For details about all the supported patterns, see the "[Supported secrets](#supported-secrets) section below. + If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning)." -## Supported secrets for partner alerts +## About partner alerts -{% data variables.product.product_name %} currently scans public repositories for secrets issued by the following service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." +Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. 
{% data variables.product.product_name %} currently scans public repositories for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-partners)." {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} - - -Partner | Supported secret ---- | --- -{%- for entry in secretScanning.isPublic %} -{{ entry.provider }} | {{ entry.supportedSecret }} -{%- endfor %} - - {% endif %} -## Supported secrets for {% ifversion fpt or ghec %}user {% endif %}alerts +## About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts -When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by the following service providers and generates {% data variables.secret-scanning.alerts %}. You can see these alerts on the **Security** tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %} +{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}. + +You can see these alerts on the **Security** tab of the repository. 
{% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-alerts-for-users)."{% endif %} {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} 
@@ -68,34 +61,102 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re {% endnote %} {% endif %} - - -Provider | Supported secret | Secret type ---- | --- | --- -{%- for entry in secretScanning.isPrivateWithGhas %} -{{ entry.provider }} | {{ entry.supportedSecret }} | {{ entry.secretType }} | -{%- endfor %} - - {% ifversion secret-scanning-push-protection %} -## Supported secrets for push protection +## About push protection alerts -{% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by the following service providers. +Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers. {% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %} {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "[AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning#push-protection-and-pattern-versions)." - - -Provider | Supported secret | Secret type ---- | --- | --- -{%- for entry in secretScanning.hasPushProtection %} -{{ entry.provider }} | {{ entry.supportedSecret }} | {{ entry.secretType }} +{% endif %} + +## Supported secrets + +This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token{% ifversion secret-scanning-validity-check %}, as well as whether a validity check is performed on the token{% endif %}.{% ifversion fpt or ghec %} +- **Pattern**—token for which leaks are reported to the relevant token partner. Applies to public repositories only. +- **User**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. 
Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}{% ifversion ghes or ghae %} +- **{% data variables.product.prodname_secret_scanning_caps %} alert**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% ifversion secret-scanning-push-protection %} +- **Push protection**—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.{% endif %}{% ifversion secret-scanning-validity-check %} +- **Validity check**—token for which a validity check is implemented. Currently only applies to GitHub tokens.{% endif %} + + +{% ifversion fpt %} + +| Token | Partner | User | Validity check | +|----|:----:|:----:|:----:| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | +{%- endfor %} + +{% endif %} + + +{% ifversion ghec %} + +| Token | Partner | User | Push protection | Validity check | +|----|----|:----:|:----:|:----:| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else 
%}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | +{%- endfor %} +{% endif %} + + +{% ifversion ghes = 3.4 %} + +| Token | {% data variables.product.prodname_secret_scanning_caps %} alert | +|----|----| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {%- endfor %} - {% endif %} + + +{% ifversion ghes = 3.5 or ghes = 3.6 or ghes = 3.7 or ghes = 3.8 %} + +| Token | {% data variables.product.prodname_secret_scanning_caps %} alert | Push protection | +|----|----|:----:| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | +{%- endfor %} + +{% endif %} + + +{% ifversion ghes > 3.8 % %} + +| Token | {% data variables.product.prodname_secret_scanning_caps %} alert | Push protection | Validity check | +|----|----|:----:|:----:| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | +{%- endfor %} + +{% 
endif %} + + +{% ifversion ghae < 3.5 %} + +| Token | {% data variables.product.prodname_secret_scanning_caps %} alert | +|----|----| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | +{%- endfor %} + +{% endif %} + + +{% ifversion ghae = 3.5 or ghae > 3.5 %} + +| Token | {% data variables.product.prodname_secret_scanning_caps %} alert | Push protection | +|----|----|:----:| +{%- for entry in secretScanningData %} +| {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | +{%- endfor %} + +{% endif %} + ## Further reading - "[AUTOTITLE](/code-security/getting-started/securing-your-repository)" diff --git a/content/code-security/secret-scanning/troubleshooting-secret-scanning.md b/content/code-security/secret-scanning/troubleshooting-secret-scanning.md index 4d70ad85948d..c985e70478f1 100644 --- a/content/code-security/secret-scanning/troubleshooting-secret-scanning.md +++ b/content/code-security/secret-scanning/troubleshooting-secret-scanning.md 
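Review bot: The tag `{% ifversion ghes > 3.8 % %}` that opens the newest GHES table has a stray `%` before the closing delimiter, so it is not a well-formed Liquid tag, and the table carrying the Validity check column will probably fail to render or break the build for those versions; it should read `{% ifversion ghes > 3.8 %}`. In the legend above the tables the first bullet is labelled `**Pattern**` while the column it explains is headed `Partner`, so the two cannot be matched up; `- **Partner**—token for which leaks are reported to the relevant token partner.` would agree with the header. The GHES/GHAE bullet also ends "and … enabled" without a verb and should read "are enabled".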
@@ -22,7 +22,7 @@ topics:
 {% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource.
-Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the tables in "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
+Pairs pushed to different files, or not pushed to the same repository, will not result in alerts. For more information about the supported pattern pairs, see the table in "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns)."
 {% ifversion secret-scanning-validity-check %}
 ## About legacy GitHub tokens
@@ -33,7 +33,7 @@ For {% data variables.product.prodname_dotcom %} tokens, we check the validity o
 {% ifversion secret-scanning-push-protection %}
 ## Push protection limitations
-If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-push-protection)."
+If push protection did not detect a secret that you think should have been detected, then you should first check that push protection supports the secret type in the list of supported secrets. For further information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
 If your secret is in the supported list, there are various reasons why push protection may not detect it.
diff --git a/data/secret-scanning.yml b/data/secret-scanning.yml index e90093ea1452..47a880d9e808 100644 --- a/data/secret-scanning.yml +++ b/data/secret-scanning.yml @@ -9,6 +9,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Adobe' supportedSecret: 'Adobe Device Token' @@ -21,6 +22,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Adobe' supportedSecret: 'Adobe JSON Web Token' @@ -33,6 +35,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Adobe' supportedSecret: 'Adobe Service Token' @@ -45,6 +48,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Adobe' supportedSecret: 'Adobe Short-Lived Access Token' @@ -57,26 +61,20 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false - -- provider: 'Alibaba Cloud' - supportedSecret: 'Alibaba Cloud Access Key ID and Access Key Secret pair' - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false + hasValidityCheck: false - provider: 'Alibaba Cloud' supportedSecret: 'Alibaba Cloud Access Key ID with Alibaba Cloud Access Key Secret' secretType: 'alibaba_cloud_access_key_id
alibaba_cloud_access_key_secret' versions: + fpt: '*' ghec: '*' ghes: '>=3.5' ghae: '>= 3.5' - isPublic: false + isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Amazon' supportedSecret: 'Amazon OAuth Client ID with Amazon OAuth Client Secret' @@ -88,26 +86,20 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true - -- provider: 'Amazon Web Services (AWS)' - supportedSecret: 'Amazon AWS Access Key ID and Secret Access Key pair' - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false + hasValidityCheck: false - provider: 'Amazon Web Services (AWS)' supportedSecret: 'Amazon AWS Access Key ID with Amazon AWS Secret Access Key' secretType: 'aws_access_key_id
aws_secret_access_key' versions: + fpt: '*' ghec: '*' ghes: '>=3.5' ghae: '>= 3.5' - isPublic: false + isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Amazon Web Services (AWS)' supportedSecret: 'Amazon AWS Session Token with Amazon AWS Temporary Access Key ID and Amazon AWS Secret Access Key' @@ -119,6 +111,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Asana' supportedSecret: 'Asana Personal Access Token' @@ -130,6 +123,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Atlassian' supportedSecret: 'Atlassian API Token' @@ -142,6 +136,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Atlassian' supportedSecret: 'Atlassian JSON Web Token' @@ -154,6 +149,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Atlassian' supportedSecret: 'Bitbucket Server Personal Access Token' @@ -165,6 +161,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Active Directory Application Secret' @@ -177,6 +174,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Batch Key Identifiable' @@ -189,6 +187,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Cache for Redis Access Key' @@ -200,6 +199,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure CosmosDB Key Identifiable' @@ -212,6 +212,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure DevOps Personal Access Token' 
@@ -224,6 +225,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure ML Studio (classic) Web Service Key' @@ -236,6 +238,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure ML Studio (classic) Web Service Key' @@ -247,6 +250,7 @@ isPublic: false isPrivateWithGhas: false hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure SAS Token' @@ -259,6 +263,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Search Admin Key' @@ -271,6 +276,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Search Query Key' @@ -283,6 +289,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Service Management Certificate' @@ -295,6 +302,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure SQL Connection String' @@ -307,6 +315,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Azure' supportedSecret: 'Azure Storage Account Key' @@ -319,6 +328,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Beamer' supportedSecret: 'Beamer API Key' @@ -330,6 +340,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Checkout.com' supportedSecret: 'Checkout.com Production Secret Key' @@ -342,6 +353,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Checkout.com' supportedSecret: 'Checkout.com Test Secret Key' 
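Review bot: The two `Azure ML Studio (classic) Web Service Key` entries touched by the hunks at `-236,6` and `-247,6` share one `supportedSecret` but carry opposite flags (`isPrivateWithGhas: true` with `hasPushProtection: false`, then `isPrivateWithGhas: false` with `hasPushProtection: true`), and nothing in the data explains why. The page template in this commit prints one table row per entry, so a reader checking push-protection coverage will presumably see two rows for what looks like one token; the `secretType` lines lie outside these hunks, so whether the rows are distinguishable cannot be confirmed from here. A comment on the second entry such as `# push-protection-only pattern version, rendered as its own table row` would record the intent. The `HashiCorp Vault … (v1.10.0+)` entries at `-1075,6`, `-1097,6` and `-1119,6` follow the same pattern.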
@@ -354,6 +366,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Chief Tools' supportedSecret: 'Chief Tools Token' @@ -366,6 +379,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Clojars' supportedSecret: 'Clojars Deploy Token' @@ -378,6 +392,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'CloudBees CodeShip' supportedSecret: 'CloudBees CodeShip Credential' @@ -390,6 +405,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Contentful' supportedSecret: 'Contentful Personal Access Token' @@ -401,24 +417,18 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Contributed Systems' supportedSecret: 'Contributed Systems Credentials' + secretType: 'CONTRIBUTED_SYSTEMS_CREDENTIALS' versions: fpt: '*' ghec: '*' isPublic: true isPrivateWithGhas: false hasPushProtection: false - -- provider: 'Crates.io' - supportedSecret: 'Crates.io API Token' - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false + hasValidityCheck: false - provider: 'Databricks' supportedSecret: 'Databricks Access Token' @@ -431,15 +441,18 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Datadog' supportedSecret: 'Datadog API Key' + secretType: 'DATADOG_API_KEY' versions: fpt: '*' ghec: '*' isPublic: true isPrivateWithGhas: false hasPushProtection: false + hasValidityCheck: false - provider: 'DevCycle' supportedSecret: 'DevCycle Client API Key' @@ -452,6 +465,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'DevCycle' supportedSecret: 'DevCycle Mobile API Key' 
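Review bot: The hunk at `-401,24` deletes the partner-only `Crates.io API Token` entry outright, whereas the neighbouring partner-only entries (`Contributed Systems Credentials` here, `Datadog API Key` in the next hunk) are kept and given a `secretType`; unless another Crates.io entry exists outside the hunk, that provider drops out of the supported-secrets table. If the removal is not intended, keep the entry and give it a `secretType` and `hasValidityCheck: false` like its neighbours. The added values `CONTRIBUTED_SYSTEMS_CREDENTIALS`, `DATADOG_API_KEY` and, at `-1360,15`, `MANDRILL_API` are upper-case while the other `secretType` values visible in this diff are lower-case. Since the table now prints `secretType` in its Token column, it is worth confirming these are the identifiers readers should see there.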
@@ -463,6 +477,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'DevCycle' supportedSecret: 'DevCycle Server API Key' @@ -475,6 +490,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'DigitalOcean' supportedSecret: 'DigitalOcean OAuth Token' @@ -487,6 +503,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'DigitalOcean' supportedSecret: 'DigitalOcean Personal Access Token' @@ -499,6 +516,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'DigitalOcean' supportedSecret: 'DigitalOcean Refresh Token' @@ -511,6 +529,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'DigitalOcean' supportedSecret: 'DigitalOcean System Token' @@ -523,6 +542,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Discord' supportedSecret: 'Discord API Token V2' @@ -534,6 +554,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Discord' supportedSecret: 'Discord Bot Token' @@ -546,6 +567,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Doppler' supportedSecret: 'Doppler Audit Token' @@ -558,6 +580,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Doppler' supportedSecret: 'Doppler CLI Token' @@ -570,6 +593,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Doppler' supportedSecret: 'Doppler Personal Token' @@ -582,6 +606,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Doppler' supportedSecret: 'Doppler SCIM Token' 
@@ -594,6 +619,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Doppler' supportedSecret: 'Doppler Service Token' @@ -606,6 +632,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Dropbox' supportedSecret: 'Dropbox Access Token' @@ -618,6 +645,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Dropbox' supportedSecret: 'Dropbox Short Lived Access Token' @@ -630,6 +658,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Duffel' supportedSecret: 'Duffel Live Access Token' @@ -641,6 +670,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Duffel' supportedSecret: 'Duffel Test Access Token' @@ -652,6 +682,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Dynatrace' supportedSecret: 'Dynatrace Access Token' @@ -664,6 +695,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Dynatrace' supportedSecret: 'Dynatrace Internal Token' @@ -676,6 +708,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'EasyPost' supportedSecret: 'EasyPost Production API Key' @@ -687,6 +720,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'EasyPost' supportedSecret: 'EasyPost Test API Key' @@ -698,6 +732,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'eBay' supportedSecret: 'eBay Production Client ID (App ID) with eBay Production Client Secret (Cert ID)' 
@@ -709,6 +744,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'eBay' supportedSecret: 'eBay Sandbox Client ID (App ID) with eBay Sandbox Client Secret (Cert ID)' @@ -720,6 +756,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Fastly' supportedSecret: 'Fastly API Token' @@ -731,6 +768,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Figma' supportedSecret: 'Figma Personal Access Token' @@ -743,6 +781,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Finicity' supportedSecret: 'Finicity App Key' @@ -755,6 +794,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Flutterwave' supportedSecret: 'Flutterwave Live API Secret Key' @@ -766,6 +806,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Flutterwave' supportedSecret: 'Flutterwave Test API Secret Key' @@ -777,6 +818,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Frame.io' supportedSecret: 'Frame.io Developer Token' @@ -789,6 +831,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Frame.io' supportedSecret: 'Frame.io JSON Web Token' @@ -801,6 +844,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'FullStory' supportedSecret: 'FullStory API Key' @@ -813,6 +857,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'GitHub' supportedSecret: 'GitHub App Installation Access Token' @@ -825,6 +870,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: true - provider: 'GitHub' supportedSecret: 'GitHub OAuth Access Token' 
@@ -837,6 +883,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: true - provider: 'GitHub' supportedSecret: 'GitHub Personal Access Token' @@ -849,6 +896,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: true - provider: 'GitHub' supportedSecret: 'GitHub Refresh Token' @@ -861,6 +909,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: true - provider: 'GitHub' supportedSecret: 'GitHub SSH Private Key' @@ -873,6 +922,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: true - provider: 'GitLab' supportedSecret: 'GitLab Access Token' @@ -884,6 +934,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'GoCardless' supportedSecret: 'GoCardless Live Access Token' @@ -896,6 +947,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'GoCardless' supportedSecret: 'GoCardless Sandbox Access Token' @@ -908,6 +960,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Google' supportedSecret: 'Firebase Cloud Messaging Server Key' @@ -919,6 +972,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Google' supportedSecret: 'Google Cloud Storage Service Account Access Key ID with Google Cloud Storage Access Key Secret' @@ -930,6 +984,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Google' supportedSecret: 'Google Cloud Storage User Access Key ID with Google Cloud Storage Access Key Secret' @@ -941,6 +996,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Google' supportedSecret: 'Google OAuth Access Token' 
@@ -952,6 +1008,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Google' supportedSecret: 'Google OAuth Client ID with Google OAuth Client Secret' @@ -963,6 +1020,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Google' supportedSecret: 'Google OAuth Refresh Token' @@ -974,6 +1032,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Google Cloud' supportedSecret: 'Google API Key' @@ -986,6 +1045,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Google Cloud' supportedSecret: 'Google Cloud Private Key ID' @@ -998,6 +1058,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Grafana' supportedSecret: 'Grafana API Key' @@ -1009,6 +1070,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Grafana' supportedSecret: 'Grafana Cloud API Key' @@ -1020,6 +1082,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Grafana' supportedSecret: 'Grafana Cloud API Token' @@ -1031,6 +1094,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Grafana' supportedSecret: 'Grafana Project API Key' @@ -1042,6 +1106,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Grafana' supportedSecret: 'Grafana Project Service Account Token' @@ -1053,6 +1118,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'HashiCorp' supportedSecret: 'HashiCorp Vault Batch Token' 
@@ -1064,6 +1130,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'HashiCorp' supportedSecret: 'HashiCorp Vault Batch Token (v1.10.0+)' @@ -1075,6 +1142,7 @@ isPublic: false isPrivateWithGhas: false hasPushProtection: true + hasValidityCheck: false - provider: 'HashiCorp' supportedSecret: 'HashiCorp Vault Root Service Token' @@ -1086,6 +1154,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'HashiCorp' supportedSecret: 'HashiCorp Vault Root Service Token (v1.10.0+)' @@ -1097,6 +1166,7 @@ isPublic: false isPrivateWithGhas: false hasPushProtection: true + hasValidityCheck: false - provider: 'HashiCorp' supportedSecret: 'HashiCorp Vault Service Token' @@ -1108,6 +1178,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'HashiCorp' supportedSecret: 'HashiCorp Vault Service Token (v1.10.0+)' @@ -1119,6 +1190,7 @@ isPublic: false isPrivateWithGhas: false hasPushProtection: true + hasValidityCheck: false - provider: 'Hashicorp Terraform' supportedSecret: 'Terraform Cloud / Enterprise API Token' @@ -1131,6 +1203,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Highnote' supportedSecret: 'Highnote RK Live Key' @@ -1142,6 +1215,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Highnote' supportedSecret: 'Highnote RK Test Key' @@ -1153,6 +1227,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Highnote' supportedSecret: 'Highnote SK Live Key' @@ -1164,6 +1239,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Highnote' supportedSecret: 'Highnote SK Test Key' 
@@ -1175,6 +1251,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Hubspot' supportedSecret: 'Hubspot API Key' @@ -1187,6 +1264,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Hubspot' supportedSecret: 'Hubspot API Personal Access Key' @@ -1199,6 +1277,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Intercom' supportedSecret: 'Intercom Access Token' @@ -1210,6 +1289,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Ionic' supportedSecret: 'Ionic Personal Access Token' @@ -1222,6 +1302,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Ionic' supportedSecret: 'Ionic Refresh Token' @@ -1234,6 +1315,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'JD Cloud' supportedSecret: 'JD Cloud Access Key' @@ -1246,6 +1328,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'JFrog' supportedSecret: 'JFrog Platform Access Token' @@ -1257,6 +1340,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'JFrog' supportedSecret: 'JFrog Platform API Key' @@ -1268,6 +1352,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Linear' supportedSecret: 'Linear API Key' @@ -1280,6 +1365,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Linear' supportedSecret: 'Linear OAuth Access Token' @@ -1292,6 +1378,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Lob' supportedSecret: 'Lob Live API Key' 
@@ -1303,6 +1390,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Lob' supportedSecret: 'Lob Test API Key' @@ -1314,6 +1402,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'LocalStack' supportedSecret: 'LocalStack API Key' @@ -1326,6 +1415,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'LogicMonitor' supportedSecret: 'LogicMonitor Bearer Token' @@ -1337,6 +1427,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'LogicMonitor' supportedSecret: 'LogicMonitor LMV1 Access Key' @@ -1348,6 +1439,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Mailchimp' supportedSecret: 'Mailchimp API Key' @@ -1360,15 +1452,18 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Mailchimp' supportedSecret: 'Mandrill API Key' + secretType: 'MANDRILL_API' versions: fpt: '*' ghec: '*' isPublic: true isPrivateWithGhas: false hasPushProtection: false + hasValidityCheck: false - provider: 'Mailgun' supportedSecret: 'Mailgun API Key' @@ -1381,6 +1476,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Mapbox' supportedSecret: 'Mapbox Secret Access Token' @@ -1392,6 +1488,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'MessageBird' supportedSecret: 'MessageBird API Key' @@ -1404,6 +1501,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Meta' supportedSecret: 'Facebook Access Token' @@ -1416,6 +1514,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Midtrans' supportedSecret: 'Midtrans Production Server Key' 
@@ -1427,6 +1526,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Midtrans' supportedSecret: 'Midtrans Sandbox Server Key' @@ -1438,6 +1538,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'New Relic' supportedSecret: 'New Relic Insights Query Key' @@ -1449,6 +1550,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'New Relic' supportedSecret: 'New Relic License Key' @@ -1460,6 +1562,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'New Relic' supportedSecret: 'New Relic Personal API Key' @@ -1471,6 +1574,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'New Relic' supportedSecret: 'New Relic REST API Key' @@ -1482,6 +1586,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Notion' supportedSecret: 'Notion Integration Token' @@ -1493,6 +1598,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Notion' supportedSecret: 'Notion OAuth Client Secret' @@ -1504,6 +1610,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'npm' supportedSecret: 'npm Access Token' @@ -1516,6 +1623,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'NuGet' supportedSecret: 'NuGet API Key' @@ -1528,6 +1636,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Octopus Deploy' supportedSecret: 'Octopus Deploy API Key' @@ -1540,6 +1649,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Oculus' supportedSecret: 'Oculus Very Tiny Encrypted Session' 
@@ -1551,6 +1661,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Onfido' supportedSecret: 'Onfido Live API Token' @@ -1562,6 +1673,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Onfido' supportedSecret: 'Onfido Sandbox API Token' @@ -1573,6 +1685,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'OpenAI' supportedSecret: 'OpenAI API Key' @@ -1585,6 +1698,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Palantir' supportedSecret: 'Palantir JSON Web Token' @@ -1597,6 +1711,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Persona' supportedSecret: 'Persona Production API Key' @@ -1608,6 +1723,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Persona' supportedSecret: 'Persona Sandbox API Key' @@ -1619,6 +1735,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'PlanetScale' supportedSecret: 'PlanetScale Database Password' @@ -1631,6 +1748,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'PlanetScale' supportedSecret: 'PlanetScale OAuth Token' @@ -1643,6 +1761,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'PlanetScale' supportedSecret: 'PlanetScale Service Token' @@ -1655,26 +1774,20 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true - -- provider: 'Plivo' - supportedSecret: 'Plivo Auth ID and Token' - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false + hasValidityCheck: false - provider: 'Plivo' supportedSecret: 'Plivo Auth ID with Plivo Auth Token' secretType: 'plivo_auth_id
plivo_auth_token' versions: + fpt: '*' ghec: '*' ghes: '*' ghae: '*' - isPublic: false + isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Postman' supportedSecret: 'Postman API Key' @@ -1687,6 +1800,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Postman' supportedSecret: 'Postman Collection Key' @@ -1698,6 +1812,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Prefect' supportedSecret: 'Prefect Server API Key' @@ -1710,6 +1825,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Prefect' supportedSecret: 'Prefect User API Key' @@ -1721,15 +1837,18 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Prefect' supportedSecret: 'Prefect User API Token' + secretType: 'PREFECT_USER_API_TOKEN' versions: fpt: '*' ghec: '*' isPublic: true isPrivateWithGhas: false hasPushProtection: false + hasValidityCheck: false - provider: 'Proctorio' supportedSecret: 'Proctorio Consumer Key' @@ -1742,6 +1861,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Proctorio' supportedSecret: 'Proctorio Linkage Key' @@ -1754,6 +1874,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Proctorio' supportedSecret: 'Proctorio Registration Key' @@ -1766,6 +1887,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Proctorio' supportedSecret: 'Proctorio Secret Key' @@ -1778,6 +1900,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Pulumi' supportedSecret: 'Pulumi Access Token' 
@@ -1790,6 +1913,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'PyPI' supportedSecret: 'PyPI API Token' @@ -1802,6 +1926,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'ReadMe' supportedSecret: 'ReadMe API Access Key' @@ -1814,6 +1939,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'redirect.pizza' supportedSecret: 'redirect.pizza API Token' @@ -1826,6 +1952,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'RubyGems' supportedSecret: 'RubyGems API Key' @@ -1838,6 +1965,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Samsara' supportedSecret: 'Samsara API Token' @@ -1850,6 +1978,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Samsara' supportedSecret: 'Samsara OAuth Access Token' @@ -1862,6 +1991,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Segment' supportedSecret: 'Segment Public API Token' @@ -1874,6 +2004,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'SendGrid' supportedSecret: 'SendGrid API Key' @@ -1886,6 +2017,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Sendinblue' supportedSecret: 'Sendinblue API Key' @@ -1898,6 +2030,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Sendinblue' supportedSecret: 'Sendinblue SMTP Key' @@ -1910,6 +2043,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Shippo' supportedSecret: 'Shippo Live API Token' 
@@ -1921,6 +2055,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Shippo' supportedSecret: 'Shippo Test API Token' @@ -1932,6 +2067,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify Access Token' @@ -1944,6 +2080,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify App Client Credentials' @@ -1955,6 +2092,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify App Client Secret' @@ -1966,6 +2104,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify App Shared Secret' @@ -1978,6 +2117,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify Custom App Access Token' @@ -1990,6 +2130,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify Marketplace Token' @@ -2001,6 +2142,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify Merchant Token' @@ -2012,6 +2154,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify Partner API Token' @@ -2023,6 +2166,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Shopify' supportedSecret: 'Shopify Private App Password' @@ -2035,6 +2179,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Slack' supportedSecret: 'Slack API Token' 
@@ -2047,6 +2192,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Slack' supportedSecret: 'Slack Incoming Webhook URL' @@ -2059,6 +2205,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Slack' supportedSecret: 'Slack Workflow Webhook URL' @@ -2071,6 +2218,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Square' supportedSecret: 'Square Access Token' @@ -2082,6 +2230,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Square' supportedSecret: 'Square Production Application Secret' @@ -2093,6 +2242,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Square' supportedSecret: 'Square Sandbox Application Secret' @@ -2104,6 +2254,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'SSLMate' supportedSecret: 'SSLMate API Key' @@ -2116,6 +2267,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'SSLMate' supportedSecret: 'SSLMate Cluster Secret' @@ -2128,6 +2280,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe API Key' @@ -2139,6 +2292,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe Live API Restricted Key' @@ -2151,6 +2305,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe Live API Secret Key' @@ -2163,6 +2318,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe Live API Secret Key' 
@@ -2174,6 +2330,7 @@ isPublic: false isPrivateWithGhas: false hasPushProtection: true + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe Test API Restricted Key' @@ -2186,6 +2343,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe Test API Secret Key' @@ -2198,6 +2356,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Stripe' supportedSecret: 'Stripe Webhook Signing Secret' @@ -2209,6 +2368,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Supabase' supportedSecret: 'Supabase Service Key' @@ -2221,6 +2381,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Tableau' supportedSecret: 'Tableau Personal Access Token' @@ -2232,6 +2393,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Telegram' supportedSecret: 'Telegram Bot Token' @@ -2243,6 +2405,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Telnyx' supportedSecret: 'Telnyx API V2 Key' @@ -2255,6 +2418,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Tencent Cloud' supportedSecret: 'Tencent Cloud Secret ID' @@ -2267,6 +2431,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Tencent WeChat' supportedSecret: 'Tencent WeChat API App ID' @@ -2279,6 +2444,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Twilio' supportedSecret: 'Twilio Access Token' @@ -2290,6 +2456,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Twilio' supportedSecret: 'Twilio Account String Identifier' 
@@ -2302,6 +2469,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Twilio' supportedSecret: 'Twilio API Key' @@ -2314,6 +2482,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Typeform' supportedSecret: 'Typeform Personal Access Token' @@ -2326,6 +2495,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'Uniwise' supportedSecret: 'WISEflow API Key' @@ -2338,15 +2508,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true - -- provider: 'Valour' - supportedSecret: 'Valour Access Token' - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false + hasValidityCheck: false - provider: 'WakaTime' supportedSecret: 'WakaTime App Secret' @@ -2359,6 +2521,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'WakaTime' supportedSecret: 'WakaTime OAuth Access Token' @@ -2371,6 +2534,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'WakaTime' supportedSecret: 'WakaTime OAuth Refresh Token' @@ -2383,6 +2547,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'WorkOS' supportedSecret: 'WorkOS Production API Key' @@ -2394,6 +2559,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false - provider: 'WorkOS' supportedSecret: 'WorkOS Staging API Key' @@ -2405,6 +2571,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Cloud Access Secret' @@ -2417,6 +2584,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Cloud API Key' 
@@ -2429,6 +2597,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Cloud IAM Cookie' @@ -2441,6 +2610,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Cloud IAM Token' @@ -2453,6 +2623,7 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Dictionary API Key' @@ -2465,15 +2636,18 @@ isPublic: true isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Passport OAuth Token' + secretType: 'YANDEX_PASSPORT_OAUTH_TOKEN' versions: fpt: '*' ghec: '*' isPublic: true isPrivateWithGhas: false hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Predictor API Key' @@ -2485,6 +2659,7 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false + hasValidityCheck: false - provider: 'Yandex' supportedSecret: 'Yandex.Translate API Key' @@ -2496,23 +2671,17 @@ isPublic: false isPrivateWithGhas: true hasPushProtection: false - -- provider: 'Zuplo' - supportedSecret: 'Zuplo Consumer API' - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false + hasValidityCheck: false - provider: 'Zuplo' supportedSecret: 'Zuplo Consumer API Key' secretType: 'zuplo_consumer_api_key' versions: + fpt: '*' ghec: '*' ghes: '>3.6' ghae: '>3.6' - isPublic: false + isPublic: true isPrivateWithGhas: true hasPushProtection: true + hasValidityCheck: false diff --git a/middleware/contextualizers/secret-scanning.js b/middleware/contextualizers/secret-scanning.js index 6ab0827155c8..797dbd747f85 100644 --- a/middleware/contextualizers/secret-scanning.js +++ b/middleware/contextualizers/secret-scanning.js 
@@ -13,17 +13,9 @@ export default async function secretScanning(req, res, next) { const { currentVersion } = req.context - // Create separate properties for each table for now - this keeps things simpler in the Markdown. - // In the future if we combine the tables into a single table or some other format, we - // can just add the entire secretScanning array to the context here. - const currentVersionData = secretScanningData.filter((entry) => + req.context.secretScanningData = secretScanningData.filter((entry) => getApplicableVersions(entry.versions).includes(currentVersion) ) - req.context.secretScanning = { - isPublic: currentVersionData.filter((entry) => entry.isPublic), - isPrivateWithGhas: currentVersionData.filter((entry) => entry.isPrivateWithGhas), - hasPushProtection: currentVersionData.filter((entry) => entry.hasPushProtection), - } return next() } diff --git a/tests/helpers/schemas/secret-scanning-schema.js b/tests/helpers/schemas/secret-scanning-schema.js index 5f48e6304898..944ea365c9cc 100644 --- a/tests/helpers/schemas/secret-scanning-schema.js +++ b/tests/helpers/schemas/secret-scanning-schema.js @@ -39,7 +39,8 @@ delete versionsProps.required // }, // "isPublic": true, // "isPrivateWithGhas": true, -// "hasPushProtection": false +// "hasPushProtection": false, +// "hasValidityCheck": false // }, export default { @@ -50,11 +51,12 @@ export default { required: [ 'provider', 'supportedSecret', - // 'secretType', // TODO: Once the secretTypes are fully populated in the JSON, make this required. + 'secretType', 'versions', 'isPublic', 'isPrivateWithGhas', 'hasPushProtection', + 'hasValidityCheck', ], properties: { provider: { @@ -83,6 +85,10 @@ export default { description: 'whether the secret has push protection', type: 'boolean', }, + hasValidityCheck: { + description: 'whether the secret has its validation status checked', + type: 'boolean', + }, }, }, }
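Review bot: Replacing `req.context.secretScanning` with `req.context.secretScanningData` drops the `isPublic` / `isPrivateWithGhas` / `hasPushProtection` sub-arrays with no fallback, so any template outside this diff that still reads the old key would presumably render an empty supported-secrets table instead of failing. That table is what readers use to judge detection coverage, so a rendering test asserting that the table has rows for each version would catch a silent gap. The explanatory comment was also deleted; I would put one back above the assignment, `// Entries applicable to currentVersion; consumers filter on isPublic, isPrivateWithGhas, hasPushProtection and hasValidityCheck.` The body of `secretScanning` starts before this hunk.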
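Review bot: In the `@@ -50,11 +51,12 @@` hunk `'secretType'` moves into `required`, but `required` only checks that the key is present. Its property definition lies outside the visible hunks, so if it is a bare `type: 'string'`, an empty or filler value still validates. Since this value appears to be what users match against alert types, I would tighten the property with `minLength: 1` and, if the allowed form can be pinned down, a `pattern` that also accepts the two-identifier Plivo value.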