为存储库启用有效性检查

对存储库启用有效性检查有助于确定警报修正的优先级,因为该检查会告知机密是处于活动状态还是非活动状态。

谁可以使用此功能?

合作伙伴模式的有效性检查可用于以下存储库类型:

GHE.com 上的 具有数据驻留的 GitHub Enterprise Cloud 不支持针对合作伙伴模式的有效性检查。

本文内容

About validity checks

You can enable validity checks for secrets identified as service provider tokens for your repository. Once enabled, GitHub will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of GitHub's secret scanning partnership program. To find out about our partner program, see Secret scanning partner program.

GitHub displays the validation status of the secret in the alert view, so you can see if the secret is active, inactive, or if the validation status is unknown. You can optionally perform an "on-demand" validity check for the secret in the alert view.

You can additionally choose to enable validity checks for partner patterns. Once enabled, GitHub will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of GitHub's formal secret scanning partnership program. GitHub typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.

GitHub displays the validation status of the secret in the alert view.

You can filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on.

注意

GitHub typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.

For more information on using validity checks, see Evaluating alerts from secret scanning.

Enabling validity checks

注意

You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see REST API endpoints for repositories.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Advanced Security.

  4. Under "Secret Protection", to the right of "Validity checks", click Enable.

  5. Scroll to the bottom of the page and click Save changes.

Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise. For more information on enabling at the organization-level, see Creating a custom security configuration. For more information on enabling at the enterprise-level, see Creating a custom security configuration for your enterprise.

Further reading