
GitHub Secret Scanning

GitHub Secret Scanning is GitHub's built-in feature that detects known credential patterns in repository content and alerts repository owners or partner services.

Why It Matters

GitHub Secret Scanning checks every push against patterns from 200+ service providers. When a match is found, the provider is notified and can automatically revoke the key. This is free for public repos and available with GitHub Advanced Security for private repos.

How It Works

On each push, GitHub scans the diff against a database of known secret patterns (contributed by partners). If a match is found, GitHub notifies the repository owner and optionally the partner service (e.g., AWS, Stripe), which can automatically revoke the credential.

Best Practices

  • Enable push protection to block secrets before they're pushed
  • Configure alerts to notify the security team, not just the pusher
  • Partner with GitHub for custom secret patterns if you're a provider
  • Use in combination with pre-commit hooks for defense in depth
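As an added example (not GitHub's or ShieldKey's code), here is the kind of check a pre-commit hook can run locally, before a push ever reaches GitHub: it scans only the lines a unified diff adds, the way the push-time scan described above does, and reports the file and new-file line number of each match. The two patterns are a constructed subset of well-known key formats, and the sample diff, file names and token values are constructed for the demonstration (the AWS value is AWS's published example key).

```python
import re

# Constructed subset of well-known formats; internal or custom keys will not match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """Scan only the lines a unified diff ADDS, like a push-time scan.

    Returns (path, new-file line number, pattern name) per match. Removed
    lines are skipped, so deleting an already-leaked key does not re-alert.
    """
    findings = []
    path, new_line, in_hunk = "", 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                      # a new file header follows
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")    # file being written to
        elif (m := HUNK_HEADER.match(raw)):
            new_line, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):
            for kind, pat in PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((path, new_line, kind))
            new_line += 1
        elif in_hunk and raw.startswith(" "):
            new_line += 1                        # context line counts in new file
        # "-" lines exist only in the old file and do not advance new_line
    return findings


# Constructed sample diff: an old AWS key is removed (not flagged), a GitHub
# token is added to config.py, and AWS's documented example key to deploy.sh.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 import os
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+GH_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -10,1 +10,2 @@
 set -e
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the GitHub token at config.py line 3 and the AWS key at deploy.sh line 11, while the removed key and the line that now reads from the environment produce nothing.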

Common Mistakes

  • Assuming it catches everything (custom/internal keys won't match partner patterns)
  • Dismissing alerts without rotating the detected key
  • Not enabling push protection (it blocks the push up front instead of alerting after the secret has already landed in history)

How ShieldKey Helps

If GitHub Secret Scanning detects a ShieldKey Shield Token in a repo, you can revoke it instantly without rotating the underlying API key — the fastest possible response to a scanning alert.

FAQ

Is GitHub Secret Scanning free?

Secret scanning alerts are free for all public repositories. For private repos, it's available with GitHub Advanced Security. Push protection (blocking secrets before push) is available in both.