Skill

secret-scanning

Guides configuring GitHub secret scanning, push protection, custom patterns, exclusions, and alert remediation. Enables pre-commit scanning for AI coding agents via MCP.

Github

Git

security

From awesome-copilot

Install

Run in your terminal

npx claudepluginhub ctr26/dotfiles --plugin awesome-copilot

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

references/alerts-and-remediation.md

references/custom-patterns.md

references/push-protection.md

Skill Content

Similar Skills

context7-mcp

Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.

context7-plugin

51.8k

context7-mcp

Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.

context7

50.8k

context7-cli

3 files

Uses ctx7 CLI to fetch current library docs, manage AI coding skills (install/search/generate), and configure Context7 MCP for AI editors.

context7

50.8k

Stats

Stars28207

Forks3270

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Secret Scanning

This skill provides procedural guidance for configuring GitHub secret scanning — detecting leaked credentials, preventing secret pushes, defining custom patterns, and managing alerts.

When to Use This Skill

Use this skill when the request involves:

Enabling or configuring secret scanning for a repository or organization
Setting up push protection to block secrets before they reach the repository
Defining custom secret patterns with regular expressions
Resolving a blocked push from the command line
Triaging, dismissing, or remediating secret scanning alerts
Configuring delegated bypass for push protection
Excluding directories from secret scanning via secret_scanning.yml
Understanding alert types (user, partner, push protection)
Enabling validity checks or extended metadata checks
Scanning local code changes for secrets before committing (via MCP / AI coding agent) — see the Pre-Commit Scanning via AI Coding Agents section below for the recommended plugin

How Secret Scanning Works

Secret scanning automatically detects exposed credentials across:

Entire Git history on all branches
Issue descriptions, comments, and titles (open and closed)
Pull request titles, descriptions, and comments
GitHub Discussions titles, descriptions, and comments
Wikis and secret gists

Availability

Repository Type	Availability
Public repos	Automatic, free
Private/internal (org-owned)	Requires GitHub Secret Protection on Team/Enterprise Cloud
User-owned	Enterprise Cloud with Enterprise Managed Users

Core Workflow — Enable Secret Scanning

Step 1: Enable Secret Protection

Navigate to repository Settings → Advanced Security
Click Enable next to "Secret Protection"
Confirm by clicking Enable Secret Protection

For organizations, use security configurations to enable at scale:

Settings → Advanced Security → Global settings → Security configurations

Step 2: Enable Push Protection

Push protection blocks secrets during the push process — before they reach the repository.

Navigate to repository Settings → Advanced Security
Enable "Push protection" under Secret Protection

Push protection blocks secrets in:

Command line pushes
GitHub UI commits
File uploads
REST API requests
REST API content creation endpoints

Step 3: Configure Exclusions (Optional)

Create .github/secret_scanning.yml to auto-close alerts for specific directories:

paths-ignore:
  - "docs/**"
  - "test/fixtures/**"
  - "**/*.example"

Limits:

Maximum 1,000 entries in paths-ignore
File must be under 1 MB
Excluded paths also skip push protection checks

Best practices:

Be as specific as possible with exclusion paths
Add comments explaining why each path is excluded
Review exclusions periodically — remove stale entries
Inform the security team about exclusions

Step 4: Enable Additional Features (Optional)

Non-provider patterns — detect private keys, connection strings, generic API keys:

Settings → Advanced Security → enable "Scan for non-provider patterns"

AI-powered generic secret detection — uses Copilot to detect unstructured secrets like passwords:

Settings → Advanced Security → enable "Use AI detection"

Validity checks — verify if detected secrets are still active:

Settings → Advanced Security → enable "Validity checks"
GitHub periodically tests detected credentials against provider APIs
Status shown in alert: active, inactive, or unknown

Extended metadata checks — additional context about who owns a secret:

Requires validity checks to be enabled first
Helps prioritize remediation and identify responsible teams

Core Workflow — Resolve Blocked Pushes

When push protection blocks a push from the command line:

Option A: Remove the Secret

If the secret is in the latest commit:

# Remove the secret from the file
# Then amend the commit
git commit --amend --all
git push

If the secret is in an earlier commit:

# Find the earliest commit containing the secret
git log

# Start interactive rebase before that commit
git rebase -i <COMMIT-ID>~1

# Change 'pick' to 'edit' for the offending commit
# Remove the secret, then:
git add .
git commit --amend
git rebase --continue
git push

Option B: Bypass Push Protection

Visit the URL returned in the push error message (as the same user)
Select a bypass reason:
- It's used in tests — alert created and auto-closed
- It's a false positive — alert created and auto-closed
- I'll fix it later — open alert created
Click Allow me to push this secret
Re-push within 3 hours

Option C: Request Bypass Privileges

If delegated bypass is enabled and you lack bypass privileges:

Visit the URL from the push error
Add a comment explaining why the secret is safe
Click Submit request
Wait for email notification of approval/denial
If approved, push the commit; if denied, remove the secret

For detailed bypass and delegated bypass workflows, search references/push-protection.md.

Custom Patterns

Define organization-specific secret patterns using regular expressions.

Quick Setup

Settings → Advanced Security → Custom patterns → New pattern
Enter pattern name and regex for secret format
Add a sample test string
Click Save and dry run to test (up to 1,000 results)
Review results for false positives
Click Publish pattern
Optionally enable push protection for the pattern

Scopes

Custom patterns can be defined at:

Repository level — applies to that repo only
Organization level — applies to all repos with secret scanning enabled
Enterprise level — applies across all organizations

Copilot-Assisted Pattern Generation

Use Copilot secret scanning to generate regex from a text description of the secret type, including optional example strings.

For detailed custom pattern configuration, search references/custom-patterns.md.

Alert Management

Alert Types

Type	Description	Visibility
User alerts	Secrets found in repository	Security tab
Push protection alerts	Secrets pushed via bypass	Security tab (filter: `bypassed: true`)
Partner alerts	Secrets reported to provider	Not shown in repo (provider-only)

Alert Lists

Default alerts — supported provider patterns and custom patterns
Generic alerts — non-provider patterns and AI-detected secrets (limited to 5,000 per repo)

Remediation Priority

Rotate the credential immediately — this is the critical action
Review the alert for context (location, commit, author)
Check validity status: active (urgent), inactive (lower priority), unknown
Remove from Git history if needed (time-intensive, often unnecessary after rotation)

Dismissing Alerts

Dismiss with a documented reason:

False positive — detected string is not a real secret
Revoked — credential has already been revoked
Used in tests — secret is only in test code

For detailed alert types, validity checks, and REST API, search references/alerts-and-remediation.md.

Pre-Commit Scanning via AI Coding Agents

For scanning code changes for secrets inside an AI coding agent before committing, install the Advanced Security plugin which provides the run_secret_scanning MCP tool and a dedicated scanning skill.

GitHub Copilot CLI:

/plugin install advanced-security@copilot-plugins

Visual Studio Code:

In Copilot Chat, open Chat: Plugins (or use @agentPlugins) and install the advanced-security plugin
Then run /secret-scanning in Copilot Chat

See: Advanced Security Plugin — Secret Scanning Skill

Announced in Secret scanning in AI coding agents via the GitHub MCP Server (March 2026)

Reference Files

For detailed documentation, load the following reference files as needed:

references/push-protection.md — Push protection mechanics, bypass workflow, delegated bypass, user push protection
- Search patterns: bypass, delegated, bypass request, command line, REST API, user push protection
references/custom-patterns.md — Custom pattern creation, regex syntax, dry runs, Copilot regex generation, scopes
- Search patterns: custom pattern, regex, dry run, publish, organization, enterprise, Copilot
references/alerts-and-remediation.md — Alert types, validity checks, extended metadata, generic alerts, secret removal, REST API
- Search patterns: user alert, partner alert, validity, metadata, generic, remediation, git history, REST API