Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Repo sync #34818

Merged
merged 14 commits into from
Oct 2, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ allowTitleToDifferFromFilename: true
There are some additional features that can help you to evaluate alerts in order to better prioritize and manage them. You can:

* Check the validity of a secret, to see if the secret is still active. {% ifversion fpt or ghes %}**Applies to {% data variables.product.company_short %} tokens only**.{% endif %} For more information, see "[Checking a secret's validity](#checking-a-secrets-validity)."{% ifversion secret-scanning-validity-check-partner-patterns %}
* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand-validity-check](#performing-an-on-demand-validity-check)."{% endif %}
* Perform an "on-demand" validity check, to get the most up to date validation status. For more information, see "[Performing an on-demand validity check](#performing-an-on-demand-validity-check)."{% endif %}
* Review a token's metadata. **Applies to {% data variables.product.company_short %} tokens only**. For example, to see when the token was last used. For more information, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% ifversion secret-scanning-multi-repo-public-leak %}
* Review the labels assigned to the alert. For more information, see "[Reviewing alert labels](#reviewing-alert-labels)."{% endif %}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,18 +19,48 @@ allowTitleToDifferFromFilename: true

## Fixing alerts

Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.github %} recommends the following actions for compromised secrets:

* For a compromised {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, delete the compromised token, create a new token, and update any services that use the old token. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
{%- ifversion token-audit-log %}
* {% ifversion ghec %}If your organization is owned by an enterprise account, identify{% else %}Identify{% endif %} any actions taken by the compromised token on your enterprise's resources. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token)."
{%- endif %}
* For all other secrets, first verify that the secret committed to {% data variables.product.product_name %} is valid. If so, create a new secret, update any services that use the old secret, and then delete the old secret.
* Verify that the secret committed to {% data variables.product.github %} is valid. {% ifversion fpt or ghes %}**Applies to {% data variables.product.github %} tokens only**. See "[Checking a secret's validity](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."{% endif %}{% ifversion secret-scanning-validity-check-partner-patterns %}See "[Performing an on-demand validity check](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#performing-an-on-demand-validity-check)".{% endif %}{% ifversion secret-scanning-report-secret-github-pat %}
* For secrets detected in private repositories, report the leaked secret to {% data variables.product.github %}, who will treat it like any publicly leaked secret and revoke it. **Applies to {% data variables.product.github %} {% data variables.product.pat_generic %}s only**. See "[Reporting a leaked secret](#reporting-a-leaked-secret)." {% endif %}
* Review and update any services that use the old token. For {% data variables.product.github %} {% data variables.product.pat_generic %}s, delete the compromised token and create a new token. See "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)."
* Depending on the secret provider, check your security logs for any unauthorized activity.

{% ifversion fpt or ghec %}
{% ifversion secret-scanning-report-secret-github-pat %}

### Reporting a leaked secret

> [!NOTE]
> If a secret is detected in a public repository on {% data variables.product.prodname_dotcom %} and the secret also matches a partner pattern, an alert is generated and the potential secret is reported to the service provider. For details of partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
> {% data reusables.secret-scanning.report-secret-pat-beta-note %} The feature is currently only available for {% data variables.product.github %} {% data variables.product.pat_generic %}s (v1 and v2).

{% endif %}

{% ifversion fpt or ghec %}

If a secret is detected in a **public** repository on {% data variables.product.github %} and the secret also matches a supported partner pattern, the potential secret is **automatically reported** to the service provider. For details of all supported partner patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."

{% endif %}

{% ifversion secret-scanning-report-secret-github-pat %}

For secrets detected in **private** repositories, anyone who can view {% data variables.secret-scanning.alerts %} for a repository can choose to report the privately exposed secret directly to {% data variables.product.github %}.

By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked. This means the token provider may revoke the secret, so you should first consider reviewing and updating any services that use the secret. If possible, you should also consider notifying the token owner before reporting the token, so that the token owner is aware that the secret may get revoked.

You will only see the option to report a privately exposed secret to {% data variables.product.github %} if the following conditions are met:

* The secret is a {% data variables.product.github %} {% data variables.product.pat_generic %}.
* The secret's validity has not been confirmed, or the secret's validity has been confirmed as `active`.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
1. From the alert list, click the alert you want to view.
1. In the alert view for the leaked secret, click **Report leak**.

> [!NOTE] In order to prevent breaking workflows, consider first rotating the secret before continuing, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.

1. Review the information in the dialog box, then click **I understand the consequence, report this secret**.

{% endif %}

Expand Down
4 changes: 4 additions & 0 deletions data/features/secret-scanning-report-secret-github-pat.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# Reference: #15374
# Secret scanning one-click report and revocation (for GitHub PATs only)
versions:
ghec: '*'
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Reporting a privately exposed secret to {% data variables.product.github %} is in {% data variables.release-phases.public_preview %} and subject to change.
Loading