About custom patterns for secret scanning
GitHub performs secret scanning on public and private repositories for secret patterns provided by GitHub and GitHub partners. For more information on the secret scanning partner program, see "Secret scanning partner program."
However, there can be situations where you want to scan for other secret patterns in your private repositories. For example, you might have a secret pattern that is internal to your organization. For these situations, you can define custom secret scanning patterns in your enterprise, organization, or private repository on GitHub. You can define up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per private repository.
Regular expression syntax for custom patterns
Custom patterns for secret scanning are specified as regular expressions. Secret scanning uses the Hyperscan library and only supports Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported. For more information on Hyperscan pattern constructs, see "Pattern support" in the Hyperscan documentation.
Defining a custom pattern for a repository
Before defining a custom pattern, you must ensure that secret scanning is enabled on your repository. For more information, see "Configuring secret scanning for your repositories."
- On GitHub.com, navigate to the main page of the repository.
- Under your repository name, click Settings.
- In the left sidebar, click Security & analysis.
- Under "Configure security and analysis features", find "GitHub Advanced Security."
- Under "Secret scanning", under "Custom patterns", click New pattern.
- Enter the details for your new custom pattern:
  - At minimum, provide a name for the pattern and a regular expression that matches the format of the secret.
  - Optionally, click More options to specify the content that must surround the secret (before and after it) or additional match requirements that the matched secret itself must satisfy.
  - Provide a sample test string and confirm that the configuration matches exactly what you expect, and nothing else.
- When you are satisfied with your new custom pattern, click Create pattern.
After your pattern is created, secret scanning scans for any secrets in your entire Git history on all branches present in your GitHub repository. For more information on viewing secret scanning alerts, see "Managing alerts from secret scanning."
Defining a custom pattern for an organization
Before defining a custom pattern, you must ensure that you enable secret scanning for the private repositories that you want to scan in your organization. To enable secret scanning on all private repositories in your organization, see "Managing security and analysis settings for your organization."
Note: As there is no dry-run functionality, we recommend that you test your custom patterns in a repository before defining them for your entire organization. That way, you can avoid creating excess false-positive secret scanning alerts.
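Because there is no dry run on GitHub, the following Python script, added here as an example and not part of GitHub's secret scanning implementation, approximates one locally for a pattern written in the Hyperscan syntax described above. It assumes that a custom pattern is evaluated as before-secret, then secret format, then after-secret, that the "must match" and "must not match" requirements are applied to the matched secret, and that the UI's default surrounding-content expressions are `\A|[^0-9A-Za-z]` and `\z|[^0-9A-Za-z]` (all of these are assumptions). Python's `re` module accepts a superset of Hyperscan syntax, so the script also refuses constructs Hyperscan rejects (backreferences, conditional subpatterns, recursion) and rewrites PCRE's `\z` as Python's `\Z`. The token format, pattern and sample input are constructed for the example.

```python
"""Local dry run for a secret scanning custom pattern.

Added example, not GitHub's code. Assumes a custom pattern is evaluated as
<before secret><secret format><after secret>, with the "must match" and
"must not match" requirements then applied to the matched secret.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class CustomPattern:
    name: str
    secret_format: str
    # Assumed to mirror the "More options" defaults in the GitHub UI: the secret
    # starts at the beginning of the text or after a non-alphanumeric character,
    # and ends at the end of the text or before one.
    before_secret: str = r"\A|[^0-9A-Za-z]"
    after_secret: str = r"\z|[^0-9A-Za-z]"
    must_match: list[str] = field(default_factory=list)
    must_not_match: list[str] = field(default_factory=list)


# Constructs that Python's re accepts (or at least reports cleanly) but that
# Hyperscan rejects, so a pattern that works here could still be refused on save.
UNSUPPORTED = {
    "backreference": re.compile(r"\\[1-9]|\\k[<'{]|\(\?P="),                  # \1, \k<n>, (?P=n)
    "conditional subpattern": re.compile(r"\(\?\("),                           # (?(cond)yes|no)
    "recursion or subroutine call": re.compile(r"\(\?(?:R\)|[+-]?\d+\)|&)"),   # (?R), (?1), (?&n)
}


def to_python(regex: str) -> str:
    """PCRE/Hyperscan \\z (absolute end of subject) is spelled \\Z in Python's re."""
    return regex.replace(r"\z", r"\Z")


def lint(pattern: CustomPattern) -> list[str]:
    """Return human-readable problems; an empty list means the pattern looks safe to save."""
    fields = {
        "secret format": pattern.secret_format,
        "before secret": pattern.before_secret,
        "after secret": pattern.after_secret,
    }
    fields.update({f"must match #{i + 1}": r for i, r in enumerate(pattern.must_match)})
    fields.update({f"must not match #{i + 1}": r for i, r in enumerate(pattern.must_not_match)})
    issues = []
    for where, regex in fields.items():
        for label, detector in UNSUPPORTED.items():
            if detector.search(regex):
                issues.append(f"{where}: {label} is not supported by Hyperscan")
        try:
            re.compile(to_python(regex))
        except re.error as exc:
            issues.append(f"{where}: does not compile ({exc})")
    return issues


def compose(pattern: CustomPattern) -> re.Pattern[str]:
    """Build one expression: before context, then the secret (captured), then after context.

    The after-secret context is a lookahead so it is not consumed; otherwise two
    secrets separated by a single delimiter would hide the second one.
    """
    return re.compile(
        f"(?:{to_python(pattern.before_secret)})"
        f"({to_python(pattern.secret_format)})"
        f"(?=(?:{to_python(pattern.after_secret)}))"
    )


def find_secrets(pattern: CustomPattern, text: str) -> list[str]:
    """Return every secret the pattern would flag in text, in order of appearance."""
    composed = compose(pattern)
    must = [re.compile(to_python(r)) for r in pattern.must_match]
    must_not = [re.compile(to_python(r)) for r in pattern.must_not_match]
    hits = []
    for match in composed.finditer(text):
        secret = match.group(1)
        if all(r.search(secret) for r in must) and not any(r.search(secret) for r in must_not):
            hits.append(secret)
    return hits


# Constructed sample input standing in for a file somewhere in the repository's history.
SAMPLE = """\
ACME_TOKEN=acme_0123456789abcdef0123456789abcdef
export ACME_TOKEN="acme_deadbeefdeadbeefdeadbeefdeadbeef"
placeholder = acme_00000000000000000000000000000000
comment: xacme_0123456789abcdef0123456789abcdef is not a real token
"""

# Hypothetical internal format: "acme_" followed by 32 hex characters, with the
# all-zero placeholder excluded through a "must not match" requirement.
ACME_TOKEN = CustomPattern(
    name="ACME internal token",
    secret_format=r"acme_[0-9a-f]{32}",
    must_not_match=[r"^acme_0{32}$"],
)

if __name__ == "__main__":
    for issue in lint(ACME_TOKEN):
        print("lint:", issue)
    for secret in find_secrets(ACME_TOKEN, SAMPLE):
        print("would alert on:", secret)
```

Run the script against a checkout of the files you care about (or the output of `git log -p --all`) before saving the pattern at organization or enterprise level; anything it flags that is not a real secret is a false positive you would otherwise be creating alerts for across every private repository with secret scanning enabled. The same check applies before defining a pattern for an enterprise account.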
- In the top right corner of GitHub.com, click your profile photo, then click Your organizations.
- Next to the organization, click Settings.
- In the left sidebar, click Security & analysis.
- Under "Configure security and analysis features", find "GitHub Advanced Security."
- Under "Secret scanning", under "Custom patterns", click New pattern.
- Enter the details for your new custom pattern:
  - At minimum, provide a name for the pattern and a regular expression that matches the format of the secret.
  - Optionally, click More options to specify the content that must surround the secret (before and after it) or additional match requirements that the matched secret itself must satisfy.
  - Provide a sample test string and confirm that the configuration matches exactly what you expect, and nothing else.
- When you are satisfied with your new custom pattern, click Create pattern.
After your pattern is created, secret scanning scans for any secrets in private repositories in your organization, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing secret scanning alerts, see "Managing alerts from secret scanning."
Defining a custom pattern for an enterprise account
Before defining a custom pattern, you must ensure that you enable secret scanning for your enterprise account. For more information, see "Enabling GitHub Advanced Security for your enterprise."
Note: As there is no dry-run functionality, we recommend that you test your custom patterns in a repository before defining them for your entire enterprise. That way, you can avoid creating excess false-positive secret scanning alerts.
- In the enterprise sidebar, click Policies.
- Under Policies, click "Advanced Security."
- Under "GitHub Advanced Security", click the Security features tab.
- Under "Secret scanning custom patterns", click New pattern.
- Enter the details for your new custom pattern:
  - At minimum, provide a name for the pattern and a regular expression that matches the format of the secret.
  - Optionally, click More options to specify the content that must surround the secret (before and after it) or additional match requirements that the matched secret itself must satisfy.
  - Provide a sample test string and confirm that the configuration matches exactly what you expect, and nothing else.
- When you are satisfied with your new custom pattern, click Create pattern.
After your pattern is created, secret scanning scans for any secrets in private repositories within your enterprise's organizations with GitHub Advanced Security enabled, including their entire Git history on all branches. Organization owners and repository administrators will be alerted to any secrets found, and can review the alert in the repository where the secret is found. For more information on viewing secret scanning alerts, see "Managing alerts from secret scanning."
Editing a custom pattern
When you save a change to a custom pattern, this closes all the secret scanning alerts that were created using the previous version of the pattern.
- Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
  - For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "Defining a custom pattern for a repository" or "Defining a custom pattern for an organization" above.
  - For an enterprise, under "Policies" display the "Advanced Security" area, and then click Security features. For more information, see "Defining a custom pattern for an enterprise account" above.
- Under "Secret scanning", to the right of the custom pattern you want to edit, click the edit icon.
- When you have reviewed and tested your changes, click Save changes.
Removing a custom pattern
- Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account.
  - For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "Defining a custom pattern for a repository" or "Defining a custom pattern for an organization" above.
  - For an enterprise, under "Policies" display the "Advanced Security" area, and then click Security features. For more information, see "Defining a custom pattern for an enterprise account" above.
- To the right of the custom pattern you want to remove, click the delete icon.
- Review the confirmation, and select how any open alerts relating to the custom pattern should be handled.
- Click Yes, delete this pattern.