🔐 Secret scanning validity checks are generally available! - Feedback

[erinhav]

At GitHub, we've been thinking deeply about how we can make secret leaks easier to triage and remediate. Validity checks help you identify active and inactive secrets, so you can better manage risk and prioritize alerts effectively.

Following over a year of iterative improvements based on your feedback, we're thrilled to announce that validity checks are now generally available!

Please note that on July 24, validity checks will also be retroactively enabled for any repositories which had attached the GitHub recommended configuration before July 2, 2024. Validity checks are included in the recommended configs today and will apply as normal to any newly attached repositories. If you wish to directly manage feature enablement moving forward, we recommend unattaching the recommended configuration and attaching your own custom configuration to those repositories.

What are validity checks?

Supported for over 85% of provider-based secret alerts, partner validity checks indicate if a secret is active or inactive. Active secrets are still exploitable and should be addressed immediately.

These checks are run on an ongoing basis for supported providers for any repositories that have enabled the validity check feature; you can also perform on demand validity checks from the alert details page.

Validity checks must be enabled (e.g. the feature is opt-in). Enterprise cloud customers with GitHub Advanced Security can enable validity checks through security configurations at the organization level and the 'Code security and analysis' settings page at the repository and enterprise levels. Validity checks are also included as part of the 'GitHub recommended' configuration.

📖 Helpful information:

• Learn more about validity checks for secret scanning
• Supported provider tokens with validity checks