🔐 Secret scanning validity checks are generally available!

[erinhav]

At GitHub, we've been thinking deeply about how we can make secret leaks easier to triage and remediate. Validity checks help you identify active and inactive secrets, so you can better manage risk and prioritize alerts effectively.

Following over a year of iterative improvements based on your feedback, we're thrilled to announce that validity checks are now generally available!

Please note that on July 24, validity checks will also be retroactively enabled for any repositories which had attached the GitHub recommended configuration before July 2, 2024. Validity checks are included in the recommended configs today and will apply as normal to any newly attached repositories. If you wish to directly manage feature enablement moving forward, we recommend unattaching the recommended configuration and attaching your own custom configuration to those repositories.

What are validity checks?

Supported for over 85% of provider-based secret alerts, partner validity checks indicate if a secret is active or inactive. Active secrets are still exploitable and should be addressed immediately.

These checks are run on an ongoing basis for supported providers for any repositories that have enabled the validity check feature; you can also perform on demand validity checks from the alert details page.

Validity checks must be enabled (e.g. the feature is opt-in). Enterprise cloud customers with GitHub Advanced Security can enable validity checks through security configurations at the organization level and the 'Code security and analysis' settings page at the repository and enterprise levels. Validity checks are also included as part of the 'GitHub recommended' configuration.

📖 Helpful information:

• Learn more about validity checks for secret scanning
• Supported provider tokens with validity checks

[Alirezaseyed]

Here’s how you can guide the person step-by-step to resolve their issue with GitHub Secret Scanning Validity Checks:

---

Explanation of the Issue:

The "Validity checks" feature in GitHub helps identify whether a secret (such as an API key or token) is still active or not. This helps prioritize which secrets to address first by distinguishing between active (still exploitable) and inactive ones.

Main Points:

1. Retroactive Enablement:

   • As of July 24, 2024, any repositories that were using GitHub’s recommended configuration before July 2, 2024, will have validity checks automatically enabled.

2. Direct Feature Management:

   • If they want to manually manage feature enablement (rather than using GitHub’s default settings), they need to detach GitHub’s recommended configuration and apply a custom security configuration.

3. Enabling Validity Checks:

   • Validity checks are opt-in and can be enabled at:
     • The organization level for GitHub Advanced Security users
     • The repository settings under "Code security and analysis"

4. Running Validity Checks:

   • Validity checks can also be run on-demand via the Alert Details page for specific secret alerts.

Steps to Enable and Manage Validity Checks:

1. Check if Validity Checks Are Enabled:

   • If they are using GitHub's recommended configuration, validity checks should already be enabled as of July 24, 2024, for any repositories configured before July 2, 2024.
   • If the repository was added later, ensure it's using the recommended GitHub configuration, which includes validity checks by default.

2. Manually Manage Validity Checks (if needed):

   • Go to the repository settings in GitHub.
   • Under "Security & Analysis", look for "Code security and analysis" settings.
   • Disable the GitHub recommended configuration if they prefer custom settings.
   • Then, manually enable Secret Scanning and Validity Checks as per their preferences.

3. Run Validity Checks on Demand:

   • To manually check the status of secrets, navigate to the Alerts page of the repository.
   • Click on an alert and trigger a validity check from the "Alert Details" section.

Resources:

• GitHub Documentation on Validity Checks for further details on GitHub Advanced Security features and secret scanning configuration.

---

Let them follow these steps, and they should be able to manage or enable validity checks for their repositories.