Merged
1 change: 1 addition & 0 deletions content/code-security/concepts/secret-security/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ contentType: concepts
children:
- /secret-leakage-risks
- /secret-scanning
- /public-monitoring
- /push-protection
- /secret-security-with-github
- /about-alerts
@@ -0,0 +1,41 @@
---
title: Public monitoring for secret scanning
shortTitle: Public monitoring
allowTitleToDifferFromFilename: true
intro: 'Public monitoring detects credentials leaked by your enterprise members in public repositories across {% data variables.product.github %}, giving you visibility into secret exposure beyond your enterprise''s boundaries.'
versions:
feature: secret-scanning-public-monitoring
product: 'Public monitoring is available for enterprises on {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %} or {% data variables.product.prodname_GH_secret_protection %} enabled. Public monitoring is **not available for {% data variables.enterprise.data_residency %}**.'
contentType: concepts
category:
- Protect your secrets
---

{% data reusables.secret-scanning.public-monitoring-public-preview %}

## About public monitoring

{% data variables.product.github %} monitors for secrets leaked across {% data variables.product.github %} in real time. Public monitoring attributes publicly exposed secrets back to your enterprise, based on where your people commit.

{% data variables.product.prodname_secret_scanning_caps %} detects secrets in repositories that your enterprise owns. Public monitoring extends this detection to secrets found in arbitrary public repos across {% data variables.product.github %}.com, regardless of whether or not your enterprise owns the repository where it was leaked.

This gives enterprise security administrators visibility into credential exposure they wouldn't otherwise be aware of, helping identify potential risks and leaked secrets which could be exploited by bad actors.

## How public monitoring works

Public monitoring scans public repositories, including non-code content like issue and pull request comments across {% data variables.product.github %} for secrets associated with your enterprise. When a secret is detected, an alert is surfaced in the enterprise-level security overview.

### Attribution methods

Public monitoring uses two methods to associate detected secrets with your enterprise:

* **Enterprise membership:** Secrets leaked by users who are members of your enterprise
* **Verified domain matching:** Secrets leaked by users whose email address matches a verified domain of your enterprise, even if they are not direct enterprise members

Both attribution methods are active when public monitoring is enabled.

## Requirements

To use public monitoring, your enterprise must:

* Have {% data variables.product.prodname_GH_advanced_security %} or {% data variables.product.prodname_GH_secret_protection %} enabled
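Review bot: In the "About public monitoring" paragraph, `{% data variables.product.github %}.com` appends a literal `.com` to the rendered product variable (giving something like "GitHub.com"), which is inconsistent with the bare `{% data variables.product.github %}` used everywhere else in this file; drop the suffix and use the same variable. The sentence under "How public monitoring works" also needs a comma after "pull request comments" so that "across ... for secrets associated with your enterprise" attaches to "scans" rather than to "comments". Finally, "Requirements" introduces a list with "your enterprise must:" but contains a single bullet, while the "Attribution methods" section depends on verified domains; consider adding the verified-domain item here (marked as recommended, matching the enabling page) so the requirements reflect both attribution methods.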
Expand Up @@ -77,3 +77,11 @@ Validity checks are separate from {% data variables.product.prodname_secret_scan
## How can I access this feature?

{% data reusables.gated-features.secret-scanning %}

{% ifversion secret-scanning-public-monitoring %}

## Public monitoring

In addition to scanning repositories your enterprise owns, you can enable public monitoring to detect secrets leaked by your enterprise members in public repositories across {% data variables.product.github %}. This extends {% data variables.product.prodname_secret_scanning %} beyond the repositories your enterprise owns to follow your members' activity across the platform. See [AUTOTITLE](/code-security/concepts/secret-security/public-monitoring).

{% endif %}
@@ -0,0 +1,27 @@
---
title: Enabling public monitoring for your enterprise
shortTitle: Enable public monitoring
intro: 'Start detecting secrets your enterprise members leak in public repositories outside your enterprise''s boundaries.'
versions:
feature: secret-scanning-public-monitoring
permissions: Enterprise owners can enable public monitoring for their enterprise.
contentType: how-tos
category:
- Secure at scale
---

{% data reusables.secret-scanning.public-monitoring-public-preview %}

## Prerequisites

Before enabling public monitoring, ensure your enterprise has:

* {% data variables.product.prodname_GH_advanced_security %} or {% data variables.product.prodname_GH_secret_protection %} enabled
* While not necessary, we recommend having at one verified domain configured (see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)) in order to get the full value for the feature.

## Enabling public monitoring

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.advanced-security-tab %}
1. Under "Additional Settings," toggle **Public monitoring**.
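Review bot: The second prerequisite bullet has a typo: "we recommend having at one verified domain configured" should read "at least one verified domain configured", and "to get the full value for the feature" reads better as "of the feature". The two bullets are also not parallel (the first is a noun phrase, the second a full sentence); consider "* At least one verified domain configured (recommended, not required). See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)." so the list reads consistently.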
Expand Up @@ -9,5 +9,6 @@ contentType: how-tos
children:
- /edit-custom-configuration
- /delete-custom-configuration
- /enabling-public-monitoring-for-your-enterprise
---

Expand Up @@ -31,3 +31,10 @@ Before you configure {% data variables.product.prodname_GH_secret_protection %}:
* **For all repositories**: Click to see an estimated cost for {% data variables.product.prodname_GH_secret_protection %} for all repositories in your organization.
* If you are satisfied with the pricing estimate, to enable {% data variables.product.prodname_secret_scanning %} alerts and push protection across your organization, click **Enable {% data variables.product.prodname_secret_protection %}**.
* Alternatively, click **Configure in settings** to customize which repositories you want to enable {% data variables.product.prodname_secret_protection %} for. See [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).

{% ifversion secret-scanning-public-monitoring %}

> [!TIP]
> To extend secret detection beyond repositories your enterprise owns, enterprise owners can enable public monitoring. Public monitoring detects secrets leaked by enterprise members in public repositories across {% data variables.product.github %}. For more information, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise).

{% endif %}
Expand Up @@ -45,6 +45,14 @@ If your organization is owned by an enterprise account, an enterprise owner can

A repository administrator can choose to disable {% data variables.product.prodname_secret_scanning %} for a repository at any time. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository).

{% ifversion secret-scanning-public-monitoring %}

## Extending detection with public monitoring

The enablement steps above configure {% data variables.product.prodname_secret_scanning %} for repositories your organization or enterprise owns. To detect secrets leaked by your enterprise members in public repositories across {% data variables.product.github %}, you can enable public monitoring at the enterprise level. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise).

{% endif %}

## Next steps

* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)
Expand Up @@ -16,6 +16,7 @@ children:
- /viewing-security-insights
- /viewing-metrics-for-pull-request-alerts
- /viewing-metrics-for-secret-scanning-push-protection
- /viewing-public-monitoring-alerts
- /viewing-metrics-for-dependabot-alerts
- /export-risk-report-csv
---
@@ -0,0 +1,45 @@
---
title: Viewing public monitoring alerts
shortTitle: View public monitoring alerts
allowTitleToDifferFromFilename: true
intro: 'Find out which credentials your enterprise members have exposed in public repositories across {% data variables.product.github %}.'
permissions: 'Enterprise owners can access the public monitoring page in security overview.'
versions:
feature: secret-scanning-public-monitoring
contentType: how-tos
category:
- Secure at scale
---

{% data reusables.secret-scanning.public-monitoring-public-preview %}

## About the public monitoring page

The **Public monitoring** page is a dedicated view within the enterprise-level security overview. It displays alerts for secrets detected in public repositories across {% data variables.product.github %} that are attributed to your enterprise members or users with an email matching your enterprise's verified domain.

> [!NOTE]
> The Public monitoring page is available at the enterprise level only. It is not available at the organization level.

## Prerequisites

Public monitoring must be enabled for your enterprise. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/manage-your-coverage/enabling-public-monitoring-for-your-enterprise).

## Viewing public monitoring alerts

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.security-and-code-quality-tab %}
1. In the left sidebar, click **{% octicon "key" aria-hidden="true" aria-label="key" %} Public monitoring**.

The alert list shows each detected secret with the following details:

* The type of secret detected (for example, "Google API Key")
* A partial secret value
* Who the leak is attributed to and in which public repository
* How long ago the secret was detected

1. Click an alert to open the detail panel. The panel includes:
* The date the secret was committed
* The full secret literal
* Attribution details, including the committer's username and email
* The file location where the secret was detected, with the secret highlighted in context
* A **Recommendations** tab with suggested remediation steps
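Review bot: The numbered procedure under "Viewing public monitoring alerts" is broken by the unindented text between the step "In the left sidebar, click ... Public monitoring" and the next `1. Click an alert to open the detail panel.`: because "The alert list shows each detected secret with the following details:" and its four bullets start at column 0, Markdown closes the ordered list, and the following `1.` renders as a new list numbered 1 rather than as step 2. Indent that paragraph and its bullets by three spaces (as the bullets under "Click an alert" already are) so they stay inside the first step. Separately, the detail panel bullet "The full secret literal" documents display of the complete secret value; since the `permissions` front matter restricts this page to enterprise owners, consider saying in "About the public monitoring page" that the full secret is visible only to those owners, so readers know who can see it.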
Expand Up @@ -45,6 +45,10 @@ You can download a CSV file of the overview dashboard data for your organization

{% data reusables.security-overview.enterprise-filters-tip %}

{% ifversion secret-scanning-public-monitoring %}
The enterprise security overview also includes a **Public monitoring** page, where you can view alerts for secrets leaked by enterprise members in public repositories outside your enterprise. See [AUTOTITLE](/code-security/how-tos/view-and-interpret-data/analyze-organization-data/viewing-public-monitoring-alerts).
{% endif %}

{% endif %}

## Next steps
Expand Up @@ -20,6 +20,16 @@ category:

{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}

{% ifversion secret-scanning-public-monitoring %}

## Public monitoring scope

When public monitoring is enabled for your enterprise, {% data variables.product.prodname_secret_scanning %} extends detection beyond repositories your enterprise owns. Public monitoring scans public repositories, including non-code content like pull request comments, across {% data variables.product.github %} for secrets associated with your enterprise members or users with an email address matching your enterprise's verified domain.

Public monitoring alerts appear in the enterprise-level security overview, on the dedicated **Public monitoring** page. See [AUTOTITLE](/code-security/concepts/secret-security/public-monitoring).

{% endif %}

## Detection of pattern pairs

{% data variables.product.prodname_secret_scanning_caps %} will only detect pattern pairs, such as AWS Access Keys and Secrets, if the ID and the secret are found in the same file, and both are pushed to the repository. Pair matching helps reduce false positives since both elements of a pair (the ID and the secret) must be used together to access the provider's resource.