secret-scanning▌
github/awesome-copilot · updated Apr 8, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
This skill provides procedural guidance for configuring GitHub secret scanning — detecting leaked credentials, preventing secret pushes, defining custom patterns, and managing alerts.
Secret Scanning
This skill provides procedural guidance for configuring GitHub secret scanning — detecting leaked credentials, preventing secret pushes, defining custom patterns, and managing alerts.
When to Use This Skill
Use this skill when the request involves:
- Enabling or configuring secret scanning for a repository or organization
- Setting up push protection to block secrets before they reach the repository
- Defining custom secret patterns with regular expressions
- Resolving a blocked push from the command line
- Triaging, dismissing, or remediating secret scanning alerts
- Configuring delegated bypass for push protection
- Excluding directories from secret scanning via
secret_scanning.yml - Understanding alert types (user, partner, push protection)
- Enabling validity checks or extended metadata checks
- Scanning local code changes for secrets before committing (via MCP / AI coding agent) — see the Pre-Commit Scanning via AI Coding Agents section below for the recommended plugin
How Secret Scanning Works
Secret scanning automatically detects exposed credentials across:
- Entire Git history on all branches
- Issue descriptions, comments, and titles (open and closed)
- Pull request titles, descriptions, and comments
- GitHub Discussions titles, descriptions, and comments
- Wikis and secret gists
Availability
| Repository Type | Availability |
|---|---|
| Public repos | Automatic, free |
| Private/internal (org-owned) | Requires GitHub Secret Protection on Team/Enterprise Cloud |
| User-owned | Enterprise Cloud with Enterprise Managed Users |
Core Workflow — Enable Secret Scanning
Step 1: Enable Secret Protection
- Navigate to repository Settings → Advanced Security
- Click Enable next to "Secret Protection"
- Confirm by clicking Enable Secret Protection
For organizations, use security configurations to enable at scale:
- Settings → Advanced Security → Global settings → Security configurations
Step 2: Enable Push Protection
Push protection blocks secrets during the push process — before they reach the repository.
- Navigate to repository Settings → Advanced Security
- Enable "Push protection" under Secret Protection
Push protection blocks secrets in:
- Command line pushes
- GitHub UI commits
- File uploads
- REST API requests
- REST API content creation endpoints
Step 3: Configure Exclusions (Optional)
Create .github/secret_scanning.yml to auto-close alerts for specific directories:
paths-ignore:
- "docs/**"
- "test/fixtures/**"
- "**/*.example"
Limits:
- Maximum 1,000 entries in
paths-ignore - File must be under 1 MB
- Excluded paths also skip push protection checks
Best practices:
- Be as specific as possible with exclusion paths
- Add comments explaining why each path is excluded
- Review exclusions periodically — remove stale entries
- Inform the security team about exclusions
Step 4: Enable Additional Features (Optional)
Non-provider patterns — detect private keys, connection strings, generic API keys:
- Settings → Advanced Security → enable "Scan for non-provider patterns"
AI-powered generic secret detection — uses Copilot to detect unstructured secrets like passwords:
- Settings → Advanced Security → enable "Use AI detection"
Validity checks — verify if detected secrets are still active:
- Settings → Advanced Security → enable "Validity checks"
- GitHub periodically tests detected credentials against provider APIs
- Status shown in alert:
active,inactive, orunknown
Extended metadata checks — additional context about who owns a secret:
- Requires validity checks to be enabled first
- Helps prioritize remediation and identify responsible teams
Core Workflow — Resolve Blocked Pushes
When push protection blocks a push from the command line:
Option A: Remove the Secret
If the secret is in the latest commit:
# Remove the secret from the file
# Then amend the commit
git commit --amend --all
git push
If the secret is in an earlier commit:
# Find the earliest commit containing the secret
git log
# Start interactive rebase before that commit
git rebase -i <COMMIT-ID>~1
# Change 'pick' to 'edit' for the offending commit
# Remove the secret, then:
git add .
git commit --amend
git rebase --continue
git push
Option B: Bypass Push Protection
- Visit the URL returned in the push error message (as the same user)
- Select a bypass reason:
- It's used in tests — alert created and auto-closed
- It's a false positive — alert created and auto-closed
- I'll fix it later — open alert created
- Click Allow me to push this secret
- Re-push within 3 hours
Option C: Request Bypass Privileges
If delegated bypass is enabled and you lack bypass privileges:
- Visit the URL from the push error
- Add a comment explaining why the secret is safe
- Click Submit request
- Wait for email notification of approval/denial
- If approved, push the commit; if denied, remove the secret
For detailed bypass and delegated bypass workflows, search
references/push-protection.md.
Custom Patterns
Define organization-specific secret patterns using regular expressions.
Quick Setup
- Settings → Advanced Security → Custom patterns → New pattern
- Enter pattern name and regex for secret format
- Add a sample test string
- Click Save and dry run to test (up to 1,000 results)
- Review results for false positives
- Click Publish pattern
- Optionally enable push protection for the pattern
Scopes
Custom patterns can be defined at:
- Repository level — applies to that repo only
- Organization level — applies to all repos with secret scanning enabled
- Enterprise level — applies across all organizations
Copilot-Assisted Pattern Generation
Use Copilot secret scanning to generate regex from a text description of the secret type, including optional example strings.
For detailed custom pattern configuration, search
references/custom-patterns.md.
Alert Management
Alert Types
| Type | Description | Visibility |
|---|---|---|
| User alerts | Secrets found in repository | Security tab |
| Push protection alerts | Secrets pushed via bypass | Security tab (filter: bypassed: true) |
| Partner alerts | Secrets reported to provider | Not shown in repo (provider-only) |
Alert Lists
- Default alerts — supported provider patterns and custom patterns
- Generic alerts — non-provider patterns and AI-detected secrets (limited to 5,000 per repo)
Remediation Priority
- Rotate the credential immediately — this is the critical action
- Review the alert for context (location, commit, author)
- Check validity status:
active(urgent),inactive(lower priority),unknown - Remove from Git history if needed (time-intensive, often unnecessary after rotation)
Dismissing Alerts
Dismiss with a documented reason:
- False positive — detected string is not a real secret
- Revoked — credential has already been revoked
- Used in tests — secret is only in test code
For detailed alert types, validity checks, and REST API, search
references/alerts-and-remediation.md.
Pre-Commit Scanning via AI Coding Agents
For scanning code changes for secrets inside an AI coding agent before committing, install the Advanced Security plugin which provides the run_secret_scanning MCP tool and a dedicated scanning skill.
GitHub Copilot CLI:
/plugin install advanced-security@copilot-plugins
Visual Studio Code:
- In Copilot Chat, open Chat: Plugins (or use
@agentPlugins) and install theadvanced-securityplugin - Then run
/secret-scanningin Copilot Chat
See: Advanced Security Plugin — Secret Scanning Skill
Announced in Secret scanning in AI coding agents via the GitHub MCP Server (March 2026)
Reference Files
For detailed documentation, load the following reference files as needed:
references/push-protection.md— Push protection mechanics, bypass workflow, delegated bypass, user push protection- Search patterns:
bypass,delegated,bypass request,command line,REST API,user push protection
- Search patterns:
references/custom-patterns.md— Custom pattern creation, regex syntax, dry runs, Copilot regex generation, scopes- Search patterns:
custom pattern,regex,dry run,publish,organization,enterprise,Copilot
- Search patterns:
references/alerts-and-remediation.md— Alert types, validity checks, extended metadata, generic alerts, secret removal, REST API- Search patterns:
user alert,partner alert,validity,metadata,generic,remediation,git history,REST API
- Search patterns:
How to use secret-scanning on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add secret-scanning
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches secret-scanning from GitHub repository github/awesome-copilot and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate secret-scanning. Access the skill through slash commands (e.g., /secret-scanning) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
User Story & Requirements Generation
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Competitive Analysis
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Roadmap Prioritization
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client
- ›Access to product documentation and roadmap tools (Jira, Notion, etc.)
- ›Understanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
- ›Stakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Installation Steps
- 1.Install product management skill
- 2.Start with user story generation for known feature
- 3.Progress to competitive analysis: research 2-3 competitors
- 4.Use for roadmap prioritization: apply RICE/ICE scoring
- 5.Draft stakeholder communications and refine based on feedback
- 6.Build template library for recurring PM tasks
- 7.Share effective prompts with product team
Common Pitfalls
- ⚠Not validating competitive research—verify facts before sharing
- ⚠Accepting user stories without involving engineering team
- ⚠Over-relying on frameworks without qualitative judgment
- ⚠Not customizing outputs to company culture and communication style
- ⚠Skipping stakeholder validation of generated requirements
Best Practices▌
✓ Do
- +Validate research and competitive analysis with real data
- +Collaborate with engineering when generating technical requirements
- +Customize frameworks and templates to your company context
- +Use skill for first drafts, refine with stakeholder input
- +Document successful prompt patterns for PM tasks
- +Combine AI efficiency with human judgment and intuition
✗ Don't
- −Don't publish competitive analysis without fact-checking
- −Don't finalize user stories without engineering review
- −Don't make prioritization decisions solely on AI scoring
- −Don't skip customer validation of generated requirements
- −Don't ignore company-specific context and culture
💡 Pro Tips
- ★Provide context: company goals, constraints, customer feedback
- ★Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
- ★Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
- ★Use skill for 70% generation + 30% customization to company needs
When to Use This▌
✓ Use When
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid When
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path▌
- 1Basic: user stories, feature specs, status updates
- 2Intermediate: competitive analysis, prioritization frameworks, PRDs
- 3Advanced: product strategy, go-to-market planning, OKR setting
- 4Expert: product vision, market positioning, business model innovation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★53 reviews- ★★★★★Olivia Nasser· Dec 28, 2024
We added secret-scanning from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Olivia Farah· Dec 28, 2024
secret-scanning fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★William Lopez· Dec 20, 2024
Keeps context tight: secret-scanning is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Aisha Gonzalez· Dec 16, 2024
secret-scanning reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Aanya Khanna· Dec 16, 2024
Registry listing for secret-scanning matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Shikha Mishra· Dec 8, 2024
secret-scanning is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Rahul Santra· Nov 27, 2024
secret-scanning fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Aanya Brown· Nov 27, 2024
secret-scanning reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Olivia Johnson· Nov 11, 2024
Registry listing for secret-scanning matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Layla Huang· Nov 7, 2024
Keeps context tight: secret-scanning is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 53