Secret scanning detects generic passwords with AI (public beta)

Secret scanning now detects generic passwords using AI. Passwords are difficult to find with custom patterns — the AI-powered detection offers greater precision for unstructured credentials that can cause security breaches if exposed.

Passwords found in git content will create a secret scanning alert in a separate tab from regular alerts. Passwords will not be detected in non-git content, like GitHub Issues or pull requests, and are not included in push protection. Password detection is backed by the Copilot API and is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license to enable generic secret detection.

To start detecting passwords, select “Use AI detection to find additional secrets” within your code security and analysis settings at the repository level, or the code security global settings at the organization level.

Filter repositories by configuration attachment failure reason in the code security configurations UI

Organization owners and security managers can now filter the table of repositories on the code security configurations settings page by configuration attachment failure reason.

This is useful when you’ve attempted to attach a code security configuration to many repositories at the same time, and some have failed. The reason for the failure is also now listed in the row with the repository name.

Use the search bar to filter by failure-reason: and then insert one of the following options:
actions_disabled – When you are attempting to rollout default setup for code scanning, but the repository does not have Actions enabled on it.
code_scanning – When you are attempting to rollout default setup for code scanning, but the repository already has advanced setup for code scanning.
enterprise_policy – When the enterprise does not permit GitHub Advanced Security to be enabled in this organization.
not_enough_licenses – When enabling advanced security on these repositories would exceed your seat allowance.
not_purchased – When you are attempting to rollout a configuration with GitHub Advanced Security features, but GitHub Advanced Security has not been purchased.
unknown – When something unexpected occurred.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more

Secret scanning AI-generated custom patterns (general availability)

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

Generally available as of today, you can now leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

Defining custom patterns is now simpler and more efficient. You can leverage AI to generate patterns via text input — without expert knowledge in regular expressions.

With secret scanning, you can create your own custom detectors by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

All GitHub Advanced Security customers on GitHub Enterprise Cloud can use the regular expression generator today. Anyone able to define custom patterns is able to use the regular expression generator (e.g. any admin at the repository, organization, or enterprise levels). You do not need a GitHub Copilot license to use the regular expression generator.

Learn more about the regular expression generator or how to define your own custom patterns.

See more
View all changes