mirror of https://github.com/github/docs.git
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Courtney Claessens <courtneycl@github.com>
This commit is contained in:
Parent
5fbcec4c1d
Commit
23639500d8
|
@ -118,9 +118,9 @@ Across all of your enterprise's organizations, you can allow or disallow people
|
|||
|
||||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
## Enforcing a policy to manage the use of generic secret detection for {% data variables.product.prodname_secret_scanning %} in your enterprise's repositories
|
||||
## Enforcing a policy to manage the use of {% data variables.secret-scanning.generic-secret-detection %} for {% data variables.product.prodname_secret_scanning %} in your enterprise's repositories
|
||||
|
||||
Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage and configure generic secret detection for {% data variables.product.prodname_secret_scanning %} for the repositories. {% data reusables.advanced-security.ghas-must-be-enabled %}
|
||||
Across all of your enterprise's organizations, you can allow or disallow people with admin access to repositories to manage and configure AI detection in {% data variables.product.prodname_secret_scanning %} for the repositories. {% data reusables.advanced-security.ghas-must-be-enabled %}
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
|
|
|
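Review bot: the heading and the body paragraph in this hunk no longer name the feature the same way. The heading now renders from `{% data variables.secret-scanning.generic-secret-detection %}`, but the paragraph version that reads "manage and configure AI detection in {% data variables.product.prodname_secret_scanning %}" drops the feature name entirely; use the same variable in the paragraph so the policy description matches the heading it sits under. Also check the fragment `#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories` that the RAI article in this commit links to: once the heading text comes from a variable, the generated slug has to match that fragment exactly or the enterprise-policy link breaks without any build error.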
@ -0,0 +1,48 @@
|
|||
---
|
||||
title: Enabling Copilot secret scanning's generic secret detection
|
||||
shortTitle: Enable generic secret detection
|
||||
intro: 'You can enable {% data variables.secret-scanning.generic-secret-detection %} for your repository or organization. Alerts for generic secrets, such as passwords, are displayed in a separate list on the {% data variables.product.prodname_secret_scanning %} alerts page.'
|
||||
allowTitleToDifferFromFilename: true
|
||||
versions:
|
||||
feature: secret-scanning-ai-generic-secret-detection
|
||||
product: '{% data reusables.gated-features.secret-scanning %}'
|
||||
type: how_to
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- AI
|
||||
- Copilot
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/enabling-ai-powered-generic-secret-detection
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection
|
||||
---
|
||||
|
||||
## Enabling {% data variables.secret-scanning.generic-secret-detection %}
|
||||
|
||||
{% data reusables.secret-scanning.generic-secret-detection-policy-note %}
|
||||
|
||||
You can then enable {% data variables.secret-scanning.generic-secret-detection %} in the security settings page of your repository or organization.
|
||||
|
||||
{% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
|
||||
|
||||
### Enabling {% data variables.secret-scanning.generic-secret-detection %} for your repository
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
|
||||
{% data reusables.repositories.navigate-to-ghas-settings %}
|
||||
1. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".
|
||||
|
||||
### Enabling {% data variables.secret-scanning.generic-secret-detection %} for your organization
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
|
||||
1. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".
|
||||
|
||||
For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)
|
||||
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
|
|
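Review bot: the checkbox label in both procedures (`1. Under "Secret scanning", select the checkbox next to "Scan for generic secrets".`) differs from the label in the article this file replaces ("Use AI detection to find additional secrets"). Confirm the new wording against the current repository and organization settings UI before merging; a stale label is the first thing an admin trying to turn this on will trip over. The organization procedure also has no equivalent of the `navigate-to-ghas-settings` step used in the repository procedure, so it is worth checking that the "Secret scanning" section is reachable directly from **Code security** then **Global settings** as written.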
@ -10,12 +10,16 @@ topics:
|
|||
- Advanced Security
|
||||
- Secret scanning
|
||||
- AI
|
||||
- Copilot
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai
|
||||
---
|
||||
|
||||
## Generating a regular expression for a repository with AI
|
||||
|
||||
{% data reusables.secret-scanning.copilot-secret-scanning-expression-generator-subscription-note %}
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
|
||||
|
@ -44,4 +48,4 @@ redirect_from:
|
|||
|
||||
## Further reading
|
||||
|
||||
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator)"
|
||||
* "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator)"
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
title: Enhance your secret detection capabilities with Copilot secret scanning
|
||||
shortTitle: Copilot secret scanning
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: 'Learn how {% data variables.product.prodname_secret_scanning %} uses AI to detect generic secrets in your code, and generate regular expressions for your custom patterns.'
|
||||
product: '{% data reusables.gated-features.secret-scanning %}'
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- Repositories
|
||||
- Copilot
|
||||
children:
|
||||
- /responsible-ai-generic-secrets
|
||||
- /enabling-ai-powered-generic-secret-detection
|
||||
- /responsible-use-ai-regex-generator
|
||||
- /generating-regular-expressions-for-custom-patterns-with-ai
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection
|
||||
---
|
|
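Review bot: the versioning of this new index (`ghec: '*'`) is narrower than that of its children. The two RAI articles listed under `children` are versioned on feature flags plus `fpt: '*'` so that free, pro and team users can read them, and the two how-to articles are versioned on `secret-scanning-ai-generic-secret-detection` and `secret-scanning-custom-pattern-ai-generated`. With the parent index limited to GHEC, those articles will render in versions where their category page does not exist; either version the index the same way as its children or confirm the site build tolerates children that are visible in more versions than their parent. The `topics` list also omits `AI`, which every child article carries.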
@ -0,0 +1,101 @@
|
|||
---
|
||||
title: Responsible detection of generic secrets with Copilot secret scanning
|
||||
shortTitle: Generic secret detection
|
||||
intro: 'Learn how {% data variables.secret-scanning.copilot-secret-scanning %} uses AI responsibly to scan and create alerts for unstructured secrets, such as passwords.'
|
||||
allowTitleToDifferFromFilename: true
|
||||
versions:
|
||||
feature: secret-scanning-ai-generic-secret-detection
|
||||
fpt: '*'
|
||||
type: rai
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- AI
|
||||
- Copilot
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets
|
||||
---
|
||||
|
||||
<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
|
||||
|
||||
## About {% data variables.secret-scanning.generic-secret-detection %} with {% data variables.secret-scanning.copilot-secret-scanning %}
|
||||
|
||||
{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert.
|
||||
|
||||
{% data reusables.rai.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
|
||||
|
||||
{% data variables.product.prodname_GH_advanced_security %} users can already receive {% data variables.secret-scanning.alerts %} for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable. {% data variables.secret-scanning.copilot-secret-scanning %} uses large language models (LLMs) to identify this type of secret.
|
||||
|
||||
When a password is detected, an alert is displayed in the "Experimental" list of {% data variables.product.prodname_secret_scanning %} alerts (under the **Security** tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix.
|
||||
|
||||
{% data reusables.rai.secret-scanning.generic-secret-detection-policy-note %} The feature must then be enabled for repositories and organizations.
|
||||
|
||||
### Input processing
|
||||
|
||||
Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the LLM along with a meta prompt asking the LLM to find passwords within the scope of the input. The user does not interact with the LLM directly.
|
||||
|
||||
The system scans for passwords using the LLM. No additional data is collected by the system, other than what is already collected by the existing {% data variables.product.prodname_secret_scanning %} feature.
|
||||
|
||||
### Output and display
|
||||
|
||||
The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
|
||||
|
||||
These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
|
||||
|
||||
## Improving the performance of {% data variables.secret-scanning.generic-secret-detection %}
|
||||
|
||||
To improve the performance of {% data variables.secret-scanning.generic-secret-detection %}, we recommend closing false positive alerts appropriately.
|
||||
|
||||
### Verify the accuracy of alerts and close as appropriate
|
||||
|
||||
Since {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} may generate more false positives than the existing {% data variables.product.prodname_secret_scanning %} feature for partner patterns, it's important that you review the accuracy of these alerts. When you verify an alert to be a false positive, be sure to close the alert and mark the reason as "False positive" in the {% data variables.product.prodname_dotcom %} UI. The {% data variables.product.prodname_dotcom %} development team will use information on false positive volume and detection locations to improve the model. {% data variables.product.prodname_dotcom %} does not have access to the secret literals themselves.
|
||||
|
||||
## Limitations of {% data variables.secret-scanning.generic-secret-detection %}
|
||||
|
||||
When using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %}, you should consider the following limitations.
|
||||
|
||||
### Limited scope
|
||||
|
||||
{% data variables.secret-scanning.generic-secret-detection-caps %} currently only looks for instances of passwords in git content. The feature does not look for other types of generic secrets, and it does not look for secrets in non-git content, such as {% data variables.product.prodname_github_issues %}.
|
||||
|
||||
### Potential for false positive alerts
|
||||
|
||||
{% data variables.secret-scanning.generic-secret-detection-caps %} may generate more false positive alerts when compared to the existing {% data variables.product.prodname_secret_scanning %} feature (which detects partner patterns, and which has a very low false positive rate). To mitigate this excess noise, alerts are grouped in a separate list from partner pattern alerts, and security managers and maintainers should triage each alert to verify its accuracy.
|
||||
|
||||
### Potential for incomplete reporting
|
||||
|
||||
{% data variables.secret-scanning.generic-secret-detection-caps %} may miss instances of credentials checked into a repository. The LLM will improve over time. You retain ultimate responsibility for ensuring the security of your code.
|
||||
|
||||
### Limitations by design
|
||||
|
||||
{% data variables.secret-scanning.generic-secret-detection-caps %} has the following limitations by design:
|
||||
|
||||
* {% data variables.secret-scanning.copilot-secret-scanning %} will not detect secrets that are obviously fake or test passwords, or passwords with low entropy.
|
||||
* {% data variables.secret-scanning.copilot-secret-scanning %} will only detect a maximum of 100 passwords per push.
|
||||
* If five or more detected secrets within a single file are marked as false positive, {% data variables.secret-scanning.copilot-secret-scanning %} will stop generating new alerts for that file.
|
||||
* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in generated or vendored files.
|
||||
* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in encrypted files.
|
||||
* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in file types: SVG, PNG, JPEG, CSV, TXT, SQL, or ITEM.
|
||||
* {% data variables.secret-scanning.copilot-secret-scanning %} does not detect secrets in test code. {% data variables.secret-scanning.copilot-secret-scanning %} skips detections where:
|
||||
* The file path contains "test", "mock", or "spec".
|
||||
* The file extension is `.cs`, `.go`, `.java`, `.js`, `.kt`, `.php`, `.py`, `.rb`, `.scala`, `.swift`, or `.ts`.
|
||||
|
||||
## Evaluation of {% data variables.secret-scanning.generic-secret-detection %}
|
||||
|
||||
{% data variables.secret-scanning.generic-secret-detection-caps %} has been subject to Responsible AI Red Teaming and {% data variables.product.prodname_dotcom %} will continue to monitor the efficacy and safety of the feature over time.
|
||||
|
||||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
## Next steps
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection)
|
||||
* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning){% ifversion ghec %}
|
||||
* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories){% endif %}
|
|
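Review bot: the "does not detect secrets in test code" bullet near the end of the limitations list reads as two independent skip rules, and the second one (`The file extension is .cs, .go, .java, .js, .kt, .php, .py, .rb, .scala, .swift, or .ts.`) taken literally would mean no passwords are ever reported in ordinary C#, Go, Java, JavaScript, Python or Ruby source, which contradicts the rest of the article. If the intended rule is that a file counts as test code only when its path contains "test", "mock" or "spec" and it has one of those extensions, state that as a single condition; readers use this list to judge where the feature gives them no coverage, so it has to be exact. In the preceding bullet, confirm that "ITEM" in `SVG, PNG, JPEG, CSV, TXT, SQL, or ITEM` is a real file type and not a typo. Finally, the enterprise link in "Further reading" hardcodes a heading fragment for a heading that this same commit changes to render from a variable; verify the slug still matches.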
@ -12,10 +12,12 @@ topics:
|
|||
- Advanced Security
|
||||
- Secret scanning
|
||||
- AI
|
||||
- Copilot
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/about-the-regular-expression-generator-for-custom-patterns
|
||||
- /code-security/secret-scanning/about-generating-regular-expressions-with-ai
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/about-generating-regular-expressions-with-ai
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator
|
||||
---
|
||||
|
||||
<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
|
||||
|
@ -24,6 +26,8 @@ redirect_from:
|
|||
|
||||
{% data variables.product.prodname_secret_scanning_caps %} scans repositories for a predefined set of secrets from our partner program, as well as custom patterns that are user-defined. Custom patterns are formatted as regular expressions.
|
||||
|
||||
{% data reusables.rai.secret-scanning.copilot-secret-scanning-expression-generator-subscription-note %}
|
||||
|
||||
Regular expressions can be challenging for people to write. The {% data variables.secret-scanning.custom-pattern-regular-expression-generator %} makes it possible for you to define your custom patterns without knowledge of regular expressions. Within the existing custom pattern page, you can launch a generative AI experience where you input a text description of what pattern you would like to detect, include optional example strings that should be detected, and get matching regular expressions in return.
|
||||
|
||||
### Input processing
|
||||
|
@ -60,7 +64,7 @@ Note that the {% data variables.secret-scanning.custom-pattern-regular-expressio
|
|||
|
||||
## Next steps
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)
|
||||
* [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)
|
||||
* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
|
||||
{% endif %}
|
||||
|
|
@ -20,6 +20,7 @@ children:
|
|||
- /managing-alerts-from-secret-scanning
|
||||
- /working-with-secret-scanning-and-push-protection
|
||||
- /using-advanced-secret-scanning-and-push-protection-features
|
||||
- /copilot-secret-scanning
|
||||
- /troubleshooting-secret-scanning-and-push-protection
|
||||
- /secret-scanning-partnership-program
|
||||
---
|
||||
|
|
|
@ -104,14 +104,6 @@ Scan for and detect secrets that are not specific to a service provider, such as
|
|||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
### Generic secret detection
|
||||
|
||||
Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
### Performing validity checks
|
||||
|
||||
Validity checks help you prioritize alerts by telling you which secrets are `active` or `inactive`. For more information, see{% ifversion secret-scanning-validity-check-partner-patterns %} "[AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository)" and{% endif %} "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity)."
|
||||
|
@ -122,12 +114,15 @@ Validity checks help you prioritize alerts by telling you which secrets are `act
|
|||
|
||||
Define your own patterns for secrets used by your organization that {% data variables.product.prodname_secret_scanning %} can scan for and detect. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)."
|
||||
|
||||
{% ifversion secret-scanning-custom-pattern-ai-generated %}
|
||||
|
||||
You can also leverage AI to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
### {% data variables.secret-scanning.copilot-secret-scanning %}
|
||||
|
||||
* **{% data variables.secret-scanning.generic-secret-detection-caps %}**: Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to detect unstructured secrets, such as passwords, in your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."{% ifversion secret-scanning-custom-pattern-ai-generated %}
|
||||
* **{% data variables.secret-scanning.custom-pattern-regular-expression-generator-caps %}**: Leverage {% data variables.product.prodname_secret_scanning %}'s AI capabilities to generate regular expressions that will capture all your custom patterns. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator).{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Further reading
|
||||
|
|
|
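Review bot: the second bullet in the new "Copilot secret scanning" section is missing the closing quotation mark after the link: `see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator).{% endif %}` should end `)."{% endif %}` to match the first bullet. Also note the nesting: the `{% ifversion secret-scanning-custom-pattern-ai-generated %}` block sits inside `{% ifversion secret-scanning-ai-generic-secret-detection %}`, so the regular expression generator bullet is only shown in versions that also have generic secret detection. If the two features ship to different version sets, the section heading and the inner condition need to be split so neither feature is hidden on a version that has it.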
@ -66,4 +66,4 @@ Partner alerts are not sent to repository administrators, so you do not need to
|
|||
* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %}
|
||||
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion secret-scanning-non-provider-patterns %}
|
||||
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns)"{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets)"{% endif %}
|
||||
* "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)"{% endif %}
|
||||
|
|
|
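Review bot: while touching this list, fix the unchanged first item, which is missing its closing quotation mark before the version tag: `* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns){% ifversion ghec or ghes %}` should read `...supported-secret-scanning-patterns)"{% ifversion ghec or ghes %}`. The replaced line itself (the move from `.../generic-secret-detection/responsible-ai-generic-secrets` to `.../copilot-secret-scanning/responsible-ai-generic-secrets`) is consistent with the redirects added elsewhere in the commit.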
@ -65,7 +65,7 @@ In addition, alerts that fall into this category:
|
|||
* Are not shown in the summary views for security overview, only in the "{% data variables.product.prodname_secret_scanning_caps %}" view.
|
||||
* Only have the first five detected locations shown on {% data variables.product.prodname_dotcom %} for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %}, and only the first detected location shown for AI-detected generic secrets{% endif %}.
|
||||
|
||||
For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection){% endif %}."
|
||||
For {% data variables.product.company_short %} to scan for non-provider patterns{% ifversion secret-scanning-ai-generic-secret-detection %} and generic secrets{% endif %}, you must first enable the feature{% ifversion secret-scanning-ai-generic-secret-detection %}s{% endif %} for your repository or organization. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/non-provider-patterns/enabling-secret-scanning-for-non-provider-patterns){% ifversion secret-scanning-ai-generic-secret-detection %}" and "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/enabling-ai-powered-generic-secret-detection){% endif %}."
|
||||
|
||||
{% ifversion secret-scanning-alert-experimental-list %}
|
||||
|
||||
|
@ -109,7 +109,7 @@ You can apply various filters to the alerts list to help you find the alerts you
|
|||
|`provider:PROVIDER-NAME`|Displays alerts for a specific provider, for example, `provider:github`. For a list of supported partners, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."|
|
||||
| {% ifversion secret-scanning-non-provider-patterns %} |
|
||||
|{% ifversion secret-scanning-alert-experimental-list %}`results:default`{% else %}`confidence:high`{% endif %}| Displays alerts for {% ifversion secret-scanning-alert-experimental-list %}{% else %}high-confidence secrets, which relate to {% endif %}supported secrets and custom patterns. For a list of supported patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)." |
|
||||
|{% ifversion secret-scanning-alert-experimental-list %}`results:experimental`{% else %}`confidence:other`{% endif %}| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets)."{% endif %}|
|
||||
|{% ifversion secret-scanning-alert-experimental-list %}`results:experimental`{% else %}`confidence:other`{% endif %}| Displays alerts for non-provider patterns, such as private keys{% ifversion secret-scanning-ai-generic-secret-detection %}, and AI-detected generic secrets, such as passwords{% endif %}. For a list of supported non-provider patterns, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns)." {% ifversion secret-scanning-ai-generic-secret-detection %}For more information about AI-detected generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."{% endif %}|
|
||||
| {% endif %} |
|
||||
|
||||
## Next steps
|
||||
|
|
|
@ -46,7 +46,7 @@ For simple tokens you will usually only need to specify a secret format. The oth
|
|||
|
||||
### Using the regular expression generator
|
||||
|
||||
{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/responsible-use-ai-regex-generator)" and "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."
|
||||
{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-use-ai-regex-generator)" and "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
|
|
|
@ -14,7 +14,6 @@ topics:
|
|||
children:
|
||||
- /defining-custom-patterns-for-secret-scanning
|
||||
- /managing-custom-patterns
|
||||
- /responsible-use-ai-regex-generator
|
||||
- /generating-regular-expressions-for-custom-patterns-with-ai
|
||||
- /metrics-for-custom-patterns
|
||||
---
|
||||
|
||||
|
|
|
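Review bot: this hunk removes only one line from `children` (`-14,7 +14,6`), yet both `/responsible-use-ai-regex-generator` and `/generating-regular-expressions-for-custom-patterns-with-ai` have been moved out of the custom-patterns directory in this commit (each gains a `redirect_from` entry for its old custom-patterns path, and the new copilot-secret-scanning index lists both as children). Whichever of the two entries survives here now points at a file that no longer exists in this directory, which the docs build should reject as a missing child; drop both entries.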
@ -1,46 +0,0 @@
|
|||
---
|
||||
title: Enabling AI-powered generic secret detection
|
||||
shortTitle: Enable generic secret detection
|
||||
intro: 'You can enable AI-powered generic secret detection for your repository or organization. Alerts for generic secrets, such as passwords, are displayed in a separate list on the {% data variables.product.prodname_secret_scanning %} alerts page.'
|
||||
versions:
|
||||
feature: secret-scanning-ai-generic-secret-detection
|
||||
type: how_to
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- AI
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/enabling-ai-powered-generic-secret-detection
|
||||
---
|
||||
|
||||
{% data reusables.secret-scanning.generic-secret-detection-ai %}
|
||||
|
||||
## Enabling AI-powered generic secret detection for your repository
|
||||
|
||||
To use generic secret detection, an enterprise owner must first set a policy at the enterprise level that controls whether repositories can enable or disable AI detection. This policy is set to "allowed" by default.
|
||||
|
||||
You can then enable the feature in the "Code security and analysis" settings page of your repository.
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-settings %}
|
||||
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
|
||||
{% data reusables.repositories.navigate-to-ghas-settings %}
|
||||
1. Under "Secret scanning", select the checkbox next to "Use AI detection to find additional secrets".
|
||||
|
||||
## Enabling AI-powered generic secret detection for your organizations
|
||||
|
||||
To use generic secret detection, an enterprise owner must first set a policy at the enterprise level that controls whether repositories in an organization can enable or disable AI detection. This policy is set to "allowed" by default.
|
||||
|
||||
You can then enable the feature in the security settings page of your organization.
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
|
||||
1. Under "Secret scanning", select the checkbox next to "Use AI detection to find additional secrets".
|
||||
|
||||
For information on how to view alerts for generic secrets that have been detected using AI, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets)
|
||||
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
|
|
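Review bot: two facts from this deleted article are not visible in its replacement and should be confirmed to survive in the reusables it now relies on. First, the statement that the enterprise-level policy controlling this feature "is set to "allowed" by default" tells an organization or repository admin whether they need an enterprise owner to act before they can enable detection; if `reusables.secret-scanning.generic-secret-detection-policy-note` does not state the default, restore that sentence. Second, the checkbox label changes from "Use AI detection to find additional secrets" to "Scan for generic secrets" without a corresponding UI change being referenced in the commit, so the new label should be verified against the product.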
@ -1,16 +0,0 @@
|
|||
---
|
||||
title: Generic secret detection
|
||||
shortTitle: Generic secret detection
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: 'You can use AI in combination with {% data variables.product.prodname_secret_scanning %} to detect unstructured passwords in git content.'
|
||||
product: '{% data reusables.gated-features.secret-scanning %}'
|
||||
versions:
|
||||
feature: secret-scanning-ai-generic-secret-detection
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- Repositories
|
||||
children:
|
||||
- /responsible-ai-generic-secrets
|
||||
- /enabling-ai-powered-generic-secret-detection
|
||||
---
|
|
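Review bot: no `redirect_from` entry for `/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection` appears anywhere in this diff, yet this index page is removed; whichever page now serves as the landing page for this content (the `copilot-secret-scanning` paths used elsewhere in the PR suggest where) should list that URL under `redirect_from`, otherwise existing links and bookmarks break.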
@ -1,90 +0,0 @@
|
|||
---
|
||||
title: Responsible detection of generic secrets with AI
|
||||
shortTitle: Generic secret detection
|
||||
intro: 'Learn how {% data variables.product.prodname_secret_scanning %} uses AI responsibly to scan and create alerts for unstructured secrets, such as passwords.'
|
||||
product: '{% data reusables.gated-features.secret-scanning %}'
|
||||
allowTitleToDifferFromFilename: true
|
||||
versions:
|
||||
feature: secret-scanning-ai-generic-secret-detection
|
||||
fpt: '*'
|
||||
type: rai
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- AI
|
||||
redirect_from:
|
||||
- /code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning
|
||||
- /code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning
|
||||
---
|
||||
|
||||
<!--Note on the versioning above ^. This article is visible to free, pro, team users for transparency. They cannot use the feature so `fpt` is not included in the feature definition.-->
|
||||
|
||||
{% data reusables.rai.secret-scanning.generic-secret-detection-ai %}
|
||||
|
||||
## About generic secret detection for {% data variables.product.prodname_secret_scanning %}
|
||||
|
||||
Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that identifies unstructured secrets (passwords) in your source code and then generates an alert.
|
||||
|
||||
{% data variables.product.prodname_GH_advanced_security %} users can already receive {% data variables.secret-scanning.alerts %} for partner or custom patterns found in their source code, but unstructured secrets are not easily discoverable. AI-powered generic secret detection uses large language models (LLMs) to identify this type of secret.
|
||||
|
||||
When a password is detected, an alert is displayed in the list of {% data variables.product.prodname_secret_scanning %} alerts (under the **Security** tab of the repository, organization, or enterprise), so that maintainers and security managers can review the alert and, where necessary, remove the credential or implement a fix.
|
||||
|
||||
To use the feature, an enterprise owner sets a policy at the enterprise level that controls whether repositories can enable or disable AI detection. This policy is set to "allowed" by default. The feature must then be enabled for repositories and organizations.
|
||||
|
||||
### Input processing
|
||||
|
||||
Input is limited to text (typically code) that a user has checked into a repository. The system provides this text to the LLM along with a meta prompt asking the LLM to find passwords within the scope of the input. The user does not interact with the LLM directly.
|
||||
|
||||
The system scans for passwords using the LLM. No additional data is collected by the system, other than what is already collected by the existing {% data variables.product.prodname_secret_scanning %} feature.
|
||||
|
||||
### Output and display
|
||||
|
||||
The LLM scans for strings that resemble passwords and verifies that the identified strings included in the response actually exist in the input.
|
||||
|
||||
These detected strings are surfaced as alerts on the {% data variables.product.prodname_secret_scanning %} alerts page, but they are displayed in an additional list that is separate from regular {% data variables.secret-scanning.alerts %}. The intent is that this separate list is triaged with more scrutiny to verify the validity of the findings. Each alert notes that it was detected using AI. {% ifversion secret-scanning-ai-generic-secret-detection %}For information on how to view alerts for generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts)."{% endif %}
|
||||
|
||||
## Improving the performance of generic secret detection
|
||||
|
||||
To improve the performance of generic secret detection, we recommend closing false positive alerts appropriately and providing feedback when you encounter issues.
|
||||
|
||||
### Verify the accuracy of alerts and close as appropriate
|
||||
|
||||
Since AI-powered generic secret detection may generate more false positives than the existing {% data variables.product.prodname_secret_scanning %} feature for partner patterns, it's important that you review the accuracy of these alerts. When you verify an alert to be a false positive, be sure to close the alert and mark the reason as "False positive" in the {% data variables.product.prodname_dotcom %} UI. The {% data variables.product.prodname_dotcom %} development team will use this information to improve the model.
|
||||
|
||||
### Provide feedback
|
||||
|
||||
Generic secret detection is currently in {% data variables.release-phases.public_preview %}. If you encounter any issues or limitations with the feature, we recommend that you provide feedback through the **Give feedback** button listed under each detected secret in the list of alerts for the repository, organization, or enterprise. This can help the developers improve the tool and address any concerns or limitations.
|
||||
|
||||
## Limitations of generic secret detection
|
||||
|
||||
When using generic secret detection for {% data variables.product.prodname_secret_scanning %}, you should consider the following limitations.
|
||||
|
||||
### Limited scope
|
||||
|
||||
AI-powered generic secret detection currently only looks for instances of passwords in git content. The feature does not look for other types of generic secrets, and it does not look for secrets in non-git content, such as {% data variables.product.prodname_github_issues %}.
|
||||
|
||||
### Potential for false positive alerts
|
||||
|
||||
AI-powered generic secret detection may generate more false positive alerts when compared to the existing {% data variables.product.prodname_secret_scanning %} feature (which detects partner patterns, and which has a very low false positive rate). To mitigate this excess noise, alerts are grouped in a separate list from partner pattern alerts, and security managers and maintainers should triage each alert to verify its accuracy.
|
||||
|
||||
### Potential for incomplete reporting
|
||||
|
||||
AI-powered generic secret detection may miss instances of credentials checked into a repository. The LLM will improve over time. You retain ultimate responsibility for ensuring the security of your code.
|
||||
|
||||
## Evaluation of generic secret detection
|
||||
|
||||
Generic secret detection has been subject to Responsible AI Red Teaming and {% data variables.product.prodname_dotcom %} will continue to monitor the efficacy and safety of the feature over time.
|
||||
|
||||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
## Next steps
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/enabling-ai-powered-generic-secret-detection)
|
||||
* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Further reading
|
||||
|
||||
* [AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)
|
||||
* [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-generic-secret-detection-for-secret-scanning-in-your-enterprises-repositories)
|
|
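Review bot: the two `redirect_from` paths in this removed file (`/code-security/secret-scanning/about-the-detection-of-generic-secrets-with-secret-scanning` and the `.../generic-secret-detection/about-the-detection-of-generic-secrets-with-secret-scanning` path) must be carried over to the replacement article at `/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets`, together with this file's own path, or those redirects stop working. Also, the `versions` block here deliberately adds `fpt: '*'` (the HTML comment explains that free, pro and team users should be able to read the transparency article); check that the moved file preserves that line.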
@ -15,7 +15,6 @@ topics:
|
|||
children:
|
||||
- /excluding-folders-and-files-from-secret-scanning
|
||||
- /non-provider-patterns
|
||||
- /generic-secret-detection
|
||||
- /custom-patterns
|
||||
- /delegated-bypass-for-push-protection
|
||||
---
|
||||
|
|
|
@ -105,7 +105,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
|
|||
|
||||
{% ifversion ghes < 3.15 %}
|
||||
* [Scanning for non-provider patterns](#scanning-for-non-provider-patterns){% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
* [Generic secret detection](#generic-secret-detection){% endif %}
|
||||
* [Generic secret detection with {% data variables.secret-scanning.copilot-secret-scanning %}](#generic-secret-detection-with-copilot-secret-scanning){% endif %}
|
||||
* [Adding a resource link for blocked commits](#adding-a-resource-link-for-blocked-commits){% ifversion ghec or ghes %}
|
||||
* [Defining custom patterns](#defining-custom-patterns){% endif %}
|
||||
|
||||
|
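Review bot: the new TOC entry hard-codes the text "Generic secret detection" while the corresponding heading, changed in the next hunk of this file, is built from `{% data variables.secret-scanning.generic-secret-detection-caps %}`; use the same variable in the link text so the entry and the heading cannot diverge. The anchor `#generic-secret-detection-with-copilot-secret-scanning` is correct for the rendered heading as long as the two variables keep their current values. The Liquid conditionals are balanced (the `{% endif %}` on the non-provider line closes the `ghes < 3.15` block and the new `{% ifversion secret-scanning-ai-generic-secret-detection %}` is closed at the end of the new line).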
@ -121,11 +121,11 @@ You can choose to scan for non-provider patterns, such as private keys, to detec
|
|||
|
||||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
### Generic secret detection
|
||||
### {% data variables.secret-scanning.generic-secret-detection-caps %} with {% data variables.secret-scanning.copilot-secret-scanning %}
|
||||
|
||||
Generic secret detection is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Use AI detection to find additional secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/generic-secret-detection/responsible-ai-generic-secrets)."
|
||||
{% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %} is an AI-powered expansion of {% data variables.product.prodname_secret_scanning %} that scans and creates alerts for unstructured secrets, such as passwords. To enable these scans, select **Scan for generic secrets**. Be aware that generic secrets often have a higher rate of false positives than other types of alert. To learn more about generic secrets, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets)."
|
||||
|
||||
{% data reusables.secret-scanning.generic-secret-detection-ai %}
|
||||
{% data reusables.secret-scanning.copilot-secret-scanning-generic-secrets-subscription-note %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
|
|
|
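Review bot: the **Scan for generic secrets** label introduced here conflicts with the new enabling article in this same PR, which tells readers to select "Use AI detection to find additional secrets" in both the repository and organization settings; only one of these can match the UI, so align them. Swapping `reusables.secret-scanning.generic-secret-detection-ai` for the subscription note also drops the statement that detection is currently limited to passwords in source code; if that limitation still holds, it should remain on this page, since the replacement note covers licensing only.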
@ -1,6 +1,6 @@
|
|||
1. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
|
||||
1. In the "Pattern name" field, type a name for your pattern.
|
||||
1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %}
|
||||
1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see "[AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-ai)."{% endif %}
|
||||
1. You can click **More options {% octicon "chevron-down" aria-label="down" %}** to provide other surrounding content or additional match requirements for the secret format.
|
||||
1. Provide a sample test string to make sure your configuration is matching the patterns you expect.
|
||||
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
{% ifversion secret-scanning-custom-pattern-ai-generated %}
|
||||
|
||||
> [!NOTE]
|
||||
> You do not need a subscription to {% data variables.product.prodname_copilot %} to use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}. {% data variables.secret-scanning.copilot-secret-scanning %} features are available to private repositories in {% data variables.product.prodname_ghe_cloud %} enterprises that have a license for {% data variables.product.prodname_GH_advanced_security %}.
|
||||
|
||||
{% endif %}
|
|
@ -0,0 +1,6 @@
|
|||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
> [!NOTE]
|
||||
> You do not need a subscription to {% data variables.product.prodname_copilot %} to use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %}. {% data variables.secret-scanning.copilot-secret-scanning %} features are available to private repositories in {% data variables.product.prodname_ghe_cloud %} enterprises that have a license for {% data variables.product.prodname_GH_advanced_security %}.
|
||||
|
||||
{% endif %}
|
|
@ -1,10 +0,0 @@
|
|||
<!--This reusable is an intentional duplicate of data/reusables/secret-scanning/generic-secret-detection-ai.md. The duplicate is necessary to enforce legal review of Responsible AI content. If you are updating this content, you may also want to update data/reusables/secret-scanning/generic-secret-detection-ai.md. -->
|
||||
{% note %}
|
||||
|
||||
**Note:** {% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
Generic secret detection for {% data variables.product.prodname_secret_scanning %} is in {% data variables.release-phases.public_preview %}. Functionality and documentation are subject to change. During this phase, generic secret detection is limited to looking for passwords in source code.
|
||||
{% elsif fpt %}
|
||||
Generic secret detection for {% data variables.product.prodname_secret_scanning %} is in {% data variables.release-phases.public_preview %}. Functionality and documentation are subject to change. The feature is available for enterprise accounts that use {% data variables.product.prodname_GH_advanced_security %} on {% data variables.product.prodname_ghe_cloud %}.
|
||||
{% endif %}
|
||||
|
||||
{% endnote %}
|
|
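Review bot: the note being deleted has an `{% elsif fpt %}` branch telling free, pro and team readers that the feature is only available to enterprise accounts using {% data variables.product.prodname_GH_advanced_security %} on {% data variables.product.prodname_ghe_cloud %}; the subscription note that replaces it is wrapped only in `{% ifversion secret-scanning-ai-generic-secret-detection %}`, so on the Responsible AI article, which is published to `fpt` for transparency, those readers will now see no availability statement at all. Consider keeping an `{% elsif fpt %}` branch in the replacement reusable.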
@ -0,0 +1 @@
|
|||
To use {% data variables.secret-scanning.generic-secret-detection %}, an enterprise owner must first set a policy at the enterprise level that controls whether the feature can be enabled and disabled for repositories in an organization. This policy is set to "allowed" by default.
|
|
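Review bot: "can be enabled and disabled for repositories" should read "can be enabled or disabled for repositories", matching the wording the enterprise policy page uses ("can enable or disable AI detection"); the same fix applies to the second, identical copy of this reusable added later in the PR.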
@ -0,0 +1,6 @@
|
|||
{% ifversion secret-scanning-custom-pattern-ai-generated %}
|
||||
|
||||
> [!NOTE]
|
||||
> You do not need a subscription to {% data variables.product.prodname_copilot %} to use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}. {% data variables.secret-scanning.copilot-secret-scanning %} features are available to private repositories in {% data variables.product.prodname_ghe_cloud %} enterprises with {% data variables.product.prodname_GH_advanced_security %} enabled.
|
||||
|
||||
{% endif %}
|
|
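Review bot: this note is a copy of the one added earlier in this PR, but the wording already differs: here it reads "enterprises with {% data variables.product.prodname_GH_advanced_security %} enabled", there "enterprises that have a license for {% data variables.product.prodname_GH_advanced_security %}". Pick one phrasing for both copies (the two generic-secret-detection subscription notes have the same discrepancy), since the deleted reusables these replace were kept as intentional duplicates precisely so the `rai` and `secret-scanning` copies stay identical for legal review.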
@ -0,0 +1,6 @@
|
|||
{% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
|
||||
> [!NOTE]
|
||||
> You do not need a subscription to {% data variables.product.prodname_copilot %} to use {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.generic-secret-detection %}. {% data variables.secret-scanning.copilot-secret-scanning %} features are available to private repositories in {% data variables.product.prodname_ghe_cloud %} enterprises that have {% data variables.product.prodname_GH_advanced_security %} enabled.
|
||||
|
||||
{% endif %}
|
|
@ -1,10 +0,0 @@
|
|||
<!--This reusable is an intentional duplicate of data/reusables/rai/secret-scanning/generic-secret-detection-ai.md. The duplicate is necessary to enforce legal review of Responsible AI content. If you are updating this content, you may also want to update data/reusables/rai/secret-scanning/generic-secret-detection-ai.md. -->
|
||||
{% note %}
|
||||
|
||||
**Note:** {% ifversion secret-scanning-ai-generic-secret-detection %}
|
||||
Generic secret detection for {% data variables.product.prodname_secret_scanning %} is in {% data variables.release-phases.public_preview %}. Functionality and documentation are subject to change. During this phase, generic secret detection is limited to looking for passwords in source code.
|
||||
{% elsif fpt %}
|
||||
Generic secret detection for {% data variables.product.prodname_secret_scanning %} is in {% data variables.release-phases.public_preview %}. Functionality and documentation are subject to change. The feature is available for enterprise accounts that use {% data variables.product.prodname_GH_advanced_security %} on {% data variables.product.prodname_ghe_cloud %}.
|
||||
{% endif %}
|
||||
|
||||
{% endnote %}
|
|
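Review bot: both deleted reusables opened with an HTML comment explaining that the `data/reusables/rai/secret-scanning/` and `data/reusables/secret-scanning/` copies are intentional duplicates kept in sync for legal review of Responsible AI content; none of the replacement reusables added in this PR (the two subscription notes and the one-line enterprise policy sentence, each added twice) carry that comment, and the subscription notes already differ between copies. Restore the comment on each new pair, for example `<!--This reusable is an intentional duplicate of data/reusables/rai/secret-scanning/<file>.md. ... -->`, so future edits keep them aligned.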
@ -0,0 +1 @@
|
|||
To use {% data variables.secret-scanning.generic-secret-detection %}, an enterprise owner must first set a policy at the enterprise level that controls whether the feature can be enabled and disabled for repositories in an organization. This policy is set to "allowed" by default.
|
|
@ -9,3 +9,7 @@ user_alerts_caps: >-
|
|||
alerts: 'secret scanning alerts'
|
||||
alerts_caps: 'Secret scanning alerts'
|
||||
custom-pattern-regular-expression-generator: 'regular expression generator'
|
||||
custom-pattern-regular-expression-generator-caps: 'Regular expression generator'
|
||||
copilot-secret-scanning: 'Copilot secret scanning'
|
||||
generic-secret-detection: 'generic secret detection'
|
||||
generic-secret-detection-caps: 'Generic secret detection'
|
||||
|
|