Secret scanning shows metadata for GitHub tokens - [Public Beta] (#35351)

Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com>
2023-04-11 21:48:14 +02:00 · 2023-04-11 21:48:14 +02:00 · 2929966919
--- a/assets/images/help/repository/secret-scanning-github-token-metadata.png
+++ b/assets/images/help/repository/secret-scanning-github-token-metadata.png
--- a/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
+++ b/content/code-security/secret-scanning/managing-alerts-from-secret-scanning.md
@ -35,8 +35,8 @@ shortTitle: Manage secret alerts
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 1. In the left sidebar, under "Vulnerability alerts", click **{% data variables.product.prodname_secret_scanning_caps %}**.
-2. Under "{% data variables.product.prodname_secret_scanning_caps %}" click the alert you want to view.{% ifversion secret-scanning-validity-check %}
-3. Optionally, if the leaked secret is a {% data variables.product.company_short %} token, check the validity of the secret and follow the remediation steps.
+1. Under "{% data variables.product.prodname_secret_scanning_caps %}" click the alert you want to view.{% ifversion secret-scanning-validity-check %}
+1. Optionally, if the leaked secret is a {% data variables.product.company_short %} token, check the validity of the secret and follow the remediation steps. {% ifversion secret-scanning-github-token-metadata %}If the {% data variables.product.company_short %} token is currently active, you can also review the token metadata. For more information on reviewing token metadata, see "[Reviewing {% data variables.product.company_short %} token metadata](#reviewing-github-token-metadata)."{% endif %}

   ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the validity check and suggested remediation steps.](/assets/images/help/repository/secret-scanning-validity-check.png)

@ -68,6 +68,34 @@ shortTitle: Manage secret alerts
 1. Click **Close alert**.
 {% endif %}

+{% ifversion secret-scanning-github-token-metadata %}
+## Reviewing {% data variables.product.company_short %} token metadata
+
+{% note %}
+
+**Note:** Metadata for {% data variables.product.company_short %} tokens is currently in public beta and subject to change.
+
+{% endnote %}
+
+In the view for an active {% data variables.product.company_short %} token alert, you can review certain metadata about the token. This metadata may help you identify the token and decide what remediation steps to take. For more information on viewing individual alerts, see "[Managing {% data variables.product.prodname_secret_scanning %} alerts](#managing-secret-scanning-alerts)." 
+
+Tokens, like {% data variables.product.pat_generic %} and other credentials, are considered personal information. For more information about using {% data variables.product.company_short %} tokens, see [GitHub's Privacy Statement](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement) and [Acceptable Use Policies](/free-pro-team@latest/site-policy/acceptable-use-policies/github-acceptable-use-policies).
+
+   ![Screenshot of the UI for a {% data variables.product.company_short %} token, showing the token metadata.](/assets/images/help/repository/secret-scanning-github-token-metadata.png)
+
+ Metadata for {% data variables.product.company_short %} tokens is available for active tokens in any repository with secret scanning enabled. If a token has been revoked or its status cannot be validated, metadata will not be available. {% data variables.product.company_short %} auto-revokes {% data variables.product.company_short %} tokens in public repositories, so metadata for {% data variables.product.company_short %} tokens in public repositories is unlikely to be available. The following metadata is available for active {% data variables.product.company_short %} tokens:
+
+|Metadata|Description|
+|-------------------------|--------------------------------------------------------------------------------|
+|Secret name| The name given to the {% data variables.product.company_short %} token by its creator|
+|Secret owner| The {% data variables.product.company_short %} handle of the token's owner|
+|Created on| Date the token was created|
+|Expired on| Date the token expired|
+|Last used on| Date the token was last used|
+|Access| Whether the token has organization access|
+
+{% endif %}
+
 ## Securing compromised secrets

 Once a secret has been committed to a repository, you should consider the secret compromised. {% data variables.product.prodname_dotcom %} recommends the following actions for compromised secrets:
--- a/data/features/secret-scanning-github-token-metadata.yml
+++ b/data/features/secret-scanning-github-token-metadata.yml
@ -0,0 +1,6 @@
+# Reference: #9142.
+# Secret scanning: GitHub token metadata
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.10'