GitHub Secret Scanner¶

The GitHub Secret Scanner extension is a cronjob that regularly checks GitHub secret alerts and manages the lifecycle of respective findings.

Configuration Example¶

ghas:
  on_unsupported: warning
  schedule: '0 0 * * *'           # daily at midnight
  successful_jobs_history_limit: 1
  failed_jobs_history_limit: 1
  github_instances:
    - hostname: github.com
      orgs:
        - open-component-model
        - acme-org
    - hostname: github.acme.org
      orgs:
        - internal-team

Top-Level Options¶

Option

Type

Default

Description

on_unsupported

string

warning

Behaviour when artefact kind/type/access is unsupported. Options: fail, ignore, warning.

schedule

string

0 0 * * *

Cron schedule for running the cronjob (daily at midnight by default).

successful_jobs_history_limit

int

1

Number of successful job executions to retain in history.

failed_jobs_history_limit

int

1

Number of failed job executions to retain in history.

github_instances

list

[]

List of GitHub instances to monitor. See github_instances fields below.

GitHub Instances Fields¶

Each entry in the github_instances list supports the following fields:

Option

Type

Required

Description

hostname

string

yes

Hostname of the GitHub instance (e.g., github.com, github.enterprise.com).

orgs

list

yes

List of GitHub organizations to fetch secret alerts for.

Configuration Details¶

on_unsupported¶

Defines the behaviour when an artefact kind, type, or access method is not supported:

  • fail: Raise an exception and stop processing

  • ignore: Silently skip the unsupported artefact

  • warning (default): Skip the artefact and log a warning message

schedule¶

The cron schedule expression that determines when the GitHub Secret Scanner cronjob runs. Default is 0 0 * * * (daily at midnight).

Common schedule patterns:

# Every day at midnight
schedule: '0 0 * * *'

# Every 6 hours
schedule: '0 */6 * * *'

# Every Monday at 9 AM
schedule: '0 9 * * 1'

# Every hour
schedule: '0 * * * *'

successful_jobs_history_limit¶

Number of successful cronjob executions to retain in Kubernetes history. Default is 1. This controls how many completed job pods are kept for auditing and debugging purposes.

failed_jobs_history_limit¶

Number of failed cronjob executions to retain in Kubernetes history. Default is 1. This controls how many failed job pods are kept for troubleshooting purposes.

github_instances¶

Configures which GitHub instances and organizations to monitor for secret alerts. This allows monitoring across multiple GitHub deployments (public GitHub and GitHub Enterprise instances).

Multiple Instance Support¶

You can configure multiple GitHub instances to monitor different organizational boundaries:

github_instances:
  - hostname: github.com
    orgs:
      - my-open-source-org
      - another-public-org
  - hostname: github.enterprise.acme.com
    orgs:
      - internal-security
      - platform-team

Hostname¶

The hostname of the GitHub instance. For public GitHub, use github.com. For GitHub Enterprise Server installations, use your enterprise hostname (e.g., github.acme.org).

Organizations¶

List of GitHub organization names to monitor for secret alerts. The GHAS extension will check all repositories within these organizations that have GitHub Advanced Security enabled.

Example with multiple organizations:

ghas:
  github_instances:
    - hostname: github.com
      orgs:
        - ocm-project
        - security-team
        - compliance-team