# GitHub Secret Scanner

The GitHub Secret Scanner extension is a cronjob that periodically retrieves GitHub secret alerts and manages the lifecycle of the corresponding findings.
## Configuration Example

```yaml
ghas:
  on_unsupported: warning
  schedule: '0 0 * * *' # daily at midnight
  successful_jobs_history_limit: 1
  failed_jobs_history_limit: 1
  github_instances:
    - hostname: github.com
      orgs:
        - open-component-model
        - acme-org
    - hostname: github.acme.org
      orgs:
        - internal-team
```
## Top-Level Options

| Option | Type | Default | Description |
|---|---|---|---|
| `on_unsupported` | string | `warning` | Behaviour when an artefact kind/type/access is unsupported. Options: `fail`, `ignore`, `warning`. |
| `schedule` | string | `'0 0 * * *'` | Cron schedule for running the cronjob (daily at midnight by default). |
| `successful_jobs_history_limit` | int | `1` | Number of successful job executions to retain in history. |
| `failed_jobs_history_limit` | int | `1` | Number of failed job executions to retain in history. |
| `github_instances` | list | | List of GitHub instances to monitor. See the GitHub Instances Fields section below. |
## GitHub Instances Fields

Each entry in the `github_instances` list supports the following fields:

| Option | Type | Required | Description |
|---|---|---|---|
| `hostname` | string | yes | Hostname of the GitHub instance (e.g., `github.com`). |
| `orgs` | list | yes | List of GitHub organizations to fetch secret alerts for. |
## Configuration Details

### on_unsupported

Defines the behaviour when an artefact kind, type, or access method is not supported:

- `fail`: raise an exception and stop processing
- `ignore`: silently skip the unsupported artefact
- `warning` (default): skip the artefact and log a warning message
### schedule

The cron schedule expression that determines when the GitHub Secret Scanner cronjob runs.
Default is `0 0 * * *` (daily at midnight).

Common schedule patterns:

```yaml
# Every day at midnight
schedule: '0 0 * * *'
# Every 6 hours
schedule: '0 */6 * * *'
# Every Monday at 9 AM
schedule: '0 9 * * 1'
# Every hour
schedule: '0 * * * *'
```
### successful_jobs_history_limit

Number of successful cronjob executions to retain in Kubernetes history. Default is `1`.
This controls how many completed job pods are kept for auditing and debugging purposes.

### failed_jobs_history_limit

Number of failed cronjob executions to retain in Kubernetes history. Default is `1`.
This controls how many failed job pods are kept for troubleshooting purposes.
### github_instances

Configures which GitHub instances and organizations to monitor for secret alerts. This allows monitoring across multiple GitHub deployments (public GitHub and GitHub Enterprise instances).

#### Multiple Instance Support

You can configure multiple GitHub instances to monitor different organizational boundaries:

```yaml
github_instances:
  - hostname: github.com
    orgs:
      - my-open-source-org
      - another-public-org
  - hostname: github.enterprise.acme.com
    orgs:
      - internal-security
      - platform-team
```
#### Hostname

The hostname of the GitHub instance. For public GitHub, use `github.com`. For GitHub Enterprise Server installations, use your enterprise hostname (e.g., `github.acme.org`).
#### Organizations

List of GitHub organization names to monitor for secret alerts. The GHAS extension will check all repositories within these organizations that have GitHub Advanced Security enabled.

Example with multiple organizations:

```yaml
ghas:
  github_instances:
    - hostname: github.com
      orgs:
        - ocm-project
        - security-team
        - compliance-team
```
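As an added example (not code from the extension itself), the following Python check validates a parsed `ghas:` configuration against the options documented on this page: the accepted `on_unsupported` values, a five-field cron `schedule`, non-negative history limits, and at least one instance with a bare hostname and a non-empty `orgs` list. It takes the mapping that `yaml.safe_load` would return for the YAML above; the sample configuration is constructed inline, and the function name and error messages are assumptions.

```python
import re

# Accepted values for on_unsupported, as documented on this page.
ON_UNSUPPORTED = {'fail', 'ignore', 'warning'}
# One cron field: '*' or a number/range, optional '/step', comma-separated lists.
_CRON_FIELD = re.compile(r'^(\*|\d+(-\d+)?)(/\d+)?(,(\*|\d+(-\d+)?)(/\d+)?)*$')


def validate_ghas_config(cfg: dict) -> list[str]:
    """Return the problems found in a parsed ghas config (empty list means valid)."""
    errors = []
    ghas = cfg.get('ghas')
    if not isinstance(ghas, dict):
        return ['missing top-level "ghas" mapping']
    mode = ghas.get('on_unsupported', 'warning')  # default per the docs
    if mode not in ON_UNSUPPORTED:
        errors.append(f'on_unsupported: {mode!r} is not one of {sorted(ON_UNSUPPORTED)}')
    schedule = str(ghas.get('schedule', '0 0 * * *'))  # default per the docs
    fields = schedule.split()
    if len(fields) != 5 or not all(_CRON_FIELD.match(f) for f in fields):
        errors.append(f'schedule: {schedule!r} is not a five-field cron expression')
    for key in ('successful_jobs_history_limit', 'failed_jobs_history_limit'):
        value = ghas.get(key, 1)  # default per the docs; bool is rejected (it is an int in Python)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f'{key}: {value!r} must be a non-negative integer')
    instances = ghas.get('github_instances')
    if not isinstance(instances, list) or not instances:
        return errors + ['github_instances: at least one instance is required']
    seen = set()
    for i, inst in enumerate(instances):
        inst = inst if isinstance(inst, dict) else {}
        host, orgs = inst.get('hostname'), inst.get('orgs')
        # A bare hostname is expected (github.com, github.acme.org), not a URL with scheme/path/port.
        if not isinstance(host, str) or not host or any(c in host for c in '/:'):
            errors.append(f'github_instances[{i}].hostname: required, bare hostname expected')
        elif host in seen:
            errors.append(f'github_instances[{i}].hostname: {host!r} listed twice')
        seen.add(host)
        if not isinstance(orgs, list) or not orgs or not all(isinstance(o, str) and o for o in orgs):
            errors.append(f'github_instances[{i}].orgs: non-empty list of org names required')
    return errors


# Constructed sample: the parsed form of the configuration example at the top of this page.
SAMPLE_CONFIG = {'ghas': {
    'on_unsupported': 'warning', 'schedule': '0 0 * * *',
    'successful_jobs_history_limit': 1, 'failed_jobs_history_limit': 1,
    'github_instances': [{'hostname': 'github.com', 'orgs': ['open-component-model', 'acme-org']},
                         {'hostname': 'github.acme.org', 'orgs': ['internal-team']}]}}
```

Running the check against `SAMPLE_CONFIG` returns an empty list; a misspelled `on_unsupported` value, a four-field schedule or an instance given as a URL each produce a separate message naming the offending key.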