Secret Scanning is a tool that checks every commit in the repository history for sensitive data in the code, such as API keys, tokens, certificates, and other secrets.
Warning
Deleting a commit that contains a secret is not a fail-safe measure: if the commit hash is disclosed, the commit remains accessible from the SourceCraft interface.
On the Home tab, navigate to Repositories and select a repository.
Under Security on the repository page, go to Secret scanning.
Note
You can also view a general list of detected secrets across all repositories in the organization.
The list of secrets shows the last detection date.
To download a SARIF (Static Analysis Results Interchange Format) file for audit or integration with external systems, click Download SARIF.
To view information about a specific incident, select it from the list.
For each secret found, the following information is provided:
Secret type.
Commit ID and last detection time.
Path to the file and the code snippet containing the secret.
Incident status: Open or Resolved.
False positive mark (if any).
Under Activity, you can view the history of events for a specific secret detected in the repository: when the warning was opened, and who marked it as resolved or reopened it and when.
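As an added example (not part of the SourceCraft documentation or product), the following Python script consumes a SARIF export like the one downloaded with Download SARIF and maps each result to the fields listed above (secret type, file path and snippet location, commit). The SARIF layout follows the 2.1.0 standard, the commitSha fingerprint key is an assumed convention, and the sample document is constructed.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample in the shape a secret-scanning export is
# assumed to take (not a real SourceCraft file). The "commitSha" fingerprint
# key is a constructed convention; SARIF leaves partialFingerprints free-form.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "secret-scanner"}},
        "results": [
            {"ruleId": "aws-access-key", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deploy/config.env"},
                 "region": {"startLine": 12}}}],
             "partialFingerprints": {"commitSha": "0" * 39 + "1"}},
            {"ruleId": "generic-api-key", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures/sample.json"},
                 "region": {"startLine": 3}}}],
             "partialFingerprints": {"commitSha": "0" * 39 + "2"}},
        ],
    }],
})

def load_findings(sarif_text):
    """Flatten each SARIF result into the fields the incident view lists:
    secret type (ruleId), file path and line, severity level, and commit."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "path": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "level": res.get("level", "warning"),
                "commit": res.get("partialFingerprints", {}).get("commitSha", "?"),
            })
    return findings

def triage(findings, allowlist=("tests/fixtures/",)):
    """Drop paths already reviewed as false positives, count the rest per
    secret type, and report whether a CI gate should fail on an open error."""
    kept = [f for f in findings if not f["path"].startswith(allowlist)]
    return {
        "by_rule": dict(Counter(f["rule"] for f in kept)),
        "suppressed": len(findings) - len(kept),
        "fail": any(f["level"] == "error" for f in kept),
    }
```

The allowlist stands in for paths a reviewer has already marked as false positives in the interface; an external pipeline would read it from its own configuration.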
To mark an incident as resolved, follow these steps:
Next to the incident, click Resolved.
Add a comment for the incident.
Optionally, mark the incident as a false positive.