Severity
high
Service
repository
Checks whether secret scanning is enabled on the GitHub repository. Secret scanning detects secrets (API keys, tokens, passwords) in new commits and in the existing Git history; the check reads the repository's security_and_analysis settings and fails when detection is not active.
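The evaluation the check performs, written out as an added example (this is not Prowler's own check code): it consumes the JSON that GET /repos/{owner}/{repo} returns, uses constructed sample repository objects so it runs offline, and reports a Prowler-style PASS/FAIL finding. The field names are those of the GitHub REST API; the Finding shape and the decision to treat a missing field as FAIL are this example's own choices.

```python
"""Evaluate repository metadata for the secret scanning setting.

Added example, not Prowler's own check code.  It consumes the JSON that
GET /repos/{owner}/{repo} returns and uses constructed sample objects so it
runs offline.  The field names are the GitHub REST API's; the PASS/FAIL
finding shape mirrors Prowler's output but is this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    resource: str
    status: str          # "PASS" or "FAIL"
    status_extended: str


def feature_status(repo: dict, feature: str) -> Optional[str]:
    """Return 'enabled', 'disabled', or None when the field is absent.

    GitHub only includes security_and_analysis in the repository object
    when the caller has admin permission, so None means "not visible",
    not "disabled".
    """
    sa = repo.get("security_and_analysis") or {}
    return (sa.get(feature) or {}).get("status")


def evaluate(repo: dict) -> Finding:
    name = repo["full_name"]
    scanning = feature_status(repo, "secret_scanning")
    push_protection = feature_status(repo, "secret_scanning_push_protection")
    if scanning == "enabled":
        detail = f"Repository {name} has secret scanning enabled"
        if push_protection != "enabled":
            detail += " but push protection is not enabled"
        return Finding(name, "PASS", detail + ".")
    if scanning is None:
        # Unknown is reported as FAIL rather than silently counted as covered;
        # re-run with a token that has admin access to the repository.
        return Finding(name, "FAIL",
                       f"Repository {name}: secret scanning status is not visible to this token.")
    return Finding(name, "FAIL", f"Repository {name} does not have secret scanning enabled.")


def run(repos: List[dict]) -> List[Finding]:
    return [evaluate(r) for r in repos]


# Constructed sample responses, trimmed to the fields the check reads.
SAMPLE_REPOS = [
    {"full_name": "acme/api",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"},
                               "secret_scanning_push_protection": {"status": "enabled"}}},
    {"full_name": "acme/web",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"},
                               "secret_scanning_push_protection": {"status": "disabled"}}},
    {"full_name": "acme/legacy",
     "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    {"full_name": "acme/fork"},   # token without admin rights: field missing
]

if __name__ == "__main__":
    for f in run(SAMPLE_REPOS):
        print(f"{f.status}\t{f.status_extended}")
```

Running the block prints one line per sample repository; the fourth case shows why the token used for the scan needs admin rights, since without them the API hides the setting entirely and the result cannot be distinguished from a real gap.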
Risk
Without secret scanning, credentials committed to the repository can sit unnoticed in the history for as long as the repository exists, enabling:
- Unauthorized access to cloud and third-party services with the leaked credential
- Supply-chain compromise, for example a leaked CI or package-registry token used to tamper with pipelines or publish malicious artifacts
- Data exfiltration and repository takeover
This degrades confidentiality and integrity and widens the blast radius of a single leaked key: one credential in a commit is readable by everyone with clone access and by anyone who later obtains a copy of the repository.
Run this check with Prowler CLI
prowler github --checks repository_secret_scanning_enabled
Recommendation
Enable secret scanning (and push protection where available) across all repositories, including archived and forked ones.
- Store secrets in a dedicated secrets manager and inject them at runtime; never commit them to code or configuration
- Define custom patterns for organisation-specific secret formats that the built-in partner patterns do not cover, and enable scanning for non-provider (generic) patterns
- Treat any credential that has ever been committed as compromised: revoke and rotate it promptly; rewriting Git history does not undo the exposure
- Enforce least privilege on the credentials that are used so a leak has limited reach, and add defense-in-depth monitoring for their use
Remediation
CLI
gh api -X PATCH repos/<OWNER>/<REPO> -H "Accept: application/vnd.github+json" -H "Content-Type: application/json" -d '{"security_and_analysis":{"secret_scanning":{"status":"enabled"}}}'
To turn on push protection in the same call, add "secret_scanning_push_protection":{"status":"enabled"} next to "secret_scanning" inside the security_and_analysis object. The caller needs admin permission on the repository, and on private repositories secret scanning is only available with GitHub Advanced Security; without it the API rejects the change.
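The same PATCH applied across a whole organisation, as an added example that is not part of the Prowler page or project: it lists the organisation's repositories with the documented GET /orgs/{org}/repos endpoint, skips those already compliant, PATCHes the rest with the payload from the command above plus push protection, and records repositories where the change is refused (for instance a private repository without an Advanced Security licence). The HTTP transport is injectable; github_transport() is the real one, fake_transport() is a constructed stand-in so the rollout logic runs offline. The organisation name, repository names and error message in the fake are made up for the example.

```python
"""Org-wide remediation: enable secret scanning and push protection on every
repository that lacks them, via the GitHub REST API.

Added example, not from the Prowler page or project.  Endpoints used are the
documented GET /orgs/{org}/repos and PATCH /repos/{owner}/{repo}; the
transport is injectable and fake_transport() is a constructed offline stand-in.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

API = "https://api.github.com"
DESIRED = {"security_and_analysis": {
    "secret_scanning": {"status": "enabled"},
    "secret_scanning_push_protection": {"status": "enabled"}}}
FEATURES = tuple(DESIRED["security_and_analysis"])

# (method, path, json_body) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, object]]


def github_transport(token: str) -> Transport:
    """Real transport; the token needs admin rights on the target repositories."""
    def send(method: str, path: str, body: Optional[dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API + path, data=data, method=method, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return send


def list_repos(send: Transport, org: str) -> List[dict]:
    """Follow page= pagination until an empty page comes back."""
    repos, page = [], 1
    while True:
        code, batch = send("GET", f"/orgs/{org}/repos?per_page=100&page={page}", None)
        if code != 200:
            raise RuntimeError(f"listing {org} failed with HTTP {code}")
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


def needs_change(repo: dict) -> bool:
    sa = repo.get("security_and_analysis") or {}
    return any((sa.get(f) or {}).get("status") != "enabled" for f in FEATURES)


def remediate(send: Transport, org: str) -> dict:
    """Idempotent rollout: skip compliant repos, PATCH the rest, keep failures."""
    result = {"enabled": [], "skipped": [], "failed": []}
    for repo in list_repos(send, org):
        name = repo["full_name"]
        if not needs_change(repo):
            result["skipped"].append(name)
            continue
        code, body = send("PATCH", f"/repos/{name}", DESIRED)
        if code == 200:
            result["enabled"].append(name)
        else:
            # Typical causes: no admin permission, or a private repository
            # without an Advanced Security licence.  Keep the message for the report.
            result["failed"].append((name, code, (body or {}).get("message", "")))
    return result


# --- constructed fake of the GitHub API for offline use (names are made up) ---
_FAKE_REPOS = [
    {"full_name": "acme/api", "security_and_analysis": {"secret_scanning": {"status": "enabled"},
                                                        "secret_scanning_push_protection": {"status": "enabled"}}},
    {"full_name": "acme/web", "security_and_analysis": {"secret_scanning": {"status": "enabled"},
                                                        "secret_scanning_push_protection": {"status": "disabled"}}},
    {"full_name": "acme/legacy", "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    {"full_name": "acme/private-nolicense", "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
]


def fake_transport(method: str, path: str, body: Optional[dict] = None):
    if method == "GET" and path.startswith("/orgs/acme/repos"):
        page = int(path.rsplit("page=", 1)[1])
        return 200, (_FAKE_REPOS if page == 1 else [])
    if method == "PATCH" and path == "/repos/acme/private-nolicense":
        return 422, {"message": "constructed: feature not available for this repository"}
    if method == "PATCH":
        return 200, {"full_name": path[len("/repos/"):], **(body or {})}
    return 404, {"message": "Not Found"}


if __name__ == "__main__":
    print(remediate(fake_transport, "acme"))
```

To run it for real, replace fake_transport with github_transport(token) where token is a fine-grained PAT or GitHub App token with administration write access on the repositories; the "failed" list in the result is the set of repositories that still need manual attention (licensing or permissions), which is exactly what a follow-up Prowler run would flag again.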
Terraform
Other
- In GitHub, open the target repository and go to Settings
- In the left sidebar, click Code security (labelled Code security and analysis in older versions of the UI)
- Under Secret scanning, click Enable (or set to Enabled); then enable Push protection below it so pushes containing known secret formats are blocked before they reach the history
- Confirm if prompted
Source Code
Resource Type
NotDefined