GitHub Secret Scanning API Now Offers More Filters and Workflow Help

GitHub's secret scanning tools now offer more control. Developers can use new API filters and get detailed alerts, making it easier to find and fix leaked secrets in code.

GitHub has rolled out a series of enhancements to its secret scanning capabilities, focusing on making the detection and management of leaked credentials more granular and accessible through its APIs and automated workflows. These updates aim to provide users with greater control over how secret scanning alerts are filtered, communicated, and handled, particularly concerning delegated workflows and bypass requests.

The core of these changes involves significant expansions to the information surfaced via GitHub's REST API and webhooks. This includes new filters for the API, more detailed webhook payloads, and improved visibility into delegated alert dismissal processes. Specifically, developers can now exclude certain `secret_types` directly through the REST API, mirroring functionality previously available only in the UI. Additionally, alerts with delegated closure requests will now provide the requester's comment (`closure_request_comment`) and a direct `html_url` to the alert's location within GitHub for both API and webhook events. This granular detail aims to streamline automated remediation and auditing efforts.


Delegated Workflows Get Deeper Integration

A substantial portion of these improvements targets the management of delegated workflows, particularly for alert dismissals and push protection bypasses. Reviewers involved in these processes will now see expiry deadlines directly in request emails, and submitters will receive confirmation emails.

  • Delegated Alert Dismissal: This feature, now generally available for secret scanning, allows organizations to enforce a review process before alerts are dismissed. The improvements bring enterprise-level management and REST API support for managing these dismissal requests, including custom role support for reviewers. Alerts can also be reopened after dismissal, and all closure requests are now logged on the alert timeline.

  • Push Protection Bypass Controls: These controls are also seeing expanded API and webhook support. Details regarding bypass requests, including the reviewer and comments, are now integrated into API endpoints, webhooks, and audit logs. This allows for better tracking and automation around these exceptions.

Enhanced Data Visibility and Filtering

The expanded data points available through the API and webhooks are designed to give developers and security teams a more complete picture of secret scanning events.

  • Alert Location Details: The `html_url` field added to alert locations provides a direct link to the precise location of a detected secret, enhancing the speed of investigation and remediation.

  • Secret Type Filtering: The new `exclude_secret_types` filter in the REST API allows for more precise alert management, enabling users to tailor the scanning process to their specific needs and reduce noise from known, non-sensitive patterns.

  • Base64-Encoded Tokens: The general availability of detection for Base64-encoded GitHub tokens (first announced in February 2025) means improved visibility into potentially leaked Personal Access Tokens (PATs).
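As an added illustration of the API changes described above (the `exclude_secret_types` filter and the `closure_request_comment` / `html_url` fields on alerts with delegated closure requests), the following Python is example code written for this article, not GitHub's own client. It builds the list-alerts request for the documented `/repos/{owner}/{repo}/secret-scanning/alerts` endpoint and turns a constructed sample response into audit records; the comma-separated form of the filter value and the placement of the two new fields directly on the alert object are assumptions.

```python
import json
from urllib.parse import urlencode

GITHUB_API = "https://api.github.com"


def build_alert_list_url(owner, repo, exclude_secret_types=(), state="open"):
    """Return the URL for listing a repository's secret scanning alerts.

    The path is GitHub's documented REST endpoint; `exclude_secret_types`
    is the filter named in the article (comma-separated form assumed).
    """
    params = {"state": state, "per_page": 100}
    if exclude_secret_types:
        params["exclude_secret_types"] = ",".join(exclude_secret_types)
    return f"{GITHUB_API}/repos/{owner}/{repo}/secret-scanning/alerts?{urlencode(params)}"


def request_headers(token):
    """Standard GitHub REST headers; the token should come from a secret store or env var."""
    return {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }


def audit_closure_requests(alerts):
    """Collect one audit record per alert that carries a delegated closure request.

    `closure_request_comment` and `html_url` are the field names the article
    gives; their nesting directly on the alert object is an assumption.
    """
    records = []
    for alert in alerts:
        comment = alert.get("closure_request_comment")
        if comment is None:  # no pending delegated dismissal on this alert
            continue
        records.append({"alert": alert["number"], "secret_type": alert["secret_type"],
                        "comment": comment, "url": alert["html_url"]})
    return records


# Constructed sample response (not captured from GitHub): one alert with a
# closure request and one without.
SAMPLE_ALERTS = json.loads("""[
  {"number": 7, "secret_type": "github_personal_access_token", "state": "open",
   "closure_request_comment": "Token rotated; safe to close",
   "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/7"},
  {"number": 8, "secret_type": "aws_access_key_id", "state": "open",
   "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/8"}
]""")
```

Feeding `SAMPLE_ALERTS` to `audit_closure_requests` yields a single record for alert 7, which is what an automated reviewer would log before approving or rejecting the dismissal.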

Broader Security Posture Management

These updates are part of a larger effort to integrate security more seamlessly into development workflows, making it easier to manage organizational security postures and comply with auditing requirements.

  • Alert Assignees and Security Campaigns: These features, now generally available, aid in tracking and remediating alerts more effectively, with REST API support for viewing and updating campaigns, and assigning users to alerts.

  • Enterprise Governance: Recent improvements also extend to enterprise-level permissions for secret scanning, including delegated bypass controls for push protection and the introduction of an Enterprise Security Manager role.

Background and Evolution

The ongoing refinement of secret scanning tools reflects a broader trend toward proactive security measures within development pipelines. Features like delegated alert dismissal, initially in public preview in May 2025, and expanded API support for bypass requests (February 2025) demonstrate a sustained effort to balance security oversight with development velocity. The detection of specific encoded tokens, like Base64-encoded GitHub tokens, also indicates a maturing approach to identifying increasingly sophisticated methods of credential exposure. These incremental changes collectively aim to provide more robust, adaptable, and automated tools for securing code repositories.


Frequently Asked Questions

Q: What are the main updates to GitHub's secret scanning?
GitHub has made secret scanning more detailed and easier to use with APIs and automated workflows. New filters and more information in alerts help developers manage leaked secrets better.
Q: How do the new API filters help developers?
Developers can now use new filters in the REST API to exclude certain types of secrets they don't want scanned. This helps reduce noise and focus on real security risks.
Q: What improvements are made for delegated workflows?
Delegated workflows for dismissing alerts and bypassing push protection now show expiry deadlines in emails. Submitters get confirmation emails, and reviewers have more tools to manage these requests.
Q: How does the API give more details about alerts?
Alerts now include an `html_url` that links directly to where the secret was found in the code. This helps security teams investigate and fix issues much faster.
Q: What is the benefit of detecting Base64-encoded tokens?
GitHub can now better detect leaked Personal Access Tokens (PATs) that are encoded in Base64. This improves security by finding more ways secrets might be exposed.