GitHub secret scanning is adding support for extended metadata checks in security configurations. This change makes it substantially easier to enable extended metadata checks at scale.

As announced previously, repositories with validity checks enabled will automatically see extended metadata checks enabled as part of this change. You can track feature enablement status by monitoring the audit log for your enterprise or organization.

What are extended metadata checks?

With extended metadata checks, secret scanning alerts now display details about a secret’s owner, its creation and expiry dates, and project or organization context, whenever that information is available from the secret provider. This feature extends validity checks with additional context about the secret.

For example, leaked OpenAI keys with information available will display the secret owner’s name, email, and identifier, in addition to information about the organization.

These new metadata keys expand on existing validity checks to give more actionable context for triage and remediation, enabling development and security teams to assess exposure faster and prioritize remediation.

Note: The availability of metadata depends on the secret provider, the type of token, and sometimes even the secret itself. GitHub makes a best effort to display all available metadata, but not every key will always be present.

What’s changing?

Extended metadata checks are currently available to Enterprise Cloud customers with secret scanning who have validity checks enabled. You can now enable or disable the feature at the organization and enterprise levels with security configurations. Repositories that have validity checks enabled through security configurations will have extended metadata checks enabled automatically as part of this change.

Learn more and share feedback

Learn more about securing your repositories with secret scanning or share feedback about secret scanning and extended metadata checks.