Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossaryContacting Support and Reporting Bugs
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidanceDetermining Control Applicability
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: AzureAuto Checks: GCPAuto Checks: GitHubEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations
GitHub Auto Checks Detailed Explanations
Ensure secret scanning is enabled to detect sensitive dataEnsure code owner approval is required for owned code changesEnsure at least two approvals are required before merging codeEnsure branches are deleted automatically after mergingEnsure unresolved conversations block mergesEnsure force push is disabled for all branchesEnsure admins are subject to branch protection rulesEnsure a CODEOWNERS file exists in the repositoryEnsure inactive repositories are archivedEnsure all required status checks pass before mergingEnsure linear history is enforced on the default branchEnsure branch protection is enforced on the default branchEnsure the default branch cannot be deletedEnsure vulnerability scanning is enabled for repository dependenciesEnsure public repositories include a SECURITY.md fileEnsure all organization members have MFA enabledEnsure only signed commits are accepted

Ensure secret scanning is enabled to detect sensitive data

Framework Reference: A.8.16 (Monitoring Activities) Integration: GitHub – Secret Scanning

Why this matters

Secret scanning detects exposed credentials, API keys, tokens, and other sensitive data accidentally committed to repositories.
Without secret scanning, these exposures may go unnoticed and lead to credential misuse, unauthorized access, or data breaches.

Enabling secret scanning ensures that:

  • Commits and pushes are automatically scanned for sensitive patterns
  • Developers are alerted immediately when credentials are detected
  • Repositories meet audit and compliance requirements for secure development practices

Without this control, secrets can remain exposed in version history or public forks, making your organization vulnerable to compromise.

What this check does

This check verifies that:

  • Secret scanning is enabled for the repository (GitHub Docs – Configuring secret scanning)
  • Push protection is active to block pushes containing known secret patterns (GitHub Docs – About push protection)
  • The check passes if both are correctly configured and enabled. If either is disabled or unsupported, the result is reported as “Unable to verify.”

How to fix it

From the GitHub Web Console

Navigate to your repository on GitHub.

  1. Go to Settings → Security & analysis.
  2. Under Secret scanning, click Enable.
  3. Enable Push protection to prevent commits with detected secrets.

If your organization uses private repositories, verify that GitHub Advanced Security or Secret Protection is enabled for your plan.

Using the GitHub REST API (Optional)

You can also enable secret scanning programmatically:

curl \ -X PATCH \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR_TOKEN>" \ https://api.github.com/repos/<owner>/<repo>/secret-scanning \ -d '{"state":"enabled"}' 

Refer to GitHub REST API – Secret scanning endpoints for full details.

Exceptions

Secret scanning is automatically enabled for all public repositories.

Private repositories require GitHub Advanced Security to activate this feature.

Custom or organization-defined secret patterns must be configured separately in your security settings.

Further Resources

About secret scanning

Configuring secret scanning for your repositories

About push protection

GitHub REST API – Secret scanning

Was this article helpful?

Powered by Product Fruits