curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER/locations ... [ { "type": "commit", "details": { "path": "/example/secrets.txt", "start_line": 1, "end_line": 1, "start_column": 1, "end_column": 64, "blob_sha": "af5626b4a114abcb82d63db7c8082c3c4756e51b", "blob_url": "https://api.github.com/repos/octocat/hello-world/git/blobs/af5626b4a114abcb82d63db7c8082c3c4756e51b", "commit_sha": "f14d7debf9775f957cf4f1e8176da0786431f72b", "commit_ur

Learn how to find, evaluate, and resolve alerts for secrets stored in your repository.

April 30, 2025 - With the “List secret scanning alerts” endpoint for an enterprise, organization, or repository, you can use the query parameter secret_type to request alerts for non-provider patterns or passwords.

2 weeks ago - Secret scanning has new API filters, richer webhook payloads, and improvements to delegated alert workflows:

GitHub also periodically rescans repositories when new secret types are added. ... When secret scanning detects a credential leak, GitHub generates an alert on your repository's Security and quality tab with details about the exposed credential.

May 20, 2025 - You can now request secret scanning alerts through the API without exposing the actual secret literals. This new hide_secret query parameter helps reduce risk when working with secret scanning alert…

Available on GitHub Enterprise Server when the enterprise has GitHub Secret Protection enabled. ... User alerts: Reported to users in the Security and quality tab of the repository, when a supported secret is detected in the repository.

curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2022-11-28" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER/locations

GitHub Apps must have the secret_scanning_alerts read permission to use this endpoint. ... curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER

Lists all secret scanning alerts for a private repository, from newest to oldest.

The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the Secret scanning API.

June 24, 2025 - The secret scanning REST API now returns additional metadata to help you triage alerts more effectively. The new first_location_detected object provides structured location data for the first detected instance of…

1 week ago - Team and Topic filters for secret scanning campaigns: Campaigns now support the same team and topic filter options as code scanning campaigns. Provider field and filtering in the alerts API: Alert responses now include provider and provider_slug, with new providers and exclude_providers query parameters on all three list endpoints.

January 17, 2025 - GitHub Secret Scanning is designed to detect tokens and credentials that might have been accidentally committed into repositories. The API provides automated scans for repository content to identify known secret formats, alerting users so they can rotate keys and revoke any compromised credentials...

For more information, see REST API endpoints for secret scanning in the REST API documentation. You can also use webhooks to be notified of activity relating to a secret scanning alert.

Optionally, toggle to "Generic" to see alerts for non-provider patterns or generic secrets detected using AI. Under "Secret scanning", click the alert you want to view.

Secret scanning is available for the following repository types: ... User alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.

Review extended metadata checks for an exposed secret, to see details such as who owns the secret and how to contact the secret owner. Applies to OpenAI API, Google OAuth, and Slack tokens only. See Reviewing extended metadata for a token. Review the labels assigned to the alert.

GitHub Apps must have the secret_scanning_alerts read permission to use this endpoint. ... curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ http(s)://HOSTNAME/api/v3/orgs/ORG/secret-scanning/alerts

Optionally, toggle to "Generic" to see alerts for non-provider patterns or generic secrets detected using AI. Under "Secret scanning", click the alert you want to view.