Verify `secret_scanning` Setting in `security_and_analysis`

Type: Rule
ID: github-org-secret-scanning-sa
Source: v2/rules/github/org/secret-scanning-sa.yaml
Rego Source: secret-scanning-sa.rego
Labels: GitHub, Organization

Verify secret scanning is configured in the GitHub repository.

note

This rule requires Github Organization Discovery Evidence. See here for more details.

tip

Signed Evidence for this rule IS NOT required by default but is recommended.

warning

Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.

Usage example

uses: github/org/secret-scanning-sa@v2

Mitigation

Ensure that the Secret Scanning setting is enabled to detect and prevent the exposure of secrets in the organization’s repositories, enhancing security.

Description

This rule checks if the secret_scanning setting is enabled to detect and prevent the exposure of secrets in the organization’s repositories. It performs the following steps:

Checks the secret scanning settings of the GitHub organization.
Verifies that the secret scanning setting is enabled.

Evidence Requirements:

Evidence must be provided by the Scribe Platform's CLI tool through scanning GitHub organization resources.

Evidence Requirements

Field	Value
signed	False
content_body_type	generic
target_type	data
predicate_type	http://scribesecurity.com/evidence/discovery/v0.1
labels	- platform=github - asset_type=organization

Usage example​

Mitigation​

Description​

Evidence Requirements​

Usage example

Mitigation

Description

Evidence Requirements