GitHub secret scanning adds extended metadata checks configurable at organization level
GitHub · feature, security, api · github.blog

Extended Metadata Checks Now Available

GitHub secret scanning is expanding its capabilities with improved support for extended metadata checks in security configurations. This enhancement makes it substantially easier to enable and manage the feature at scale across your organization.

What Extended Metadata Checks Provide

Extended metadata checks enhance secret scanning alerts by displaying rich context about leaked secrets:

  • Secret owner information: Name, email, and identifier of the secret owner
  • Temporal data: Secret creation and expiry dates
  • Organizational context: Project or organization information associated with the secret
  • Provider-specific details: Additional metadata available from the secret provider (e.g., OpenAI keys display owner and organization information)

These metadata additions expand on existing validity checks to provide development and security teams with actionable context for faster triage, remediation assessment, and prioritization.

What's Changing

Extended metadata checks are now available to Enterprise Cloud customers with secret scanning and validity checks enabled. Key improvements include:

  • Configuration flexibility: Enable or disable extended metadata checks at organization and enterprise levels using security configurations
  • Automatic enablement: Repositories with validity checks already enabled via security configurations will have metadata checks automatically enabled
  • Audit trail: Track feature enablement status by monitoring enterprise or organization audit logs

Important Notes

The availability of metadata depends on several factors:

  • The specific secret provider
  • The type of token or credential
  • The individual secret itself

GitHub makes a best-effort attempt to display all available metadata, but not every secret will have every metadata field.

Next Steps

Learn more about securing your repositories with secret scanning in the GitHub documentation, or share feedback about this feature.