Why does GitHub send my hardcoded secrets to the providers when Secret Scanning is disabled? #55126
I tried to push hardcoded AWS credentials to a public repository and check whether anyone tries to use them. It would be great to get your response and a suggested approach to avoid sending the hardcoded secrets to the providers for validation when

Thanks!
Replies: 1 comment
The short answer
More details

You've mentioned that you've disabled secret scanning, but you're still seeing authentication events from AWS. This is because secret scanning for partners is always enabled for public repositories, even if you've disabled secret scanning for your own repository.

Secret scanning for partners is a security feature that helps to protect your open source community and partners' services from abuse. When you push a hardcoded secret to a public repository, GitHub scans the repository for known secret formats and sends any findings to partners. Partners can then revoke the secret or take other appropriate action.

While you can't disable secret scanning for partners for public repositories, you can enable or disable user-facing secret scanning alerts for your own repository. This will not change how the partner program works, but it will allow you to see what secrets are discovered in your repository and take action on those. For example, not all partners will revoke secrets, so enabling secret scanning for your repository will give you the chance to take action on those secrets as you see fit.

You can also use secret scanning for push protection to block your secret-containing pushes from entering your public repository in the first place. If you enable push protection, GitHub will not send secrets to partners if you push a secret to your repository.
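A local pre-push check in the spirit of the push protection mentioned above, added here as an example; it is not part of this discussion and not GitHub's scanner. The `@{u}...HEAD` diff, the key-format regexes and the sample credentials (the placeholder keys from the AWS documentation) are assumptions.

```python
"""Hypothetical pre-push check for hardcoded AWS credentials (not GitHub's scanner)."""
import re
import subprocess
import sys

# AWS access key IDs: a fixed 4-character prefix followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A bare 40-character base64-like token is too generic, so the secret key is only
# flagged when an "aws ... secret" keyword sits on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}secret.{0,20}?['\"=:\s]+([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample using the placeholder keys from the AWS documentation.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

def scan_text(text, source="<stdin>"):
    """Return (source, line_no, kind, value) tuples for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, line_no, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, line_no, "secret_access_key", m.group(1)))
    return findings

def added_lines(diff):
    """Keep only the '+' lines of a unified diff (minus the '+++' header), so content
    being deleted is not reported; line numbers then index the added lines."""
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

def scan_unpushed(upstream="@{u}"):
    """Scan what a push would add relative to the upstream branch (needs a tracking branch)."""
    diff = subprocess.run(["git", "diff", f"{upstream}...HEAD"],
                          capture_output=True, text=True, check=True).stdout
    return scan_text(added_lines(diff), source=f"diff vs {upstream}")

if __name__ == "__main__":
    hits = scan_unpushed() if "--git" in sys.argv else scan_text(sys.stdin.read())
    for src, n, kind, val in hits:  # redact: the hook's own output must not leak the value
        print(f"{src}:{n}: {kind}: {val[:4]}{'*' * (len(val) - 4)}")
    sys.exit(1 if hits else 0)
```

Run with `--git` from a `.git/hooks/pre-push` script to refuse the push when anything is found, or pipe a file into it to scan arbitrary text.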