alerts
Creates, updates, deletes, gets or lists an alerts resource.
Overview
| Name | alerts |
| Type | Resource |
| Id | github.secret_scanning.alerts |
Fields
The following fields are returned by SELECT queries:
- get_alert
- list_alerts_for_repo
- list_alerts_for_org
Response
| Name | Datatype | Description |
|---|---|---|
secret_type_display_name | string | User-friendly name for the detected secret, matching the secret_type. For a list of built-in patterns, see "Supported secret scanning patterns." |
assigned_to | object | A GitHub user. (title: Simple User) |
closure_request_comment | string | An optional comment from the closure request author. |
closure_request_reviewer | object | A GitHub user. (title: Simple User) |
closure_request_reviewer_comment | string | An optional comment from the closure request reviewer. |
created_at | string (date-time) | The time that the alert was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
first_location_detected | object | Details on the location where the token was initially detected. This can be a commit, wiki commit, issue, discussion, pull request. |
has_more_locations | boolean | A boolean value representing whether or not the token in the alert was detected in more than one location. |
html_url | string (uri) | The GitHub URL of the alert resource. |
is_base64_encoded | boolean | A boolean value representing whether or not alert is base64 encoded |
locations_url | string (uri) | The REST API URL of the code locations for this alert. |
multi_repo | boolean | Whether the detected secret was found in multiple repositories under the same organization or enterprise. |
number | integer | The security alert number. |
provider | string | The provider of the secret that was detected. |
provider_slug | string | The slug identifier for the provider of the secret that was detected. Use this value for filtering by provider with the providers or exclude_providers parameters. |
publicly_leaked | boolean | Whether the detected secret was publicly leaked. |
push_protection_bypass_request_comment | string | An optional comment when requesting a push protection bypass. |
push_protection_bypass_request_html_url | string (uri) | The URL to a push protection bypass request. |
push_protection_bypass_request_reviewer | object | A GitHub user. (title: Simple User) |
push_protection_bypass_request_reviewer_comment | string | An optional comment when reviewing a push protection bypass. |
push_protection_bypassed | boolean | Whether push protection was bypassed for the detected secret. |
push_protection_bypassed_at | string (date-time) | The time that push protection was bypassed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
push_protection_bypassed_by | object | A GitHub user. (title: Simple User) |
resolution | string | Required when the state is resolved. The reason for resolving the alert. (false_positive, wont_fix, revoked, used_in_tests) |
resolution_comment | string | An optional comment to resolve an alert. |
resolved_at | string (date-time) | The time that the alert was resolved in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
resolved_by | object | A GitHub user. (title: Simple User) |
secret | string | The secret that was detected. |
secret_type | string | The type of secret that secret scanning detected. |
state | string | Sets the state of the secret scanning alert. You must provide resolution when you set the state to resolved. (open, resolved) |
updated_at | string (date-time) | The time that the alert was last updated in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
url | string (uri) | The REST API URL of the alert resource. |
validity | string | The token status as of the latest validity check. (active, inactive, unknown) |
Response
| Name | Datatype | Description |
|---|---|---|
secret_type_display_name | string | User-friendly name for the detected secret, matching the secret_type. For a list of built-in patterns, see "Supported secret scanning patterns." |
assigned_to | object | A GitHub user. (title: Simple User) |
closure_request_comment | string | An optional comment from the closure request author. |
closure_request_reviewer | object | A GitHub user. (title: Simple User) |
closure_request_reviewer_comment | string | An optional comment from the closure request reviewer. |
created_at | string (date-time) | The time that the alert was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
first_location_detected | object | Details on the location where the token was initially detected. This can be a commit, wiki commit, issue, discussion, pull request. |
has_more_locations | boolean | A boolean value representing whether or not the token in the alert was detected in more than one location. |
html_url | string (uri) | The GitHub URL of the alert resource. |
is_base64_encoded | boolean | A boolean value representing whether or not alert is base64 encoded |
locations_url | string (uri) | The REST API URL of the code locations for this alert. |
multi_repo | boolean | Whether the detected secret was found in multiple repositories under the same organization or enterprise. |
number | integer | The security alert number. |
provider | string | The provider of the secret that was detected. |
provider_slug | string | The slug identifier for the provider of the secret that was detected. Use this value for filtering by provider with the providers or exclude_providers parameters. |
publicly_leaked | boolean | Whether the detected secret was publicly leaked. |
push_protection_bypass_request_comment | string | An optional comment when requesting a push protection bypass. |
push_protection_bypass_request_html_url | string (uri) | The URL to a push protection bypass request. |
push_protection_bypass_request_reviewer | object | A GitHub user. (title: Simple User) |
push_protection_bypass_request_reviewer_comment | string | An optional comment when reviewing a push protection bypass. |
push_protection_bypassed | boolean | Whether push protection was bypassed for the detected secret. |
push_protection_bypassed_at | string (date-time) | The time that push protection was bypassed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
push_protection_bypassed_by | object | A GitHub user. (title: Simple User) |
resolution | string | Required when the state is resolved. The reason for resolving the alert. (false_positive, wont_fix, revoked, used_in_tests) |
resolution_comment | string | An optional comment to resolve an alert. |
resolved_at | string (date-time) | The time that the alert was resolved in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
resolved_by | object | A GitHub user. (title: Simple User) |
secret | string | The secret that was detected. |
secret_type | string | The type of secret that secret scanning detected. |
state | string | Sets the state of the secret scanning alert. You must provide resolution when you set the state to resolved. (open, resolved) |
updated_at | string (date-time) | The time that the alert was last updated in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
url | string (uri) | The REST API URL of the alert resource. |
validity | string | The token status as of the latest validity check. (active, inactive, unknown) |
Response
| Name | Datatype | Description |
|---|---|---|
secret_type_display_name | string | User-friendly name for the detected secret, matching the secret_type. For a list of built-in patterns, see "Supported secret scanning patterns." |
assigned_to | object | A GitHub user. (title: Simple User) |
closure_request_comment | string | An optional comment from the closure request author. |
closure_request_reviewer | object | A GitHub user. (title: Simple User) |
closure_request_reviewer_comment | string | An optional comment from the closure request reviewer. |
created_at | string (date-time) | The time that the alert was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
first_location_detected | object | Details on the location where the token was initially detected. This can be a commit, wiki commit, issue, discussion, pull request. |
has_more_locations | boolean | A boolean value representing whether or not the token in the alert was detected in more than one location. |
html_url | string (uri) | The GitHub URL of the alert resource. |
is_base64_encoded | boolean | A boolean value representing whether or not alert is base64 encoded |
locations_url | string (uri) | The REST API URL of the code locations for this alert. |
multi_repo | boolean | Whether the detected secret was found in multiple repositories in the same organization or enterprise. |
number | integer | The security alert number. |
provider | string | The provider of the secret that was detected. |
provider_slug | string | The slug identifier for the provider of the secret that was detected. Use this value for filtering by provider with the providers or exclude_providers parameters. |
publicly_leaked | boolean | Whether the secret was publicly leaked. |
push_protection_bypass_request_comment | string | An optional comment when requesting a push protection bypass. |
push_protection_bypass_request_html_url | string (uri) | The URL to a push protection bypass request. |
push_protection_bypass_request_reviewer | object | A GitHub user. (title: Simple User) |
push_protection_bypass_request_reviewer_comment | string | An optional comment when reviewing a push protection bypass. |
push_protection_bypassed | boolean | Whether push protection was bypassed for the detected secret. |
push_protection_bypassed_at | string (date-time) | The time that push protection was bypassed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
push_protection_bypassed_by | object | A GitHub user. (title: Simple User) |
repository | object | A GitHub repository. (title: Simple Repository) |
resolution | string | Required when the state is resolved. The reason for resolving the alert. (false_positive, wont_fix, revoked, used_in_tests) |
resolution_comment | string | The comment that was optionally added when this alert was closed |
resolved_at | string (date-time) | The time that the alert was resolved in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
resolved_by | object | A GitHub user. (title: Simple User) |
secret | string | The secret that was detected. |
secret_type | string | The type of secret that secret scanning detected. |
state | string | Sets the state of the secret scanning alert. You must provide resolution when you set the state to resolved. (open, resolved) |
updated_at | string (date-time) | The time that the alert was last updated in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ. |
url | string (uri) | The REST API URL of the alert resource. |
validity | string | The token status as of the latest validity check. (active, inactive, unknown) |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
get_alert | select | owner, repo, alert_number | hide_secret | Gets a single secret scanning alert detected in an eligible repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead. |
list_alerts_for_repo | select | owner, repo | state, secret_type, exclude_secret_types, exclude_providers, providers, resolution, assignee, sort, direction, page, per_page, before, after, validity, is_publicly_leaked, is_multi_repo, hide_secret | Lists secret scanning alerts for an eligible repository, from newest to oldest. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead. |
list_alerts_for_org | select | org | state, secret_type, exclude_secret_types, exclude_providers, providers, resolution, assignee, sort, direction, page, per_page, before, after, validity, is_publicly_leaked, is_multi_repo, hide_secret | Lists secret scanning alerts for eligible repositories in an organization, from newest to oldest. The authenticated user must be an administrator or security manager for the organization to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead. |
update_alert | update | owner, repo, alert_number, state, assignee, validity | Updates the status of a secret scanning alert in an eligible repository. You can also use this endpoint to assign or unassign an alert to a user who has write access to the repository. The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint. OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
alert_number | integer | The number that identifies an alert. You can find this at the end of the URL for a code scanning alert within GitHub, and in the number field in the response from the GET /repos/{owner}/{repo}/code-scanning/alerts operation. |
org | string | The organization name. The name is not case sensitive. |
owner | string | The account owner of the repository. The name is not case sensitive. |
repo | string | The name of the repository without the .git extension. The name is not case sensitive. |
after | string | A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. To receive an initial cursor on your first request, include an empty "after" query string. |
assignee | string | Filters alerts by assignee. Use * to get all assigned alerts, none to get all unassigned alerts, or a GitHub username to get alerts assigned to a specific user. |
before | string | A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. To receive an initial cursor on your first request, include an empty "before" query string. |
direction | string | The direction to sort the results by. |
exclude_providers | string | A comma-separated list of provider slugs to exclude from the results. Provider slugs use lowercase with underscores (e.g., github_secret_scanning, clojars). You can find the provider slug in the provider_slug field of each alert. Cannot be combined with the providers parameter. |
exclude_secret_types | string | A comma-separated list of secret types to exclude from the results. All default secret patterns are returned except those matching the specified types. Cannot be combined with the secret_type parameter. See "Supported secret scanning patterns" for a complete list of secret types. |
hide_secret | boolean | A boolean value representing whether or not to hide literal secrets in the results. |
is_multi_repo | boolean | A boolean value representing whether or not to filter alerts by the multi-repo tag being present. |
is_publicly_leaked | boolean | A boolean value representing whether or not to filter alerts by the publicly-leaked tag being present. |
page | integer | The page number of the results to fetch. For more information, see "Using pagination in the REST API." |
per_page | integer | The number of results per page (max 100). For more information, see "Using pagination in the REST API." |
providers | string | A comma-separated list of provider slugs to filter by. Provider slugs use lowercase with underscores (e.g., github_secret_scanning, clojars). You can find the provider slug in the provider_slug field of each alert. Cannot be combined with the exclude_providers parameter. |
resolution | string | A comma-separated list of resolutions. Only secret scanning alerts with one of these resolutions are listed. Valid resolutions are false_positive, wont_fix, revoked, pattern_edited, pattern_deleted or used_in_tests. |
secret_type | string | A comma-separated list of secret types to return. All default secret patterns are returned. To return generic patterns, pass the token name(s) in the parameter. See "Supported secret scanning patterns" for a complete list of secret types. |
sort | string | The property to sort the results by. created means when the alert was created. updated means when the alert was updated or resolved. |
state | string | Set to open or resolved to only list secret scanning alerts in a specific state. |
validity | string | A comma-separated list of validities that, when present, will return alerts that match the validities in this list. Valid options are active, inactive, and unknown. |
SELECT examples
- get_alert
- list_alerts_for_repo
- list_alerts_for_org
Gets a single secret scanning alert detected in an eligible repository.
The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.
SELECT
secret_type_display_name,
assigned_to,
closure_request_comment,
closure_request_reviewer,
closure_request_reviewer_comment,
created_at,
first_location_detected,
has_more_locations,
html_url,
is_base64_encoded,
locations_url,
multi_repo,
number,
provider,
provider_slug,
publicly_leaked,
push_protection_bypass_request_comment,
push_protection_bypass_request_html_url,
push_protection_bypass_request_reviewer,
push_protection_bypass_request_reviewer_comment,
push_protection_bypassed,
push_protection_bypassed_at,
push_protection_bypassed_by,
resolution,
resolution_comment,
resolved_at,
resolved_by,
secret,
secret_type,
state,
updated_at,
url,
validity
FROM github.secret_scanning.alerts
WHERE owner = '{{ owner }}' -- required
AND repo = '{{ repo }}' -- required
AND alert_number = '{{ alert_number }}' -- required
AND hide_secret = '{{ hide_secret }}'
;
Lists secret scanning alerts for an eligible repository, from newest to oldest.
The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.
SELECT
secret_type_display_name,
assigned_to,
closure_request_comment,
closure_request_reviewer,
closure_request_reviewer_comment,
created_at,
first_location_detected,
has_more_locations,
html_url,
is_base64_encoded,
locations_url,
multi_repo,
number,
provider,
provider_slug,
publicly_leaked,
push_protection_bypass_request_comment,
push_protection_bypass_request_html_url,
push_protection_bypass_request_reviewer,
push_protection_bypass_request_reviewer_comment,
push_protection_bypassed,
push_protection_bypassed_at,
push_protection_bypassed_by,
resolution,
resolution_comment,
resolved_at,
resolved_by,
secret,
secret_type,
state,
updated_at,
url,
validity
FROM github.secret_scanning.alerts
WHERE owner = '{{ owner }}' -- required
AND repo = '{{ repo }}' -- required
AND state = '{{ state }}'
AND secret_type = '{{ secret_type }}'
AND exclude_secret_types = '{{ exclude_secret_types }}'
AND exclude_providers = '{{ exclude_providers }}'
AND providers = '{{ providers }}'
AND resolution = '{{ resolution }}'
AND assignee = '{{ assignee }}'
AND sort = '{{ sort }}'
AND direction = '{{ direction }}'
AND page = '{{ page }}'
AND per_page = '{{ per_page }}'
AND before = '{{ before }}'
AND after = '{{ after }}'
AND validity = '{{ validity }}'
AND is_publicly_leaked = '{{ is_publicly_leaked }}'
AND is_multi_repo = '{{ is_multi_repo }}'
AND hide_secret = '{{ hide_secret }}'
;
Lists secret scanning alerts for eligible repositories in an organization, from newest to oldest.
The authenticated user must be an administrator or security manager for the organization to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.
SELECT
secret_type_display_name,
assigned_to,
closure_request_comment,
closure_request_reviewer,
closure_request_reviewer_comment,
created_at,
first_location_detected,
has_more_locations,
html_url,
is_base64_encoded,
locations_url,
multi_repo,
number,
provider,
provider_slug,
publicly_leaked,
push_protection_bypass_request_comment,
push_protection_bypass_request_html_url,
push_protection_bypass_request_reviewer,
push_protection_bypass_request_reviewer_comment,
push_protection_bypassed,
push_protection_bypassed_at,
push_protection_bypassed_by,
repository,
resolution,
resolution_comment,
resolved_at,
resolved_by,
secret,
secret_type,
state,
updated_at,
url,
validity
FROM github.secret_scanning.alerts
WHERE org = '{{ org }}' -- required
AND state = '{{ state }}'
AND secret_type = '{{ secret_type }}'
AND exclude_secret_types = '{{ exclude_secret_types }}'
AND exclude_providers = '{{ exclude_providers }}'
AND providers = '{{ providers }}'
AND resolution = '{{ resolution }}'
AND assignee = '{{ assignee }}'
AND sort = '{{ sort }}'
AND direction = '{{ direction }}'
AND page = '{{ page }}'
AND per_page = '{{ per_page }}'
AND before = '{{ before }}'
AND after = '{{ after }}'
AND validity = '{{ validity }}'
AND is_publicly_leaked = '{{ is_publicly_leaked }}'
AND is_multi_repo = '{{ is_multi_repo }}'
AND hide_secret = '{{ hide_secret }}'
;
UPDATE examples
- update_alert
Updates the status of a secret scanning alert in an eligible repository.
You can also use this endpoint to assign or unassign an alert to a user who has write access to the repository.
The authenticated user must be an administrator for the repository or for the organization that owns the repository to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the repo or security_events scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the public_repo scope instead.
UPDATE github.secret_scanning.alerts
SET
state = '{{ state }}',
resolution = '{{ resolution }}',
resolution_comment = '{{ resolution_comment }}',
assignee = '{{ assignee }}'
WHERE
owner = '{{ owner }}' --required
AND repo = '{{ repo }}' --required
AND alert_number = '{{ alert_number }}' --required
AND state = '{{ state }}' --required
AND assignee = '{{ assignee }}' --required
RETURNING
secret_type_display_name,
assigned_to,
closure_request_comment,
closure_request_reviewer,
closure_request_reviewer_comment,
created_at,
first_location_detected,
has_more_locations,
html_url,
is_base64_encoded,
locations_url,
multi_repo,
number,
provider,
provider_slug,
publicly_leaked,
push_protection_bypass_request_comment,
push_protection_bypass_request_html_url,
push_protection_bypass_request_reviewer,
push_protection_bypass_request_reviewer_comment,
push_protection_bypassed,
push_protection_bypassed_at,
push_protection_bypassed_by,
resolution,
resolution_comment,
resolved_at,
resolved_by,
secret,
secret_type,
state,
updated_at,
url,
validity;