GitHub Secret Scanning

Threat Assessment Overview

GitHub Secret Scanning provides automated detection of credentials, API keys, tokens, and other sensitive data accidentally committed to the repository to prevent security breaches.

Assessment Classification

Assessment Type: Secret Detection / Credential Security
Approach Used: TBD
Status: Not Implemented
Date Identified: 2025-10-30
Date First Implemented: TBD
Date Last Reviewed: 2025-10-30
Date Retired: N/A

Coverage Scope

Secret Types: API keys, authentication tokens, database credentials, private keys, certificates Detection: Commit history scanning, real-time push protection, pull request analysis Integrations: Azure service connection strings, OAuth tokens, payment processor credentials Notification: Automated alerts for detected secrets with remediation guidance

Success Criteria

Real-time detection of secrets before they reach the repository
Historical scan of existing codebase for exposed credentials
Automated alerts with clear remediation steps
Zero high-confidence secret exposures in production code

Compensating Controls

Azure Key Vault Integration:

Sensitive configuration stored in Azure Key Vault
Function app managed identity for secret access
Environment-specific configuration separation

Azure Key Vault configuration and usage
Environment configuration management
Security incident response procedures
Credential rotation policies

Threat Assessment Overview​

Assessment Classification​

Coverage Scope​

Success Criteria​

Compensating Controls​

Related Documentation​

Threat Assessment Overview

Assessment Classification

Coverage Scope

Success Criteria

Compensating Controls

Related Documentation