| Field | Value |
|---|---|
| Category | CICD-SEC-6 |
| Severity | MEDIUM |
| Auto-fix | ✗ |
| Source | Repository configuration |
What the check does
Reads `security_and_analysis.secret_scanning.status` on the repository response. Fires when the field is explicitly `"disabled"`. Silent when the field is absent (the feature isn't available for this repo).
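The three cases above (explicitly disabled, enabled, field absent) as an added, runnable example; this is not Pipefort's own code, and the finding dictionary shape, the `check_secret_scanning` function name and the sample repository responses are assumptions constructed for illustration.

```python
from typing import Optional

# Hypothetical finding shape; Pipefort's real output format is not shown on the page.
FINDING = {
    "id": "CICD-SEC-6",
    "severity": "MEDIUM",
    "title": "GitHub secret scanning is disabled",
    "fix": "Settings -> Code security -> Secret scanning -> Enable, then Push protection",
}


def check_secret_scanning(repo: dict) -> Optional[dict]:
    """Evaluate the check against a GitHub repository API response body.

    Returns a finding only when secret_scanning.status is explicitly "disabled".
    A missing security_and_analysis block, a missing secret_scanning object or a
    missing status means the feature is unavailable for this repo: stay silent
    rather than emit noise.
    """
    analysis = repo.get("security_and_analysis")
    if not isinstance(analysis, dict):
        return None  # feature not exposed for this repo
    scanning = analysis.get("secret_scanning")
    if not isinstance(scanning, dict):
        return None  # sub-object absent, treat as unavailable
    if scanning.get("status") == "disabled":
        return dict(FINDING, repo=repo.get("full_name", "<unknown>"))
    return None  # "enabled" (or any other value): nothing to report


# Constructed sample responses, trimmed to the fields the check reads.
SAMPLES = {
    "acme/api": {"full_name": "acme/api",
                 "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    "acme/web": {"full_name": "acme/web",
                 "security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
    "acme/legacy": {"full_name": "acme/legacy",
                    "security_and_analysis": {"advanced_security": {"status": "disabled"}}},
    "acme/fork": {"full_name": "acme/fork"},  # no security_and_analysis block at all
}


def evaluate_all(samples: dict = SAMPLES) -> dict:
    """Map each repo name to "finding" or "silent", mirroring the check's two outcomes."""
    return {name: ("finding" if check_secret_scanning(r) else "silent")
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name}: {outcome}")
```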
Why it matters
Pipefort already detects hardcoded secrets in workflow YAML (the inline-string CICD-SEC-6 check). Secret scanning is the broader, GitHub-side detective control:

- Scans every commit on every branch — not just `.github/workflows/`.
- Catches leaks in source files, test fixtures, comments, anywhere.
- Detects partner-verified token formats (AWS, GCP, Stripe, etc.) including some private patterns.
How to fix
Settings → Code security → Secret scanning → Enable. Then pair with Push protection, which prevents the leaked secret from ever reaching the remote in the first place.

Public repos: secret scanning is free and on by default for new repos. Private repos: requires GitHub Advanced Security. Pipefort stays silent when the feature is unavailable rather than emitting noise.