Secret scanning: how to know that the scan has passed ?

[aj0424754]

Hello,

We use secret scanning and have activated it on our repositories.
We are not using code scanning (our repositories are mainly on infrastructure components).
After waiting some days, we have noticed this:

• for some repositories, the status "clear" or "high" is updated (with 0 secret scanning alerts, but with dependabot alerts)
• for other repositories, the status remains "unknown" (0 secret scanning alert, 0 dependabot alert)

We think the status "clear" is updated from code scanning or dependabot alerts, but not from secret scanning.
How to make sure that the secret scanning is effective? Are there any log of execution available, or status update related?

[just-joshing]

Hi! At the moment, Clear and Unknown are very similar.
The general rule (but there are some exceptions) is:

If you have no alerts and all 3 security features (code scanning, secret scanning, and Dependabot alerts) are turned on for the repo, your risk score will be Clear.

If you have no alerts but you don't have all 3 security features enabled, then your risk score will be Unknown because we don't know if you would have alerts for the disabled security feature.

Even if you don't have all 3 security features enabled, if you had any alerts in the enabled features, your risk score would be at least Low.

In your screenshot, the second repository shows a little 'x' next to the code scanning icon. If you hover over the icon, a tooltip will show up. I'm guessing that tooltip will say "no supported language". That's a special case when we calculate risk. If we detect that your repository doesn't use any of the programming languages CodeQL/code scanning supports, then we don't consider whether code scanning is enabled/disabled when calculating whether to show Clear vs Unknown.