Improvement

November 27, 2024

Access a repository’s secret scanning scan history with the REST API

A new REST API endpoint lists the secret scanning scan history for a repository, giving you visibility into when different types of secret scanning scans have occurred in your repository. This information can be helpful for auditing purposes and troubleshooting.

To get your repository’s scan history, call the /repos/{owner}/{repo}/secret-scanning/scan-history endpoint. The following table lists the responses returned by the API:

| Response | Description |
| --- | --- |
| incremental_scans | The latest scan for all patterns on new git content committed to a repository |
| backfill_scans | The latest scan for all patterns on the entire contents of a specific type (git, issues, pull-requests, discussions, wiki) |
| custom_pattern_backfill_scans | The latest scan for a specific custom pattern on the entire contents of a specific type (git, issues, pull-requests, discussions, wiki) |
| pattern_update_scans | The latest scan for a new or updated native pattern on git content in a repository |

Secret scanning covers multiple scan sources, triggers, and methods of scanning. Scans listed in the API are not an exhaustive list of all scans for a repository. The following scans are not included:
– incremental scans and pattern update scans for non-git content types
– non-git backfills for custom patterns set at the repository level
– any pattern update scans completed before September 2024
– scans for passwords detected with Copilot Secret Scanning

A repository must have a GitHub Advanced Security license to get the scan history.
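
As an added example (not part of the original changelog and not GitHub's own code), the Python below calls the endpoint and flattens the four response keys into audit rows, listing scans that have not completed. The per-scan field names (`type`, `status`, `completed_at`, `pattern_name`), the helper names and the sample response are assumptions constructed for illustration; this page only names the top-level keys.

```python
import json
import urllib.request
from datetime import datetime

# Top-level keys listed in the table above.
CATEGORIES = ("incremental_scans", "backfill_scans",
              "custom_pattern_backfill_scans", "pattern_update_scans")

# Constructed sample response. Per-scan fields and values are assumptions;
# this page only documents the four top-level keys.
SAMPLE = json.loads("""{
  "incremental_scans": [
    {"type": "git", "status": "completed", "completed_at": "2024-11-20T08:15:00Z"}],
  "backfill_scans": [
    {"type": "git", "status": "completed", "completed_at": "2024-10-07T02:50:00Z"},
    {"type": "issues", "status": "in_progress", "completed_at": null}],
  "custom_pattern_backfill_scans": [
    {"type": "git", "status": "completed", "completed_at": "2024-10-08T11:00:00Z",
     "pattern_name": "example-pattern"}],
  "pattern_update_scans": []
}""")

def fetch_scan_history(owner, repo, token):
    """Call the scan-history endpoint with a token that can read the repository."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/secret-scanning/scan-history",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(history):
    """Return (all rows, rows that are not completed, categories with no scans)."""
    rows, attention = [], []
    for category in CATEGORIES:
        for scan in history.get(category) or []:
            done = scan.get("completed_at")
            when = datetime.fromisoformat(done.replace("Z", "+00:00")) if done else None
            row = {"category": category, "type": scan.get("type"),
                   "pattern": scan.get("pattern_name"),
                   "status": scan.get("status"), "completed_at": when}
            rows.append(row)
            if row["status"] != "completed" or when is None:
                attention.append(row)
    # An empty category is not a finding by itself: the API does not list every scan.
    empty = [c for c in CATEGORIES if not history.get(c)]
    return rows, attention, empty

if __name__ == "__main__":
    rows, attention, empty = summarize(SAMPLE)
    print("not completed:", [(r["category"], r["type"]) for r in attention])
    print("no scans listed:", empty)
```

To audit a live repository, pass the result of `fetch_scan_history(owner, repo, token)` to `summarize` in place of `SAMPLE`.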

Learn more about how to secure your repositories with secret scanning.
