Secret scanning metadata checks in security configurations, enabled for repos with validity [public preview] (#59312)

Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>

Author: 3 people

content/code-security/concepts/secret-security/about-validity-checks.md

@@ -0,0 +1,56 @@
+---
+title: About validity checks
+shortTitle: Validity checks
+intro: 'Validity checks and extended metadata checks help you prioritize remediation of exposed credentials that pose immediate security risks.'
+product: |
+  {% data reusables.gated-features.secret-scanning %}{% ifversion secret-risk-assessment %}
+
+  {% data variables.secret-scanning.secret-risk-assessment-cta-product %}{% endif %}
+contentType: concepts
+topics:
+  - Secret scanning
+  - Secret Protection
+versions:
+  fpt: '*'
+  ghec: '*'
+---
+
+## About validity checks
+
+Validity checks, a feature of {% data variables.product.prodname_secret_scanning %}, verify whether a detected secret is still active and could be exploited. This helps you prioritize remediation by focusing first on secrets that are confirmed to be active.
+
+You can enable automatic validity checks for detected secrets. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret to the issuer and testing it against APIs provided by that service. Validity checks are available for secrets from many service providers, and support continues to expand as {% data variables.product.company_short %} partners with additional services.
+
+{% data variables.product.company_short %} prioritizes privacy when checking the validity of the credential. We typically make GET requests, pick the least intrusive endpoints, and select endpoints that don't return any personal information.
+
+{% data variables.product.github %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view.
+
+## About extended metadata checks
+
+{% data reusables.security-configurations.extended-metadata-checks %}
+
+Extended metadata checks provide **additional contextual information** about detected secrets. They are often referred to as **analyzers** in other tools.
+
+You can enable extended metadata checks if validity checks are enabled. Then, you'll get information that helps you:
+
+* **Gain deeper insight into detected secrets**: Know who owns a secret.
+* **Prioritize remediation**: Understand the scope and impact of each exposed secret.
+* **Improve incident response**: Quickly identify responsible teams or individuals when a secret is leaked.
+* **Enhance compliance**: Ensure secrets align with your organization’s governance and security policies.
+* **Reduce false positives**: Use additional context to determine if a detection requires action.
+
+The specific metadata available depends on what the service provider shares with {% data variables.product.github %}. Not all secret types support extended metadata checks. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#verifying-token-metadata).
+
+## Getting started with validity and extended metadata checks
+
+{% data reusables.secret-scanning.extended-metadata-checks-note %}
+
+You can enable validity and extended metadata checks at the repository, organization, or enterprise level to help prioritize which exposed credentials pose the most immediate security risks.
+
+For large organizations, we recommend using **security configurations** to enable these features at the organization or enterprise level. Security configurations allow you to centrally manage  {% data variables.product.prodname_secret_scanning %} settings and apply them consistently across many repositories.
+
+To get started:
+
+* For repositories, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/enabling-validity-checks-for-your-repository)
+* For an organization, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration)
+* For an enterprise, see [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise)

content/code-security/concepts/secret-security/index.md

@@ -15,6 +15,7 @@ children:
   - /about-push-protection
   - /about-secret-security-with-github
   - /about-alerts
+  - /about-validity-checks
   - /about-delegated-bypass-for-push-protection
   - /about-bypass-requests-for-push-protection
   - /about-secret-scanning-for-partners

content/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise.md

@@ -56,7 +56,10 @@ When creating a security configuration, keep in mind that:
 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description.
 1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:
     {% ifversion secret-scanning-validity-check-partner-patterns %}
-    * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion org-npp-enablement-security-configurations %}
+    * **Validity checks**.  To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion fpt or ghec %}
+    * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/about-validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token).
+    > [!NOTE]
+    > You can only enable extended metadata checks if validity checks are enabled.{% endif %}{% ifversion org-npp-enablement-security-configurations %}
     * **Non-provider patterns**. To learn more about scanning for non-provider patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
     * **Scan for generic passwords**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %}
     * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion push-protection-delegated-bypass-configurations-enterprise %}

content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration.md

@@ -45,7 +45,10 @@ With {% data variables.product.prodname_custom_security_configurations %}, you c
 1. To help identify your {% data variables.product.prodname_custom_security_configuration %} and clarify its purpose on the "{% data variables.product.prodname_security_configurations_caps %}" page, name your configuration and create a description.
 1. Optionally, enable "{% data variables.product.prodname_secret_protection %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. Enabling {% data variables.product.prodname_secret_protection %} enables alerts for {% data variables.product.prodname_secret_scanning %}. In addition, you can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_secret_scanning %} features:
     {% ifversion secret-scanning-validity-check-partner-patterns %}
-    * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion org-npp-enablement-security-configurations %}
+    * **Validity checks**. To learn more about validity checks for partner patterns, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).{% endif %}{% ifversion fpt or ghec %}
+    * **Extended metadata**. To learn more about extended metadata checks, see [About extended metadata checks](/code-security/concepts/secret-security/about-validity-checks#about-extended-metadata-checks) and [AUTOTITLE](/code-security/tutorials/remediate-leaked-secrets/evaluating-alerts#reviewing-extended-metadata-for-a-token).
+    > [!NOTE]
+    > You can only enable extended metadata checks if validity checks are enabled.{% endif %}{% ifversion org-npp-enablement-security-configurations %}
     * **Non-provider patterns**. To learn more about scanning for non-provider patterns, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#non-provider-patterns) and [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/viewing-alerts).{% endif %}{% ifversion secret-scanning-ai-generic-secret-detection %}
     * **Scan for generic passwords**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).{% endif %}
     * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion push-protection-delegated-bypass-configurations %}

content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enabling-extended-metadata-checks-for-your-repository.md

@@ -17,27 +17,31 @@ redirect_from:
 
 {% data reusables.secret-scanning.metadata-checks-public-preview %}
 
-## About extended metadata checks
+{% data reusables.secret-scanning.extended-metadata-checks-note %}
 
-Extended metadata checks, often referred to as analyzers in other tools, are a {% data variables.product.prodname_secret_scanning %} feature that you can enable for supported tokens.
+This article shows how you can enable extended metadata checks for individual repositories through repository settings. Alternatively, you can enable them at scale using **security configurations** at the organization or enterprise level. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/creating-a-custom-security-configuration) or [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-enterprise-security/establish-complete-coverage/creating-a-custom-security-configuration-for-your-enterprise).
 
-When you enable extended metadata checks for tokens, {% data variables.product.prodname_secret_scanning %} provides you with additional information about detected secrets, such as ownership and contact details. This information helps you:
+## Prerequisites
 
-* **Gain deeper insight into detected secrets**: Know who owns a secret.
-* **Improve incident response**: Quickly identify responsible teams or individuals when a secret is leaked.
-* **Enhance compliance**: Ensure secrets align with your organization’s governance and security policies.
+Before enabling metadata checks, you need to ensure that validity checks are enabled for the repository. See [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository#enabling-validity-checks).
 
-This information appears on {% data variables.product.github %}, in the page for the related secret scanning alert, helping you prioritize and remediate exposures more efficiently.
+## Enabling extended metadata checks
 
-Metadata availability varies depending on the secret type. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#verifying-token-metadata).
+{% ifversion fpt or ghec %}
 
-## Enabling extended metadata checks
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghas-products %}
+1. Under "{% data variables.product.prodname_secret_protection %}" and "Validity checks", to the right of "Extended metadata", click **Enable**.{% else %}
+1. Under "{% data variables.product.prodname_secret_protection %}" and "Validity checks", to the right of "Extended metadata", click **Enable**.{% endif %}
 
-Before enabling metadata checks, you need to ensure that validity checks are enabled for the repository. See [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository#enabling-validity-checks).
+{% elsif ghes %}
 
 {% data reusables.secret-scanning.validity-check-enablement %}
 1. Under "{% data variables.product.prodname_secret_protection %}", to the right of "Extended metadata", click **Enable**.
 
+{% endif %}
+
 ## Further reading
 
 * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)

content/code-security/how-tos/secure-your-secrets/customize-leak-detection/enabling-validity-checks-for-your-repository.md

@@ -14,30 +14,15 @@ redirect_from:
   - /code-security/secret-scanning/enabling-secret-scanning-features/enabling-validity-checks-for-your-repository
 ---
 
-## About validity checks
-
-You can enable validity checks for secrets identified as service provider tokens for your repository. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s secret scanning partnership program. {% data reusables.secret-scanning.partner-program-link %}
-
-{% data variables.product.company_short %} displays the validation status of the secret in the alert view, so you can see if the secret is `active`, `inactive`, or if the validation status is `unknown`. You can optionally perform an "on-demand" validity check for the secret in the alert view.
-
-You can additionally choose to enable validity checks for partner patterns. Once enabled, {% data variables.product.company_short %} will periodically check the validity of a detected credential by sending the secret directly to the provider, as part of {% data variables.product.company_short %}'s formal secret scanning partnership program. {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
-
-{% data variables.product.company_short %} displays the validation status of the secret in the alert view.
-
-You can filter by validation status on the alerts page, to help you prioritize which alerts you need to take action on.
-
-> [!NOTE]
-> {% data variables.product.company_short %} typically makes GET requests to check the validity of the credential, picks the least intrusive endpoints, and selects endpoints that don't return any personal information.
-
-For more information on using validity checks, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts#checking-a-secrets-validity).
+You can enable validity checks for individual repositories through repository settings. Validity checks verify whether detected secrets are still active, helping you prioritize remediation efforts. For information about what validity checks are and how they work, see [AUTOTITLE](/code-security/concepts/secret-security/about-validity-checks).
 
 ## Enabling validity checks
 
->[!NOTE] You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see [AUTOTITLE](/rest/repos/repos#update-a-repository).
-
 {% data reusables.secret-scanning.validity-check-enablement %}
 1. Scroll to the bottom of the page and click **Save changes**.
 
+>[!NOTE] You can also use the REST API to enable validity checks for partner patterns for your repository. For more information, see [AUTOTITLE](/rest/repos/repos#update-a-repository).
+
 Alternatively, organization owners and enterprise administrators can enable the feature for all repositories in the organization or enterprise. For more information on enabling at the organization-level, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration).
 For more information on enabling at the enterprise-level, see [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise).
 

data/reusables/secret-scanning/extended-metadata-checks-note.md

@@ -0,0 +1,4 @@
+<!-- expires 2026-03-28 -->
+<!-- To check on whether this can be deleted or not, see the PM in ref: 20867 -->
+> [!NOTE]
+> Starting on February 18, 2026, {% data variables.product.github %} will automatically enable extended metadata checks for repositories that have validity checks enabled. For repositories managed by security configurations, {% data variables.product.github %} will update those configurations and apply the feature to attached repositories. This is a one-time transition to help organizations benefit from enhanced metadata without manual configuration.

data/reusables/security-configurations/extended-metadata-checks.md

@@ -0,0 +1 @@
+> [!NOTE] Extended metadata checks in security configurations is currently in public preview and subject to change.