We announced two weeks ago that we are changing how you receive notifications for secret scanning alerts. From today, those changes are in effect.

What action should I take?

If you are a repository administrator, organization owner, security manager, or user with read access to secret scanning alerts:

  • Watch your repositories of interest by choosing "All activity" or "Security alerts." This helps you choose what events GitHub will notify you about.
  • In your user notification settings, you must choose "Email" in the "Watching" section. This tells GitHub how to notify you. Secret scanning only supports email notifications at this time.

If you're a commit author:

As long as you are not ignoring the repository in your watch settings, commit authors always receive notifications for new secrets that are leaked. This means you receive a notification for any secret committed after an initial historical scan has run on the repository.

Learn more