The Admin Tool is a companion app for detect-secrets-stream that allows it to scan private / internal repositories and register security personnel (security focals). This documentation is intended for GitHub Enterprise organization admins.
- As a GitHub organization admin, why have I been asked to install the Detect Secrets Admin Tool GitHub App and / or review a PR in `dss-config`?
- As a GitHub organization admin, what should I look for when reviewing a PR in `dss-config`?
- How can I remove the Detect Secrets Admin Tool GitHub App from a single repository?
- How can I remove the Detect Secrets Admin Tool GitHub App from my organization?
- Does the Detect Secrets Admin Tool provide status checks on commits?
- What does it mean if I can only request to install the Detect Secrets Admin Tool to a repository or organization?
As a GitHub organization admin, why have I been asked to install the Detect Secrets Admin Tool GitHub App and / or review a PR in `dss-config`?
If you're a GitHub organization admin who has been asked to install the Detect Secrets Admin Tool GitHub App to your organization and/or approve a PR in `dss-config`, this means that security focals associated with your GitHub organization have found it necessary to monitor for secret leaks within your organization via the Admin Tool GitHub App.
The Admin Tool provides security focals with a unified view of all secret leaks across a set of GitHub organizations, including both public and private repositories within those organizations.
In order for the Admin Tool to function, it needs to:
- Gain permission to scan private repositories
- Associate security focals with organizations, so the security focals can be subscribed to token leak communications, such as ServiceNow tickets and email notifications.
Why have I been asked to install the Detect Secrets Admin Tool GitHub App?
The Detect Secrets Admin Tool GitHub app grants the Admin Tool permission to scan private repositories. The GitHub app needs to be installed at the GitHub organization level, and only organization admins have permission to do so. This is why you, as an organization admin, have been asked to install the app.
Why have I been asked to review a PR in `dss-config`?
The config files contributed by security focals in `dss-config` are used by the Admin Tool to build associations between security focals and GitHub organizations. Once the PR has been merged, the security focals listed in the file will be copied on all communications for tokens leaked within the organizations listed in the file.
As a GitHub organization admin, what should I look for when reviewing a PR in `dss-config`?
When reviewing PRs in `dss-config`, verify that every address listed under `security-focal-emails` in the PR's config file (in `dss-config/org_set_config/<filename>.yaml`) belongs to someone who should have access to ServiceNow tickets regarding secret leaks in your organization. You should also verify that your organization appears under `organizations` in that file; if it does not, you should not need to review the PR.
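As an added example (not code from dss-config or the Admin Tool), here is a small Python checker for the review described above: it parses an org_set_config file using the two keys the page names (`organizations` and `security-focal-emails`) and reports whether the reviewer's organization is listed and which focal addresses look wrong. The list-of-scalars layout, the `allowed_domains` parameter, the function names and the sample file are assumptions.

```python
import re
# Constructed sample of a dss-config org_set_config file. The two key names come
# from the page; the list-of-scalars layout under each key is an assumption.
SAMPLE_CONFIG = """\
organizations:
  - acme-platform
  - acme-mobile
security-focal-emails:
  - alice@example.com
  - bob@example.com
  - not-an-email
"""
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_org_set_config(text):
    """Parse the assumed YAML subset: top-level keys, each holding a list of scalars."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments (naive)
        if not line.strip():
            continue
        key = re.match(r"^([A-Za-z0-9_-]+):\s*$", line)
        if key:
            current = key.group(1)
            config[current] = []
            continue
        item = re.match(r"^\s*-\s+(.+)$", line)
        if item and current is not None:
            config[current].append(item.group(1).strip().strip("'\""))
            continue
        raise ValueError(f"unsupported line: {raw!r}")  # fail closed on anything else
    return config

def review_org_set_config(text, my_org, allowed_domains):
    """Findings for a reviewer from `my_org`; an empty list means nothing to flag."""
    cfg = parse_org_set_config(text)
    findings = []
    # Per the page: only review if your organization appears under `organizations`.
    if my_org not in cfg.get("organizations", []):
        findings.append(f"{my_org} not listed under organizations; no review needed")
    # Every focal address must be well formed and from a domain the reviewer
    # trusts with ServiceNow ticket access (allowed_domains is the reviewer's list).
    for addr in cfg.get("security-focal-emails", []):
        if not EMAIL_RE.match(addr):
            findings.append(f"malformed email: {addr}")
        elif addr.rsplit("@", 1)[1].lower() not in allowed_domains:
            findings.append(f"email outside allowed domains: {addr}")
    return findings
```

Running `review_org_set_config(SAMPLE_CONFIG, "acme-platform", {"example.com"})` on the constructed sample flags only the malformed third address.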
How can I remove the Detect Secrets Admin Tool GitHub App from a single repository?
Permission from an organization admin is required.
- Go to `<github_host>/organizations/<org-name>/settings/installations`
- In the Installed GitHub App list, click the `Configure` button next to `Detect Secrets Admin Tool`
- Under `Repository access`, choose `Only select repositories`, then click the `x` next to the repository you want to remove the app from
How can I remove the Detect Secrets Admin Tool GitHub App from my organization?
Permission from an organization admin is required.
- Go to `<github_host>/organizations/<org-name>/settings/installations`
- In the Installed GitHub App list, click the `Configure` button next to `Detect Secrets Admin Tool`
- Under `Uninstall Detect Secrets Admin Tool`, click the `Uninstall` button
Does the Detect Secrets Admin Tool provide status checks on commits?
No. The Detect Secrets Admin Tool runs entirely in the background, invisible to developers. It sends a notification only if it finds verified secrets in new commits, in which case the secrets are reported to the remediation team.
What does it mean if I can only request to install the Detect Secrets Admin Tool to a repository or organization?
This means that you do not have sufficient permissions to install the Detect Secrets Admin Tool app. If you encounter this problem, please contact the organization admin for the organization or repository.