> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-6 — Secret scanning is disabled

> Leaked credentials in commits and pull requests will not be detected.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-6`                               |
| Severity | MEDIUM                                     |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Reads `security_and_analysis.secret_scanning.status` on the repository response. Fires when the field is explicitly `"disabled"`. Silent when the field is absent (the feature isn't available for this repo).

## Why it matters

Pipefort already detects hardcoded secrets *in workflow YAML* (the inline-string [CICD-SEC-6](/rules/cicd-sec-6) check). Secret scanning is the broader, GitHub-side detective control:

* Scans every commit on every branch — not just `.github/workflows/`.
* Catches leaks in source files, test fixtures, comments, anywhere.
* Detects partner-verified token formats (AWS, GCP, Stripe, etc.) including some private patterns.

Disabling it leaves a large class of credential leaks invisible.

## How to fix

Settings → Code security → **Secret scanning** → **Enable**.

Then pair with [Push protection](/rules/cicd-sec-6-secret-push-protection-off), which prevents the leaked secret from ever reaching the remote in the first place.

> Public repos: secret scanning is free and on by default for new repos.
> Private repos: requires GitHub Advanced Security. Pipefort stays silent when the feature is unavailable rather than emitting noise.
