{"id":71759,"date":"2025-08-12T08:08:45","date_gmt":"2025-08-12T16:08:45","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=71759"},"modified":"2025-08-12T08:30:17","modified_gmt":"2025-08-12T16:30:17","slug":"hunting-living-secrets-secret-validity-checks-arrive-in-github-advanced-security-for-azure-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/hunting-living-secrets-secret-validity-checks-arrive-in-github-advanced-security-for-azure-devops\/","title":{"rendered":"Hunting Living Secrets: Secret Validity Checks Arrive in GitHub Advanced Security for Azure DevOps"},"content":{"rendered":"<p>If you\u2019ve ever waded through a swamp of secret scanning alerts wondering, \u201cWhich of these are actually dangerous right now?\u201d \u2014 this enhancement is for you.<\/p>\n<p>Secret validity checks in <strong>GitHub Advanced Security for Azure DevOps<\/strong> (and the standalone <strong>Secret Protection<\/strong> experience) add a high\u2011signal field to each alert: <code>Active<\/code> (still usable), or <code>Unknown<\/code> (couldn\u2019t be verified).<\/p>\n<p>Instead of treating every alert like a five\u2011alarm fire, you can now fast\u2011path the truly risky stuff and spend less time chasing ghosts.<\/p>\n<hr \/>\n<h3>TL;DR<\/h3>\n<table>\n<thead>\n<tr>\n<th>Status<\/th>\n<th>What it really means<\/th>\n<th>First instinct<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Active<\/td>\n<td>The credential still works right now.<\/td>\n<td>Fix immediately.<\/td>\n<\/tr>\n<tr>\n<td>Unknown<\/td>\n<td>Couldn\u2019t verify (no activity, unsupported, provider issue, throttling, network).<\/td>\n<td>Treat as possibly active; retry or rotate if sensitive.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>Why This Matters<\/h3>\n<p>Traditional secret scanning:<\/p>\n<blockquote>\n<p>Found something \u2192 raise alert \u2192 you investigate \u2192 sometimes it was revoked months ago \u2192 wasted 
cycles.<\/p>\n<\/blockquote>\n<p>Secret scanning + validity checks:<\/p>\n<blockquote>\n<p>Found something \u2192 provider queried automatically \u2192 you know if it still opens doors.<\/p>\n<\/blockquote>\n<p>This feature doesn\u2019t revoke secrets for you\u2014it improves <strong>prioritization<\/strong>. You spend your time on \u201cliving\u201d (Active) secrets first, not archaeological specimens.<\/p>\n<hr \/>\n<h3>How It Works<\/h3>\n<ul>\n<li>Secret scanning detects a string matching a supported partner\/provider pattern. <\/li>\n<li>The platform securely queries the provider to confirm whether the credential still works. <\/li>\n<li>You get a status: <code>Active<\/code> or <code>Unknown<\/code>. <\/li>\n<li>You trigger an on\u2011demand verification after remediation to confirm it is no longer active.<\/li>\n<\/ul>\n<p>Supported provider patterns are listed<a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/repos\/security\/github-advanced-security-secret-scan-patterns?view=azure-devops#partner-provider-patterns\" target=\"_blank\"> here <\/a>(bookmark it; it will evolve). If a pattern isn\u2019t supported, the alert may remain <strong>Unknown<\/strong>\u2014that\u2019s expected.<\/p>\n<hr \/>\n<h3>Before You Start<\/h3>\n<p>Make sure:<\/p>\n<ul>\n<li>GitHub Advanced Security for Azure DevOps is enabled for the project\/repository (or Secret protection is enabled in the standalone experience). <\/li>\n<li>Secret scanning is turned on (validity checks are an enhancement, not a standalone feature).<\/li>\n<\/ul>\n<p>Once those are true, validity checks just start for newly detected supported secret types. No extra toggle. 
No YAML fiddling.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Validity-checking-list.png\" alt=\"Validity checking list image\"width=\"desired width\" height=\"desired height\" class=\"alignnone size-medium wp-image-71773\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Validity-checking-list.png 2020w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Validity-checking-list-300x172.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Validity-checking-list-1024x586.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Validity-checking-list-768x440.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Validity-checking-list-1536x879.png 1536w\" sizes=\"(max-width: 2020px) 100vw, 2020px\" \/><\/p>\n<hr \/>\n<h3>Typical Workflow<\/h3>\n<ol class=\"typical-workflow\">\n<li>\n<p>\n      <strong>Filter for Active secrets<\/strong>\n    <\/p>\n<figure class=\"wp-block-image\">\n<p>    <img decoding=\"async\" width=\"2020\" height=\"1150\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Vallidation-panels.png\" alt=\"Validation panels image\" class=\"alignnone size-medium wp-image-71772\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Vallidation-panels.png 2020w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Vallidation-panels-300x171.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Vallidation-panels-1024x583.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Vallidation-panels-768x437.png 768w, 
https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Vallidation-panels-1536x874.png 1536w\" sizes=\"(max-width: 2020px) 100vw, 2020px\" \/> <\/figure>\n<p>\n      <strong>The list now shows only alerts whose validity status is Active<\/strong>\n    <\/p>\n<figure class=\"wp-block-image\">\n<p>    <img decoding=\"async\" width=\"2014\" height=\"1147\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alerts-list-filtered-by-Validation-status-Active.png\" alt=\"Alerts list filtered by Validation status Active image\" class=\"alignnone size-medium wp-image-71771\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alerts-list-filtered-by-Validation-status-Active.png 2014w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alerts-list-filtered-by-Validation-status-Active-300x171.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alerts-list-filtered-by-Validation-status-Active-1024x583.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alerts-list-filtered-by-Validation-status-Active-768x437.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alerts-list-filtered-by-Validation-status-Active-1536x875.png 1536w\" sizes=\"(max-width: 2014px) 100vw, 2014px\" \/> <\/figure>\n<\/li>\n<li>\n<p>\n      <strong>Open an Active alert and see when it was last verified<\/strong>\n    <\/p>\n<figure class=\"wp-block-image\">\n<p>    <img decoding=\"async\" width=\"1996\" height=\"1140\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alert-detail-panel-showing-Active-and-Recommendations-Remediation.png\" alt=\"Alert detail panel showing Active and Recommendations &#038; Remediation image\" class=\"alignnone size-medium wp-image-71770\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alert-detail-panel-showing-Active-and-Recommendations-Remediation.png 1996w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alert-detail-panel-showing-Active-and-Recommendations-Remediation-300x171.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alert-detail-panel-showing-Active-and-Recommendations-Remediation-1024x585.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alert-detail-panel-showing-Active-and-Recommendations-Remediation-768x439.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Alert-detail-panel-showing-Active-and-Recommendations-Remediation-1536x877.png 1536w\" sizes=\"(max-width: 1996px) 100vw, 1996px\" \/> <\/figure>\n
<p>\n      <strong>Proceed with the recommended remediation: rotate or revoke the credential at the provider first (deleting it from the repository does not un-leak it; it stays in history), then remove it from the code.<\/strong>\n    <\/p>\n<\/li>\n<li>\n<p>\n      <strong>Run on\u2011demand verification by clicking \u201cVerify Secret\u201d<\/strong>\n    <\/p>\n<figure class=\"wp-block-image\">\n<p>    <img decoding=\"async\" width=\"2017\" height=\"1153\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Verify-Re-verify-action-in-progress.png\" alt=\"Verify \/ Re-verify action in progress image\" class=\"alignnone size-medium wp-image-71769\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Verify-Re-verify-action-in-progress.png 2017w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Verify-Re-verify-action-in-progress-300x171.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Verify-Re-verify-action-in-progress-1024x585.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Verify-Re-verify-action-in-progress-768x439.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/Verify-Re-verify-action-in-progress-1536x878.png 1536w\" sizes=\"(max-width: 2017px) 100vw, 2017px\" \/> <\/figure>\n
<p>\n      <strong>After a couple of minutes, the verification result updates<\/strong>\n    <\/p>\n<figure class=\"wp-block-image\">\n<p>    <img decoding=\"async\" width=\"2014\" height=\"1149\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/verification-completed.png\" alt=\"Verification completed image\" class=\"alignnone size-medium wp-image-71768\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/verification-completed.png 2014w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/verification-completed-300x171.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/verification-completed-1024x584.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/verification-completed-768x438.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/08\/verification-completed-1536x876.png 1536w\" sizes=\"(max-width: 2014px) 100vw, 2014px\" \/> <\/figure>\n<\/li>\n<li>\n<p>\n      <strong>Sweep Unknown secrets<\/strong>\n    <\/p>\n<ul>\n<li>\n        Strategy: Retry verification later, or treat as Active if it\u2019s high\u2011privilege or high\u2011impact.\n      <\/li>\n<\/ul>\n<\/li>\n<li>\n<p>\n      <strong>Close alerts<\/strong> according to your policy once remediation is complete and, where the secret type supports verification, a re-verification run after the rotation no longer reports Active.\n    <\/p>\n<\/li>\n<\/ol>\n<hr \/>\n
<h3>Dealing with \u201cUnknown\u201d<\/h3>\n<p><strong>Unknown \u2260 safe.<\/strong> Classify Unknown secrets with three quick questions:<\/p>\n<ol>\n<li>What is the potential blast radius? (Production infrastructure vs. internal sandbox.) <\/li>\n<li>How sensitive is the data it gates? <\/li>\n<li>What\u2019s the rotation cost? (Cheap to rotate? Do it.)<\/li>\n<\/ol>\n<p>If 2+ factors lean \u201crisky,\u201d act as if Active and remediate.<\/p>\n<hr \/>\n<h3>FAQ Quick Hits<\/h3>\n<ul>\n<li>\n<p><strong>Does this revoke secrets automatically?<\/strong><br \/>\nNo. It informs prioritization; remediation is manual (or via your automation).<\/p>\n<\/li>\n<li>\n<p><strong>Will all secret types support validation?<\/strong><br \/>\nMore partners will onboard over time\u2014track the supported patterns list.<\/p>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>Final Call to Action<\/h3>\n<ul>\n<li>Confirm secret scanning is enabled. <\/li>\n<li>Filter for <code>Active<\/code> secrets today. <\/li>\n<li>Use built-in Recommendations &amp; Remediation. <\/li>\n<li>Run on-demand verification to validate your fix. <\/li>\n<li>Track how quickly you neutralize live credentials, then improve from there.<\/li>\n<\/ul>\n<p>Fewer ghosts. More real wins.<\/p>\n<p><strong>Happy hunting.<\/strong><\/p>\n<hr \/>\n<h3>Appendix: Reference Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/aka.ms\/ghazdo-secret-validation\">Explore secret scanning in greater depth<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/repos\/security\/github-advanced-security-secret-scan-patterns?view=azure-devops#partner-provider-patterns\">Supported provider patterns for validation<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/repos\/security\/configure-github-advanced-security-features?view=azure-devops&amp;tabs=yaml\">Configure GitHub Advanced Security for Azure DevOps features &#8211; Azure Repos | Microsoft Learn<\/a><\/li>\n<li>Curious what\u2019s new? <a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/release-notes\/2025\/sprint-260-update#github-advanced-security-for-azure-devops-1\">
Our release notes have the highlights<\/a><\/li>\n<\/ul>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019ve ever waded through a swamp of secret scanning alerts wondering, \u201cWhich of these are actually dangerous right now?\u201d \u2014 this enhancement is for you. Secret validity checks in GitHub Advanced Security for Azure DevOps (and the standalone Secret Protection experience) add a high\u2011signal field to each alert: Active (still usable), or Unknown (couldn\u2019t [&hellip;]<\/p>\n","protected":false},"author":46375,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,249,251],"tags":[],"class_list":["post-71759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-open-source","category-security"],"acf":[],"blog_post_summary":"<p>If you\u2019ve ever waded through a swamp of secret scanning alerts wondering, \u201cWhich of these are actually dangerous right now?\u201d \u2014 this enhancement is for you. 
Secret validity checks in GitHub Advanced Security for Azure DevOps (and the standalone Secret Protection experience) add a high\u2011signal field to each alert: Active (still usable), or Unknown (couldn\u2019t [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/46375"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=71759"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71759\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=71759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=71759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=71759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
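The triage rule from "Dealing with Unknown" (two or more risky answers means act as if Active), the work ordering from "Typical Workflow" (confirmed Active first, then risky Unknowns, then retries) and the final close step, as an added worked example in Python. This is not code from the post or from GitHub Advanced Security for Azure DevOps: the `Alert` fields (`validity`, `blast_radius`, `data_sensitivity`, `rotation_cost`, `last_verified_at`) are an assumed shape for illustration rather than the product's alert API, and the five sample alerts are constructed. It goes one step beyond the text by encoding the closing check explicitly: a provider check recorded before the rotation is stale evidence and does not count as verification of the fix.

```python
"""Triage queue for secret-scanning alerts that carry a validity status.

Added example; not code from the blog post or from GitHub Advanced Security
for Azure DevOps. The Alert fields below are an ASSUMED shape used for
illustration, not the GHAzDO alert API. All sample alerts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ACTIVE = "Active"    # provider confirmed the credential still works
UNKNOWN = "Unknown"  # could not be verified: unsupported type, throttling, provider issue, ...


@dataclass(frozen=True)
class Alert:
    alert_id: int
    secret_type: str
    validity: str                      # ACTIVE or UNKNOWN (assumed field)
    blast_radius: str                  # "production" | "internal" | "sandbox" (assumed field)
    data_sensitivity: str              # "high" | "medium" | "low" (assumed field)
    rotation_cost: str                 # "cheap" | "expensive" (assumed field)
    last_verified_at: Optional[datetime] = None  # when the provider last answered (assumed field)


def risky_factors(alert: Alert) -> list:
    """The three 'Dealing with Unknown' questions, each answered risky or not."""
    factors = []
    if alert.blast_radius == "production":
        factors.append("blast_radius")
    if alert.data_sensitivity == "high":
        factors.append("data_sensitivity")
    if alert.rotation_cost == "cheap":
        factors.append("rotation_cost")  # cheap to rotate: just do it
    return factors


def treat_as_active(alert: Alert) -> bool:
    """Unknown is not safe: with 2+ risky factors, act as if the secret were Active."""
    if alert.validity == ACTIVE:
        return True
    return len(risky_factors(alert)) >= 2


def triage_bucket(alert: Alert) -> str:
    if alert.validity == ACTIVE:
        return "remediate-now"
    if treat_as_active(alert):
        return "remediate-as-active"
    return "retry-verification"  # low-impact Unknown: re-verify later


_BUCKET_RANK = {"remediate-now": 0, "remediate-as-active": 1, "retry-verification": 2}
_RADIUS_RANK = {"production": 0, "internal": 1, "sandbox": 2}


def remediation_queue(alerts) -> list:
    """Work order: confirmed Active first, then Unknown-but-risky, then retries;
    inside a bucket the widest blast radius goes first."""
    ordered = sorted(
        alerts,
        key=lambda a: (_BUCKET_RANK[triage_bucket(a)],
                       _RADIUS_RANK.get(a.blast_radius, len(_RADIUS_RANK)),
                       a.alert_id),
    )
    return [(a.alert_id, triage_bucket(a)) for a in ordered]


def can_close(alert: Alert, remediated_at: datetime) -> bool:
    """Closing policy: the alert must no longer read Active, and the provider
    check must post-date the rotation. A status recorded before the rotation
    says nothing about whether the rotation worked, so it does not count."""
    if alert.validity == ACTIVE:
        return False
    if alert.last_verified_at is None or alert.last_verified_at <= remediated_at:
        return False
    return True


# Constructed sample alerts (not real findings; generic secret types on purpose).
SAMPLE_ALERTS = [
    Alert(101, "cloud storage account key", ACTIVE, "production", "high", "expensive"),
    Alert(102, "source-control access token", UNKNOWN, "production", "high", "expensive"),
    Alert(103, "mail-service API key", UNKNOWN, "sandbox", "low", "cheap"),
    Alert(104, "chat webhook URL", ACTIVE, "internal", "medium", "cheap"),
    Alert(105, "package-registry token", UNKNOWN, "internal", "high", "cheap"),
]

# Constructed close-step scenario: token rotated at 09:00 UTC; one provider check
# happened before the rotation (stale), one after it (fresh).
ROTATED_AT = datetime(2025, 8, 12, 9, 0, tzinfo=timezone.utc)
STALE_CHECK = Alert(102, "source-control access token", UNKNOWN, "production", "high",
                    "expensive", last_verified_at=datetime(2025, 8, 12, 8, 55, tzinfo=timezone.utc))
FRESH_CHECK = Alert(102, "source-control access token", UNKNOWN, "production", "high",
                    "expensive", last_verified_at=datetime(2025, 8, 12, 9, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    for alert_id, bucket in remediation_queue(SAMPLE_ALERTS):
        print(f"alert {alert_id}: {bucket}")
    print("close on stale check:", can_close(STALE_CHECK, ROTATED_AT))  # False
    print("close on fresh check:", can_close(FRESH_CHECK, ROTATED_AT))  # True
```

Run it as a script to see the queue: the two Active alerts come first, ordered by blast radius, then the two Unknowns that score two risky factors, and the low-impact sandbox key lands in the retry bucket. The `can_close` check is the part worth copying into whatever automation closes alerts: compare the verification timestamp against your rotation timestamp, not just the status string.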