GitHub Secret Scanning Disabled
Detects when GitHub Secret Scanning is disabled for a repository. Adversaries may disable secret scanning to evade detection of hardcoded secrets, such as API keys or credentials, that could be used for further compromise or data exfiltration.
# Elastic prebuilt detection rule for the GitHub integration: alerts when
# repository-level Secret Scanning is switched off, as seen in the audit log.
[metadata]
creation_date = "2023/12/16"
# Data arrives via the Elastic "github" integration (audit log stream).
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"

[rule]
author = ["Elastic"]
description = """
Detects when GitHub Secret Scanning is disabled for a repository. Adversaries may disable secret scanning to
evade detection of hardcoded secrets, such as API keys or credentials, that could be used for further
compromise or data exfiltration.
"""
# Look-back window for each execution. No `interval` is set here, so the
# platform default applies; the window is presumably kept wider than that
# interval so late-arriving audit events are not missed — confirm on deploy.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Secret Scanning Disabled"
# Public write-ups of the Shai-Hulud npm supply-chain campaign (per the URLs);
# presumably the incident context in which this control-tampering step matters.
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
# Low severity on its own: disabling a scanner is a precursor, not the impact.
# Worth correlating with later visibility changes or unusual clone activity
# (see the related GitHub rules) rather than triaging in isolation.
risk_score = 21
rule_id = "21c3536f-b674-43db-9bfc-dcf4cf9dcc37"
severity = "low"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Github",
]
# Window checks use ingest time (event.ingested) instead of the event's own
# timestamp; this is what tolerates delayed audit-log delivery. NOTE(review):
# confirm the integration's pipeline actually sets event.ingested.
timestamp_override = "event.ingested"
type = "eql"
# Single-event EQL match on the repository-scoped audit action only.
# Organization-wide disablement and push-protection changes are logged under
# different event.action values and are NOT covered by this query —
# NOTE(review): confirm the intended scope against GitHub's audit log action
# reference and add sibling rules if org-level coverage is wanted.
query = '''
configuration where event.dataset == "github.audit" and event.type == "change" and event.action == "repository_secret_scanning.disable"
'''

# MITRE ATT&CK mapping: turning off a security control is Impair Defenses /
# Disable or Modify Tools, under the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

# Tactic for the [[rule.threat]] element above (a sub-table of that element,
# so it must stay between this element and any following [[rule.threat]]).
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- GitHub Protected Branch Settings Changed
- GitHub Exfiltration via High Number of Repository Clones by User
- GitHub Private Repository Turned Public
- Github Activity on a Private Repository from an Unusual IP
- High Number of Closed Pull Requests by User