Secret scanning: Persist detected secrets in encrypted storage (github#31710)

am-stead · sophietheking · mchammer01 · web-flow · commit e398bab4297e · 2022-10-18T16:25:22.000Z
Co-authored-by: Sophie &lt;29382425+sophietheking@users.noreply.github.com&gt;
Co-authored-by: mchammer01 &lt;42146119+mchammer01@users.noreply.github.com&gt;
Co-authored-by: Robert Bolender &lt;robertbolender@github.com&gt;
Co-authored-by: Matt Pollard &lt;mattpollard@users.noreply.github.com&gt;
diff --git a/content/code-security/secret-scanning/about-secret-scanning.md b/content/code-security/secret-scanning/about-secret-scanning.md
@@ -74,6 +74,10 @@ If you're a repository administrator you can enable {% data variables.product.pr
 
 {% ifversion ghes or ghae or ghec %}You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for a repository, organization, or enterprise. For more information, see "[Defining custom patterns for {% data variables.product.prodname_secret_scanning %}](/code-security/secret-security/defining-custom-patterns-for-secret-scanning)."
 {% endif %}
+
+{% ifversion secret-scanning-ghas-store-tokens %}
+{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes > 3.7 %} To rotate the encryption keys used for storing the detected secrets, you can contact {% data variables.contact.contact_ent_support %}.{% endif %}
+
 ### About {% data variables.product.prodname_secret_scanning %} alerts
 
 When you enable {% data variables.product.prodname_secret_scanning %} for a repository or push commits to a repository with {% data variables.product.prodname_secret_scanning %} enabled, {% data variables.product.prodname_dotcom %} scans the contents of those commits for secrets that match patterns defined by service providers{% ifversion ghes or ghae or ghec %} and any custom patterns defined in your enterprise, organization, or repository{% endif %}. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} also periodically runs a scan of all historical content in repositories with {% data variables.product.prodname_secret_scanning %} enabled.{% endif%}
diff --git a/data/features/secret-scanning-ghas-store-tokens.yml b/data/features/secret-scanning-ghas-store-tokens.yml
@@ -0,0 +1,5 @@
+# Issue 8348
+# Secret Scanning - Persist detected secrets in encrypted storage
+versions:
+  ghec: '*'
+  ghes: '>=3.8'
