{"meta":{"title":"Interpreting secret risk assessment results","intro":"Understand the results from your secret risk assessment and prioritize leak remediation.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/tutorials","title":"Tutorials"},{"href":"/en/code-security/tutorials/secure-your-organization","title":"Secure your organization"},{"href":"/en/code-security/tutorials/secure-your-organization/interpreting-secret-risk-assessment-results","title":"Interpret secret risk assessment"}],"documentType":"article"},"body":"# Interpreting secret risk assessment results\n\nUnderstand the results from your secret risk assessment and prioritize leak remediation.\n\n## Introduction\n\nIn this tutorial, you'll interpret your secret risk assessment results, and learn how to:\n\n* Understand risk metrics on the dashboard\n* Identify high-risk secret leaks\n* Prioritize secrets for remediation\n\n## Prerequisites\n\nYou must generate a secret risk assessment report and wait for the scan to complete. See [Running the secret risk assessment for your organization](/en/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/assess-your-secret-risk).\n\n## Step 1: Understand your dashboard metrics\n\nOnce your assessment completes, review the key metrics at the top of the dashboard:\n\n* **Total secrets**: Total number of secret leaks found across your organization\n* **Public leaks**: Distinct secrets found in **public** repositories\n* **Preventable leaks**: Leaks that push protection could have prevented\n\nYou can also determine the number of secrets found in your **private repositories** by subtracting the number of public leaks from your total secrets. While remediating these secrets is less immediately important, they still pose risk if someone gains unauthorized access to your repositories, or if a repository is made public.\n\n## Step 2: Understand secret categories\n\nLook at the **Secret categories** section to understand **what types of secrets** were leaked.\n\n* **Provider patterns**: Specific secret formats for known services (AWS, Azure, GitHub tokens)\n* **Generic patterns**: Generic secret formats like private keys, API keys, passwords\n\nProvider patterns are often easier to identify and revoke because you know exactly which service they belong to. Generic patterns may require more investigation.\n\n## Step 3: Identify how many repositories are affected\n\nCheck the **Repositories with leaks** metric, which shows how many of your repositories contain secret leaks.\n\nIf a **high percentage** of repositories contain leaks, this may indicate:\n\n* A widespread culture issue around secret management\n* A need for organization-wide training\n* Missing guardrails like push protection, which blocks secrets before they are committed\n\nIf only a **few** repositories contain leaks, you can:\n\n* Focus remediation efforts on specific teams\n* Use the leak information to determine which repositories are high-risk areas\n\n## Step 4: Review leaked secrets by type\n\nScroll to the bottom to see the detailed **Secret type** table, which includes:\n\n* **Secret type**: The specific kind of secret\n* **Distinct repositories**: How many different repositories contain this type\n* **Secrets found**: Total count of this secret type across all repositories\n\nThe table sorts by highest count automatically, helping you identify the greatest risks.\n\nIf you see **many secrets of the same type** (for example, multiple AWS keys), this indicates:\n\n* Developers may not be using environment variables\n* Missing documentation on secret management\n\n## Step 5: Prioritize remediation and related actions\n\nNow that you understand the metrics, prioritize remediation based on risk.\n\nThe highest priority secrets are **leaked provider patterns in public repositories**, because they are:\n\n* Accessible to anyone on the internet\n* Often easier to identify and revoke, since you know which service they belong to\n\nNext, you can address secrets that present lower risk or require more extensive efforts to remediate. These can be:\n\n* **Generic patterns in public repositories**, which may require investigation to identify the service or system they belong to\n* **Private repository leaks**, which represent a lower immediate risk but should still be addressed\n\nFinally, look for the following indicators, which may require additional prevention efforts beyond leak remediation:\n\n* **Many repositories with leaks**: Indicates a need for organization-wide training and improved security awareness\n* **Repeated secret types**: Suggests specific workflows or teams need targeted intervention\n* **Common secret categories**: May point to particular CI/CD processes requiring security improvements\n\n## Next steps\n\nAfter understanding your secret exposure, select repositories for a GitHub Secret Protection pilot. See [Best practices for selecting pilot repositories](/en/code-security/concepts/security-at-scale/best-practices-for-selecting-pilot-repositories)."}