Ensure GitHub Advanced Security and secret scanning are enabled for the organization in Settings > Security > Code security.
Create a fine-grained personal access token or GitHub App installation token with the security_events read permission scoped to the organization.
Call GET /orgs/{org}/secret-scanning/alerts with the header Authorization: token YOUR_TOKEN to retrieve all secret scanning alerts across repos in the org.
Use query parameters state (open or resolved), secret_type, and resolution to narrow results; page through using the Link response header.
For each alert, inspect fields including secret_type, locations_url, push_protection_bypassed, and html_url to prioritize remediation.
Retrieve specific alert locations with GET /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}/locations to identify every file and commit where the secret appears.
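The six steps above as one script, added here as an example and not code from the original page or from GitHub: it lists the organization's alerts, follows the Link header across pages, ranks alerts so that push-protection bypasses and provider tokens come first, and then resolves each alert's locations. The org name "example-org", the alert and location payloads in SAMPLE_PAGES, and the fake_fetch() stand-in are constructed so the script runs offline; the endpoints, query parameters, Authorization header and alert fields are the ones the steps name. Unknown secret_type values are ranked last rather than dropped, which is the failure the gotchas section warns about for older integrations.

```python
"""Added example: triage GitHub secret scanning alerts for an organization.
Constructed for this example: ORG, SAMPLE_PAGES and fake_fetch(); set
GITHUB_TOKEN to run against the live API instead."""
import json
import os
import re
import urllib.request
from typing import Callable, Iterator, Optional

API = "https://api.github.com"
ORG = "example-org"  # constructed org name
# Provider-pattern types treated as most urgent. The value must be GitHub's
# internal identifier string, not a human-readable label.
HIGH_RISK_TYPES = {"github_personal_access_token"}

Fetch = Callable[[str], tuple]  # url -> (json_body, link_header_or_None)


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from a Link header; None means last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def github_fetch(url: str, token: str) -> tuple:
    """Live fetch using the Authorization: token header from step 3."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("Link")


def iter_org_alerts(org: str, fetch: Fetch, state: str = "open",
                    secret_type: Optional[str] = None) -> Iterator[dict]:
    """Yield every alert in the org, following Link: rel="next" pages (step 4)."""
    url = f"{API}/orgs/{org}/secret-scanning/alerts?state={state}&per_page=100"
    if secret_type:
        url += f"&secret_type={secret_type}"
    while url:
        body, link = fetch(url)
        yield from body
        url = parse_next_link(link)


def alert_locations(alert: dict, fetch: Fetch) -> list:
    """Follow locations_url (step 6); return (type, path, commit_sha) per hit."""
    out, url = [], alert["locations_url"]
    while url:
        body, link = fetch(url)
        for loc in body:
            d = loc.get("details", {})
            out.append((loc.get("type"), d.get("path"), d.get("commit_sha")))
        url = parse_next_link(link)
    return out


def rank(alert: dict) -> tuple:
    """Push-protection bypasses first, then provider tokens; any secret_type
    we do not recognise is kept and sorted last instead of being dropped."""
    return (0 if alert.get("push_protection_bypassed") else 1,
            0 if alert.get("secret_type") in HIGH_RISK_TYPES else 1,
            alert.get("number", 0))


def triage(org: str, fetch: Fetch) -> list:
    """Return the org's alerts in priority order, each with its locations."""
    alerts = sorted(iter_org_alerts(org, fetch), key=rank)
    return [{"number": a["number"], "secret_type": a.get("secret_type"),
             "bypassed": bool(a.get("push_protection_bypassed")),
             "html_url": a.get("html_url"),
             "locations": alert_locations(a, fetch)} for a in alerts]


# --- constructed sample responses so the script runs offline ---
def _loc(repo: str, n: int) -> str:
    return f"{API}/repos/{ORG}/{repo}/secret-scanning/alerts/{n}/locations"


_P1 = f"{API}/orgs/{ORG}/secret-scanning/alerts?state=open&per_page=100"
_P2 = _P1 + "&page=2"
SAMPLE_PAGES = {
    _P1: ([{"number": 1, "secret_type": "generic_password", "push_protection_bypassed": False,
            "html_url": f"https://github.com/{ORG}/app/security/secret-scanning/1",
            "locations_url": _loc("app", 1)},
           {"number": 2, "secret_type": "github_personal_access_token", "push_protection_bypassed": True,
            "html_url": f"https://github.com/{ORG}/app/security/secret-scanning/2",
            "locations_url": _loc("app", 2)}],
          f'<{_P2}>; rel="next", <{_P2}>; rel="last"'),
    _P2: ([{"number": 3, "secret_type": "github_personal_access_token", "push_protection_bypassed": False,
            "html_url": f"https://github.com/{ORG}/infra/security/secret-scanning/3",
            "locations_url": _loc("infra", 3)}], None),
    _loc("app", 1): ([{"type": "commit", "details": {"path": "config/settings.py", "commit_sha": "0" * 40}}], None),
    _loc("app", 2): ([{"type": "commit", "details": {"path": ".env", "commit_sha": "1" * 40}},
                      {"type": "commit", "details": {"path": "deploy.sh", "commit_sha": "2" * 40}}], None),
    _loc("infra", 3): ([{"type": "commit", "details": {"path": "terraform.tfvars", "commit_sha": "3" * 40}}], None),
}


def fake_fetch(url: str) -> tuple:
    """Offline stand-in for github_fetch, serving the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    fetch = (lambda u: github_fetch(u, token)) if token else fake_fetch
    for row in triage(ORG, fetch):
        print(row["number"], row["secret_type"], "BYPASSED" if row["bypassed"] else "", row["locations"])
```

With the constructed data the script prints alert 2 first (push protection bypassed), then alert 3 (a provider token), then the generic password. Against the live API the same code needs a token whose holder is an organization owner or security manager, since the org-level endpoint rejects repo-scoped tokens.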
Known gotchas
Organization-level listing requires the token holder to be an organization owner or security manager; repo-scoped tokens cannot call the org endpoint.
The secret_type parameter value must match GitHub's internal identifier string (e.g., github_personal_access_token), not a human-readable label.
Alerts for non-provider patterns (passwords, generic secrets) were added to the API in 2024; older integrations may not expect these types and could drop them silently.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp