Verify that GitHub Advanced Security is licensed for your organization; secret scanning requires GHAS on private repositories.
Use a token with the admin:org scope or an organization owner's fine-grained token with organization administration write permissions.
Enable secret scanning and push protection for all new repositories by PATCH-ing /orgs/{org} with the body fields secret_scanning_enabled_for_new_repositories: true and secret_scanning_push_protection_enabled_for_new_repositories: true.
Enumerate existing private repositories with GET /orgs/{org}/repos?type=private and for each, enable secret scanning with PATCH /repos/{owner}/{repo} using the body field security_and_analysis.secret_scanning.status: enabled.
Confirm enablement by GET-ing /repos/{owner}/{repo} and checking the security_and_analysis.secret_scanning.status field equals enabled.
After enablement, poll GET /orgs/{org}/secret-scanning/alerts?state=open to retrieve any pre-existing secrets surfaced by the initial scan of historical commits.
Known gotchas
Enabling secret scanning on a repository triggers a scan of its full commit history; this can surface alerts for secrets that were added and deleted long ago — triage by commit date and verify whether credentials are still valid.
The PATCH /repos/{owner}/{repo} endpoint requires the security_and_analysis object to be nested correctly; a flat body structure returns a 422 error.
Public repositories are not enabled through the API in the same way: GitHub enables secret scanning on them automatically, but push protection requires explicit opt-in.
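The steps above and the nested-body gotcha, as an added Python example (not part of the original page). The api callable, the FakeGitHub stand-in, the "unknown" status and the acme repository names are assumptions constructed for illustration so the flow runs offline; a real transport would send these bodies with the token described above.

```python
def org_defaults_body():
    # Body for PATCH /orgs/{org}: defaults applied to new repositories.
    return {"secret_scanning_enabled_for_new_repositories": True,
            "secret_scanning_push_protection_enabled_for_new_repositories": True}

def repo_enable_body():
    # Body for PATCH /repos/{owner}/{repo}: status sits two levels down.
    return {"security_and_analysis": {"secret_scanning": {"status": "enabled"}}}

def scanning_status(repo):
    # Read the field from a GET /repos/{owner}/{repo} response; "unknown"
    # (an assumption of this example) when the object is absent.
    analysis = repo.get("security_and_analysis") or {}
    return (analysis.get("secret_scanning") or {}).get("status", "unknown")

def rollout(org, api):
    # api(method, path, body=None) is a hypothetical transport returning parsed
    # JSON. A real one must also follow pagination on the repository listing.
    api("PATCH", f"/orgs/{org}", org_defaults_body())
    results = {}
    for repo in api("GET", f"/orgs/{org}/repos?type=private"):
        path = f"/repos/{repo['full_name']}"
        api("PATCH", path, repo_enable_body())
        results[repo["full_name"]] = scanning_status(api("GET", path))
    return results

class FakeGitHub:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, names):
        self.org = {}
        self.repos = {n: {"full_name": n, "security_and_analysis":
                          {"secret_scanning": {"status": "disabled"}}} for n in names}

    def __call__(self, method, path, body=None):
        if path.startswith("/orgs/"):
            if method == "PATCH":
                self.org.update(body)
                return self.org
            return list(self.repos.values())
        repo = self.repos[path[len("/repos/"):]]
        if method == "PATCH":
            nested = (body.get("security_and_analysis") or {}).get("secret_scanning")
            if not nested:  # models the 422 the page describes for a flat body
                raise ValueError("422: security_and_analysis must be nested")
            repo["security_and_analysis"]["secret_scanning"]["status"] = nested["status"]
        return repo

if __name__ == "__main__":
    print(rollout("acme", FakeGitHub(["acme/api", "acme/web"])))
```

Any repository whose result is not enabled after the confirming GET should be treated as a failed rollout rather than retried silently.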