1. GitHub Docs, "About secret scanning."
Section: "About secret scanning for public repositories"
Content: "When secret scanning detects a set of credentials in a public repository, GitHub notifies the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret, issue a new secret, or reach out to you directly..." This directly supports answer A.
2. GitHub Docs, "Protecting pushes with secret scanning."
Section: "About push protection for secret scanning"
Content: "Push protection for secret scanning is available on repositories with a GitHub Advanced Security license." This confirms that blocking pushes (Option B) is a distinct, non-default feature.
3. GitHub Docs, "Managing alerts from secret scanning."
Section: "About alerts for secret scanning"
Content: "When a secret is detected in a repository, GitHub generates a security alert... GitHub notifies the repository administrators and organization owners about security alerts by default." This shows that notification occurs, but the provider notification (Option A) is the unique, primary action for public repositories. It also clarifies that webhooks (Option D) are a method of notification, not the action itself.