Secret scanning REST API responses including first_location_detected and has_more_locations are now generally available

The secret scanning REST API now returns additional metadata to help you triage alerts more effectively. The new first_location_detected object provides structured location data for the first detected instance of the secret, without requiring a separate call to the token locations API.

The has_more_locations object indicates whether the same secret appears in multiple locations in the repository, offering a lightweight signal that additional locations exist without returning the full set.

These fields are returned from the following endpoints:

– List secret scanning alerts for a repository
– List secret scanning alerts for an organization
– List secret scanning alerts for an enterprise

Learn more from the secret scanning REST API product documentation.

JUN.17Improvement
Secret scanning updates – June 2026
- Application Security
JUN.16Release
GitHub Code Quality generally available July 20, 2026
- Application Security
JUN.16Release
Organization-level enablement for GitHub Code Quality
- Application Security
JUN.10Improvement
Incremental analysis for Go, C/C++, and CodeQL CLI
- Application Security
JUN.10Improvement
Dedicated security review command now available in Copilot CLI
- Application Security
JUN.9Release
Periodic code scanning of inactive repositories
- Application Security
JUN.9Improvement
Security validation for third-party coding agents
- Application Security
JUN.5Improvement
CodeQL 2.25.6 adds Swift 6.3.2 support and improves C# coverage
- Application Security
JUN.2Release
Cloud and local sandboxes for GitHub Copilot now in public preview
- Application Security

Secret scanning REST API responses including first_location_detected and has_more_locations are now generally available

Related Posts

Subscribe to our developer newsletter