Github Secret Scanning Feature Disabled

Summary
This detection rule monitors the operational status of GitHub's secret scanning feature across repositories and enterprise accounts. When secret scanning is disabled, sensitive data such as API keys, tokens and passwords can be committed to public or private repositories without being flagged, which is a serious credential-leakage risk.

The rule inspects GitHub audit log events for the specific actions that indicate secret scanning being disabled: at the repository level, at the enterprise level, and for the enterprise default that applies to newly created repositories. Keeping the feature enabled, and alerting when it is turned off, strengthens an organization's security posture and reduces the likelihood of leaked credentials.

For this detection to work, GitHub audit log streaming must be enabled and configured as described in GitHub's documentation, so that the audit events reach the SIEM or log platform that evaluates the rule. The rule is assigned a high severity level because of the impact of disabling such an important control. Expected false positives are legitimate administrative operations, for example a planned configuration change by an authorized admin; these should be validated against change records rather than suppressed outright.
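The following is an added example of the detection logic described above, run over a few constructed audit-log lines; it is not the Sigma rule itself nor GitHub's code. The JSON field names (`action`, `actor`, `repo`, `business`, `@timestamp`) follow the shape of GitHub's streamed audit log, but the three action names in `SECRET_SCANNING_DISABLE_ACTIONS` are assumptions standing in for the rule's actual list and must be checked against GitHub's audit-log action reference before use. The `triage` helper reflects the false-positive note: events from a known, approved administrator are marked for validation against change records rather than dropped.

```python
"""Flag GitHub audit-log events that disable secret scanning (added example)."""
import json
from typing import Iterable

# ASSUMED action names: placeholders for the rule's real list. Verify each one
# against GitHub's audit-log documentation for your plan before deploying.
SECRET_SCANNING_DISABLE_ACTIONS = frozenset({
    "repo.secret_scanning_disable",                # repository level (assumed)
    "business.secret_scanning_disable",            # enterprise level (assumed)
    "business.secret_scanning_new_repos_disable",  # enterprise default for new repos (assumed)
})

# Constructed sample of streamed audit-log lines (one JSON object per line).
# Line 4 is deliberately malformed to show that a bad line must not abort the scan.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1709800000000, "action": "repo.secret_scanning_enable", "actor": "alice", "repo": "acme/payments"}
{"@timestamp": 1709800060000, "action": "repo.secret_scanning_disable", "actor": "mallory", "repo": "acme/payments"}
{"@timestamp": 1709800120000, "action": "git.push", "actor": "bob", "repo": "acme/web"}
{"@timestamp": 1709800180000, "action": "business.secret_scanning_new_repos_disable", "actor": "alice", "business": "acme"
{"@timestamp": 1709800240000, "action": "business.secret_scanning_new_repos_disable", "actor": "alice", "business": "acme"}
"""

# Constructed allowlist of admins whose changes are expected but still need validation.
APPROVED_ADMINS = frozenset({"alice"})


def is_secret_scanning_disabled(event: dict) -> bool:
    """True when the event's action is one of the disable actions of interest."""
    return event.get("action") in SECRET_SCANNING_DISABLE_ACTIONS


def scan_audit_log(lines: Iterable[str]) -> list[dict]:
    """Parse newline-delimited JSON audit events and return one alert per match.

    Malformed lines are skipped (counted under the 'parse_errors' key of the
    first alert's metadata would hide them, so they are returned separately by
    scan_audit_log_with_errors below); this function returns alerts only.
    """
    return scan_audit_log_with_errors(lines)[0]


def scan_audit_log_with_errors(lines: Iterable[str]) -> tuple[list[dict], int]:
    """Like scan_audit_log, but also reports how many lines failed to parse."""
    alerts: list[dict] = []
    parse_errors = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            parse_errors += 1  # record, but keep evaluating the remaining events
            continue
        if is_secret_scanning_disabled(event):
            alerts.append({
                "timestamp": event.get("@timestamp"),
                "actor": event.get("actor", "unknown"),
                "action": event["action"],
                # Repository-level events carry 'repo'; enterprise-level ones carry 'business'.
                "scope": event.get("repo") or event.get("business") or "unknown",
                "severity": "high",
            })
    return alerts, parse_errors


def triage(alerts: list[dict], approved_admins: frozenset = APPROVED_ADMINS) -> list[dict]:
    """Annotate each alert with a disposition instead of suppressing any of them.

    A disable action by an approved admin is a likely legitimate change and is
    tagged 'validate_change_record'; anyone else is tagged 'investigate'.
    """
    out = []
    for alert in alerts:
        disposition = ("validate_change_record" if alert["actor"] in approved_admins
                       else "investigate")
        out.append({**alert, "disposition": disposition})
    return out


if __name__ == "__main__":
    found, bad = scan_audit_log_with_errors(SAMPLE_AUDIT_LOG.splitlines())
    print(f"{len(found)} alert(s), {bad} unparseable line(s)")
    for a in triage(found):
        print(json.dumps(a))
```

Run as a script, the sample yields two high-severity alerts (the repository-level disable by `mallory`, tagged `investigate`, and the enterprise new-repository default change by `alice`, tagged `validate_change_record`) and one unparseable line.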
Categories
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
Created: 2024-03-07