GitHub Secret Scanning Now Generally Available
Code-hosting platform GitHub this week announced that secret scanning is now generally available for all public repositories, for free.
Initially released in beta in December 2022, the feature is meant to help organizations and developers identify credentials and secrets (such as tokens and private keys) that might be exposed in their code.
With secret scanning enabled, developers are notified of any potentially exposed secrets, and can enable alerts across all their repositories.
“You can enable secret scanning alerts across all the repositories you own to notify you of leaked secrets across your full repository history including code, issues, description, and comments,” GitHub says.
The feature is backed by over 100 service providers in the GitHub Partner Program and delivers notifications and an audit log even for exposed self-hosted keys, for full visibility into potential risks.
The alerts for partners, GitHub explains, are automatically delivered for all public repositories, to inform service providers when their secrets are leaked. Whenever a repository is made public, GitHub scans it for secrets that match partner patterns.
Service providers then decide whether the secret should be revoked and a new secret issued instead, or if they should contact the repository administrator or owner directly, depending on the associated risks.
“Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the Security tab of repositories,” GitHub explains.
Secret scanning can be enabled by any owner or admin of a public repository, while organizations can bulk enable notifications for multiple repositories.
To enable the secret scanning feature, admins need to navigate to the ‘Code security and analysis’ section of the ‘Settings’ tab and select ‘Security’.
Whenever a secret is identified, GitHub sends email alerts to the repository administrators and organization owners and to the contributor who committed the secret.
Related: GitHub Revokes Code Signing Certificates Following Cyberattack
Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery
Related: GitHub Introduces Automatic Vulnerability Scanning Feature