Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

GitHub Announces Free Secret Scanning, Mandatory 2FA

Microsoft-owned code hosting platform GitHub this week announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors.

Microsoft-owned code hosting platform GitHub this week announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors.

The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, it helped identify 1.7 million potential secrets exposed in public repositories.

“Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed,” GitHub explains.

Starting this week, the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. The feature is now rolling out in beta and GitHub expects it to reach all users by the end of January 2023.

Developers will find the option available in their repositories under ‘Code security and analysis’ settings. Secret scanning can be launched from the ‘Security’ tab, underneath ‘Vulnerability alerts’. A list of identified secrets will be available there, containing remediation suggestions for each of them.

On Thursday, GitHub announced that organizations that have defined custom patterns for their secret scanning can now enable push protection for them and configure it on a pattern-by-pattern basis.

“You can define custom patterns at the repository, organization, and enterprise levels. And now, you can also enable push protection for custom patterns at the organization or repository level. With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern,” the code hosting platform says.

Custom patterns can be defined from the organization’s code security settings page, if GitHub Advanced Security and secret scanning are enabled. Organizations can dry run new patterns before publishing them and can enable ‘Push protection’ from the custom pattern’s page.

“GitHub recommends regularly checking your custom pattern’s alerts to make sure that you’re keeping false positive noise as low as possible for your developers. This strategic use of push protection can help you build trust between your contributors and their security alerts, so that alerts are properly actioned when needed,” the platform notes.

To further improve repository security, GitHub will require millions of developers on the platform to enable 2FA for their accounts in 2023. Initially announced in May, the requirement will be rolled out gradually starting March 2023 and is expected to reach all developers and contributors by the end of the year.

Mandatory 2FA targets users who publish GitHub or OAuth apps or packages, those who create a release, who are enterprise and organization administrators, and those who contribute code, either to the approximate top four million public and private repositories or to repositories deemed critical by NPM, OpenSSF, PyPI, or RubyGems.

“We’ll assess the outcomes of the rollout after each group–observing user success rates for 2FA onboarding, rates of account lockout and recovery, and our support ticket volume. This data will enable us to adjust our approach and more appropriately size and schedule remaining groups as needed to ensure a positive experience for developers, and support workloads GitHub can sustain,” GitHub announced.

The platform will start sending reminders to the targeted users 45 days prior to the mandatory 2FA deadline, will then prompt them to enable the feature each day when they access GitHub, and, seven days after the deadline, will block their accounts from accessing the platform’s features until 2FA is enabled.

“Twenty-eight (28) days after you enable 2FA, you will be presented with a 2FA check-up while using, which validates that your 2FA setup is working correctly. Previously signed in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors or recovery codes during onboarding,” GitHub explains.

Related: GitHub Introduces Private Vulnerability Reporting for Public Repositories

Related: GitHub Improves npm Account Security as Incidents Rise

Related: Google Teams Up With GitHub for Supply Chain Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...