CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Cloud Security

GitHub Improves Secret Scanning Feature With Expanded Token Validity Checks

GitHub beefs up its secret scanning feature, now allowing users to check the validity of exposed credentials for major cloud services.

Software development giant GitHub on Wednesday announced an enhancement to its secret scanning feature, now allowing users to check the validity of exposed credentials for major cloud services.

Generally available since March 2023, the secret scanning feature is meant to help organizations and developers identify potentially exposed secrets in their repositories and take immediate action.

Backed by a large number of service providers in the GitHub Partner Program, the feature sends alerts to developers when exposed self-hosted keys are detected, and also notifies GitHub partners of leaked secrets in public repositories.

Developers and administrators can enable secret scanning for all their repositories to receive notifications as soon as a secret is inadvertently included in a code commit.

To help organizations and developers triage alerts and remedy exposed tokens faster, GitHub introduced validity checks for its own tokens earlier this year, eliminating the need to check whether each exposed token is active or not.

Now, the code-hosting platform is expanding the capability to AWS, Google, Microsoft, and Slack tokens, GitHub said.

“These account for some of the most common types of secrets detected across repositories on GitHub. We’ll continuously expand validation support on more tokens in our secret scanning partner program.

Enterprise owners and repository administrators can enable the validation checks under “Code security and analysis” in “Settings”, by enabling “Automatically verify if a secret is valid by sending it to the relevant partner” option in the “Secret scanning” section.

Advertisement. Scroll to continue reading.

After enabling the setting, information on whether an exposed token is active or not will be included in the received alerts.

The checks, GitHub says, are performed periodically in the background, but manual checks can also be made, by clicking ‘Verify secret’ in the top right corner.

“Validity checks are another piece of information at your disposal when investigating a secret scanning alert. We hope this feature will provide greater speed and efficiency in triaging alerts and remediation efforts,” GitHub added.

Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Related: GitHub Enterprise Server Gets New Security Capabilities

Related: GitHub Announces New Security Improvements

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.