Application Security

GitHub Secret Scanning Now Generally Available

GitHub this week made secret scanning generally available and free for all public repositories.

Code-hosting platform GitHub this week announced that secret scanning is now generally available for all public repositories, for free.

Initially released in beta in December 2022, the feature is meant to help organizations and developers identify credentials and secrets (such as tokens and private keys) that might be exposed in their code.

With secret scanning enabled, developers are notified of any potentially exposed secrets, and can enable alerts across all their repositories.

“You can enable secret scanning alerts across all the repositories you own to notify you of leaked secrets across your full repository history including code, issues, description, and comments,” GitHub says.

The feature is backed by over 100 service providers in the GitHub Partner Program and delivers notifications and an audit log even for exposed self-hosted keys, for full visibility into potential risks.

Partner alerts, GitHub explains, are delivered automatically for all public repositories, with no opt-in by the repository owner, so that a service provider learns when a credential it issued has been leaked. Whenever a repository is made public, GitHub scans it for secrets that match partner patterns.

Service providers then decide whether the secret should be revoked and a new secret issued instead, or if they should contact the repository administrator or owner directly, depending on the associated risks.

“Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the Security tab of repositories,” GitHub explains.
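The mechanism GitHub describes above is pattern matching over every version of every file, not just the current tree. The following is an added example, not GitHub's own scanner: a minimal history-aware scanner in Python that walks commit patches, matches each line against a few provider-style patterns plus one "defined by you or your organization" pattern, and records every commit in which each secret appears. The regular expressions are simplified public token formats (a GitHub personal access token, an AWS access key ID, a PEM private-key header) and are assumptions, not the partner-supplied patterns GitHub uses; the `INTKEY-` pattern and the two-commit sample history are constructed for the example.

```python
"""Minimal history-aware secret scanner (added example, not GitHub's code).

Shows why scanning full history matters: a secret that is committed and then
deleted in a later commit is still present in the repository's history.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Simplified approximations of public token formats (assumptions, not GitHub's
# partner patterns, which are supplied by the providers themselves).
PARTNER_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# A custom pattern of the kind an organization would define for its own keys
# (hypothetical format chosen for this example).
CUSTOM_PATTERNS = {
    "internal_api_key": re.compile(r"\bINTKEY-[0-9a-f]{32}\b"),
}


@dataclass
class Alert:
    pattern: str
    secret: str
    commits: list = field(default_factory=list)  # every commit carrying it


def scan_patch(patch):
    """Return (pattern_name, matched_secret) for every match in one patch.

    Added, removed and context lines are all scanned after stripping the
    leading diff marker, so a removal commit still reports the secret.
    """
    hits = []
    for raw in patch.splitlines():
        if raw.startswith(("diff --git", "index ", "+++", "---", "@@")):
            continue
        line = raw[1:] if raw and raw[0] in "+- " else raw
        for name, rx in {**PARTNER_PATTERNS, **CUSTOM_PATTERNS}.items():
            for m in rx.finditer(line):
                hits.append((name, m.group(0)))
    return hits


def scan_history(commits):
    """commits: iterable of (sha, patch_text). Returns one Alert per secret,
    listing each commit in which that secret occurs (deduplicated)."""
    alerts = {}
    for sha, patch in commits:
        for name, secret in scan_patch(patch):
            alert = alerts.setdefault((name, secret), Alert(name, secret))
            if sha not in alert.commits:
                alert.commits.append(sha)
    return list(alerts.values())


def redact(secret):
    """Keep only the prefix and suffix so an alert can be shown in a log."""
    return secret[:4] + "..." + secret[-4:]


def iter_git_commits(repo_path):
    """Yield (sha, patch) for every commit reachable from any ref in a real
    repository, newest first (requires git on PATH; not used by the test)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "-p", "--format=commit %H"],
        check=True, capture_output=True, text=True,
    ).stdout
    sha, buf = None, []
    for line in out.splitlines():
        if line.startswith("commit ") and len(line) == 47:
            if sha is not None:
                yield sha, "\n".join(buf)
            sha, buf = line[7:], []
        else:
            buf.append(line)
    if sha is not None:
        yield sha, "\n".join(buf)


# Constructed two-commit history: the first commit adds three secrets, the
# second "fixes" the leak by deleting the lines. The AWS key is Amazon's
# documented example key; the PAT is a synthetic string of the right shape.
SAMPLE_HISTORY = [
    ("a1b2c3d", """diff --git a/config.py b/config.py
+++ b/config.py
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SERVICE_KEY = "INTKEY-00112233445566778899aabbccddeeff"
"""),
    ("e5f6a7b", """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
-GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-SERVICE_KEY = "INTKEY-00112233445566778899aabbccddeeff"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
"""),
]

if __name__ == "__main__":
    for a in scan_history(SAMPLE_HISTORY):
        print(f"{a.pattern}: {redact(a.secret)} in commits {a.commits}")
```

Run against the constructed history, every secret is reported in both commits, which is the practical lesson behind "full repository history": a follow-up commit that removes a leaked credential does not remove the exposure, and the only fix is to revoke the credential and issue a new one. To scan a real checkout, pass `iter_git_commits("/path/to/repo")` to `scan_history`.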

Secret scanning can be enabled by any owner or admin of a public repository, while organizations can bulk enable notifications for multiple repositories.

To enable secret scanning alerts, admins open the repository's ‘Settings’ tab, go to ‘Code security and analysis’, and click ‘Enable’ next to ‘Secret scanning’.

Whenever a secret is identified, GitHub sends email alerts to the repository administrators and organization owners and to the contributor who committed the secret.

Related: GitHub Revokes Code Signing Certificates Following Cyberattack

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Related: GitHub Introduces Automatic Vulnerability Scanning Feature

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
