GitHub Secret Scanning Now Generally Available

GitHub this week made secret scanning generally available and free for all public repositories.

Code-hosting platform GitHub this week announced that secret scanning is now generally available for all public repositories, for free.

Initially released in beta in December 2022, the feature is meant to help organizations and developers identify credentials and secrets (such as tokens and private keys) that might be exposed in their code.

With secret scanning enabled, developers are notified of any potentially exposed secrets, and can enable alerts across all their repositories.

“You can enable secret scanning alerts across all the repositories you own to notify you of leaked secrets across your full repository history including code, issues, description, and comments,” GitHub says.

The feature is backed by over 100 service providers in the GitHub Partner Program and delivers notifications and an audit log even for exposed self-hosted keys, for full visibility into potential risks.

The alerts for partners, GitHub explains, are automatically delivered for all public repositories, to inform service providers when their secrets are leaked. Whenever a repository is made public, GitHub scans it for secrets that match partner patterns.

Service providers then decide whether the secret should be revoked and a new secret issued instead, or if they should contact the repository administrator or owner directly, depending on the associated risks.

“Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the Security tab of repositories,” GitHub explains.
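To make the pattern-matching behaviour described above concrete, here is a small added example in Python (not GitHub's own code): a toy scanner that runs two partner-style patterns plus one organization-defined custom pattern over constructed artifacts from several parts of a repository (an old commit, an issue comment, the repository description) and emits redacted alerts. Every pattern format and token value is invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed pattern set. The two "partner-style" formats and the "acme_" custom
# pattern are invented for this example; none is a real provider's token format.
PATTERNS = {
    "examplecloud_access_key": re.compile(r"\bEXC[0-9A-Z]{16}\b"),
    "examplepay_live_token": re.compile(r"\bep_live_[a-z0-9]{24}\b"),
    "acme_internal_token": re.compile(r"\bacme_[A-Za-z0-9]{20}\b"),  # org-defined custom pattern
}

@dataclass(frozen=True)
class Alert:
    pattern: str    # which pattern fired
    location: str   # kind of artifact: code, issue_comment, description, ...
    ref: str        # commit id, issue number, etc. (constructed values below)
    line_no: int
    redacted: str   # alerts carry a redacted form, never the full secret

def redact(secret: str) -> str:
    """Keep just enough of the match for the owner to recognise which credential it is."""
    return secret[:4] + "..." + secret[-2:]

def scan(artifacts):
    """Run every pattern over every artifact, including historical commits and comments."""
    alerts = []
    for location, ref, text in artifacts:
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    alerts.append(Alert(name, location, ref, line_no, redact(m.group(0))))
    return alerts

# Constructed sample artifacts: an old commit (already reverted in HEAD), an issue
# comment and the repository description. The secrets are fake values in the fake formats.
SAMPLE_ARTIFACTS = [
    ("code", "commit 1a2b3c4", 'import os\nKEY = "EXCABCDEFGH12345678"  # TODO move to env\n'),
    ("issue_comment", "issue #42", "Repro: curl -H 'Authorization: ep_live_abcdefghijklmnopqrstuvwx' ...\n"),
    ("description", "repo", "Internal tooling. Staging token acme_Zx9Kq2Lm7Pw4Rt8Vb1Ny for CI.\n"),
    ("code", "HEAD", 'KEY = os.environ["EXAMPLECLOUD_KEY"]  # clean: reads from environment\n'),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_ARTIFACTS):
        print(f"[{a.pattern}] {a.location} {a.ref} line {a.line_no}: {a.redacted}")
```

Note that the secret in the old commit is still reported even though HEAD no longer contains it, which is why scanning full history matters.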

Secret scanning can be enabled by any owner or admin of a public repository, while organizations can bulk enable notifications for multiple repositories.

To enable the secret scanning feature, admins need to navigate to the ‘Code security and analysis’ section of the ‘Settings’ tab and select ‘Security’.

Whenever a secret is identified, GitHub sends email alerts to the repository administrators and organization owners and to the contributor who committed the secret.

Ionut Arghire is an international correspondent for SecurityWeek.
