
Application Security

GitHub Secret Scanning Now Generally Available

GitHub this week made secret scanning generally available and free for all public repositories.

Code-hosting platform GitHub this week announced that secret scanning is now generally available for all public repositories, for free.

Initially released in beta in December 2022, the feature is meant to help organizations and developers identify credentials and secrets (such as tokens and private keys) that might be exposed in their code.

With secret scanning enabled, developers are notified of any potentially exposed secrets, and can enable alerts across all their repositories.

“You can enable secret scanning alerts across all the repositories you own to notify you of leaked secrets across your full repository history including code, issues, description, and comments,” GitHub says.

The feature is backed by over 100 service providers in the GitHub Partner Program and delivers notifications and an audit log even for exposed self-hosted keys, for full visibility into potential risks.

The alerts for partners, GitHub explains, are automatically delivered for all public repositories, to inform service providers when their secrets are leaked. Whenever a repository is made public, GitHub scans it for secrets that match partner patterns.

Service providers then decide whether the secret should be revoked and a new secret issued instead, or if they should contact the repository administrator or owner directly, depending on the associated risks.

“Any strings that match patterns provided by secret scanning partners, by other service providers, or defined by you or your organization, are reported as alerts in the Security tab of repositories,” GitHub explains.
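To make the pattern-matching model concrete, the following is an added example written for this page, not GitHub's own scanner or any partner's code. It scans the kinds of content the article names (code, issues, descriptions, comments) against two constructed patterns: a hypothetical `acme_` token format standing in for a partner-provided pattern, and a PEM private-key header standing in for a user-defined one. A Shannon-entropy check drops obvious placeholders such as `acme_xxxx...` so they do not generate alerts, and matched secrets are redacted before being reported. The `acme_` format, the sample file contents and the entropy threshold are all assumptions made for the example.

```python
"""Minimal secret-scanning-style detector (added example, not GitHub code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed patterns. 'acme_' is a hypothetical partner token format;
# the PEM header stands in for a user-defined pattern.
PATTERNS = {
    "acme_api_token": re.compile(r"\bacme_[A-Za-z0-9]{32}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values indicate placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Alert:
    source: str      # "code", "issue", "description" or "comment"
    location: str    # file or item plus line number
    pattern: str     # which pattern matched
    redacted: str    # the match with its middle masked


def redact(secret: str) -> str:
    """Keep only the first and last four characters of a match."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(source: str, location: str, text: str, min_entropy: float = 3.0):
    """Run every pattern over each line of one content item."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(0)
                # Token-shaped strings made of repeated filler are placeholders,
                # not leaks; skip them to keep alerts actionable.
                if name == "acme_api_token" and shannon_entropy(secret) < min_entropy:
                    continue
                alerts.append(Alert(source, f"{location}:{lineno}", name, redact(secret)))
    return alerts


def scan_repository(items):
    """Scan a sequence of (source, location, text) tuples; return all alerts."""
    alerts = []
    for source, location, text in items:
        alerts.extend(scan_text(source, location, text))
    return alerts


# Constructed sample content covering code, a placeholder, an issue and a comment.
SAMPLE_ITEMS = [
    ("code", "config.py", 'API_TOKEN = "acme_Q7pL9xR2mN4kS8vT1wY6zB3cD5fG0hJa"\n'),
    ("code", "README.md", 'token = "acme_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder\n'),
    ("issue", "issues/17", "It fails with:\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"),
    ("comment", "pr/42#comment-3", "Looks fine to me\n"),
]

if __name__ == "__main__":
    for alert in scan_repository(SAMPLE_ITEMS):
        print(f"[{alert.source}] {alert.location} {alert.pattern}: {alert.redacted}")
```

Running the module reports two alerts, one for the real-looking token in `config.py` and one for the private-key header pasted into an issue, while the placeholder in `README.md` and the harmless comment produce nothing. A production scanner would also walk the full commit history rather than only the current text, which is the distinction the article draws when it says alerts cover the full repository history.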


Secret scanning can be enabled by any owner or admin of a public repository, while organizations can bulk enable notifications for multiple repositories.

To enable the secret scanning feature, admins need to navigate to the ‘Code security and analysis’ section of the ‘Settings’ tab and select ‘Security’.

Whenever a secret is identified, GitHub sends email alerts to the repository administrators and organization owners and to the contributor who committed the secret.

Related: GitHub Revokes Code Signing Certificates Following Cyberattack

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Related: GitHub Introduces Automatic Vulnerability Scanning Feature

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
