
Adafruit and Samsara join our token scanning program

Token leaks are one of the most common security mistakes, and they can have disastrous consequences. GitHub token scanning looks for leaked tokens in public repositories and works with the issuer to notify the developer and/or revoke the token as appropriate. This protects users from fraud and data leaks. Starting today, GitHub has partnered with Adafruit and Samsara to scan for their respective developer tokens! This brings our total number of token scanning partners to 21.

GitHub token scanning now scans inside any zip-encoded file. This covers files with a .zip extension and many other common file formats, like .xlsx and .numbers, that are zip-encoded. These scans are in addition to the existing scans of the text content of every commit to every public repository. In all cases, we scan for both GitHub tokens and tokens for a number of our partners.
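A sketch of what scanning inside zip-encoded files involves, as an added example rather than GitHub's scanner: it treats any blob that parses as a zip (including an .xlsx nested inside a .zip) as a container and scans each member. The `exmpl_` token format, the size and depth limits, and the sample archive are assumptions constructed for this illustration.

```python
import io
import re
import zipfile
import zlib

# Hypothetical token format invented for this example (not a real issuer's pattern).
TOKEN_RE = re.compile(rb"\bexmpl_[A-Za-z0-9]{24}\b")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap: skip or truncate larger members
MAX_DEPTH = 3                       # assumed cap on archives nested in archives


def scan_blob(data, path, depth=0):
    """Return (path, token) findings; descend into zip-encoded content."""
    findings = []
    buf = io.BytesIO(data)
    if depth < MAX_DEPTH and zipfile.is_zipfile(buf):
        try:
            with zipfile.ZipFile(buf) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    with zf.open(info) as member:
                        # Read at most the cap, whatever the header claims.
                        body = member.read(MAX_MEMBER_BYTES)
                    findings += scan_blob(body, f"{path}!{info.filename}", depth + 1)
            return findings
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError, zlib.error):
            pass  # corrupt or encrypted archive: fall back to scanning raw bytes
    return findings + [(path, m.group().decode()) for m in TOKEN_RE.finditer(data)]


def build_sample():
    """Constructed sample: a .zip holding a text file and an .xlsx (itself a zip)."""
    token = "exmpl_" + "A1b2C3d4E5f6G7h8I9j0K1l2"  # constructed value, not a real token
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", f"<sst><si><t>{token}</t></si></sst>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "no secrets here\n")
        zf.writestr("budget.xlsx", xlsx.getvalue())
    return outer.getvalue(), token


if __name__ == "__main__":
    blob, _ = build_sample()
    for where, tok in scan_blob(blob, "upload.zip"):
        print(f"{where}: {tok[:10]}... (redacted)")
```

The file extension is never consulted; the container check is on content, which is why the spreadsheet inside the archive is scanned the same way as a file named `.zip`.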

When GitHub detects a set of credentials, we notify the service provider who issued the token. The service provider validates the credential and then decides whether they should revoke the token, issue a new token, or reach out to you directly, which will depend on the associated risks to you or the service provider. These steps can protect you from data loss and from unexpected large bills from your service providers.

Learn more about how to become a token scanning partner
