
Our Secret Scanning program adds new partners

Secret leaks are one of the most common security mistakes, and they can have disastrous consequences. GitHub Secret Scanning looks for leaked secrets in all public repositories, and enrolled private repositories, and works with the issuer to notify the developer and/or revoke the token as appropriate. This protects users from fraud and data leaks.

In addition to our 29 existing partners, GitHub has partnered with Clojars, Mailchimp, Finicity, and Plivo to scan for their developer tokens! This brings our total number of token scanning partners to 33.

Code scanning API

If you are enrolled in the GitHub Advanced Security code scanning beta, we are releasing new APIs for you to start using. This release also includes some breaking changes to the existing code scanning /alerts API.

New capabilities

  • Get recent code scanning analyses for a repository
  • Update the state of a code scanning alert
  • Upload a SARIF file to create alerts from your GitHub App or GitHub Actions workflow
  • Get webhook events for code scanning alerts

Breaking changes

  • The existing code scanning /alerts endpoint has changed.
    • open has been replaced by state, which can have values open, fixed, or dismissed
    • closed_at, closed_reason, and closed_by have been replaced by dismissed_at, dismissed_reason, and dismissed_by
    • Rule properties are now nested within a rule object
    • Tool properties are now nested within a tool object
    • You can now get status about alerts across multiple branches. This state is stored in the instances object

For more information, see the code scanning API reference.
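The breaking changes above matter for any client that consumes /alerts: a consumer that still reads the old open flag gets nothing back on the new shape and can silently treat every finding as closed. The following is an added example, not GitHub's code, showing a small consumer that rejects old-shape alerts, reports per-branch status from the instances object, and summarises dismissals. The sample alerts are constructed; field names follow the changelog, while the ref and state keys inside instances, and all ids, refs and dates, are assumptions.

```python
"""Consumer for the changed code scanning /alerts response shape.

Added example, not GitHub's code. SAMPLE_ALERTS is constructed: the top-level
field names come from the changelog; the ref/state keys inside instances and
every id, ref and date are made up for illustration.
"""
from collections import Counter

OLD_SHAPE_KEYS = {"open", "closed_at", "closed_reason", "closed_by"}
VALID_STATES = {"open", "fixed", "dismissed"}

SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "dismissed_at": None, "dismissed_by": None,
     "dismissed_reason": None,
     "rule": {"id": "js/sql-injection", "severity": "error"},
     "tool": {"name": "CodeQL"},
     "instances": [{"ref": "refs/heads/main", "state": "open"},
                   {"ref": "refs/heads/release", "state": "fixed"}]},
    {"number": 2, "state": "dismissed", "dismissed_at": "2020-08-10T12:00:00Z",
     "dismissed_by": {"login": "octocat"}, "dismissed_reason": "false positive",
     "rule": {"id": "js/xss", "severity": "warning"},
     "tool": {"name": "CodeQL"},
     "instances": [{"ref": "refs/heads/main", "state": "dismissed"}]},
]


def check_shape(alert):
    """Fail loudly on a pre-change alert instead of misreading it as closed."""
    stale = OLD_SHAPE_KEYS & alert.keys()
    if stale or "state" not in alert:
        raise ValueError(f"alert {alert.get('number')} uses old shape: {sorted(stale)}")
    if alert["state"] not in VALID_STATES:
        raise ValueError(f"unknown state {alert['state']!r}")
    return True


def open_on_ref(alerts, ref):
    """Alert numbers still open on one branch, read from the per-branch instances."""
    return [a["number"] for a in alerts if check_shape(a)
            and any(i["ref"] == ref and i["state"] == "open" for i in a["instances"])]


def dismissal_report(alerts):
    """Count dismissals by (rule id, reason) so reviewers can audit what was waved through."""
    return Counter((a["rule"]["id"], a["dismissed_reason"])
                   for a in alerts if check_shape(a) and a["state"] == "dismissed")


def count_by_state(alerts):
    """Overall state distribution, using the new state field rather than open."""
    return Counter(a["state"] for a in alerts if check_shape(a))
```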
