GitHub and the Python Package Index (PyPI) are collaborating to help protect you from leaked PyPI API tokens.
From today, GitHub will scan every commit pushed to a public repository for exposed PyPI API tokens. We will forward any tokens we find to PyPI, which will automatically disable them and notify their owners. The end-to-end process, from push to revocation, takes just a few seconds.
PyPI is just the latest GitHub secret scanning integrator: since 2018 GitHub has collaborated with 35 token issuers to help keep their customers safe. We continue to welcome new integrators for public repository secret scanning. In addition, GitHub Advanced Security customers can now also scan their private repositories for leaked secrets.
We'd like to thank Joachim Jablon for his work on PyPI that made this collaboration possible.