The Python Package Index is now a GitHub secret scanning integrator

GitHub and the Python Package Index (PyPI) are collaborating to help protect you from leaked PyPI API tokens.

From today, GitHub will scan every commit to a public repository for exposed PyPI API tokens. We will forward any tokens we find to PyPI, who will automatically disable them and notify their owners. The end-to-end process takes just a few seconds.

PyPI is just the latest GitHub secret scanning integrator – since 2018 GitHub has collaborated with 35 token issuers to help keep their customers safe. We continue to welcome new integrators for public repo secret scanning. In addition, GitHub Advanced Security customers can now also scan their private repositories for leaked secrets.

We'd like to thank Joachim Jablon for his work on PyPI that made this collaboration possible.

Submodules defined with relative paths are now clickable in the web UI, making it easy to navigate to linked repositories. Previously, only submodules with absolute URLs were clickable.

Only relative paths following the format ../{repo} (a repository with the same owner) or ../{owner}/{repo} (a repository with a different owner) are supported.

To learn more about submodules, see Working with submodules on the GitHub blog.