If you commit a secret to a public repository, the whole world can see it. GitHub secret scanning helps protect you from fraud and data breaches by scanning for leaked API tokens and, via our partners, automatically notifying you and/or revoking them.
From today, GitHub will scan every commit to a public repository for exposed RubyGems, Adobe and OpenAI API keys. We will forward any keys we find to the relevant service, who will automatically disable them and notify their owners. The end-to-end process takes just a few seconds.
RubyGems, Adobe and OpenAI are just the latest GitHub secret scanning integrators – since 2018 GitHub has collaborated with 36 token issuers to help keep their customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.
If your organization uses IP allow lists to restrict access, any API requests made with an installation access token for a GitHub App installed on your organization already respects those settings.
GitHub is extending this so that the API request to create the installation access token will also respect your organization's allowed IP addresses.
GitHub Advanced Security customers can now specify custom patterns for use in private repo secret scanning. When a new pattern is specified, secret scanning searches a repository's entire git history for it, as well as any new commits.
User defined patterns are in beta on cloud and will be available on GHES next quarter. They can be defined at the repository and organization level.
Learn more about custom patterns
Learn more about secret scanning