Skip to content

Checkout.com and FullStory are now GitHub secret scanning partners

GitHub Secret Scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and fraudulent uses of secrets that were committed accidentally.

Checkout.com is a cloud-based global payments platform that empowers brands like Adidas, Samsung, and Wise with digital payments built for speed and scale. Checkout.com alerts customers and their account managers of any suspected credential compromise based on notifications from GitHub.

FullStory's Digital Experience Intelligence platform helps companies answer questions about their digital experience by transforming digital interactions across websites and mobile apps into actionable metrics. If a token is exposed, FullStory will notify the developer at risk. For more information on protecting and rotating your FullStory tokens, please refer to their documentation.

We partnered with Checkout.com and FullStory to scan for their API tokens to help keep all of our mutual developers and customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

Today, we are releasing version 8 of the npm CLI. A Semver-Major release of the CLI allows us to drop support for Node.js 10, making it easier for us to maintain npm through the LTS life cycle of Node.js 16.

With this change, most customers will automatically get the update when updating Node.js, and version 8 will be the default version installed when you run npm i -g npm. If you’re interested in reading more about this change, check out this breaking changes issue.

See more

In March we made a change in GitHub Actions that forced workflows triggered by Dependabot to run with a read-only token. This change was made to protect your repositories from potentially malicious dependencies in the same way we prevent pull requests from forks from having privileged access to your repository. We received a lot of feedback from you on how this impacted your workflows and while it was great to be in a safe configuration by default, you wanted to have the option to continue working as you had prior to this change.

In April we introduced the permissions key in the Actions workflow config which enables you to control which permissions are given to a particular workflow or job.

Starting October 11, 2021 workflow runs on push and pull_request events triggered by Dependabot will begin to respect the permissions specified in your workflows putting you back in control of how you manage automatic dependency updates. The default token permissions will remain read-only.

In addition to the permissions change we are working to enable workflows triggered by Dependabot to use Dependabot secrets. This change will enable you to use those secrets to pull dependencies from private repositories.

Learn more about the permissions key in Actions workflows

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

See more