
Secret scanning now stores encrypted secrets

GitHub now stores detected secrets using symmetric encryption. Storing the encrypted secret allows secret scanning to provide the best possible user experience.

Previously, we stored only the locations of an exposed secret and a hash of it. Each time we presented the secret in the UI or API, we therefore had to re-read it from its recorded location and check it against the stored hash. This meant that we could not always display a preview of a detected secret, which in turn kept users from confirming that they were revoking and remediating the right credential. Below are a few examples of when we could not previously show users the secret preview:

  1. If a contributor leaked a secret and then rewrote their Git history
  2. If the secret was found in a file larger than a certain size, for practical performance reasons
  3. If the secret was detected in a file with certain text encoding that was incompatible for previewing in GitHub UI

Now, GitHub stores detected secrets separately from source code using symmetric encryption. By storing this information we can more reliably retrieve and display detected secrets with a consistent user experience even if they've been removed from version history. As a result, as a user, you'll no longer be left wondering what a previously detected secret was and whether its previous exposure represents a long-term threat.

With our users’ security always top of mind, we’re confident that the change to our secrets storage will allow our users to take the proper remediation and revocation steps they need to secure their software.

The enterprise audit log now records changes to GitHub Advanced Security, secret scanning, and push protection enablement.

The organization-level audit log now also records when a push protection custom message is enabled, disabled, or updated.


Adding a configuration for Codespaces involves adding a Development Container to a repository and editing it to meet your needs. Previously, a dev container configuration could either be written manually or created with a VS Code extension. We have now added the ability to create or edit a configuration directly from the Code drop down on a GitHub repository page.

Code dropdown showing the new Codespaces configuration option

Whether you use this mechanism, or you already have a dev container in your repository, you can now edit that configuration within GitHub using the new configuration editor. To open the editor from the code view in a repository, click the pencil icon while viewing a devcontainer.json file.

screenshot of view of devcontainer.json file

You are now editing the devcontainer.json file in place in the browser. The dev container needs to conform to the Development Container specification. The editor makes using dev container Features easy. Dev container Features provide reusable configurations for Codespaces created from the repository. Browse available Features from the right side of the dev container editor.

screenshot of editor and marketplace

To use a dev container Feature, copy the JSON snippet and place it in the features object of your devcontainer.json file. Once you have the Features you want, commit those changes to the repository by clicking the "Start commit" button.

screenshot of the start commit button function
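As an added example that is not part of the original post, here is what a minimal devcontainer.json looks like after two Feature snippets have been pasted into the features object. The base image, the Feature identifiers and their option values are illustrative assumptions, not something the page prescribes:

```json
{
  "name": "example-service",
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "features": {
    "ghcr.io/devcontainers/features/node:1": {
      "version": "20"
    },
    "ghcr.io/devcontainers/features/github-cli:1": {}
  },
  "remoteUser": "vscode"
}
```

Each key under features is an OCI reference to a Feature, and the value is that Feature's options object (empty when you accept the defaults). Because Feature install scripts run as root while the container is built, pin each reference to a version tag (the `:1` above) rather than `:latest`, and only reference registries you trust; a compromised or floating Feature gets the same access to the codespace, its secrets and its repository token as any other code you run inside it.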

We hope this will make configuring your repositories for Codespaces significantly easier.
