Skip to content

Secret scanning scans public npm packages

Secret scanning automatically detects leaked secrets across all public packages on the npm registry. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact the committer directly. Package maintainers will not receive secret scanning alerts for these detections.

There are two new metrics available under the Repository object in the GraphQL API:

  • LastContributionDate – The most recent date there was any of the following activity: a commit to a repository’s default branch, opening an issue or discussion, answering a discussion, proposing a pull request, or submitting a pull request review. This is a good single-number metric to find projects that may be unmaintained or in need of archiving.
  • CommitCount – A monotonically increasing count of the total number of commits pushed to the default branch of the repository. Tracking the change in this over time will give a sense of the overall activity in the repository.

These metrics are currently in public beta, so you will need to include a header to your GraphQL requests to opt-in:

GraphQL-Features: ospo_metrics_api

Additional documentation and context around these metrics is available in the github-ospo repo. Please provide your feedback on this discussion thread:

See more