Skip to content

Secret scanning adds validity checks for Mailgun and Mailchimp

Secret scanning is extending validity check support to Mailgun (mailgun_api_key) and Mailchimp (mailchimp_api_key) API keys.

Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically verify validity for alerts on supported token types.

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at both organization and repository levels from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending to the relevant partner.”

Learn more about secret scanning or our supported patterns for validity checks.

The GitHub Enterprise Server 3.12 release candidate is here

GitHub Enterprise Server 3.12 gives customers more fine-grained control over deployment requirements, enhanced security controls, and some . Here are a few highlights:

  • Restrict your deployment rollouts to select tag patterns in Actions Environments.
  • Enforce which Actions workflows must pass with organization-wide repository rulesets.
  • Scale your security strategy with Dependabot Alert Rules. This public beta allows customers to choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in their repository or organization.
  • Automate pull request merges using Merge Queues. Previously developers needed to manually update their pull requests prior to merging, to ensure their changes wouldn’t break the main branch. These updates would initiate a round of continuous integration checks that needed to pass before a pull request could be merged. But with merge queues, this process is automated by ensuring each pull request queued for merging is tested with other pull requests queued ahead of it.
  • Enhance the security of your code with a public beta of Secret Scanning for non-provider patterns, and an update to Code Scanning’s default setup to support all CodeQL languages.
  • GitHub Project templates are available at the organization level, allowing customers to share out and learn best practices in how to set up and use projects to plan and track their work.
  • Updated global navigation to make using and finding information better, as well as improve accessibility and performance.
  • Highlight text in markdown files with accessibility aspects in mind with the alerts markdown extension, which gives you five levels to use (note, tip, important, warning, and caution).

Release Candidates are a way for you to try the latest features early, and they help us gather feedback to
ensure the release works in your environment. They should be tested on non-production environments.
Read more about the release candidate process.

Read more about GitHub Enterprise Server 3.12 in the release notes,
or download the release candidate now.
If you have any feedback or questions, please contact our Support team.

See more

Developers with free accounts on GitHub could enable secret scanning’s push protection at the user level since last August. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled. On February 27, this feature will be start to be enabled automatically for all free accounts across GitHub.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

You can enable this feature now in your user settings. After February 27, you can opt out of push protection and disable it. Disabling push protection may cause secrets to be accidentally leaked.

See more