Secret scanning indicates known public leaks and duplicate alerts for private exposures (public beta)

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now indicates if a secret detected in your repository has also leaked publicly with a public leak label on the alert. The alert also indicates if the secret was exposed in other repositories across your organization or enterprise with a multi-repo label.

These labels provide additional understanding into the distribution of an exposed secret, while also making it easier to assess an alert’s risk and urgency. For example, a secret which has a known associated exposure in a public location has a higher likelihood of exploitation. Detection of public leaks is only currently supported for provider-based patterns.

The multi-repo label makes it easier to de-duplicate alerts and is supported for all secret types, including custom patterns. Both indicators apply only for newly created alerts.

In the future, GitHub will surface locations of the known public leak, as well as repository names with duplicate alerts. This metadata will also be surfaced via the REST API and webhooks.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

New commit details page (public beta)

A new version of the commit details page is now available in public beta!

This new page, which is enabled by default, lets you quickly understand and navigate the changes in a commit with improvements to filtering, commenting, and keyboard navigation.

Screen shot of the new commit details page that shows the metadata about the commit, a file tree showing the 3 files changed by the commit, diff snippets for each of the changed files, and a floating comment

What’s new 🎉

Here are a few of the noteworthy changes:

  • Floating comments: Code comments float over the diff when selected. To select, click on the commenter’s avatar to the right of the line.
  • Comment counts: To help you identify files with comments, the number of comments for a file now appears in the file tree.
  • Keyboard navigation within diffs: You can now navigate around changed lines in the diff using the up and down keys on your keyboard. A new context menu also makes it easier to comment, copy, and select.
  • Quick view switching: Switching between unified and split views no longer reloads the page.
  • Filter by file extension: Easily filter changed files by file extension in the diff to see the content most relevant to you.
  • Filtered out diffs hidden: When filtering the file tree, diffs are filtered as well, allowing you to reduce distraction and see the files you care about most.

Next steps 📣

To give feedback, ask questions, or report a bug join us in the feedback discussion.

To opt out of the preview, go the Feature Preview dialog on your profile, select New Commit Details Page, and click Disable.

To learn more about viewing commits, see About commits.

See more

New advanced filters for code security configurations

When reviewing code security configurations, you can now more easily filter repositories with new filter options.

The new filters allow you to sort repositories based on the status of specific features or GHAS itself:

  • advanced-security:enabled
  • dependabot-alerts:enabled
  • dependabot-security-updates:enabled
  • code-scanning-alerts:enabled
  • code-scanning-default-setup:enabled
  • code-scanning-pull-request-alerts:enabled
  • secret-scanning-alerts:enabled
  • secret-scanning-push-protection:enabled

Note that :disabled also works for each of the filters above to achieve the inverse.

Additionally, you can filter based on whether or not a repository is eligible for code scanning default setup:
– code-scanning-default-setup:eligible
– code-scanning-default-setup:not-eligible

These filters are available for organizations with GitHub Advanced Security (GHAS) enabled, and are only available in the UI at this time.

Learn more about code security configurations and send us your feedback.

See more
View all changes