Copilot secret scanning for generic passwords is generally available

Copilot secret scanning is now generally available. Copilot secret scanning, which detects generic passwords using AI, offers greater precision for unstructured credentials that can cause security breaches if exposed. Over 350,000 repositories have already enabled this password detection.

To enable Copilot secret scanning, select “Scan for generic secrets” within your code security and analysis settings at the repository level, or the code security global settings at the organization level. You can also use the Update a repository API endpoint for enablement at the repository level. Support for enablement through your organization’s code security configurations, as well as enablement for organizations and enterprises with the API, will come in a future release.

Password detection is backed by the Copilot API and is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license to enable generic secret detection. Passwords found in git content will create a secret scanning alert in the “Experimental” tab, separate from regular alerts.

In effort to reduce false positives and detections of secrets that are used in tests, Copilot secret scanning will not:
– detect more than 100 passwords per push
– detect secrets in media files (.svg, .png, .jpeg)
– detect secrets in language files (.js, .py, .ts, .java, .cs, or .rb) that contain test, mock, or spec in the filepath
– detect additional secrets in files where five or more alerts have been marked as false positive

Note that passwords will not be detected in non-git content, like GitHub Issues or pull requests. Passwords are also excluded from push protection, another feature of secret scanning designed to prevent sensitive information from being pushed to your repository.

Learn more about secret scanning and generic secret detection or join our community discussion.

New PAT rotation policies preview and optional expiration for fine-grained PATs

Enterprise and organization administrators can now set limits on token lifetimes for the personal access tokens (PATs) used against their resources. These policies mandate token rotation on a regular basis and reduce how long a compromised token is good for, while also providing a lever to reduce the use of less-secure PATs in your company. This public preview is available for all enterprises and organizations, and will be included in GHES 3.16.

Administrators can choose a maximum lifetime between 1 and 366 days for fine-grained PATs and PATs (Classic).
The policies for each token type are distinct, so you can promote the use of fine-grained tokens with a longer lifetime while driving down PAT (Classic) usage with a very short lifetime requirement.

Screenshot of the policy UI for fine-grained PATs, showing that fine-grained PATs must expire within 90 days and that enterprise administrators are exempt

The policies apply when tokens are created, regenerated, or used.

If you want to create a PAT for a specific organization, but that organization or enterprise has a lifetime policy, your lifetime options will be restricted. Additionally, if you try to use an already-created PAT in an organization or enterprise with a policy, the call will fail if the token has too long a lifetime.

If your enterprise has audit log streaming enabled, you’ll be able to track when this policy has blocked a PAT from being used.

Allowing infinite-lifetime fine-grained PATs

With this change, developers can now create fine-grained tokens with no expiration for personal projects, an option that developer feedback said was needed to migrate from PATs (Classic) to more secure fine-grained PATs.

Enterprises and organizations have a 366 day expiration policy for fine-grained tokens by default, so developers still can’t create infinite lifetime fine-grained PATs for use against an organization they’re a member of, unless the administrator relaxes the policy.

For more information, see our documentation on Enterprise and Organization PAT policies.

Join the discussion within GitHub Community for feedback and questions.

See more

New Terminology for GitHub Previews

As part of our commitment to improving your experience at GitHub, we’re simplifying the terminology we use to refer to products that are in testing and validation stages. Starting on October 18, 2024, you’ll start seeing the word “Preview” instead of “Alpha” or “Beta” to describe our features that are not yet generally available.

What’s Changing?

Our goal with this update is to create a more consistent, clear process that helps our customers understand the state of new features and how they fit into their development workflows.

  • As shown in the table below, we’re reducing the number of terms we’re using but keeping the same flexibility for giving early access and gathering customer feedback before a General Availability (GA) launch.
  • The key difference between “Private” and “Public” previews is whether the release is publicly announced.

What to Expect

These changes are now live in customer-facing documentation as of today.

Here’s an overview of the changes:

Previous Terminology New Terminology Details
Alpha Private Preview
  • Not publicly announced
  • Limited number of customers
Private Beta
Technical Preview Technical Preview
  • Used for experiments and research projects primarily from GitHub Next
  • Limited number of customers
Limited Public Beta Public Preview
  • Publicly announced on the GitHub Changelog and includes GitHub Docs
  • May be open to all, or limited to selected customers behind a waitlist
Public Beta
General Availability General Availability
Deprecation Closing Down
  • Signals that a product or service is being phased out
Sunset Retired
  • Marks the official end of a product or feature’s life
  • No longer available, supported, or maintained

Thanks for being part of the GitHub community! These updates are designed to provide clearer communication and a smoother experience as we roll out new features.

See more
View all changes