Skip to content

secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Secret scanning has recently expanded coverage to GitHub discussions and pull requests.

GitHub is now performing a backfill scan, which will detect any historically existing secrets found in GitHub discussions and pull request bodies or comments.

For repositories with secret scanning enabled, if a secret is detected in a discussion or pull request, you will receive a secret scanning alert for it. Public leaks detected in public GitHub discussion or pull requests will also be sent to providers participating in the secret scanning partnership program.

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn how to secure your repositories with secret scanning or become a secret scanning partner.

See more

GitHub secret scanning now supports validity checks for Google Cloud Platform (GCP) account credentials and Slack webhooks. This improvement involves changes to how account credentials for GCP are detected and alerted on.

What’s changing

Secret scanning alerts for Slack webhooks now support validity checks, in addition to previously supported Slack API tokens.

In addition, secret scanning now also alerts on complete GCP service account credential objects which include the fully matched private key, private key ID, and certificate URLs. These alerts support validity checks. As part of this change, you will no longer receive alerts for GCP private key IDs.

About validity checks

Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically check validity for alerts on supported token types.

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at the enterprise, organization, or repository level from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending it to the relevant partner.”

Share feedback

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn more about secret scanning or our supported patterns for validity checks.

See more

Today, we’re releasing security tool-specific filters for the security overview dashboard and secret scanning metrics page.

Security tool-centric filters in the filter bar drop-down on the overview dashboard

Have you ever wondered, “How well is my organization handling SQL injections?” or “How quickly are we responding to [partner name] secret leaks?” Maybe you’re curious about the pace of updating your npm dependencies. Well, wonder no more!

With our new security tool filters, you can tailor your search to the exact details you’re curious about, giving you a more focused and relevant report for your needs.

Discover the new filters that are designed to transform your security analysis:

  • Dependabot filters: Zero in on a specific ecosystem, package, and dependency scope.
  • CodeQL/third-party filters: Drill down to the rule that matters most to you.
  • Secret scanning filters: Get granular with filters for secret type, provider, push protection bypassed status and validity.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and send us your feedback

See more

Secret scanning is expanding coverage to GitHub wiki content. If secret scanning is enabled for your repository, you’ll automatically begin to receive alerts for newly introduced secrets found in your GitHub wiki.

Publicly leaked secrets in GitHub wikis will also be sent to secret scanning partners participating in the secret scanning partner program.

Share feedback or learn more

Sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

Learn how to secure your repositories with secret scanning or become a secret scanning partner.

See more

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings that can be applied to groups of repositories. Your organization can apply the ‘GitHub recommended’ security configuration, which applies GitHub’s suggested settings for Dependabot, secret scanning, and code scanning. Alternatively, you can instead create your own custom security configurations. For example, an organization could create a ‘High risk’ security configuration for production repositories, and a ‘Minimum protection’ security configuration for internal repositories. This lets you manage security settings based on different risk profiles and security needs. Your organization can also set a default security configuration which is automatically applied to new repositories, avoiding any gaps in your coverage.

With security configurations, you can also see the additional number of GitHub Advanced Security (GHAS) licenses that are required to apply a configuration, or made available by disabling GHAS features on selected repositories. This lets you understand license usage when you roll out GitHub’s code security features in your organization.

Security configurations are now available in public beta on GitHub.com, and will be available in GitHub Enterprise Server 3.14. You can learn more about security configurations or send us your feedback.

See more

We have partnered with Mergify to scan for their tokens to help secure our mutual users in public repositories. Mergify’s API key enables users to interact with Mergify’s API in order to retrieve information on their merge queues. GitHub will forward any exposed API keys found in public repositories to Mergify, who will then revoke the key and notify the key owner. Read more information about Mergify API keys.

GitHub Advanced Security customers can also scan for and block Mergify tokens in their private repositories.
Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.

We have partnered with volcengine to scan for their access tokens, which are used for cloud computing services. We’ll forward access tokens found in public repositories to volcengine, who will notify the user by email without making any changes to the tokens. Users can request support for their volcengine API tokens.

We continue to welcome new partners for public repository secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.
Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Lightspeed to scan for their tokens to help secure our mutual users in public repositories. Lightspeed Retail Personal Tokens enable users to interact with Lightspeed Retail POS programmatically. Read more information about Lightspeed tokens.

GitHub Advanced Security customers can also scan for and block Lightspeed tokens in their private repositories.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with WorkOS to scan for their tokens to help secure our mutual users in public repositories. WorkOS’ API key enables access to WorkOS’ API for adding Enterprise Ready features to your application. GitHub will forward any exposed API keys found in public repositories to WorkOS, who will then notify admin users on your WorkOS account. Read more information about WorkOS API keys.

GitHub Advanced Security customers can also scan for and block WorkOS tokens in their private repositories.

See more

Today, we’re releasing a host of new insights to the security overview dashboard, as well as an enhanced secret scanning metrics page.

New dashboard insights

overview dashboard with third-party tools, the trend indicator for age of alerts, and reopened alerts tile highlighted

  • Third-party alerts integration: Beyond GitHub’s own CodeQL, secret scanning, and Dependabot security tools, you can now view alert metrics for third-party tools directly on the overview dashboard. Use tool:[third-party-tool name] to view metrics for a specific third-party security tool, or tool:third-party to view metrics for all third-party security alerts.
  • Reopened alerts tracking: Uncover recurring vulnerabilities with the new reopened alerts metric tile, which identifies vulnerabilities that have resurfaced after being previously resolved. This data point helps assess the long-term effectiveness of your remediation efforts.
  • Trend indicators: Review changes over time with trend indicators for key metrics like age of alerts, mean time to remediate, net resolve rate, and total alert count. These indicators offer a clear view of performance shifts and trends between a given date range and that same range reflected backward in time.
  • Advisories tab: Stay informed with the new advisories table, which details the top 10 alert advisories affecting your organization, including the advisories’ CVE IDs, ecosystems, open alert counts, and severities.

Secret scanning metrics page enhancements

secret scanning metrics page with filter bar highlighted

You can now refine your insights with filters for dates, repository custom properties, teams, and more on the secret scanning metrics page. These new filters empower you to pinpoint specific repositories and view changes over time, enabling a more targeted analysis. Additionally, if you are an organization member, you can now view metrics for the repositories you have access to.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more

Starting today, you can take advantage of the new “age” grouping for the alert trends graph and explore enhanced filter options on the security overview dashboard, aimed at improving your analytical process and security management.

alert trends grouped by age

Explore the dynamics of your security alerts with the new alert age grouping on the alert trends graph. This new functionality offers a refined view into the lifecycle of your security alerts, enabling you to better evaluate the timeliness and effectiveness of your response strategies.

New filter options

repository custom property filter on the security overview page

Leverage enhanced filters to fine-tune your security insights on the overview dashboard:
* Custom repository property filters: With repository custom properties, you can now tag your repositories with descriptive metadata, aiding in efficient organization and analysis across security overview.
* Severity filters: Severity-based filters allow you to concentrate on the vulnerabilities that matter most, streamlining the process of security risk assessment and prioritization.
* Improved date picker controls: Navigate through time with ease using the new date picker options, allowing for quick selection of rolling periods like “Last 14 days,” “Last 30 days,” or “Last 90 days.” Bookmark your preferred time window to keep your analysis current with each visit.

You can access these new functionalities in security overview by navigating to the “Security” tab at the organization level.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more

You can now monitor enablement trends for all security products within your GitHub organization. This functionality is designed to give you a detailed overview of how your organization is implementing security product coverage.

new tool adoption report

Explore enablement trends for historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends page, visit security overview at the organization level. You can find security overview by clicking on the “Security” tab.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and join the discussion within the GitHub Community

See more

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

As of today, you can leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

You can create your own custom detectors for secret scanning by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on the regular expression to get an AI-generated plain language description of the regular expression. You should still review this input and carefully validate performance of results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

Anyone able to define custom patterns is able to use the regular expression generator. This feature is shipping to public beta today for all GitHub Enterprise Cloud customers with GitHub Advanced Security.

Learn more about the regular expression generator or how to define your own custom patterns.

See more

All new public repositories owned by personal accounts will now have secret scanning and push protection enabled by default. Pushes to the repository that include known secrets will be blocked by push protection, and any known secrets that are detected in the repository will generate a secret scanning alert. Secret scanning and push protection can be disabled by the repository administrator after the repository is created.

Existing public repositories are not affected, nor are new public repositories that belong to an organization.

See more

We’ve started the rollout for enabling push protection on all free user accounts on GitHub. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

It might take a week or two for this change to apply to your account; you can verify status and opt-in early in your code security and analysis settings. Once enabled, you also have the option to opt-out. Disabling push protection may cause secrets to be accidentally leaked.

See more

Enterprise Managed Users can now enable secret scanning on their user namespace repositories. Owners of user repositories will receive secret scanning alerts when a supported secret is detected in their repository. User namespace repositories can also enable push protection.

In the enterprise level list of secret scanning alerts, enterprise owners can view all secrets detected in user namespace repositories. Enterprise owners can temporarily access user namespace repositories to view the secret details.

User namespace repositories are included in the security risk and coverage pages.

Secret scanning will also be supported on Enterprise Server personal repositories starting on GHES 3.13.

See more

Secret scanning is extending validity check support to Mailgun (mailgun_api_key) and Mailchimp (mailchimp_api_key) API keys.

Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically verify validity for alerts on supported token types.

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at both organization and repository levels from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending to the relevant partner.”

Learn more about secret scanning or our supported patterns for validity checks.

See more

Developers with free accounts on GitHub could enable secret scanning’s push protection at the user level since last August. This automatically protects you from accidentally committing secrets to public repositories, regardless of whether the repository itself has secret scanning enabled. On February 27, this feature will be start to be enabled automatically for all free accounts across GitHub.

If a secret is detected in any push to a public repository, your push will be blocked. You will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block.

You can enable this feature now in your user settings. After February 27, you can opt out of push protection and disable it. Disabling push protection may cause secrets to be accidentally leaked.

See more

The secret_scanning_alert webhook is sent for activity related to secret scanning alerts. Secret scanning webhooks now support validity checks, so you can keep track of changes to validity status.

Changes to the secret_scanning_alert webhook:

  • A new validity property that is either active, inactive, or unknown depending on the most recent validity check.
  • A new action type, validated, which is triggered when a secret’s validity status changes.

Note: you must enable validity checks at the repository or organization level in order to opt in to the feature. This can be done from your secret scanning settings on the Code security and analysis settings page by selecting the option to “automatically verify if a secret is valid by sending it to the relevant partner.”

Learn more about which secret types are supported or the secret scanning webhook.

See more

Secret scanning is extending validity check support to several additional token types.

Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically verify validity for alerts on supported token types. In addition to token types announced in our previous changelogs, you will now see validity checks for the following token types:

Provider Token
Dropbox dropbox_short_lived_access_token
Notion notion_integration_token
OpenAI openai_api_key
OpenAI openai_api_key_v2
SendGrid sendgrid_api_key
Stripe stripe_api_key
Stripe stripe_test_secret_key
Telegram telegram_bot_token

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at both organization and repository levels from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending to the relevant partner.”

Learn more about secret scanning or our supported patterns for validity checks.

See more