secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Persona to scan for their API keys and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Persona API keys allow users to create, update, and interact with their identity-related data. GitHub will forward API keys found in public repositories to Persona, who will notify affected customers and work with them to rotate their API keys. You can read more information about Persona API keys here.

GitHub Advanced Security customers can also scan for Persona API keys and block them from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Twilio Segment to scan for their tokens and help secure our mutual users on all public repositories, and private repositories with GitHub Advanced Security. Twilio Segment tokens allow users to programmatically manage their workspaces. GitHub will forward access tokens found in public repositories to Twilio Segment, who will immediately revoke the token and notify workspace owners. You can learn more about Twilio Segment tokens here.

GitHub Advanced Security customers can also block Twilio Segment tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

Secret scanning users can now view the validity of detected GitHub tokens by clicking into the related alert's UI page. The alert page will tell you whether the GitHub token is still active and able to be used.

Secret scanning alerts are available for free on public repositories and as part of GitHub Advanced Security on private repositories.

See more

GitHub, the Rust Foundation, and the Rust Project are collaborating to help protect you from leaked crates.io keys.

From today, GitHub will scan every commit to a public repository for exposed crates.io keys. We will forward any tokens we find to crates.io, who will automatically disable the tokens and notify their owners. The end-to-end process takes only a few seconds.

Crates.io is the latest GitHub secret scanning integrator; since 2018, GitHub has partnered with over 100 token issuers to help keep our mutual customers safe. We continue to welcome new partners for public repository secret scanning. In addition, GitHub Advanced Security customers can scan their private repositories for leaked secrets.

We’d like to thank the crates.io team, the staff at the Rust Foundation, and the work from AWS’ Dan Gardner on this GitHub pull request that made our collaboration with Rust possible.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub Advanced Security customers can view an event in their organization or enterprise audit log when an admin enables or disables push protection for a custom pattern at the repository, organization, or enterprise level.

See more

As of last month, GitHub Advanced Security customers can enable push protection for push protection for any custom pattern defined at the repository or organization level. Now, customers can also protect patterns that they've defined at the enterprise level.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Tencent Weixin to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Tencent Weixin tokens allow users to verify the Weixin Official Accounts and Mini Programs developers, obtain sensitive information on business applications and can be used to verify merchant identities.

GitHub will forward access tokens found in public repositories to Tencent Weixin, who will notify affected users. Tencent Weixin encourages users to delete leaked API tokens on GitHub and to create a new token. More information about Tencent Weixin tokens can be found here.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

Secret scanning alerts for third party API key detections now include a link to relevant documentation provided by the service provider, where available. These links are intended to help users better understand detections and take appropriate action.

The links will appear in the alert view for all repositories with secret scanning enabled. You can enable secret scanning on your public repositories and any private repository with GitHub Advanced Security. If you have feedback on any provided links, please write us a note in our code security discussion.

example alert with provider docs

For more information:

See more

Previously, GitHub Advanced Security customers could enable push protection for all patterns supported by default.

Now, admins can also enable push protection for any custom pattern defined at the repository or organization level. Push protection for enterprise-level custom patterns will come in January.

blocked custom pattern

See more

Previously, only organizations with GitHub Advanced Security could enable secret scanning's user experience on their repositories. Now, any admin of a public repository on GitHub.com can detect leaked secrets in their repositories with GitHub secret scanning.

The new secret scanning user experience complements the secret scanning partner program, which alerts over 100 service providers if their tokens are exposed in public repositories. You can read more about this change and how secret scanning can protect your contributions in our blog post.

See more

Enterprises with GitHub Advanced Security can now enable secret scanning and push protection on all their organizations using a single call to an enterprise-level REST API endpoint.

You can also use the enterprise API to set a default custom link that will appear on a push protection block.

This new endpoint supplements the existing enterprise enablement settings in the UI and the repository-level and organization-level REST API enablement endpoints.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Telnyx to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Telnyx tokens allow users to manage their usage and resources on the Telnyx communications and connectivity platform.

GitHub will forward access tokens found in public repositories to Telnyx, who will immediately reach out to the user and work to swiftly rotate the key. More information about Telnyx tokens can be found here.

GitHub Advanced Security customers can also block Telnyx tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Learn more about protecting pushes
Partner with GitHub on secret scanning

See more

GitHub Advanced Security customers using secret scanning can now view any new secrets exposed in an issue's title, description, or comments within the UI or the REST API. This expanded coverage will also detect and surface secrets matching any custom pattern defined at the repository, organization, or enterprise levels.

We have also expanded the secret scanning partner program. Secret scanning partners will now receive notifications for secrets found in public issues that match their token formats.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Figma to scan for their API tokens and help secure our mutual users on public repositories. Figma API tokens can be used to read and interact with Figma and FigJam files — both through Figma’s own platform and other Figma-integrated applications. GitHub will forward access tokens found in public repositories to Figma, who will will immediately notify token owners. You can read more information about Figma's tokens here.

GitHub Advanced Security customers can also scan for Figma tokens and block them from entering their private and public repositories with push protection.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with LocalStack to scan for their API key tokens and help secure our mutual users on public repositories. LocalStack's tokens allow for activation of the advanced LocalStack features for their Pro/Team/Enterprise products. GitHub will forward access tokens found in public repositories to LocalStack, who will immediately notify users and revoke any compromised tokens. You can read more information about LocalStack's tokens here.

GitHub Advanced Security customers can also scan for LocalStack tokens and block them from entering their private and public repositories with push protection.

See more

GitHub Advanced Security customers using secret scanning can now specify a custom link via the organization level REST API that will show in the message when push protection detects and blocks a potential secret. Admins can use the custom link to point their developers to company-specific guidance on secrets.

Previously, admins could only set a custom link through the UI.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Chief Tools to scan for their tokens and help secure our mutual users on public repositories. Chief Tools tokens allow users to access the Chief Tools API and perform automated actions on behalf of the user that created the token. GitHub will forward access tokens found in public repositories to Chief Tools, who will immediately revoke the token and email the owner of the leaked token with instructions on next what to do next. You can read more information about Chief Tools tokens here.

GitHub Advanced Security customers can also scan for Chief Tools tokens and block them from entering their private and public repositories with push protection.

See more

GitHub now stores detected secrets using symmetric encryption. Storing the encrypted secret allows secret scanning to provide the best possible user experience.

Previously, we only stored the locations of the exposed secret and a hash of it. Each time we presented the secret in our user experience or API we therefore had to re-derive it from its location and hash. This meant that we could not always display a preview of a detected secret in the UI or API, preventing the user from ensuring proper revocation and remediation. Below are a few examples of when we could not previously show users the secret preview:

  1. If a contributor leaked a secret and then rewrote their Git history
  2. If the secret was found in a file larger than a certain size, for practical performance reasons
  3. If the secret was detected in a file with certain text encoding that was incompatible for previewing in GitHub UI

Now, GitHub stores detected secrets separately from source code using symmetric encryption. By storing this information we can more reliably retrieve and display detected secrets with a consistent user experience even if they've been removed from version history. As a result, as a user, you'll no longer be left wondering what a previously detected secret was and whether its previous exposure represents a long-term threat.

With our users’ security always top of mind, we’re confident that the change to our secrets storage will allow our users to take the proper remediation and revocation steps they need to secure their software.

See more

The enterprise audit log now records changes to GitHub Advanced Security, secret scanning, and push protection enablement.

The organization-level audit log now also records when a push protection custom message is enabled, disabled, or updated.

For more information:

See more

GitHub will regularly run a historical scan to detect newly added secret types on repositories with GitHub Advanced Security and secret scanning enabled.

Previously, customers could manually trigger a historical scan to detect new secret types by re-enabling secret scanning, e.g. clicking "Enable all" at the organization level. Now, historical scans are automatic; customers can expect an email of any new detections in their repositories, just like they would when first enabling secret scanning today.

See more