secret-scanning

GitHub secret scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and prevent the fraudulent use of accidentally committed secrets.

We have partnered with Meta to scan for their access tokens and help keep our mutual users secure. Our scan currently covers Facebook user access tokens and page access tokens. These tokens provide permissions to APIs that read, write, or modify the data belonging to a Facebook user or page.

We'll forward access tokens found in public repositories to Meta. Meta will then automatically invalidate tokens that have a valid session and notify app developers.

We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

GitHub secret scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and prevent the fraudulent use of accidentally committed secrets.

When enabled on private repositories, GitHub secret scanning raises alerts directly to users. The quality of this experience depends on the quality of the patterns we scan for, which we are constantly refining. In line with that, we are removing our pattern for Azure SQL connection strings from our default pattern set on private repositories.

Advanced Security customers can replicate our previous pattern for Azure SQL connection strings using custom patterns with the following regex:
(?i)[a-z][a-z0-9-]+\.database(?:\.secure)?\.(?:(?:windows|usgovcloudapi)\.net|chinacloudapi\.cn|cloudapi\.de)

We intend to introduce a more general pattern for database connection strings, with a lower false positive rate, in the near future.
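As an added example (not GitHub's code), the following Python applies the regex above to constructed sample lines and shows why the host-only pattern is noisy: it fires on a documentation mention or a plain host setting just as readily as on a credential-bearing connection string. The tightened `find_connection_strings` check, which requires a password field on the same line, is an assumption of this example, not GitHub's planned replacement pattern.

```python
import re

# GitHub's former default Azure SQL host pattern, as quoted in the changelog above.
AZURE_SQL_HOST = re.compile(
    r"(?i)[a-z][a-z0-9-]+\.database(?:\.secure)?\."
    r"(?:(?:windows|usgovcloudapi)\.net|chinacloudapi\.cn|cloudapi\.de)"
)

# Assumed tightening (not from the changelog): only report a host when the same
# line also carries a password field, which is what makes it a usable credential.
PASSWORD_FIELD = re.compile(r"(?i)\b(?:password|pwd)\s*=")


def find_hosts(lines):
    """Return (line_number, host) for every Azure SQL host name; lines are 1-based."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in AZURE_SQL_HOST.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def find_connection_strings(lines):
    """Like find_hosts, but keep only lines that also contain a password field."""
    return [(n, host) for n, host in find_hosts(lines)
            if PASSWORD_FIELD.search(lines[n - 1])]


# Constructed sample input: two credential-bearing connection strings, two lines
# that merely name a host (a docs sentence and a DB_HOST setting), one noise line.
SAMPLE_LINES = [
    "Server=tcp:contoso-prod.database.windows.net,1433;Initial Catalog=app;"
    "User ID=appuser;Password=Example_P4ss!;Encrypt=True;",
    "See the Azure docs: connect to myserver.database.windows.net from the portal.",
    "DB_HOST=us-gov.database.usgovcloudapi.net",
    "Server=tcp:cn-app.database.chinacloudapi.cn;User ID=svc;Pwd=Example_P4ss!",
    "nothing to see here",
]

if __name__ == "__main__":
    for n, host in find_hosts(SAMPLE_LINES):
        print(f"host match       line {n}: {host}")
    for n, host in find_connection_strings(SAMPLE_LINES):
        print(f"credential match line {n}: {host}")
```

Run against the sample, the host-only pattern reports four lines while the tightened check reports only the two that actually carry a password.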

Check out our docs for more information on the 100+ patterns that we scan for.

GitHub Secret Scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and fraudulent uses of secrets that were committed accidentally.

Checkout.com is a cloud-based global payments platform that empowers brands like Adidas, Samsung, and Wise with digital payments built for speed and scale. Checkout.com alerts customers and their account managers of any suspected credential compromise based on notifications from GitHub.

FullStory's Digital Experience Intelligence platform helps companies answer questions about their digital experience by transforming digital interactions across websites and mobile apps into actionable metrics. If a token is exposed, FullStory will notify the developer at risk. For more information on protecting and rotating your FullStory tokens, please refer to their documentation.

We partnered with Checkout.com and FullStory to scan for their API tokens to help keep all of our mutual developers and customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

GitHub Advanced Security customers can now edit their custom patterns defined at the repository, organization, and enterprise levels. After a user edits and saves a pattern, secret scanning searches for matches both in a repository's entire git history and in any new commits. Editing a pattern will close alerts previously associated with the pattern if they no longer match the updated version.

The new editing feature comes along with other UI and UX updates, with additional improvements like dry-runs in the works.

Now that users can edit their patterns, we're also taking custom patterns out of beta on cloud. Over 50 enterprises have adopted the feature and written over 100 unique patterns since the initial release in June.

User-defined patterns will be generally available on server next quarter in GitHub Enterprise Server 3.3.

Learn more about custom patterns
Learn more about secret scanning

GitHub Secret Scanning scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally. This protects users from fraud and data leaks.

Contributed Systems provides open source and commercial background job systems (Sidekiq and Faktory) for business applications written in a variety of programming languages, including Ruby, Go, Python, and JavaScript. If your Contributed Systems credentials are committed to a public repository, we'll send those matches to them and they'll reach out to you directly.

We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

GitHub Advanced Security customers can now view all their private repo secret scanning alerts in the organization security tab. This view is currently only available to organization owners, but will soon also be available to users with the security manager role.

For API use cases, please see the recent secret scanning org-level REST API release.

Learn more about security overview
Learn more about GitHub Advanced Security

GitHub Secret Scanning scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally. This protects users from fraud and data leaks.

PlanetScale is a MySQL-compatible, serverless database platform built for developers, with horizontal scaling, unlimited connections, and an elegant GitHub-style workflow. We partnered with PlanetScale to help keep our customers secure by scanning for their developer tokens.

We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

GitHub Secret Scanning scans repositories for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally. This protects users from fraud and data leaks.

GitHub has partnered with Linear and Ionic to scan for their developer tokens! They are just the latest GitHub secret scanning integrators – since 2018 GitHub has collaborated with 36 token issuers to help keep their customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

If you commit a secret to a public repository, the whole world can see it. GitHub secret scanning helps protect you from fraud and data breaches by scanning for leaked API tokens and, via our partners, automatically notifying you and/or revoking them.

From today, GitHub will scan every commit to a public repository for exposed RubyGems, Adobe and OpenAI API keys. We will forward any keys we find to the relevant service, who will automatically disable them and notify their owners. The end-to-end process takes just a few seconds.

RubyGems, Adobe and OpenAI are just the latest GitHub secret scanning integrators – since 2018 GitHub has collaborated with 36 token issuers to help keep their customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.

GitHub Advanced Security customers can now specify custom patterns for use in private repo secret scanning. When a new pattern is specified, secret scanning searches a repository's entire git history for it, as well as any new commits.

User-defined patterns are in beta on cloud and will be available on GHES next quarter. They can be defined at the repository and organization levels.

Learn more about custom patterns
Learn more about secret scanning

Secret scanning for private repositories is now generally available for all GitHub Advanced Security customers on GitHub Enterprise Cloud. Since announcing the beta last year, we've:

We have lots more improvements planned for secret scanning, including support for custom patterns in June.

Learn more about secret scanning
Learn more about GitHub Advanced Security

GitHub and the Python Package Index (PyPI) are collaborating to help protect you from leaked PyPI API tokens.

From today, GitHub will scan every commit to a public repository for exposed PyPI API tokens. We will forward any tokens we find to PyPI, who will automatically disable them and notify their owners. The end-to-end process takes just a few seconds.

PyPI is just the latest GitHub secret scanning integrator – since 2018 GitHub has collaborated with 35 token issuers to help keep their customers safe. We continue to welcome new integrators for public repo secret scanning. In addition, GitHub Advanced Security customers can now also scan their private repositories for leaked secrets.

We'd like to thank Joachim Jablon for his work on PyPI that made this collaboration possible.
